Archive for March 24, 2017

Middle Eastern Airline Appears To Troll US Government On Twitter

Posted in Commentary with tags on March 24, 2017 by itnerd

I’m not sure that this is such a good idea given the current political climate. But Royal Jordanian Airlines is using Twitter to take a unique spin on the electronics ban. First they gave flyers the info that they needed to know:

Then they took an “interesting” look at what to do when you don’t have your laptop or tablet on a very long flight:

Some of this is humor, but number 12 could be seen as a bit of a dig at the electronics ban that may not go over too well with those in Washington. It also underscores the fact that some people, including yours truly and possibly this airline, have wondered about the logic of this ban. After all, are you any safer if a laptop with a bomb in it is in the cargo hold rather than the cabin? Plus there’s the fact that the optics are not good, as the electronics ban only targets airlines from Muslim-majority countries. So perhaps Royal Jordanian Airlines has decided that, because of all of that, they are going to use Twitter to express their displeasure in a way that has some degree of plausible deniability to it. Whatever the logic behind this, if they are trolling the US Government, it is kind of funny.


Turkish Crime Family iCloud Data Provided To ZDNet Proven To Be Valid

Posted in Commentary with tags on March 24, 2017 by itnerd

It may be a bit too early to blow off the so-called Turkish Crime Family and their threat to cause digital harm to millions of iCloud users. I say that because ZDNet posted a story saying that it had received a set of 54 account credentials from the hacker group for “verification” and subsequently reported that all of the accounts were valid, based on a check using Apple’s online password reset function. What’s interesting is that ZDNet also contacted each account holder via iMessage to confirm their password, and found that many of the accounts are no longer registered with Apple’s messaging platform. However, of those that could be contacted, 10 people, all based in the U.K., confirmed that the passwords were accurate, and they have changed them as a result.

Now these passwords could have been acquired in a number of ways. For example, Yahoo gets hacked, and because people tend to use the same password for everything, the rest of their digital lives are under threat. A valid iCloud password on its own doesn’t prove that the so-called Turkish Crime Family have pwned Apple at all, which would be consistent with what Apple said yesterday. Also, it is entirely possible that this is all that they have. I say that because of this:

A person representing the group, who is allegedly no longer a member, told me that the data is “handled in groups”, but would not explain how or why. The hackers refused to hand over a US-based sample of accounts.

My $0.02 worth? There is a strong likelihood that this is bogus. If someone had some sort of epic exploit against a company like Apple, they’d be asking for way more than $75,000 and they would have provided far more proof that Apple had been pwned. That isn’t the case here. But it doesn’t mean that you shouldn’t take precautions. You should look at how secure your iCloud account actually is. Use a strong password that is distinct from every other password you have, and enable two-factor authentication so that a leaked password alone is not enough to get in. After all, you should do everything possible to avoid getting pwned by this group or any other group of hackers.

Guest Post: Eight cyber-threats legacy tools are missing

Posted in Commentary with tags on March 24, 2017 by itnerd

By: David Masson, Canada Country Manager, Darktrace

Some of the most sophisticated cyber-attacks have a common trait – they go unnoticed for weeks, months, or even years until they have caused irreparable monetary and reputational damage. More often than not, the evidence of infiltration was present – but perimeter defenses proved insufficient in detecting them until it was too late.

To give a sense of the kinds of threats that legacy tools miss, I’ve compiled a list of real-world incidents that our AI-powered technology caught but that went undetected by a traditional security system. There are a near-infinite number of ways that modern attackers can compromise a network, but here are eight of the more striking incidents we’ve detected:

  1. Insider threat: An employee with system administrator privileges decided to leave for a new job. His company had explicit restrictions on cloud usage, but as an administrator, the employee could change the rules about who could access the cloud and from where. The employee attempted to exfiltrate data from the cloud before departing, but because Darktrace provided complete visibility across the entire network infrastructure, including the cloud, the suspicious behavior was spotted. As a result, the company was able to better manage the employee’s departure.
  2. Ransomware: An attacker sent an email containing a fake invoice, supposedly coming from a trusted stationery supplier. An administrative assistant opened the attachment, and JavaScript within the document connected the computer to a server in Ukraine. Within minutes, the downloaded malware began to encrypt company files. Darktrace found the attack by identifying both the connection and the download as major deviations from the user’s and device’s normal ‘pattern of life’, allowing the company to quarantine the infected device before damage could be done.
  3. Compromised video equipment: After a video conferencing unit started to behave strangely, it was determined that a remote attacker had compromised the camera and was sending data outside the network. The attacker moved laterally through the network and attempted to locate Point of Sale (PoS) devices, and they could have been exfiltrating sensitive audio and video. Darktrace detected the compromise after the device initiated a large upload to rare external IPs and began communicating with internal computers that it rarely connected to. Once this behavior was identified, the company immediately disconnected the camera.
  4. Penetration testing tool misuse: Darktrace detected a company device updating a penetration testing tool used for attacks on web services. This particular device had never used the pen testing software in the past. Over the next few days, several anomalous behaviors were detected inside the network, including two corporate devices that tried and failed to log in using administrative credentials and an SQL injection attack. The attacks were not associated with any known threat signatures, so they went unnoticed by legacy tools, but Darktrace identified the failed login attempts and the SQL injection attack as highly anomalous behavior for the network.
  5. Credential theft: A healthcare company became infected with a strain of malware built to steal user credentials. Once on the network, the malware spread by copying programs into sensitive folders on other devices and guessing login details. Every infected device was sending programs to sensitive folders on other devices at speeds faster than users could possibly have been acting. The devices were also trying to communicate with a suspicious third-party infrastructure. This particular malware used advanced stealth techniques that allowed it to avoid traditional network defenses, but Darktrace recognized the copied programs and the forced access of password managers as abnormal compared to normal network activity.
  6. Self-modifying malware: Many sophisticated attacks contain ‘active defense mechanisms’ that allow them to avoid detection by traditional cyber security monitoring. In this case, the attacker used the ‘Smoke Malware Loader’ tool, a password grabber that protects itself from detection by evolving its threat signature in real-time and generating fake, redundant traffic. By combining various anomalous factors, including the initial incoming file and beaconing to an external device, Darktrace built a detailed understanding of this highly evolved operation, and quickly determined it was threatening behavior.
  7. BitTorrent risks: Malware is also distributed inside torrented files, hidden among the many pieces a client downloads from many peers. In this example, a device contacted a BitTorrent network and was also accepting SSH – a powerful remote administration protocol which an attacker used to remotely control the infected device and use it as an entry point into the network. Without quick action, this infection could have developed into a serious security breach. Darktrace identified the BitTorrent behavior and the beaconing activity as highly unusual compared to normal network activity.
  8. Biometric scanner vulnerability: To restrict access to their machinery and industrial plants, a manufacturer had a biometric scanner connected to the corporate network. When Darktrace was installed, it flagged unusual Telnet connections to and from the biometric scanner. Once investigated, it was determined that an external party had compromised the scanner and had started to change its data. No signature existed for that threat type, so it would have gone unchecked by legacy controls. Darktrace’s AI defenses identified the breach in time to avoid a physical intrusion and potentially catastrophic damage.
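Several of the incidents above (the camera uploading to rare external IPs and reaching internal hosts it never touched, the biometric scanner suddenly speaking Telnet, copies happening faster than a person could act) are caught the same way: compare what a device does now with what it did during a quiet baseline window. The block below is an added example written for this page to illustrate that idea; it is not Darktrace’s product or any code from the guest post. It assumes flow records with a device name, destination, port and bytes sent, a hypothetical internal range of 10.0.0.0/8, constructed device names, and outside addresses drawn from the RFC 5737 documentation ranges.

```python
# Added example (not Darktrace's code): a minimal "pattern of life" detector.
# It learns, per internal device, the destinations, ports and upload sizes seen
# during a baseline window, then flags new flows that deviate from that history.
# All flow records are constructed for this example; device names are
# hypothetical and outside addresses come from the RFC 5737 TEST-NET ranges.
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumed corporate address space; anything else is treated as external.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]


@dataclass(frozen=True)
class Flow:
    src: str        # internal device name (e.g. from the asset inventory)
    dst: str        # destination IP address
    dport: int      # destination port
    bytes_out: int  # bytes sent by src in this flow


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


class Baseline:
    """Per-device history built from flows observed during a quiet period."""

    def __init__(self, flows):
        self.dsts = defaultdict(set)
        self.ports = defaultdict(set)
        self.uploads = defaultdict(list)
        for f in flows:
            self.dsts[f.src].add(f.dst)
            self.ports[f.src].add(f.dport)
            self.uploads[f.src].append(f.bytes_out)

    def upload_threshold(self, src):
        """Mean plus three standard deviations of the device's past uploads.

        The floor of 1 on the deviation stops a perfectly constant history
        from producing a zero-width band; a device with no history gets None
        (every destination and port is then new, which is flagged anyway)."""
        hist = self.uploads[src]
        if not hist:
            return None
        return mean(hist) + 3 * max(pstdev(hist), 1)


def score_flow(baseline, f):
    """Return the list of ways this flow deviates from the device's baseline."""
    reasons = []
    if f.dst not in baseline.dsts[f.src]:
        reasons.append("new internal peer" if is_internal(f.dst)
                       else "new external destination")
    if f.dport not in baseline.ports[f.src]:
        reasons.append(f"unusual port {f.dport}")
    threshold = baseline.upload_threshold(f.src)
    if threshold is not None and f.bytes_out > threshold:
        reasons.append("upload volume far above baseline")
    return reasons


def detect(baseline, flows):
    """Flagged flows as (src, dst, dport, reasons), in input order."""
    flagged = []
    for f in flows:
        reasons = score_flow(baseline, f)
        if reasons:
            flagged.append((f.src, f.dst, f.dport, reasons))
    return flagged


# Constructed baseline: a conference camera, a workstation and a door scanner
# each talking to the small set of hosts they normally talk to.
BASELINE_FLOWS = [
    Flow("cam-01", "10.0.0.5", 443, 1800),
    Flow("cam-01", "10.0.0.5", 443, 2100),
    Flow("cam-01", "10.0.0.5", 443, 1900),
    Flow("cam-01", "10.0.0.5", 443, 2000),
    Flow("cam-01", "10.0.0.5", 443, 2200),
    Flow("ws-07", "203.0.113.10", 443, 5000),
    Flow("ws-07", "203.0.113.10", 443, 4800),
    Flow("ws-07", "203.0.113.10", 443, 5200),
    Flow("ws-07", "203.0.113.10", 443, 5100),
    Flow("scanner-01", "10.0.0.30", 443, 500),
    Flow("scanner-01", "10.0.0.30", 443, 520),
    Flow("scanner-01", "10.0.0.30", 443, 480),
]

# Constructed new flows mirroring incidents 3 and 8: the camera uploads 50 MB
# to an address it has never spoken to, then starts talking SMB to an internal
# host it has never touched; the scanner opens Telnet to an outside address.
# The workstation's flow is ordinary and should not be flagged.
NEW_FLOWS = [
    Flow("cam-01", "198.51.100.77", 443, 50_000_000),
    Flow("cam-01", "10.0.0.44", 445, 1500),
    Flow("ws-07", "203.0.113.10", 443, 5200),
    Flow("scanner-01", "198.51.100.9", 23, 400),
]


def run_example():
    return detect(Baseline(BASELINE_FLOWS), NEW_FLOWS)


if __name__ == "__main__":
    for src, dst, dport, reasons in run_example():
        print(f"{src} -> {dst}:{dport}: {', '.join(reasons)}")
```

Nothing here depends on a signature: the Telnet session and the 50 MB upload are flagged only because that device never did those things during the baseline. The price of that is that the baseline window itself must be clean, and that a threshold of mean plus three deviations will miss a slow exfiltration that stays inside the band, which is why a real deployment would also track new-peer counts over time rather than judging each flow alone.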

Apple Comments On Latest Wikileaks Info Dump

Posted in Commentary with tags on March 24, 2017 by itnerd

Yesterday, Wikileaks did a second info dump which centered around exploits used by the CIA to get into OS X, along with documents indicating that the CIA got into the supply chain of iPhone shipments to slip its software onto them. Apple has since come out with a statement that is kind of interesting:

We have preliminarily assessed the Wikileaks disclosures from this morning. Based on our initial analysis, the alleged iPhone vulnerability affected iPhone 3G only and was fixed in 2009 when iPhone 3GS was released. Additionally, our preliminary assessment shows the alleged Mac vulnerabilities were previously fixed in all Macs launched after 2013.

We have not negotiated with Wikileaks for any information. We have given them instructions to submit any information they wish through our normal process under our standard terms. Thus far, we have not received any information from them that isn’t in the public domain. We are tireless defenders of our users’ security and privacy, but we do not condone theft or coordinate with those that threaten to harm our users.

Well… what is in this statement is what I was expecting Apple to say, as when I read the documents in the dump, it seemed like this was stuff that Apple had already fixed. But one thing to keep in mind is that, based on the way the statement is written, they are still looking at this. Thus you can expect that anything they haven’t already addressed will be fixed very quickly. Another thing to point out is that Apple took the opportunity to take a shot at Wikileaks over how it disclosed the exploits. That’s interesting. I will be interested to see how Wikileaks responds to that.