Android Smartphone Malware Beating 2FA

New Android Smartphone malware has been identified that gets around the security systems used by banks and other financial institutions to keep customers protected. The malware is managing to intercept messages that are sent to customers’ Smartphones used as part of the bank’s two-factor authentication system. However, an update to the Android Smartphone malware means it is now capable of intercepting passcodes on more robust 2FA systems.

Two-factor authentication is not infallible

Two-factor authentication offers enhanced security for bank customers. Rather than relying on a username and a password alone, an additional factor is used to verify identity. A one-time passcode is sent to a user’s Smartphone and that passcode is then used to authorize a transaction. If the passcode is not entered, the transaction cannot be made. The codes are sent to the Smartphone via SMS in most cases, although some banks use an automated voice call to deliver the passcode.

This means that even if a user’s login credentials are obtained by a criminal, they cannot be used to authorize a bank transfer unless the attacker has also managed to obtain the Smartphone of the account holder (or another device registered with the bank and used for two-factor authentication).

While two-factor authentication makes it harder for fraudulent transactions to be made, the system is not infallible. In fact, the account holder’s device does not even need to be stolen in order for a criminal to empty a bank account. If malware that can intercept the SMS text is loaded onto the device, an attacker in possession of the login credentials can make fraudulent transfers.

Automated voice call passcode delivery intercepted by Android Smartphone malware

SMS messages can be intercepted easily if malware is installed on a device. Because of this, some banks are moving away from SMS passcodes and are now favoring the delivery of codes via an automated voice message. However, the latest Android Smartphone malware is capable of obtaining these passcodes as well.

Android.Bankosy malware has been adapted to beat this system of passcode delivery. The malware simply forwards the voice call to the attacker, unbeknownst to the victim. This is possible because Android.Bankosy is capable of enabling silent mode on the phone, so the user is not aware that a call is being received. If the attacker has the login credentials, a transaction can be initiated; the voice call carrying the passcode is redirected to the attacker, and that code is then used to complete the transaction.

Cybersecurity Predictions for 2016

Over the past four weeks we have seen numerous cybersecurity predictions for 2016 issued by security firms. Security experts are trying to determine which part of the now incredibly broad threat landscape will be most favored by cybercriminals in 2016.

Some companies have made very specific cybersecurity predictions for 2016. They have come out with very bold claims, even predicting that the presidential elections will be disrupted by a major cyberattack. Others believe 2016 will be broadly similar to 2015, with just an increase in ransomware attacks and even more massive data breaches suffered.

What all of the cybersecurity predictions for 2016 have in common is that the next 12 months are expected to be tough for security professionals.

The number and types of devices now connecting to corporate networks are broader than ever before. People are now far more likely to own three or more Internet-connected devices and to use them on a regular basis. Alternative payment methods are being used more frequently. There is now more than ever to attack and too many devices and systems to keep secure. Unsurprisingly, no one appears to be claiming that 2016 will be easier than last year for cybersecurity professionals.

Cybersecurity predictions for 2016

The attack surface is now incredibly broad, but where are cybercriminals most likely to strike? Here is what we think: our cybersecurity predictions for 2016.

IoT – expect attacks on the Internet of Things

Let’s start with a bold prediction. The IoT is likely to come under attack this year. I say bold, but that is only in terms of the timescale. IoT devices will be attacked, shut down, altered, remotely controlled, and used as a launchpad for attacks on other devices. If a device is constantly connected to the Internet, it will only be a matter of time before an attack takes place.

One problem with adding IoT technology is that the manufacturers of the devices are not security experts. A washing machine that can be controlled via Wi-Fi or a Smartphone app, and can be switched on remotely while you are at work, has been designed first and foremost to wash clothes. It has then had IoT functionality bolted on. Security has not been at the core of the design.

Surely, you may say, a washing machine is not going to be used to attack a corporation. Well, a Smart heating and air conditioning system was used to attack Target and gain access to the credit card numbers of its customers. Hackers are certainly looking at IoT devices and are probing for weaknesses. Security needs to be first rate, but unfortunately in many cases it is not.

Crypto-ransomware evolution will continue – Increase in ransomware attacks to be expected

Over the past 12 months crypto-ransomware attacks have increased significantly. Cybercriminals are now developing new malware capable of locking computers with powerful encryption.

The encryption cannot be cracked. The devices can only be unlocked using a decryption key, and that key is held by the attackers. A ransom is demanded by the cybercriminals and it must be paid before the key is released. Ransoms are demanded in Bitcoin because the currency is next to impossible to trace.

Developing crypto-ransomware is a lucrative business and that is unlikely to change any time soon. At present, ransomware is sent via mass spam email and the victims are not really targeted. The aim is to infect as many devices as possible. More infections equal more ransoms.

What we are likely to see over the course of the next 12 months is an increase in the ransom amount demanded and a more targeted approach adopted. Businesses are likely to be targeted and crypto-ransomware used to hold companies to ransom. Companies are likely to be able to pay more than individuals.

We also expect ransomware to make the jump over to OS X, and to a lesser extent iOS. Cybercriminals would love to start charging Mac prices!

Apple owners to come under attack

That neatly leads us on to Apple. Users of Macs and iPhones have had it too good for too long. Hackers have not been too bothered about Mac users in the past, as there are greater rewards to be had from writing malware to target the masses. Consequently, the majority of malware targets Windows-based devices. Apple’s market share has been too small to warrant the development of Apple-specific malware. That is now changing.

Apple’s market share is increasing. As more people make the switch to Apple, it will be more lucrative for criminals to develop malware to target OS X devices. Over the course of the last year we have seen new malware created specifically for Apple devices. The volume is still small in comparison to malware that infects Windows-based devices, but we can expect Apple to come under attack in 2016.

Increase in memory resident malware

Hackers are getting better at obfuscation. They are developing ever more complex ways of hiding malware to evade detection. One of the main problems faced by malware authors comes from the fact that if a file is downloaded to a computer it can be found.

However, if malicious code is injected into the memory of a computer and no files are written to disk, it is very difficult to detect. Memory-resident malware is more difficult for hackers to create, but many are now developing new fileless malware in order to evade detection for longer.

Until now, memory-resident malware has been short-lived: it only survives until the device is rebooted. However, we are now seeing new forms that are simply reloaded into memory when the computer is rebooted. We can expect to see even more memory-resident malware attacks in 2016 as the use of fileless malware grows.

Major healthcare industry attacks will take place

In 2015, cybercriminals targeted the healthcare industry with increased vigor. Massive data breaches were suffered, the likes of which the industry had never before seen. Anthem was attacked last year and 78.8 million healthcare records were stolen. An attack on Premera BlueCross exposed 11 million records, and Excellus suffered a 10-million record data breach. These massive cyberattacks used to be a rarity. In fact, up until 2014 the largest U.S. healthcare data breach affected just 4.9 million individuals.

The healthcare industry has been slow to implement new technology and many security weaknesses remain. They are now being exploited with increasing regularity. Since the value of data stored by health insurers and healthcare providers is so high, and the volumes of Social Security numbers, health data, and personal information so large, successful attacks can be extremely profitable. Where there is profit and poor security, there will be cyberattacks. These massive breaches will therefore continue in 2016.

Attacks on employees to increase in 2016

Employees are the weakest link in the security chain, and hackers and cybercriminals are well aware of this. They target employees to gain access to corporate networks, with phishing one of the easiest ways to gain access to corporate data. These attacks have proved to be highly successful and have resulted in huge volumes of data being obtained by criminals. Some of the largest data breaches of the last two years, such as the attacks on Sony, Target, and Anthem, started with phishing campaigns.

Employers are getting better at blocking phishing emails and employees are now being trained to identify them, but these attacks will continue and will become more targeted and sophisticated.

As more employees work from home, we expect them to be targeted at home instead of at work. Their home computers and personal devices, which tend to have more security weaknesses, will be used to gain access to corporate networks. Those weaknesses are likely to be exploited with increasing frequency.

Do you agree with our cybersecurity predictions for 2016? What do you think the biggest threat will be over the next 12 months?

Time Warner Cable Security Breach Impacts 320,000 Customers

Hackers have potentially gained access to the data of hundreds of thousands of Time Warner Cable customers. The Time Warner Cable security breach was discovered by the FBI, which tipped off TWC last week. Affected individuals are now in the process of being notified.

320,000 customers potentially affected by Time Warner Cable security breach

The Time Warner Cable security breach was announced on Wednesday last week. Scant information was initially provided to the media about the security breach and how customer data came to be stolen by cybercriminals.

According to a statement released by the company, there has been no indication that the company’s computer systems were compromised in a cyberattack, and customers have only been advised to change their passwords as a precaution. The company advised customers via email as well as direct mail that their email addresses and passwords may have been compromised.

Over the next few days, further information about the Time Warner Cable security breach was released. At first a statement said residential customers were affected across all markets. It later came to light that the data were stolen not from TWC, but from a third party who had access to customer information.

Investigations into the TWC data breach are continuing, but at present it would appear that the Time Warner Cable security breach only affects Roadrunner email accounts (rr.com).

Customers have been directed to resources where they are provided with further information about how to identify a phishing attack. There is a possibility that affected individuals will be contacted via email by the data thieves in an attempt to obtain further information that can be used to commit identity theft or fraud.

However, what will be particularly worrying for the victims is not the possibility that they may be subjected to future phishing campaigns but what confidential information they have in their email accounts. Email accounts may contain highly sensitive information about an individual which, in the wrong hands, could be used to cause considerable harm.

The information in an email account could allow a cybercriminal to build up a highly detailed knowledge of an individual. That information could then be used to conduct a phishing campaign or cyberattack on that individual’s contacts.

Last year, Ping Identity conducted a survey on 1,000 enterprise employees in the United States and discovered that almost two thirds of respondents shared passwords between work and personal accounts. Data in personal email accounts could also potentially be used to conduct phishing campaigns on employees with a view to gaining access to their employer’s computer network.

As a precaution against fraudulent use of any information, all affected customers should change their email password promptly. It would also be a wise move for any individual who has a Roadrunner email account to change their password, even if a breach notice letter or email is not received.

TWC is America’s second largest cable company and serves 16 million customers across 29 states.

BBC DDoS Cyberattack Caused by New World Hacking

On December 31, 2015, the British Broadcasting Company (BBC) suffered a cyberattack which resulted in all of its websites being taken offline for a number of hours. A hacking group operating under the name “New World Hacking” has now claimed responsibility for the BBC DDoS Cyberattack.

BBC DDoS cyberattack conducted to test hacking group’s capabilities

The BBC was chosen not because of some vendetta against the broadcaster, but as a test of the power of the hacking group’s servers ahead of planned attacks on ISIS. The hackers behind the BBC DDoS cyberattack did not actually intend to take down the BBC websites, but it turned out that the servers being used for the attack proved to be “quite strong,” according to one member of the group who came forward.

‘Quite strong’ is something of an understatement. The BBC DDoS cyberattack was the largest ever recorded, with traffic up to 660 Gbps, which corresponds to many tens of thousands of connections. The hackers took down the BBC website using the Bangstresser tool, and used two nodes of attack and “a few extra dedicated servers.” Before the BBC DDoS cyberattack, the largest ever recorded was a 334 Gbps attack on an Asian network operator last year.

Attacks of this size are rare. Few manage more than 100 Gbps and when attacks of this magnitude occur they tend to be fairly short-lived, although while they are being conducted they can cause a substantial amount of damage. Many of the connections will be blocked by network filters, which are capable of identifying spoofed IP addresses, although by no means all. Attacks of this scale are likely to cause a serious amount of damage to enterprise networks.

In this case, the hacktivists were only testing capabilities and the motivation for the attack appears to have been made clear; however, not all hackers conduct DDoS attacks to disrupt web services or take down servers. All too often a DDoS attack is conducted as a smokescreen to distract IT staff while the real mission is completed. One part of a network is attacked, while other members of the group attempt to gain access to other parts of the network and install backdoors for subsequent attacks or steal data. This was demonstrated recently by the attack on UK broadband and mobile phone service provider TalkTalk.

Who are New World Hacking?

New World Hacking is an American group of 12 hackers – 8 men and 4 women – that was formed in 2012. The group has conducted numerous campaigns against terrorist organizations in the past, as well as on other groups and individuals that the hackers deem to be unpleasant or whose views or actions are contrary to the group’s beliefs.

New World Hacking has previously conducted large-scale DDoS attacks and has taken down websites run by members of the Ku Klux Klan, as well as websites depicting child pornography. Other targets include Donald Trump. That attack occurred at the same time as the BBC DDoS cyberattack and resulted in the presidential candidate’s website being taken offline for five hours. The group targeted Trump because of his recent “racist rhetoric.”

The group was also active after the recent Paris terrorist attacks and attempted to identify social media accounts used by ISIS.

The main target of New World Hacking is ISIS. The group is now planning to use its servers for attacks on ISIS websites, and those of ISIS supporters. The group claims to have a list of targets that it plans to attack in the very near future.

A member of the group going by the name of Ownz told the BBC “We realize sometimes what we do is not always the right choice, but without cyber hackers… who is there to fight off online terrorists?” The group aims to unmask ISIS, stop its spread, and end the propaganda.

Cybersecurity Information Sharing Act of 2015 Signed into Law

Last month, President Barack Obama put his signature to an Omnibus spending bill of $1.1 trillion which contained the Cybersecurity Information Sharing Act of 2015. The purpose of the act is to encourage the sharing of cybersecurity threat intel. The Obama administration believes this is essential in order for the country to win the war against cybercrime.

Cybersecurity Information Sharing Act of 2015 signed into law

The Cybersecurity Information Sharing Act of 2015 is a compromise bill that was penned after previous attempts to introduce legislation forcing private sector companies to share cybersecurity threat intelligence failed to make it past the House and Senate. Instead, the Cybersecurity Information Sharing Act of 2015 facilitates the voluntary sharing of intelligence by removing some of the legal obstacles that have previously stood in the way of data sharing.

It has long been possible for private sector companies to share certain cybersecurity information with government organizations; however, many companies have failed to do so out of fear of legal action stemming from accidental antitrust violations and inadvertent violations of the private rights of individuals. There was also concern that some of the information required by the federal government could in fact be used against the organization sharing the information, in regulatory enforcement actions for example.

The Cybersecurity Information Sharing Act of 2015 offers private companies immunity from private and government lawsuits, along with other claims that could potentially result from the sharing of cybersecurity intelligence.

Sharing of cybersecurity intelligence and immunity from lawsuits

The new law allows any person or private group to share cybersecurity information with the federal government. That information includes cyber threat indicators – information that describes the attributes of a threat – and defensive measures. Defensive measures are defined as actions, devices, signatures, techniques, or procedures that “detects, prevents, or mitigates a known or suspected cybersecurity threat or security vulnerability.”

Before any information is shared with the federal government it must first be stripped of personal information relating to specific individuals or information that would allow specific individuals to be identified.

The Cybersecurity Information Sharing Act of 2015 allows companies to share intel primarily with the Department of Homeland Security, although it will also be shared with a host of other government agencies, such as the Departments of Commerce, Energy, and Justice. The information would also be shared with the Department of Defense, which includes the NSA, as well as the Office of the Director of National Intelligence.

The US Attorney General and Secretary of Homeland Security will prepare and publish guidelines to aid organizations with the identification of information that qualifies as a cyber threat indicator. Assistance will also be provided to help organizations identify the information that must be removed prior to sharing to avoid violating privacy laws.

Seven National Guard Cyberprotection teams will be set up and active by the start of 2020 to help deal with new cybersecurity threats. Those teams will be spread across 23 states and will be capable of rapidly mobilizing soldiers and airmen to assist U.S. Cyber Command.

Facebook Flash Video Retired: Social Media Network Switches to HTML5

It has been a long time coming, but Facebook has finally taken the decision to stop using Flash for video. The social media site is now using HTML5 for all videos served on the site. Facebook Flash video is no more, but Adobe Flash has not been totally abandoned yet, as it will still be used for Facebook games. Hackers can take some comfort from the fact that Farmville players will still be highly susceptible to attack.

Facebook Flash Video Retired to Improve User Experience

The move away from Facebook Flash video didn’t really require any explaining, although a statement released by Facebook said the move was required “to continue to innovate quickly and at scale, given Facebook’s large size and complex needs.” The move to HTML5 not only makes the social media site more secure; HTML5 also improves the user experience. Videos play faster, there are fewer bugs, and HTML5 allows faster development. The social media network also plans to use HTML5 to improve the user experience for the visually impaired.

The move appears to have been welcomed by Facebook users. Since changing over to HTML5, users have added more videos, registered more likes, and are spending more time viewing videos.

The End of Adobe Flash is Nigh

Unfortunately, it is not quite so easy for the Internet to be totally rid of Flash. The video platform has been used for so long that it is still a major part of the web. However, its 10-year reign is now coming to an end. Google Chrome stopped supporting Flash last year and Amazon also banned the use of Flash for video last year. YouTube made the switch from Adobe Flash to HTML5, and with Facebook’s 8 billion video views a day no longer being served through Flash, the majority of web videos will now be viewed without Adobe’s platform.

Even Adobe appears to be trying to distance itself from its toxic product, having abandoned the name Flash in recent weeks. The company is attempting to deal with the huge number of zero day vulnerabilities as soon as they are discovered, and is patching them quickly, but it is fighting a losing battle. HTML5 provides everything that Flash offers in terms of functionality, minus the myriad of security holes.

Security Risk from Adobe Flash too High

Flash is well known for being a hacker’s dream, as the software platform contains more holes than a sieve. Early last month a new patch was released to address 78 CVE-classified security vulnerabilities, 75 of which were totally separate. This, it has to be said, is an insane number of security vulnerabilities to discover and address in a single patch. Adobe was quick to point out that it has not received reports of those vulnerabilities being used in the wild, but this has done little to address security fears about Flash.

The risk of drive-by malware attacks is simply too high with Flash. All it takes is for one malicious Flash-based advert to be sneaked onto a site, and any visitor with a Flash browser plugin enabled could be automatically infected.

Even with the 78 vulnerabilities now addressed, Adobe Flash is far from secure. In fact, even the early December mega patch was not enough. Adobe was forced to issue yet another update on December 28 to address a number of new critical security vulnerabilities that had been uncovered. The total number of Flash security vulnerabilities addressed in 2015 is now estimated to be 316.

With YouTube ditching Flash and Facebook Flash video no more, the demise of Adobe Flash has surely been hastened.