Articles from March 11-17
Ethical Hacking: The Most Important Job No One Talks About
Dark Reading | Amit Ashbel | March 16, 2017
Great power comes with great responsibility, and all heroes face the decision of using their powers for good or evil. These heroes I speak of are called white hat hackers, legal hackers, or, most commonly, ethical hackers. All these labels mean the same thing: A hacker who helps organizations uncover security issues with the goal of preventing those security flaws from being exploited. If companies don’t have an ethical hacker working for them, they’re in a one-sided game, only playing defense against attackers. What does this all mean for companies? Well, companies must first acknowledge how ethical hackers can help them. Strong application security programs need to focus both on the code security as it’s being developed, as well as in its running state — and that’s where ethical hacking comes into play. Nothing beats secure coding from the get-go, but mistakes do happen along the way, and that’s where ethical hacking experts can make a difference in an organization. At the next meeting on staffing, ethical hackers should be right at the top of the list of priorities to keep your company, and its data, safe.
SMBs Increasingly Targeted in Ransomware Attacks
Infosecurity Magazine | Steve Evans | March 16, 2017
Small and medium businesses across Europe are being actively targeted by ransomware attacks, new research has shown. According to data protection firm Datto, 87% of European IT service providers it surveyed said their SMB customers had been hit by a ransomware attack at some point during the previous 12 months. Additionally, 40% of respondents reported multiple attacks during that time. Just over a quarter of respondents (27%) reported experiencing multiple attacks in a single day. In terms of the impact these attacks are having, the survey revealed the average ransom demanded was between £500 and £2000. In 15% of reported cases the demand was in excess of £2000. Nearly half (47%) said paying the ransom was ineffective, as they still lost some of the data that had been encrypted by the attackers. As well as financial penalties, ransomware attacks can also impact the business in other ways. A majority of respondents (62%) said they’d experienced downtime during the attack. For smaller organizations, the combination of financial loss and downtime can threaten the continued operation of the business, Datto said. Frustratingly, just 40% of ransomware victims end up reporting the crime to the authorities. The FBI has previously said that reporting ransomware attacks will help it get a better understanding of exactly how many attacks are occurring as well as help the industry develop its defenses; traditional antivirus has so far proved to be ineffectual against most ransomware.
How Can Companies Ward Off Cyber Attacks?
Newsweek | Debi Ashenden and Emma Williams | March 16, 2017
Companies are bombarded with phishing scams every day. In a recent survey of more than 500 cyber security professionals across the world, 76 percent reported that their organization fell victim to a phishing attack in 2016. These scams take the form of emails that try to persuade staff to download malicious attachments, click on dodgy links, or provide personal details or other sensitive data. A targeted “spear” phishing email campaign was blamed for instigating the recent cyber attack that caused a major power outage in Ukraine. Even more worryingly, phishing attacks are now the most popular way of delivering ransomware onto an organization’s network. This is a type of software that typically encrypts files or locks computer screens until a ransom is paid. The amounts demanded are generally quite small, meaning that many organizations will simply pay the ransom without, of course, any guarantee that their systems will be unlocked. In the face of these phishing attacks, employees have become the frontline of cyber security. Reducing their vulnerability to phishing emails has therefore become a critical challenge for companies.
FBI: Russian hackers likely used a simple phishing email on a Yahoo employee to hack 500 million user accounts
Business Insider | Steve Kovach | March 16, 2017
The FBI says hackers used social-engineering techniques on a “semi-privileged” Yahoo employee to break into the company’s systems and access 500 million user accounts. In an interview with Ars Technica, FBI agent Malcolm Palmore said the hackers were able to use a “spear phishing” email to gain the Yahoo employee’s credentials. Spear phishing emails can encompass various techniques designed to trick the recipient into giving up his or her personal information. Phishing emails usually appear to come from a trusted source. One of the best-known recent cases of phishing was when John Podesta, the campaign manager for Hillary Clinton’s 2016 presidential run, fell victim to such an email, causing his private messages to leak. The US Department of Justice released an indictment Wednesday charging two Russian intelligence agents and two others in connection with the 2014 hacks that compromised 500 million Yahoo user accounts. The DOJ says the two members of Russia’s FSB intelligence agency, Dmitry Dokuchaev and Igor Sushchin, “protected, directed, facilitated, and paid” the other two hackers to break into the Yahoo accounts.
The internet of botnets and ransomware on your TV: Here come your next big security headaches
ZDNet | Danny Palmer | March 14, 2017
Cyberattacks exploiting the insecurity of the Internet of Things, and hackers attempting to compromise industrial connected devices are among the biggest threats to the UK, those responsible for ensuring national security have warned. Citing incidents including the internet crippling Mirai botnet cyberattack and vulnerabilities in a children’s doll which could potentially be exploited to conduct espionage on unsuspecting victims, a new report by the intelligence services has warned that the rise of IoT devices is providing threat actors with more opportunities to attack targets than ever before. The joint report from the National Cyber Security Centre (NCSC) and the National Crime Agency (NCA), titled The cyber threat to UK business, details the growing threats to individuals and organisations from cyberattacks. Noting how many IoT devices are shipped with insecurities which make them vulnerable to remote takeover — and without means to update or otherwise fix the devices — the report warns about the increased threat of IoT botnet attacks and says this form of cyberattack is going to get more frequent and more damaging in future.
NSA hacker Joyce will be White House Cyber Czar, reports say
SC Magazine | Teri Robinson | March 14, 2017
The White House has tapped the National Security Agency’s top hacker Rob Joyce as its “Cyber Czar,” according to reports Tuesday. Joyce has headed up the agency’s Tailored Access Operations group since 2013. The administration has been slow to fill key cybersecurity roles but selecting Joyce is seen as a step toward strengthening the White House’s cyber posture. “Rob Joyce is a strong pick for White House cyber coordinator. He has a sophisticated understanding of the problem and is respected within the security industry,” Amit Yoran, CEO and chairman of Tenable and the nation’s first cyber czar, said in comments emailed to SC Media. “I’m confident in his ability to work both within the government and with the private sector to improve national cybersecurity.” Mike Overly, information security and privacy partner at Foley & Lardner LLP, called the Joyce pick “a solid step in the right direction.” He noted that business has been missing a “specific direction” to achieve required security levels. “An expert, such as Mr. Joyce, brings that to the table. In trying to comply with the many security regulations being promulgated at both the federal and state levels, what businesses need is specifics, not generalized statements,” Overly said in comments emailed to SC Media. “The choice of Mr. Joyce, in combination with other activities of the Trump administration relating to regulations, in general, and security, in particular, is movement to afford greater clarity to businesses regarding their obligations concerning information security.”
More than 120,000 affected by W-2 Phishing scams this tax season
CSO | Steve Ragan | March 14, 2017
Tax season doesn’t officially end in the United States until April 18. At last count, 110 organizations have reported successful Phishing attacks targeting W-2 records, placing more than 120,000 taxpayers at risk for identity fraud. Many of those working for the victimized firms have had a stressful time dealing with the fallout. Those who have experienced this unique type of crime say it’s a nightmare. Some of those affected have had fraudulent returns filed under their name, in addition to issues with educational expenses. In one case, the scammers created flexible spending accounts with their stolen identities. The Phishing attacks causing so much damage, also known as BEC (Business Email Compromise) attacks, are simple and effective. They exploit trust relationships within the office, and in many cases, exploit the routine practice of sharing data via email. According to the IRS, these attacks are some of the most dangerous email scams the agency has seen in a long time. “It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns. We need everyone’s help to turn the tide against this scheme,” IRS Commissioner, John Koskinen, remarked in a warning issued last month.
This Teenager Just Hacked The Nintendo Switch With A Surveillance Company’s iPhone Attack
Forbes | Thomas Fox-Brewster | March 14, 2017
Luca Todesco, a 19-year-old Italian who has risen to prominence in the iPhone jailbreaking crowd under his pseudonym qwertyoruiop, has just proven how vulnerabilities in one massively popular piece of technology can be re-used to hack an entirely different gadget. Todesco took a bug in Apple’s WebKit browser engine that was previously used by an Israeli spy agency contractor, NSO Group, to spy on iPhones and applied it to the Nintendo Switch. He found he was able to remotely run malicious code on the Switch, as YouTube user LiveOverflow demonstrated. Rather than cause consternation amongst the Switch’s rapidly growing userbase, Todesco’s escapades might be cause for excitement. That’s because there’s already a burgeoning Switch hacking scene, led by security researchers who want to tinker with their Nintendo systems so they can mod them and upload their own software. Indeed, Todesco may not have been the first to hack the Switch via that iPhone bug. A group of researchers called ReSwitched released a tool on Tuesday called PegaSwitch, “an exploit toolkit for the Nintendo Switch,” which takes advantage of the same WebKit vulnerability as Todesco’s hack. Cody Brocious, another noted iPhone hacker who’s also famous in security spheres for exposing serious digital shortcomings in hotel door locks, is one of the project leads. “This does not currently enable homebrew software, but is built to allow other hackers to work toward that goal,” the group noted on the PegaSwitch page. The ReSwitched crew’s mission is to “fully document the inner workings of the Nintendo Switch, as well as hacking the console to allow homebrew software.” As Todesco noted, his hacks only open the door for future Switch jailbreaks. Switch modders are just getting started.
Category: The Monday Media Wrap Up