Sunday, January 22, 2017
Here are this week’s cyber updates:
(1) Comsec advises its clients to restrict network access from the organization, in order to prevent data leakage to a C&C server.
Recently, Google’s infrastructure was found to be used as a C&C “server”. Google’s domains are usually whitelisted by organisations, which lets attackers extract data through them without being blocked.
The script sends commands to, and receives them from, the Google Apps Script, Google Sheets and Google Forms services. For each infected user a unique Google Sheets spreadsheet is created dynamically in order to manage that victim. Using a legitimate third-party service in this way gives the attacker the ability to hide in plain sight.
Here are all the details: https://blogs.forcepoint.com/security-labs/carbanak-group-uses-google-malware-command-and-control
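Because the C&C traffic goes to whitelisted Google hosts, blocking by destination is not enough; what gives such malware away is its machine-like timing. The following is an added example, not code from the post or from Forcepoint: it runs over a constructed proxy log and flags clients whose requests to the Apps Script, Sheets or Forms endpoints are evenly spaced (the log format, the endpoint regex and the thresholds are assumptions).

```python
import re
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not from the original post): timestamp, client, method, URL.
# Host .7 polls an Apps Script endpoint every ~30 s; host .9 is a person using Sheets.
SAMPLE_LOG = """\
2017-01-18T09:00:00 10.0.0.7 POST https://script.google.com/macros/s/EXAMPLE_ID/exec
2017-01-18T09:00:31 10.0.0.7 POST https://script.google.com/macros/s/EXAMPLE_ID/exec
2017-01-18T09:01:01 10.0.0.7 POST https://script.google.com/macros/s/EXAMPLE_ID/exec
2017-01-18T09:01:30 10.0.0.7 POST https://script.google.com/macros/s/EXAMPLE_ID/exec
2017-01-18T09:02:01 10.0.0.7 POST https://script.google.com/macros/s/EXAMPLE_ID/exec
2017-01-18T09:00:05 10.0.0.9 GET https://docs.google.com/spreadsheets/d/EXAMPLE_SHEET/edit
2017-01-18T09:47:12 10.0.0.9 GET https://docs.google.com/spreadsheets/d/EXAMPLE_SHEET/edit
2017-01-18T11:03:40 10.0.0.9 GET https://docs.google.com/spreadsheets/d/EXAMPLE_SHEET/edit
2017-01-18T09:00:10 10.0.0.9 GET https://www.google.com/
"""

# The Google services the Forcepoint write-up says the malware talks to (assumed URL shapes).
CNC_URL_RE = re.compile(r"https?://(script\.google\.com|docs\.google\.com/(spreadsheets|forms))/")
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_log(text):
    """Yield (timestamp, client_ip, url) for well-formed lines; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, _method, url = m.groups()
            yield datetime.fromisoformat(ts), client, url


def find_beacons(text, min_requests=4, max_cv=0.25):
    """Return {client_ip: mean_gap_seconds} for clients whose requests to the abused
    Google endpoints are evenly spaced (coefficient of variation <= max_cv).
    A whitelist cannot catch this traffic, but its regular timing can."""
    per_client = {}
    for ts, client, url in parse_log(text):
        if CNC_URL_RE.match(url):
            per_client.setdefault(client, []).append(ts)
    flagged = {}
    for client, stamps in per_client.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            flagged[client] = avg
    return flagged


if __name__ == "__main__":
    for client, gap in find_beacons(SAMPLE_LOG).items():
        print(f"{client}: possible beacon, mean interval {gap:.1f}s")
```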
(2) Facebook has been hacked. In the previous cyber updates post I wrote about Google, but that one wasn’t really Google’s fault; this time Facebook really was hacked.
The website was found to contain a remote code execution vulnerability in its ImageMagick parsing library (CVE-2016-3714).
In particular, Facebook has an API that takes a URL as a parameter, fetches the image stored at that URL and displays it back to the end user. By supplying an image crafted for the ImageMagick vulnerability, security researcher Andrew Leonov showed Facebook how he could execute commands on the server and extract their output via DNS tunneling.
Here are all the details: http://4lemon.ru/2017-01-17_facebook_imagetragick_remote_code_execution.html
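The ImageTragick mitigations were to lock down ImageMagick’s policy.xml and, above all, to verify the magic bytes of every file before handing it to ImageMagick, since in the Facebook case the bytes came from an attacker-chosen URL. The checker below is an added example, not Facebook’s or ImageMagick’s code; the allowed formats, the sample inputs and the function names are assumptions.

```python
# Magic bytes of the raster formats an avatar/preview endpoint actually needs.
# Anything else, in particular the text-based MVG/SVG coders that ImageTragick
# (CVE-2016-3714) abuses, is rejected before ImageMagick ever sees the bytes.
RASTER_SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Constructed samples (not real exploit payloads): a PNG header with filler bytes,
# and a harmless MVG-style text file of the kind ImageMagick would otherwise interpret.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_MVG_TEXT = b"push graphic-context\nviewbox 0 0 640 480\npop graphic-context\n"


def sniff_image_type(data: bytes):
    """Return 'png', 'jpeg' or 'gif' when the content starts with that signature, else None.
    Only the bytes are trusted: the URL, extension and Content-Type are attacker-controlled."""
    for fmt, sigs in RASTER_SIGNATURES.items():
        if any(data.startswith(s) for s in sigs):
            return fmt
    return None


def validate_for_imagemagick(data: bytes, declared_ext: str):
    """Decide whether fetched bytes may be handed to ImageMagick.
    Returns (ok, reason); ok is True only when the sniffed type is an allowed
    raster format and matches what the request claimed."""
    sniffed = sniff_image_type(data)
    if sniffed is None:
        return False, "unrecognised or non-raster content"
    ext = declared_ext.lower().lstrip(".")
    ext = "jpeg" if ext == "jpg" else ext
    if ext != sniffed:
        return False, f"declared {ext} but content is {sniffed}"
    return True, sniffed


if __name__ == "__main__":
    print(validate_for_imagemagick(SAMPLE_PNG, "png"))
    print(validate_for_imagemagick(SAMPLE_MVG_TEXT, "png"))
```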
(3) This has not been Facebook’s week. Hackers have also found that Facebook voice messages are vulnerable to SSL Strip attacks.
In particular, Facebook’s CDN servers do not enforce an HTTP Strict Transport Security (HSTS) policy, which is what permits this flaw.
Here are all the details: http://go0nsquad.net/simple-hack-lets-hackers-listen-to-your-facebook-voice-messages-sent-over-chat/
And here’s a PoC video: https://youtu.be/9y0cov6dHb4
(4) A new denial of service vulnerability was recently discovered in iOS.
In particular, anyone can crash your iPhone or iPad by just sending an emoji-filled iMessage.
All you have to do to trigger this attack is send an iMessage containing the following: A white Flag emoji, the digit "0" and a Rainbow emoji. Your victim’s iPhone will crash even if they didn’t open the message!
Here’s the PoC video: https://youtu.be/G0iPhSuiMpk?t=130
(5) The Donald being sworn in as president can’t go without a cyber-attack.
A radio station in Louisville was hacked, causing it to play anti-Trump songs for nearly 15 minutes. The hackers most probably used software intended for emergency broadcasts to override the programme that was on air at the time of the hack.
Here are the details: http://www.courier-journal.com/story/news/local/2017/01/20/local-radio-station-hacked-anti-trump-song/96853106/
Stay tuned for more updates,
Head of Offensive Security & Response Unit
Sunday, January 15, 2017
“How I rebuilt organisational security strategy and BAU thanks to Comsec Group and PCI DSS”
The client: “Fundgate” (a pseudonym; the firm chose to remain anonymous), an online financial services provider.
Fundgate is a global financial and payment service provider, operating in more than 200 countries and serving millions of users around the world. It is considered a global leader in online payments and money transfer, and a well-known and respected player in the online financial services industry.
As the business evolved, security threats and risks evolved with it and became part of the business landscape. At the same time the company developed strong awareness and knowledge of information security and of the risks and threats to its business.
Fundgate is no stranger to security compliance, and to PCI DSS compliance in particular. Operating across the globe and working closely with the card schemes, the company was quick to adopt PCI DSS soon after it was published in 2006. It achieved PCI DSS compliance then and has maintained it ever since.
One of the company’s core principles has always been that every function of the organisation, including IT, risk, HR, compliance, third parties and suppliers, should support the business and create value for it.
Fundgate runs a large IT infrastructure to support the business and the product environment. It consists of multiple product teams practising fast-paced DevOps application delivery, organised in product silos that are as product-orientated as they are business-focused.
After re-evaluating its PCI DSS compliance framework, Fundgate performed a market search and decided to meet with Comsec, a well-known and experienced QSA company.
The re-evaluation was prompted by concerns that PCI DSS compliance was becoming less effective and in some cases even conflicted with the company’s IT and security framework. Through an internal assessment and market analysis, Fundgate concluded that the large amount of resources, time, energy and money spent on PCI DSS related solutions and activities had little justification or value and should be used more effectively.
After several discussions, Fundgate hired Comsec to take over its PCI DSS compliance programme and to “optimise” the compliance effort.
Phase 1: Initial Assessment
After a short period of working together, Comsec’s QSAs concluded that the company was indeed on “auto-pilot” with regard to PCI DSS compliance, and that a broad change was needed, not only to truly maintain PCI DSS compliance at all times but, more importantly, to address and protect against the security threats the company was facing. Fundgate had to rethink information security, governance and PCI DSS compliance.
Amongst the issues Comsec’s QSA team identified:
- Senior management was not adequately involved in the PCI DSS compliance programme.
- PCI DSS compliance was treated as an annual “snapshot” project rather than as a continuous process and effort.
- Culturally, PCI DSS was considered an unwanted practice, one that damages and slows down the business.
- Over the years, knowledge of the PCI regulation in the IT and security teams had decreased, which, together with the lack of senior management involvement, produced the “auto-pilot” state.
- Changes were not addressed: services involving card data were not assessed properly, resulting in an incorrect PCI DSS scope (in-scope/out-of-scope issues).
- The client’s PCI personnel were in many cases not in sync with the security and IT teams.
- PCI DSS controls and processes were in many cases disconnected from the organisational information security controls and processes, rather than integrated into the organisational security framework.
- Operationally, many of the PCI DSS controls and processes were disrupting and slowing down other business processes, such as development, product release cycles and IT operations, as a result of improper environment and process management.
- The effectiveness of security controls was limited: they were implemented and used only in the PCI DSS environment (scope).
Phase 2: Implementation
After understanding the difficulties and issues surrounding PCI at Fundgate, Comsec’s QSA team proceeded to the next phase: implementing PCI DSS compliance and controls in the correct way, guided by the three core values and principles that underpin Comsec’s PCI QSA practice throughout its work.
Three areas of value to the organisation:
1. Information Security Focus
- Implementing and maintaining PCI DSS compliance not by addressing generic requirements and “filling in the PCI checklist”, but by understanding the business context, threats and risks, and then designing and implementing the security controls, solutions and products that fit the environment and also satisfy the PCI DSS requirements.
- “The big picture”: a holistic approach. Information security comes first, and any compliance framework has to be aligned with the organisation’s IS strategy. Controls and processes are integrated and coherent with the entity’s overall security and compliance framework by:
  - Multi-standard environment: addressing the other relevant security standards, regulations and frameworks the company adheres to, and aligning the PCI DSS framework accordingly.
  - PCI-related BAU activities (security testing, change management, IT security and others) are aligned, applicable and cover the wider information security context. For example, penetration testing is not limited to the PCI DSS environment and requirements but also covers other environments and standards, increasing the value of the single activity to the organisation.
- “Back to basics”: put the emphasis on the intent of the PCI requirements and security controls, and design suitable processes, rather than on products and tools. In many cases security controls can be implemented using simple practices; in many others a manual approach to a security control or process can be faster, more effective and more cost-effective than its automated tool equivalent.
- Solutions and products: remove unnecessary tools and products used as part of the PCI DSS controls and requirements. These can be expensive, and the same controls can often be achieved with manual practices or open-source tools.
- Scope reduction: through expert consulting, Comsec’s experienced QSA team was able to reduce the scope of the PCI DSS environment and requirements, offering greater flexibility in addressing requirements and suggesting compensating controls where possible, to help reduce costs and unnecessary work.
3. Business Focus
- PCI DSS compliance is part of organisational information security, which is part of the organisation’s business.
- Security controls fit into the business and product environment.
- Implementing information security business-as-usual practices that support the business and operations.
- Financial services expertise and experience: Comsec has worked with all the leading financial and payment entities, including Visa and Mastercard, on their card data security programmes since before the PCI Security Standards Council was established, during the early stages of formulating the guidelines later known as PCI DSS. This gives it unmatched experience and know-how in the financial services sector.
Phase 3: Results and Client testimonials (anonymized)
“Comsec has been a true partner both for PCI DSS compliance and for Information Security”
- Enabled my company not just to tick the boxes of the standard’s controls, but to design the right PCI DSS compliance framework for my organisation
- Reduced the costs of compliance and at the same time improved efficiency and effectiveness
- PCI is no longer a burden on the company’s resources, but is seen as an important tool to confront our risk and security threat environment.
- Security makes sense now more than ever: security controls, solutions, products and processes work in harmony and are relevant to the requirements and the security threats.
- Employees are involved in information security more than ever and actually understand the PCI DSS requirements.
- Demonstrable best-in-class abilities in the business area under review
Throughout the project, Comsec demonstrated what is expected from a cutting-edge, leading consultancy.
- Total partnership and commitment to the client’s objectives: business, professional and operational. Comsec performed PCI DSS scoping that took in the organisation’s business environment, internal processes and philosophy, to create a tailored PCI DSS compliance framework that fits the organisation’s principles and operations.
- Clear project management and process reengineering expertise
Comsec dedicated a senior, experienced project manager (director level) with vast experience across hundreds of PCI-related projects and specific industry experience in the financial and online sectors. This reflects Comsec’s approach that PCI DSS processes and controls are not stand-alone, do not operate in a vacuum, and must consider the business, operational and even cultural aspects of an organisation. Only with great experience and professional knowledge can the two be combined successfully.
- Mastery of the latest technological solutions
Comsec’s QSA team for the project included a top-level technical consultant with the most up-to-date knowledge of current security solutions and products.
- Understanding of the very latest regulatory requirements
Additionally, Comsec’s lead QSA is an experienced consultant and auditor for many security standards and best practices (PA-DSS, PCI P2PE, ISO 27001, COBIT 5, data privacy and more), which gives a broad view of the regulatory environment.
- The successful delivery of a core strategic initiative / set of client objectives
Through expert consulting, Comsec’s experienced QSA team worked with the client to achieve the project targets while optimising the PCI DSS compliance process, including reducing the scope of the PCI DSS environment and requirements, greater flexibility in addressing the requirements, and suggesting compensating controls where possible, to help reduce costs and unnecessary work.
- On budget, on time
Comsec reduced the organisation’s annual PCI DSS budget by removing irrelevant products and practices from the framework and optimising the overall process and the effectiveness of the security controls.
- Successful integration with existing client infrastructure
Working together with Fundgate, Comsec integrated PCI DSS compliance maintenance into the client’s existing IT and security operations governance framework. This was a complete re-engineering of the previous PCI DSS compliance framework, which had not fitted seamlessly into the organisational framework.
- Access to the right technology partners for the job
Comsec helped the company compare and choose the right suppliers and products for the business.
Here are this week’s cyber updates.
(1) I’m pretty sure most of you are aware of Google Chrome’s (as well as other browsers’) autofill feature. This feature allows Chrome to automatically fill in your personal information on websites in order to speed up registration processes.
What most of you don’t know is that hidden fields are auto-filled too, and thus submitted to the website’s owner. This allows a website to collect personal information without the user’s consent.
Here is a link to a PoC website: https://anttiviljami.github.io/browser-autofill-phishing/
If you didn’t understand this one, please let me know and I’ll send you a link to another website, with an example of stealing your credit card info :)
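For anyone reviewing a sign-up page (their own or a suspicious one), the tell is an input the browser would autofill that the user cannot see. The scanner below is an added example, not the PoC site’s code: it walks a constructed form with Python’s html.parser and reports autofillable fields hidden by inline styles, either on the input itself or on an enclosing element (the token list, hiding heuristics and sample form are assumptions).

```python
from html.parser import HTMLParser

# HTML autocomplete tokens a browser may fill from stored personal or card data.
PII_TOKENS = {"name", "email", "tel", "street-address", "postal-code", "organization",
              "cc-name", "cc-number", "cc-exp", "cc-csc", "address-line1"}
HIDING_STYLES = ("display:none", "visibility:hidden", "opacity:0", "left:-", "top:-")
CONTAINERS = {"div", "span", "form", "fieldset", "p", "label", "section"}

# Constructed sample form (not the PoC page): two visible fields, three hidden ones.
SAMPLE_FORM = """
<form action="/signup">
  <input name="name" autocomplete="name">
  <input name="email" autocomplete="email">
  <div style="display: none">
    <input name="phone" autocomplete="tel">
    <input name="address" autocomplete="street-address">
  </div>
  <input name="cc_number" autocomplete="cc-number" style="position:absolute; left:-9999px">
  <input name="comment">
</form>
"""

def _is_hidden(attrs):
    """True when the element's own inline style or class hides it from the user."""
    style = attrs.get("style", "").replace(" ", "").lower()
    return any(h in style for h in HIDING_STYLES) or "hidden" in attrs.get("class", "").split()

class HiddenAutofillScanner(HTMLParser):
    """Collect <input> fields a browser may autofill while the user cannot see them."""
    def __init__(self):
        super().__init__()
        self.stack = []          # (tag, hidden?) for open container elements
        self.hidden_depth = 0    # number of currently open hidden containers
        self.findings = []       # (field name, matching autocomplete tokens)

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        hidden = _is_hidden(attrs)
        if tag in CONTAINERS:
            self.stack.append((tag, hidden))
            self.hidden_depth += int(hidden)
        elif tag == "input":
            tokens = set(attrs.get("autocomplete", "").lower().split()) & PII_TOKENS
            if tokens and (hidden or self.hidden_depth):
                self.findings.append((attrs.get("name", "?"), sorted(tokens)))

    def handle_endtag(self, tag):
        if tag in CONTAINERS:
            while self.stack:                  # unwind to the matching open container
                t, hidden = self.stack.pop()
                self.hidden_depth -= int(hidden)
                if t == tag:
                    break

def scan_form(html):
    """Return [(field name, tokens)] for hidden-but-autofillable inputs in the HTML."""
    scanner = HiddenAutofillScanner()
    scanner.feed(html)
    return scanner.findings
```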
(2) Cellebrite, the Israeli-based company that allegedly helped the FBI to hack the iPhone, was hacked.
The my.Cellebrite database was hacked, allowing the attackers to extract over 900GB of customer data.
Here are all the details: http://www.cellebrite.com/Mobile-Forensics/News-Events/Press-Releases/cellebrite-statement-on-information-security-breach
(3) The Brazilian government accidentally tweeted a link to a Google Drive Excel spreadsheet containing a list of plain-text passwords for social media accounts (Facebook, Gmail, Twitter, Instagram and more).
It appears the tweet accidentally contained a copy-pasted link to the spreadsheet instead of the intended URL.
They really should be more careful with their tweets, but more than that, I couldn’t help but wonder why they didn’t enforce any permissions on Google Drive…
Here are all the details: https://www.hackread.com/brazilian-govt-twitter-posts-social-media-passwords/
Stay tuned for more updates,
Head of Offensive Security & Response Unit
Thursday, January 5, 2017
Here are this week’s cyber updates:
(1) Google Brazil domain was hacked! Yes, this is not a typo. Google was hacked.
At least that is what all the major websites in Brazil said. However, looking at Google Brazil’s tweet (https://twitter.com/googlebrasil/status/816359978005106688?ref_src=twsrc%5Etfw), it seems the attack did not target Google directly, but rather the ISP’s DNS server used to resolve Google’s domain name to its IP address.
Nevertheless, for about 30 minutes google.com.br showed a defacement page (you can see what it looked like in the following video: https://youtu.be/YnSLGx4bWRo).
This just shows why it’s important for clients to add the HSTS header.
Here are the details: https://www.reddit.com/r/hacking/comments/5ltfbp/google_brazil_also_hacked/
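Both this item and the Facebook CDN SSL Strip item in the previous post come down to whether a site sends a strong HSTS policy: without it a browser that has visited before will still accept a plain-HTTP downgrade. The checker below is an added example, not code from the post: it parses a Strict-Transport-Security value and lists the weaknesses a defender would want flagged (the header samples and the one-year threshold are assumptions, the latter following common preload guidance).

```python
ONE_YEAR = 365 * 24 * 3600


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into {directive: value} (names lower-cased,
    value '' for flag directives such as includeSubDomains)."""
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def evaluate_hsts(headers):
    """Given response headers (any name casing), return a list of findings.
    An empty list means the policy protects return visitors from an SSL-strip
    downgrade, covers subdomains such as CDN hosts, and is eligible for preload."""
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("strict-transport-security")
    if value is None:
        return ["HSTS header missing: browser will accept a plain-HTTP downgrade"]
    findings = []
    d = parse_hsts(value)
    if "max-age" not in d or not d["max-age"].isdigit():
        findings.append("max-age missing or not numeric: header is ignored by browsers")
    else:
        age = int(d["max-age"])
        if age == 0:
            findings.append("max-age=0 disables HSTS")
        elif age < ONE_YEAR:
            findings.append(f"max-age {age}s is below the recommended one year")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains absent: subdomains (e.g. CDN hosts) stay unprotected")
    if "preload" not in d:
        findings.append("preload absent: the very first visit is still vulnerable")
    return findings


if __name__ == "__main__":
    # Constructed responses: one with no HSTS at all, one with a weak policy.
    for hdrs in ({}, {"Strict-Transport-Security": "max-age=300"}):
        print(evaluate_hsts(hdrs))
```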
(2) iMessage (Apple messaging app) was found to be vulnerable to denial of service.
In particular, the app crashes due to high CPU consumption when it has to handle a large vCard (contact list) file.
And the good (or bad) news is that it is persistent: rebooting your device will not solve the issue.
This is how one can exploit this:
- Generate a large contacts file (one can be found here: http://vincedes3.com/vincedes3.vcf)
- iMessage the file to your victim of choice.
  - Beware! If you are using an iPhone, your phone will also crash when sending.
Here are all the details: https://vincedes3.com/crash-message-app-iphone/ and here is a PoC video: https://youtu.be/N2doEKKywck
If you were affected, either browse to http://vincedes3.com/save.html, or use Siri to reply to that conversation with another message.
(3) We always recommend organizations not to publicly expose their administrative interfaces to the internet.
As ransomware attacks are on the rise, attackers have started going after unusual targets (not just workstations).
This time, a new ransomware campaign has started targeting MongoDB instances with blank or default credentials. The attackers then replace (yes, replace, not encrypt) the DB content with a ransom message.
Looking at the attacker’s bitcoin wallet, it seems that so far 16 organizations have paid the ransom. However, it is suggested that the attacker does not keep the original data (which makes sense, as it would require storing terabytes of data on their own server), so those organizations have paid for nothing whatsoever.
Here are all the details: http://www.theregister.co.uk/2017/01/04/mongodb_installs_wiped_by_bitcoin_ransoming_script/
(4) A new Android Malware (known as Switcher) was recently discovered by Kaspersky.
Instead of attacking the user, the malware targets the Wi-Fi router (in particular TP-LINK routers). It conducts a dictionary attack on the router’s web interface and, if successful, changes the router’s DNS servers.
So far, two packages of the malware have been identified (com.baidu.com and com.snda.wifi).
While mostly home users (and in particular those in China) are affected, it is still advised to block access to the following malicious DNS servers:
Here are all the details: https://securelist.com/blog/mobile/76969/switcher-android-joins-the-attack-the-router-club/
(5) In the previous Cyber Update post I mentioned the PHPMailer remote code execution exploit.
Since then, the patch was found to be incomplete and still contains another remote code execution vulnerability.
Please update your PHPMailer version once again.
Stay tuned for more updates,
Head of Offensive Security & Response Unit