Next generation DDoS attack"
http://www.israeldefense.co.il/en/node/28609 30.01.2017
Sunday, January 22, 2017
Cyber Updates - 22/01
Hey everyone,
Here are this week’s cyber updates:
(1) Comsec advises its clients to restrict network access from the organization, in order to prevent
data leakage to a C&C server.
Recently, Google’s infrastructure was found to be
used as a C&C “server”. These servers are usually whitelisted, and thus
allow attackers to extract data from organizations.
The script sends and receives commands to and from
Google Apps Script, Google Sheets, and Google Forms services. For each infected
user a unique Google Sheets spreadsheet is dynamically created in order to
manage each victim. The use of a legitimate third party service like this one
gives the attacker the ability to hide in plain sight.
Here are all the details: https://blogs.forcepoint.com/security-labs/carbanak-group-uses-google-malware-command-and-control
(2) Facebook has been hacked.
While in the previous cyber updates post I wrote it about Google it wasn’t
really Google’s fault, this time Facebook was really hacked.
The website was found to contain a remote code
execution vulnerability in its ImageMagick parsing library (CVE-2016–3714).
In particular, Facebook contains an API that gets a
URL as a parameter, surfs to an image stored on that URL and displays it back
to the end-user. By using an image with the ImageMagick vulnerability in it,
security researcher Andrew Leonov has shown Facebook how he could execute
commands on the server, and extract their output via DNS tunneling.
Here are all the details: http://4lemon.ru/2017-01-17_facebook_imagetragick_remote_code_execution.html
(3) This has not been the week
of Facebook. Hackers have also found that the Facebook voice messages are
vulnerable to SSL Strip attacks.
In particular, Facebook CDN
servers do not impose HTTP Strict Transport Security (HSTS) policy, hence
permitting this flaw.
Here are all the details: http://go0nsquad.net/simple-hack-lets-hackers-listen-to-your-facebook-voice-messages-sent-over-chat/
And here’s a PoC video: https://youtu.be/9y0cov6dHb4
(4) A new denial of service
vulnerability was recently discovered in iOS.
In particular, anyone can crash your iPhone or iPad
by just sending an emoji-filled iMessage.
All you have to do to trigger this attack is send an
iMessage containing the following: A white Flag emoji, the digit "0"
and a Rainbow emoji. Your victim’s iPhone will crash even if they didn’t open
the message!
Here’s the PoC video: https://youtu.be/G0iPhSuiMpk?t=130
(5) The Donald being sworn for
presidency can’t go without a cyber-attack.
A radio station in Louisville was hacked, causing it
to play anti-Trump songs for nearly 15 minutes. The hackers, most probably used
a software used for emergency broadcasts in order to override the program that
was already on-air at the time of hack.
Here are the details: http://www.courier-journal.com/story/news/local/2017/01/20/local-radio-station-hacked-anti-trump-song/96853106/
Stay tuned for more updates,
Dan Gurfinkel
Head of Offensive Security & Response Unit
Sunday, January 15, 2017
PCI DSS Optimisation -- Comsec's Award Winning PCI DSS Case Study!
“How I rebuilt
organisational security strategy and BAU thanks to Comsec Group and PCI DSS”
Client story.
The client: “Fundgate” (pseudonym – the firm chose to be
anonymous) - An online financial services provider.
Fundgate is a global
financial and payment service provider, operating in more than 200 countries
and serving millions of users around the world. It is considered as a global
leader in the field of online payments and money transfer, a well-known and
respected player in the online financial services industry.
As business evolved and
developed, security threats and risks have also evolved and became part of the
business landscape. At the same time the company has also developed a strong
awareness and knowledge for information security, risks and threats for their
business from the security perspective.
Fundgate is no stranger
to security compliance and PCI DSS compliance in particular. Operating across
the globe and working closely with the card schemes– the company was very quick
to address and to adopt PCI DSS soon after it was published in 2006. The
company has achieved PCI DSS compliance and has maintained PCI DSS compliance ever
since.
One of the company’s core
principals has always been support the business and create value for the
business, with each function of the organisation. This includes IT, risk, HR,
compliance, third parties and suppliers. Each of those functions should support
and create value to the business.
Fundgate runs a large IT
infrastructure to support the business and the product environment. The
infrastructure consists of multiple product teams with fast paced DevOps
application delivery with product silos that are very much product orientated
as they are business focused.
Fundgate performed a
market search and decided to meet with Comsec, a well-known and experienced QSA
company as a result of re-evaluating their PCI DSS compliance framework.
This re-evaluation came as a result of concerns that PCI
DSS compliance becoming less effective and in some cases even conflicting with
the company IT and security framework. Through an internal assessment and
market analysis, Fundgate discovered that the great amount of resources, time,
energy and money spent on PCI DSS related solutions and activities has little
justification and value and should be utilised more effectively.
After several discussions,
Fundgate hired Comsec to take over its PCI DSS compliance programme and to “optimise”
the compliance programme and efforts.
Phase 1: Initial
Assessment
After a short period of working
together, Comsec’s QSAs came to the conclusion that indeed, the company was on
“auto-pilot” with regards to PCI DSS compliance and that a broad change with
regards to PCI DSS compliance was needed and must be implemented to truly
maintain their PCI DSS compliance at all times
but more importantly – to address and protect
against the security threats that the company was facing. Fundgate had to
rethink information security, governance and PCI DSS compliance.
Amongst the issues that
Comsec’s QSA team has identified:
-
Senior Management was not adequately involved with the PCI DSS compliance
programme.
-
PCI DSS compliance is treated as an annual project, “snap-shot”, and not as
a continuous process and effort.
-
Culturally, PCI DSS was considered as an unwanted practice, one that
damages and slowing down the business.
-
During the years, there was a decrease of knowledge in the IT and security teams
regarding the PCI regulation and the forming of the “auto-pilot” state and lack
of involvement of senior management.
-
Changes were not addressed- services involving card data were not assessed
properly, resulting in incorrect PCI DSS scope (in-scope/out-of-scope issues).
-
The client’s PCI personnel, were in many cases not synched with the
security and IT team.
-
PCI DSS controls and processes were in many cases disconnected and separated
from organisational information security controls and processes, rather than
being integrated in the organisational security framework.
-
Operationally, many of the PCI DSS controls and processes were disrupting
and slowing down other business processes like development, product release
cycles and IT operations as a result from improper environments and processes
management.
-
Security controls effectiveness was limited – they were only implemented
and used in the PCI DSS environment (scope).
Phase 2: Implementation
After understanding the difficulties and issues surrounding
PCI in Fundgate, Comsec’s QSA team proceeded to the next phase which is
implementing PCI DSS compliance and controls in the correct way. Using 3 core
values and principles that guide Comsec PCI QSA practice throughout its work:
Three areas of value to the organisation:
1.
Information Security Focus
o
Implementing and
maintaining PCI DSS compliance not by addressing generic requirements
and “filing the PCI checklist“, but understanding the business context, threats
and risks and then designing and implementing the security controls, solutions
and products that fits the environment and that would also fit the PCI DSS
requirements.
o
“The big picture”: Holistic approach. Understanding that
information security comes first and any compliance framework has to be aligned
with the organisational IS strategy. Controls and processes integrate and
coherent with the overall security and compliance framework of the entity by:
§
Multi-standard environment:
Addressing other relevant security standards, regulations and frameworks the
company is adhering to and aligning the PCI DSS framework accordingly.
§
PCI related BAU activities
– security testing, change management, IT security and others, are aligned,
applicable and cover the wider information security context. For example,
penetration testing is not limited to PCI DSS environment and requirements, but
to the also to other environments and standards, thus increasing the value of
the single activity to the organisation.
2.
Cost-effectiveness
o
“Back to basics”- put an
emphasis on the intent of the PCI requirements and security controls, and
design suitable processes, not on products and tools. In many cases security
controls can be implemented by using simple practices. In many other cases a manual
approach to a security control or process can be faster, more effective and
more cost effective than its automatic tool equivalent.
o
Solutions/products- remove
unnecessary tools and products utilised as part of the PCI DSS
controls/requirements. Those can have expensive costs and can be easily
achieved using manual or open-source tools.
o
Scope reduction- through
expert consulting, Comsec experienced QSA team was able to reduce the scope of
the PCI DSS environment and requirements, offering greater flexibility with
addressing requirements and suggesting compensating controls where possible, to
assist with reducing costs and unnecessary work.
3.
Business Focus
o
PCI DSS compliance is part
of organisational Information Security - which is part of the organisation
business.
o
Security controls fit into the
business and product environment.
o
Implementing information security business as usual practices that support
the business and operations.
o
Financial services expertise and experience - Comsec has been working with all
the leading financial and payment entities, including Visa and Mastercard, on
their card data security programmes prior to the establishment of the PCI
Security Standards Council, and in the early stages of formulating the
guidelines later known as PCI DSS. This leads to unmatched experience and
know-how in the financial services sector.
• Phase 3: Results and Client testimonials (anonymized)
“Comsec has been a true partner both for PCI DSS compliance
and for Information Security”
·
Enabled my company to
achieve not just to tick the box of the standards controls, but to design the
right PCI DSS compliance framework for my organisation
·
Reduced costs of compliance
and at the same time improve efficiency and effectiveness
·
PCI is no longer a burden
on the company resources, but seen as an important tool to confront our risk
and security threat environment.
·
Security makes sense now
more than ever - security controls, solutions, products and processes work in
harmony and are relevant to the requirements and the security threats.
·
Employees are involved in
information security more than ever and actually understand the PCI DSS
requirements.
·
Demonstrable
best-in-class abilities in the business area under review
Throughout the project, Comsec demonstrated what is expected from a cutting edge leading consultancy.- Total partnership and commitment to the client
objective –business, professional and operational. Comsec performed a PCI DSS
scoping that includes the organisation’s business environment, internal
processes and philosophy, to create a tailored PCI DSS compliance and framework
that fits with the organisation principals and operations.
• Clear project
management and process reengineering expertise
Comsec has dedicated a senior experienced project manager
(director level), with vast experience across hundreds of PCI related projects,
and specific industry experience in the financial and online sectors. This comes
from Comsec’s approach that PCI DSS processes and controls are not stand-alone
and do not operate within a vacuum, and must consider the business, operational
and even cultural aspects of an organisation. It is only from great experience,
professional knowledge the two can be combined successfully.
• Mastery of the
latest technological solutions
Comsec’s QSA team for the
project consisted of a top-level technical consultant, with the most updated
knowledge of current security solutions and products.
• Understanding of the
very latest regulatory requirements
Additionally, Comsec’s lead
QSA is an experienced consultant and auditor for many security standards and
best practices- PA-DSS, PCI P2PE, ISO27001, COBIT 5, Data Privacy and more.
Thus creating a broad vision of the regulatory environment.
• The successful
delivery of a core strategic initiative / set of client objectives
Through expert consulting, Comsec’s experienced QSA team
worked together with the client to achieve project targets while optimising the
PCI DSS compliance process- including PCI DSS environment and requirements
scope reduction, greater flexibility addressing the requirements and suggesting
compensating controls where possible, to assist with reducing costs and
unnecessary work.
• On budget, on
time
Comsec managed to reduce the annual budget associated with
PCI DSS in the organisation by removing irrelevant products and practices from
the framework and optimising the overall process and security controls
effectiveness.
• Successful
integration with existing client infrastructure
Working together with Fundgate, Comsec successfully
integrated PCI DSS compliance maintenance with the client existing IT &
security operations governance framework. This was a complete re-engineering of
the previous PCI DSS compliance framework, which did not work seamlessly into
the organisational framework.
• Access to the
right technology partners for the job
Comsec helped the company compare and choose the right
suppliers and products for the business.
Cyber Updates - 14/01
Hey all,
Here are this week’s cyber updates.
(1) I’m pretty sure most of you
are aware of Google Chrome’s (as well as other browser’s) auto fill feature.
This feature allows Chrome to automatically fill your personal information in
websites in order to speed up registration processes.
What most of you don’t know is
that hidden fields are auto-filled, and thus submitted to the website’s owner.
This allows the website to collect personal information without the user’s
consent.
Here is a link to a PoC website: https://anttiviljami.github.io/browser-autofill-phishing/
If you didn’t understand this
one, please let me know and I’ll send you a link to another website, with an
example of stealing your credit card info J
(2) Cellebrite, the
Israeli-based company that allegedly helped the FBI to hack the iPhone, was
hacked.
The my.Cellebrite database has been
hacked, allowing the hackers to extract over 900GB of customers’ data.
Here are all the details: http://www.cellebrite.com/Mobile-Forensics/News-Events/Press-Releases/cellebrite-statement-on-information-security-breach
(3) The Brazilian government
has accidentally twitted a link to a Google Drive Excel spreadsheet, which
contained a list of plain text passwords for social media accounts (Facebook,
Gmail, Twitter, Instagram and more).
It appears as if the tweet contained by accident a
copy-paste link to the spreadsheet instead of the intended URL.
They really should be more careful with their tweets,
but more than that, I couldn’t help but wonder why they didn’t enforce any
permissions on Google Drive…
Here are all the details: https://www.hackread.com/brazilian-govt-twitter-posts-social-media-passwords/
Stay tuned for more updates,
Dan
Gurfinkel
Head of
Offensive Security & Response Unit
Thursday, January 5, 2017
Cyber Updates - 05/01
Hey all,
Here are this week’s cyber updates:
(1) Google Brazil domain was
hacked! Yes, this is not a typo. Google was hacked.
At least that was what all major websites in Brazil
have said. However, by looking into Google Brazil’s tweet (https://twitter.com/googlebrasil/status/816359978005106688?ref_src=twsrc%5Etfw),
it seems like the attack did not directly target Google, but rather the ISP DNS
server used to resolve Google’s DNS to their IP address.
Nevertheless, for about 30 minutes google.com.br has
showed a defacement page (you can see how it looked like in the following
video: https://youtu.be/YnSLGx4bWRo).
This just shows you why it’s important for clients to add the HSTS header.
Here are the details: https://www.reddit.com/r/hacking/comments/5ltfbp/google_brazil_also_hacked/
(2) iMessage (Apple messaging
app) was found to be vulnerable to denial of service.
In particular, due to a high CPU consumption the app
crashes when it has to handle a large vCard (contact list) file.
And the good (or bad) news about it, is that it is
persistent. Rebooting your device will not solve the issue.
This is how one can exploit this:
·
iMessage the file to your victim of choice.
i. Beware! If you are using iPhone, then your phone will also crash
when sending.
Here are all the details: https://vincedes3.com/crash-message-app-iphone/
and here is a PoC video: https://youtu.be/N2doEKKywck
If you were infected, either surf to http://vincedes3.com/save.html, or
use Siri to reply to the victim with another message.
(3) We always recommend
organizations not to publicly expose their administrative interfaces to the internet.
As ransomware attacks are on the rise, attackers have
started targeting unusual targets (not workstations).
This time, a new ransomware has started targeting
MongoDB instances with blank or default credentials. The ransomware then replaces
(yes, replaces, not encrypts) the DB content with a ransom message.
By looking into the attacker’s bitcoin wallet, it
seems that so far 16 organization have paid the ransom. However, it is
suggested that the hacker does not store the original data (makes since, as it
would require the hacker to store terabytes of data on their own server), so
the clients have paid for no reason whatsoever.
Here are all the details: http://www.theregister.co.uk/2017/01/04/mongodb_installs_wiped_by_bitcoin_ransoming_script/
(4) A new Android Malware
(known as Switcher) was recently discovered by Kaspersky.
Instead of attacking the user, the malware targets
the Wi-Fi router (in particular TP-LINK Wi-Fi routers). The malware conducts a
dictionary attack on the router’s web interface, and, if successful, changes
its DNS servers.
So far, two packages of the malware were identified
(com.baidu.com and com.snda.wifi).
While mostly home users (and in particular in China)
are affected, it is still advised to block access to the
following malicious DNS servers:
·
101.200.147.153
·
112.33.13.11
·
120.76.249.59
Here are all the details: https://securelist.com/blog/mobile/76969/switcher-android-joins-the-attack-the-router-club/
(5) In the previous email Cyber
Update blog I’ve mentioned the PHPMailer remote code execution exploit.
Since then, the patch was found to be incomplete and
still contains another remote code execution.
Please update your PHPMailer
version once again.
Stay tuned for more updates,
Dan
Gurfinkel
Head of
Offensive Security & Response Unit
Subscribe to:
Posts (Atom)