A newly released Dell End-User Security Survey showed that even employees with information security education and training can engage in risky security practices. According to the survey, the good news is that 76% of employees feel their company prioritizes security over productivity, and two out of three employees have been trained, but 18% of them still engage in unsafe security practices, and 24% of them do not care because they think it is unavoidable for productivity. The survey also found that 72% of employees are willing to share confidential, sensitive, or regulated information with others under certain circumstances, and 35% think it is common to see workers leaving with corporate information when they leave an organization. I think there are two problems. The first one is the balance between security and productivity: for productivity, employees share data with each other or skip security steps to complete tasks more quickly. The second problem is that employee security training is not very effective, so employees still have bad security practices and habits. Organizations should realize that security training must be continuous in order to create a security culture, so that employees are always aware that security has a higher priority than productivity.
This week, OWASP released a working draft of its latest OWASP Top 10 vulnerabilities list. This is the first change to this industry benchmark list in four years, even though many of the vulnerabilities remain the same. The OWASP Top 10 is designed to help developers, designers, architects and business owners avoid the risks associated with the most common vulnerabilities, and to provide a standard for prioritizing vulnerability mitigation. The greatest change in the 2017 Top 10 is the addition of application programming interfaces (APIs), which could help raise awareness of API security. However, some think that the Top 10 list is not evolving quickly enough to keep up with the pace of change in how software is delivered, and thus fails to cover changing trends. On the other hand, some think there is no need to update the list every year, because the strong similarities between editions mean that the trends do not change that quickly.
The Pwn2Own 2017 contest, an annual computer hacking contest, ended on March 17. During the three-day contest, Google Chrome remained unscratched; Mozilla Firefox fell once; Apple’s Safari was taken down four times, and a number of flaws were found in its newly developed Touch Bar; two exploits were found for both Adobe Reader and Flash Player. One impressive result of this contest was that two teams, 360 Security and Tencent Security, both from China, successfully completed virtual machine escapes on the third day. Virtual machines are usually used to create an isolated environment that poses no threat to the host operating system in case of compromise. One of the main goals of a hypervisor is to create a barrier between the guest OS running inside the VM and the host OS that the hypervisor runs on. It prevents one user’s data and OS from being accessed by others sharing the same physical server. However, a successful VM escape means that the attackers were able to break out of a VM and interact with and execute code on the host OS. 360 Security completed the VM escape by exploiting a heap overflow bug in Microsoft Edge, a type confusion in the Windows kernel, and an uninitialized buffer in VMware Workstation. The code demonstration took only 90 seconds. Tencent Security completed the guest-to-host escape using a three-bug chain involving a Windows kernel UAF, a Workstation infoleak, and an uninitialized buffer in VMware Workstation. Finally, the 360 Security team won the most points and was crowned Master of Pwn for this year, with Tencent Security in second place. All the exploits found in this contest had to be shared with the contest’s organizer and the vendors, and they will be kept confidential until the vulnerabilities have been patched.
A new RF Transceiver extension for the Metasploit Hardware Bridge API is now available, allowing organizations to detect and scan wireless IoT devices operating outside the standard 802.11 specification. The new extension further broadens the use cases for Metasploit. It is designed to enable organizations to craft and monitor different RF packets in order to identify and assess the security state of multi-frequency wireless devices more effectively than current tools. It allows pen testers to create and direct “short bursts of interference” at such devices to see how they respond from a security standpoint. One of the greatest threats to wireless IoT devices is unauthorized access to the information those devices can reach. For example, a smart lighting system with both RF and WiFi components may be attacked on the RF side to gain access to the WiFi side. In addition, many RF-enabled devices fail to serialize their messages or otherwise ensure that each request and response is unique, and are therefore vulnerable to issues like replay attacks. Since organizations are expected to connect a constantly growing range of wireless IoT devices, it is important for them to increase their RF testing capabilities.
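The replay weakness described above comes down to a receiver that cannot tell a fresh command from a recording of an earlier one. The following is an added illustration, not code from the article or from the Metasploit project: it models a simple command frame for a hypothetical RF device and contrasts a receiver that only checks a keyed MAC (so a captured frame is accepted again and again) with one that also requires a strictly increasing, MAC-covered counter. The key, frame layout and command values are all constructed for the example.

```python
"""Replay protection for a simple RF command protocol (added example, not from the article)."""
import hashlib
import hmac
import struct
from typing import Tuple

# Constructed shared secret; a real deployment would provision a per-device key.
DEVICE_KEY = b"constructed-example-key-0001"

CMD_UNLOCK = 0x01                          # constructed command code
HEADER_FMT = ">IB"                         # 4-byte counter, 1-byte command
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 5 bytes
TAG_LEN = 8                                # truncated HMAC-SHA256 tag


def build_frame(key: bytes, counter: int, command: int) -> bytes:
    """Sender side: authenticate (counter, command) with a keyed MAC."""
    body = struct.pack(HEADER_FMT, counter, command)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


def _tag_ok(key: bytes, body: bytes, tag: bytes) -> bool:
    expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return hmac.compare_digest(tag, expected)


class NaiveReceiver:
    """Weak design: verifies the tag but ignores the counter, so a recorded
    authentic frame is accepted every time it is delivered."""

    def __init__(self, key: bytes):
        self.key = key

    def accept(self, frame: bytes) -> Tuple[bool, str]:
        if len(frame) != HEADER_LEN + TAG_LEN:
            return False, "bad length"
        body, tag = frame[:HEADER_LEN], frame[HEADER_LEN:]
        if not _tag_ok(self.key, body, tag):
            return False, "bad tag"
        _, command = struct.unpack(HEADER_FMT, body)
        return True, f"command {command}"


class HardenedReceiver(NaiveReceiver):
    """Hardened design: the counter is covered by the MAC and must strictly
    increase, so each authentic frame is accepted at most once."""

    def __init__(self, key: bytes):
        super().__init__(key)
        self.last_counter = -1   # highest counter accepted so far

    def accept(self, frame: bytes) -> Tuple[bool, str]:
        ok, reason = super().accept(frame)
        if not ok:
            return ok, reason
        counter, command = struct.unpack(HEADER_FMT, frame[:HEADER_LEN])
        if counter <= self.last_counter:
            return False, "replay"
        self.last_counter = counter
        return True, f"command {command}"


def replay_demo() -> dict:
    """Deliver the same authentic frame twice to each receiver and record
    whether the second delivery is accepted."""
    naive, hardened = NaiveReceiver(DEVICE_KEY), HardenedReceiver(DEVICE_KEY)
    frame = build_frame(DEVICE_KEY, counter=1, command=CMD_UNLOCK)
    return {
        "naive_first": naive.accept(frame)[0],
        "naive_replay": naive.accept(frame)[0],
        "hardened_first": hardened.accept(frame)[0],
        "hardened_replay": hardened.accept(frame)[0],
    }


if __name__ == "__main__":
    print(replay_demo())
```

The counter must survive power cycles on the receiver (otherwise a reboot reopens the replay window), and a device that is tested with a tool like the RF transceiver extension should show the "replay" rejection rather than acting on the second copy.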
Recently, the whistleblower website WikiLeaks publicly leaked 8,761 documents purportedly containing highly confidential information on the CIA’s global hacking capabilities and malware arsenal. The data dump was the largest-ever leak of confidential CIA information. The revealed files and documents were code-named Vault7 and came from an isolated, high-security network inside the CIA’s Center for Cyber Intelligence facility in Langley. The documents contained a voluminous library of cyber attack techniques collected from malware produced by other countries, several hundred million lines of attack code, and a collection of hacking tools developed over the years for breaking into and spying on adversary systems and networks, masking the origin of attacks, and confusing forensic investigations. WikiLeaks also stated that the documents had been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom provided WikiLeaks with portions of the archive. The leaked documents described numerous zero-day vulnerabilities targeting Android, iOS, and Windows systems, as well as exploits against network routers, smart TVs, and critical components in connected vehicles. This data dump raised concerns about the CIA’s ability to protect its confidential data against such massive leaks, and about WikiLeaks’ motives for the leak and its responsibility for potential misuse of the leaked data by criminal attackers. The FBI opened a federal criminal investigation into the WikiLeaks disclosure on Wednesday.
In a recent report, Rapid7 found that two-thirds of penetration test engagements were not detected at all by the organization being tested. The detection rates were nearly identical between large and small organizations and across different industries. This should be a great concern. Unlike pen tests, which are short-term, rapid-fire and sometimes loud, real attacks are usually long-term, slow and quiet. This means that if an organization cannot detect a penetration test, it would be impossible for it to detect a real cyber attack. Part of the problem is that organizations cannot or do not review their event logs daily. Penetration testing is gradually evolving. Bug bounty programs are on the rise and tend to shape the nature of some pen testing. Many organizations with bug bounty programs, especially technology companies including Facebook, Yahoo!, Google, Reddit, Square and Microsoft, are shifting toward more focused and challenging engagements.
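The report's point that a loud pen test should be the easy case for detection is worth seeing in log terms. The code below is an added example, not from Rapid7's report: it parses a constructed firewall-style log format (`timestamp src= dst= dport= action=`), keeps a sliding window per source address, and alerts when one source touches ten or more distinct host:port targets within the window. The sample log is constructed and contains a pen-test style burst of twelve ports in twelve seconds, the same twelve ports probed one per hour, and a normal user hitting one HTTPS server repeatedly. With a one-minute window only the burst is caught; the slow probe only appears when the window is widened, which is the same gap the report describes between detecting pen tests and detecting real attackers.

```python
"""Spotting a fast, noisy scan versus a slow, quiet one in connection logs
(added example; log format and sample lines are constructed)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed log format, loosely modelled on firewall allow/deny records.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse_line(line: str) -> Optional[Dict]:
    """Return a structured event, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "action": m["action"],
    }


def detect_scans(lines: List[str], window_seconds: int = 60,
                 target_threshold: int = 10) -> List[Dict]:
    """Alert once per source that touches >= target_threshold distinct
    (dst, dport) pairs inside a sliding time window. Lines must be in time order."""
    recent = defaultdict(deque)          # src -> deque of (ts, dst, dport)
    alerted, alerts = set(), []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue                     # skip unparseable lines rather than crash
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["dst"], ev["dport"]))
        # Drop events that have aged out of the window.
        while q and (ev["ts"] - q[0][0]) > timedelta(seconds=window_seconds):
            q.popleft()
        distinct = {(d, p) for _, d, p in q}
        if len(distinct) >= target_threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append({
                "src": ev["src"],
                "distinct_targets": len(distinct),
                "first_seen": q[0][0].isoformat(),
                "last_seen": ev["ts"].isoformat(),
            })
    return alerts


def build_sample_log() -> List[str]:
    """Constructed sample: a pen-test style burst, a slow probe, and normal traffic."""
    t0 = datetime(2017, 3, 20, 9, 0, 0)
    lines = []
    # Fast scanner: 12 ports on one host within 12 seconds.
    for i in range(12):
        ts = (t0 + timedelta(minutes=5, seconds=i)).isoformat()
        lines.append(f"{ts} src=10.0.0.5 dst=10.0.1.10 dport={21 + i} action=deny")
    # Slow probe: the same 12 ports, one per hour.
    for i in range(12):
        ts = (t0 + timedelta(hours=i)).isoformat()
        lines.append(f"{ts} src=10.0.0.9 dst=10.0.1.10 dport={21 + i} action=deny")
    # Normal user: repeated HTTPS connections to one server.
    for i in range(20):
        ts = (t0 + timedelta(minutes=i)).isoformat()
        lines.append(f"{ts} src=10.0.0.7 dst=10.0.1.20 dport=443 action=allow")
    lines.append("garbage line that does not parse")
    return sorted(lines)   # ISO timestamps of equal length sort chronologically as strings


if __name__ == "__main__":
    log = build_sample_log()
    print("60 s window:", detect_scans(log))
    print("24 h window:", detect_scans(log, window_seconds=24 * 3600))
```

A wider window costs memory per source and raises false positives from busy legitimate hosts, so in practice the slow case is usually handled by a second, coarser rule over daily aggregates rather than by stretching the real-time window.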
New research found that the pitch and speed of the human voice are likely to change over a period of months and years, and therefore voice biometrics may no longer be considered adequate evidence for authentication on its own. Organizations need to consider multifactor authentication when using voice biometrics. The research team analyzed former President Obama’s speeches from 2009 to 2017 and found that matching accuracy for his voice dropped by 23%. They also tracked 122 speakers in six languages and found that the error rate of voice biometrics doubled from 4% to 8% in two years. This is because humans use up to 100 muscles to speak, and these muscles change as we age. This article is interesting in that it demonstrates that voice biometrics is not as reliable as I thought before. Therefore, organizations indeed need to consider multifactor authentication, including passwords, fingerprints, hand geometry, facial recognition, and iris and retinal scans.
At the recent RSA Conference, Trend Micro researchers presented the results of their investigation of exposed cyber assets in the 10 largest US cities by population. They found tens of thousands of webcams, network-attached storage devices, routers, printers, phones, media players and other devices connected to the public Internet that were vulnerable to cyber attacks, putting users at risk of data theft, exposure, and DDoS attacks. Based on the data they collected, they also found that exposed cyber assets were not distributed in proportion to population size. The second-most populous city, Los Angeles, topped the list with approximately 4 million exposed devices online, while the most populous city, New York, came in a respectable seventh. In terms of the types of devices and services found, firewalls were the number one exposure. In these instances, once a firewall’s administrative interface is exposed, its rules could be changed to allow malicious traffic into the network. The next most frequently exposed devices were webcams, routers and wireless access points, printers and PBX phones. In addition, the cities examined in the research had different concentrations of exposed device types. For example, Houston and Chicago came in first and second for total exposed webcams, while San Jose led the pack in exposed PBX phones.
I think this report is very interesting and should be presented to all companies in the top 10 most populous cities. It identifies the devices that are most likely to be exposed, so companies can focus on improving the security of these devices to better protect their data and systems. The good news is that Philly ranked 10th with around 0.4 million exposed devices in this research, even though it has the 5th largest population in the US. However, Philly was in second place in terms of the total number of exposed printers. Worse than that, Philly has the most exposed cyber assets in the education sector. As a TU student, I feel a little insecure now.
Based on a two-year study of cybercrime forums, IntSights and RedOwl recently released a report on how hackers recruit and work with insiders who have access to corporate networks. Recruitment of insiders is increasing: they found that forum discussions and insider outreach nearly doubled between 2015 and 2016. Hackers recruit insiders for profit, either by stealing data, making illegal trades or placing malware within a business’s systems. Successful hacking requires both technical and domain knowledge, and hackers can leverage an insider to provide the domain knowledge. Three types of people are potential insiders: negligent employees with bad cybersecurity hygiene, disgruntled employees, and malicious employees who join the organization with the intent to defraud. The Dark Web promises anonymity to insiders, and there is even a selection process for insiders on most forums. The forums want to know where the insiders work, how much access they have, and how quickly they can release information.
This should be a warning to all organizations that internal threats might be more serious than external threats. That is also why background checks for employees and segregation of duties are extremely important in every organization. Access to information and data must be restricted to ensure that unauthorized employees cannot access confidential information. However, this won’t solve the problem if the insiders are high-level managers. Therefore, an insider threat program is necessary.
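Segregation of duties and restricted access are easy to state and easy to let slip as roles accumulate. The code below is an added example, not from the IntSights/RedOwl report: it uses a constructed set of roles and a constructed list of conflicting permission pairs (for instance creating a vendor and approving payments to it), checks a proposed role grant against those pairs before it is applied, and answers access questions deny-by-default. The last assertion in the usage shows the point made above about senior staff: someone who holds every role violates every pair at once, which is exactly what an insider threat program has to watch for rather than prevent through role design.

```python
"""Least-privilege and separation-of-duties checks for role assignments
(added example; roles and conflict pairs are constructed, not from the report)."""
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

# Each role grants a small, task-specific set of permissions.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "ap_clerk": {"create_vendor", "enter_invoice"},
    "ap_approver": {"approve_payment"},
    "hr_admin": {"read_salary_data", "edit_employee_record"},
    "auditor": {"read_audit_log"},
}

# Permission pairs that one person must never hold at the same time: together
# they would let a single insider both carry out and cover up an abuse.
CONFLICTS: Set[FrozenSet[str]] = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"enter_invoice", "approve_payment"}),
    frozenset({"edit_employee_record", "read_audit_log"}),
}


def effective_permissions(roles: Iterable[str]) -> Set[str]:
    """Union of the permissions granted by the given roles."""
    perms: Set[str] = set()
    for role in roles:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role: {role}")
        perms |= ROLE_PERMISSIONS[role]
    return perms


def sod_violations(roles: Iterable[str]) -> List[Tuple[str, ...]]:
    """Conflicting permission pairs a user holding these roles would have."""
    perms = effective_permissions(roles)
    return sorted(tuple(sorted(pair)) for pair in CONFLICTS if pair <= perms)


def can_assign(current_roles: Set[str], new_role: str) -> Tuple[bool, List[Tuple[str, ...]]]:
    """Gate a role grant: reject it if the resulting combination violates SoD."""
    violations = sod_violations(current_roles | {new_role})
    return (len(violations) == 0, violations)


def is_authorized(roles: Set[str], permission: str) -> bool:
    """Deny by default: only an explicitly granted permission passes."""
    return permission in effective_permissions(roles)


if __name__ == "__main__":
    print(can_assign({"ap_clerk"}, "auditor"))        # allowed
    print(can_assign({"ap_clerk"}, "ap_approver"))    # rejected, two conflicts
    print(is_authorized({"ap_clerk"}, "approve_payment"))   # False
    print(sod_violations(set(ROLE_PERMISSIONS)))      # everything at once
```

Running `sod_violations` over existing assignments on a schedule, not only at grant time, is what catches the combinations that were acceptable when granted and became toxic after a later role change.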