Thank you for sharing the news. I believe the hacking of the FBI email system to send false cybersecurity alerts is similar to the way phishing emails are scammed. Although the portal sent emails from what appeared to be a valid FBI email address, the breach was quickly resolved by the FBI and warning emails were sent to confirm the network integrity. The way they responded to and resolved the vulnerability in a timely manner is something many companies could learn from.
Emotet malware is active again after a recent takedown by international law enforcement task forces. Emotet is a botnet malware that works with other malware families (Qakbot and Trickbot), often as the precursor for ransomware infections (Ryuk, Conti and more). The attack sequence involves massive spam campaigns that attempt to gain initial access to victim devices, where malware is downloaded as binaries and DLLs to initiate C2 communication with the Emotet infrastructure.
This article from late last week touches on the spam email that was distributed from the eims@ic.fbi.gov account, which is associated with FBI’s Criminal Justice Information Services division (CJIS). The article notes, “According to an interview with the person who claimed responsibility for the hoax, the spam messages were sent by abusing insecure code in an FBI online portal designed to share information with state and local law enforcement authorities”. Brian Krebs wrote the article and actually connected with Pompompurin, who is the individual claiming responsibility for the hack in order to point out a glaring vulnerability in the FBI’s system. Pompompurin began their exploitation process by gaining access to Law Enforcement Enterprise Portal (LEEP), which is a gateway that provides law enforcement agencies, intelligence groups, and criminal justice entities access to beneficial resources. From there, Pompompurin applied for an account and was able to take advantage of a flaw in the one-time passcode setup process since the site had leaked the one-time passcode in plaintext HTML code on the page which allowed for modification of change headers (i.e. To/from, subject, and body). Pompompurin describes, “Basically, when you requested the confirmation code [it] was generated client-side, then sent to you via a POST Request… This post request includes the parameters for the email subject and body content… A simple script replaced those parameters with his own message subject and body, and automated the sending of the hoax message to thousands of email addresses”.
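The handler pattern described in the post (confirmation code generated client-side, with the email subject and body taken straight from the POST request) beside a hardened version, as an added example that is not code from the article or from the LEEP portal; the function names, the `MailMessage` shape and the request dictionaries are assumptions:

```python
"""Added example, not code from the article or from LEEP: the handler pattern
the post describes next to a hardened version.  Function names, the
MailMessage shape and the request dicts are assumptions for illustration."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class MailMessage:
    to: str
    subject: str
    body: str


def vulnerable_confirmation(request: dict) -> MailMessage:
    """The pattern described in the post: the client generated the code and
    the POST parameters for subject and body are mailed out as supplied, so
    whoever controls the request controls what the portal's mail server sends."""
    return MailMessage(to=request["email"],
                       subject=request["subject"],
                       body=request["body"])


# Hardened version: fixed server-side template; pending codes stored hashed.
TEMPLATE_SUBJECT = "Your account confirmation code"
TEMPLATE_BODY = "Your confirmation code is {code}. It expires in 10 minutes."
CODE_TTL_SECONDS = 600
PENDING = {}   # recipient -> (sha256(code), expiry); constructed stand-in for a database


def hardened_confirmation(request: dict) -> MailMessage:
    """Only the recipient address is taken from the request.  The code is
    generated server-side with a CSPRNG, stored as a hash with an expiry, and
    the subject/body come from a fixed template, so any client-supplied
    'subject' or 'body' parameters are ignored."""
    recipient = request["email"]
    code = f"{secrets.randbelow(1_000_000):06d}"
    PENDING[recipient] = (hashlib.sha256(code.encode()).hexdigest(),
                          time.time() + CODE_TTL_SECONDS)
    return MailMessage(to=recipient,
                       subject=TEMPLATE_SUBJECT,
                       body=TEMPLATE_BODY.format(code=code))


def verify_code(recipient: str, submitted: str) -> bool:
    """Single-use, expiring check in constant time.  Any attempt consumes the
    pending code, which also caps guessing; a real deployment would add
    per-recipient rate limiting on top."""
    entry = PENDING.pop(recipient, None)
    if entry is None:
        return False
    digest, expiry = entry
    if time.time() > expiry:
        return False
    return hmac.compare_digest(digest,
                               hashlib.sha256(submitted.encode()).hexdigest())
```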
Intel’s recent Atom, Celeron, Pentium chips can be lulled into a debug mode, potentially revealing system secrets
This article talks about how some Intel processors can be forced into a debugging mode, which would grant access to certain low-level keys. This could potentially be used for something like unlocking encrypted data on the hard drive. The affected processor chips come from Intel’s Apollo Lake, Gemini Lake, and Gemini Lake Refresh platforms. It is important to note, however, that the attacker does need physical access to exploit this bug. But with a CVSS score of 7.1 it certainly is something to keep an eye on, especially if your device has one of the affected Intel processors.
“Costco Confirms: A Data Skimmer’s Been Ripping Off Customers”
Big-box behemoth retailer Costco is offering victims 12 months of credit monitoring, a $1 million insurance reimbursement policy and ID theft recovery services.
Costco has discovered a payment card skimming device at one of its retail stores and has sent out notification letters informing customers that their card data may have been ripped off if they shopped there recently.
Some customers have been aware for weeks that something was fishy and have been sharing their suspicions on social media.
“North Korean Hackers Target Cybersecurity Researchers with Trojanized IDA Pro”
This article written yesterday by Ravie Lakshmanan describes how the North Korea-affiliated state-sponsored group Lazarus is targeting security researchers once again. They are using a trojanized pirated version of IDA Pro, an interactive disassembler that translates machine language into assembly language, which allows for the analysis of the inner workings of a program. The attackers are adding malicious components to IDA Pro, “win_dw.dll”, which is executed during installation of the application, and “idahelper.dll”. Following successful execution, the second component connects to a remote server (wwwdevguardmaporg) in order to retrieve subsequent payloads, a domain which has been linked to similar North Korea-backed campaigns. The goal of the most recent attack was to set up a fake security company known as “SecuriElite” to trick researchers into visiting the malware-laced website. Lazarus has been linked to attacks in the past related to financial gain and obtaining sensitive information. It is concerning because North Korea’s cyber program appears to be growing, and they are backing groups like Lazarus likely to fund nuclear programs.
A popular adult cam site called Stripchat has been a victim of a breach. Information on both customers and models has ended up on the internet. About 200 million Stripchat records, including 65 million user records, emails, IP addresses, payments and customer activity, have been revealed. Another database of 420k records was also attacked, leaking usernames, genders, studio IDs, and tips/prices. This leak poses a risk for both consumers and models of potential extortion and violence. With this type of breach, expect lewd phishing lures to be used to gain access to people’s information. https://threatpost.com/adult-cam-model-user-records-exposed-stripchat-breach/176372/
Cybercriminals targeted Alibaba’s Elastic Computing Service (ECS) and disabled security features. Aliyun, the name of the cloud provider, has preinstalled security agents that were disabled, which allowed the attackers to use crypto-mining malware to create new firewall rules and drop incoming packets from internal IP ranges.
OWASP Updates the Top 10 Web Application Security Risks
Given the nature of this week’s lecture, I thought the new release of OWASP Top 10’s 2021 update was perfect to report on.
OWASP (Open Web Application Security Project) is a nonprofit community focusing on promoting secure coding practices. Their resources and research are free for companies to use, such as application security tools, corporate presentations/videos, conferences, etc. OWASP is highly known for their OWASP Top 10 Web Application Security Risks publication, which is a publication enhancing awareness of the most notorious coding risks/vulnerabilities. The 2021 update reinvigorated the previous version from 2017, including 3 new risks. In 2017, the OWASP Top 10 were: injection, broken authentication, sensitive data exposure, XML external entities (XXE), broken access control, security misconfiguration, cross site scripting (XSS), insecure deserialization, using components with known vulnerabilities, and insufficient logging/monitoring—written in that order of performance.
The 2021 version has moved up broken access control to the top OWASP risk; the reason for this is that 3.81% of applications tested by the OWASP staff had indicated one or more common weakness enumerations (CWEs) with more than 318k occurrences of CWEs in this risk category. In this study, the most prevalent CWE was connected to broken access control, outweighing the remaining 9 risks in the OWASP publication.
Cryptographic failures replaced the ‘sensitive data exposure’ risk, due to how cryptographic errors are what leads to many sensitive data exposures. By refocusing on this issue, OWASP believes more organizations will be cognizant of this risk versus the undesired outcome.
Injection has moved from 1st top risk to 3rd; this now includes XSS. OWASP concluded that injection vulnerabilities are overall less than the amount of broken access control risk measured in this study, causing it to be downgraded from the 2017 OWASP ranking.
Insecure design is a new OWASP risk in the 2021 publication, topping the charts at #4. Applications need to begin focusing on more security functions designed at the application layer (i.e. threat modeling, secure reference architectures, etc.). If an application is not secure by nature, additional security controls like firewalls will provide little protection. I am forecasting this ranking to result in more developers being trained in secure coding (which is also a big part of PCI DSS compliance).
Due to the industry shift into using highly configurable software, the risk of security misconfiguration has moved up. XXE has also been encompassed into this category.
Vulnerable and outdated component usage was moved up due to how impactful this risk is, and highlights the importance of continually patching applications.
Broken Authentication was recategorized as Identification and Authentication Failures, becoming less of a focus and shifting from its high spot on the Top 10. The increased availability of secure standardized authentication frameworks is believed to help in lessening this risk (such as NIST SP 800-53).
Insecure Deserialization is now included in the new category Software and Data Integrity Failures. This focuses on developers making assumptions on the integrity of software updates without proper verification.
Security Logging and Monitoring Failures moved from 10th place to 9th, expanded to include different types of logging and monitoring failures. Although I believe this should be a bit higher of importance, since logging and monitoring is critical throughout nearly every portion of information security, the low ranking was due to the difficulty in testability of this risk.
Lastly is Server-Side Request Forgery. This was the top item on the OWASP community survey, but OWASP found insufficient evidence from their resource that it was as important as believed due to the lack of prevalence in this risk.
I know that this was a bit of a long analysis, but I found this interesting since I was the analyst in charge of implementing OWASP top 10 secure coding training at my company. Seeing the changes between 2017 and now provide me with a lot of context, especially tied with the helpful readings this week. I provided the link to the new publication also if anyone is interested! https://securityboulevard.com/2021/10/owasp-updates-the-top-10-web-application-security-risks/ https://owasp.org/Top10/
FBI Says Its System Was Exploited to Email Fake Cyberattack Alert
Multiple fake urgent warning emails about cyberattacks were sent out by hackers who were able to infiltrate the FBI’s email system. Over 100,000 messages were sent out. The hackers infiltrated the system through the FBI’s LEEP (Law Enforcement Enterprise Portal). The FBI describes LEEP as “a gateway providing law enforcement agencies, intelligence groups, and criminal justice entities access to beneficial resources.” The hacker wasn’t able to access any data or personally identifying information. The fake alert had no call to action, which makes the goal of the attack unknown.
The US Department of Homeland Security has developed a new system to hire cybersecurity personnel. This new recruiting system is called Cybersecurity Talent Management System (CTMS). It is not easy filling these roles, but DHS is preparing to use this initiative to hire cyber security talent and fill 150 high priority positions throughout 2022. CTMS will “recruit, develop and retrain cybersecurity pros in the federal government.” (Liam Tung) Moreover, it will be used to screen applicants, test their knowledge, and reduce the time it takes for them to be hired into the department. The article goes on to mention that the compensation for these roles will likely exceed $200,000.
The roles that are currently being scouted for are as follows:
– incident response
– risk analysis
– vulnerability detection and assessment
– intelligence and investigation
– networks and systems engineer
– forensics
– software assurance
The article talks about how application security is the process of making apps more protected by finding, fixing, and improving the security of apps. Much of that happens during the development phase, but it also includes tools and methods to protect apps once they are deployed. This is becoming increasingly important as hackers increasingly target applications with their attacks.
Finally, the authority for application security could be spread across many categories of teams within your IT department: the network personnel could be capable of managing the web app firewalls and other network-centric tools, the desktop personnel could also be capable of determining endpoint-oriented tests, and several development groups could have other problems. This makes it difficult to determine one tool that will be suitable for everyone’s needs, and that is why the market has become so fragmented.
The article that I am choosing to summarize for this week's in-the-news article is titled “OWASP’s 2021 List Shuffle: A New Battle Plan and Primary Foe”.
The article focuses on OWASP’s (Open Web Application Security Project) list of the top ten most common vulnerabilities that hackers exploit.
For a long time, the most common method of information security attack was using code injection vulnerabilities. Code injection techniques are very versatile and are responsible for a wide range of different attacks, from SQL injections to direct attacks against servers using OS injection techniques.
As of this year, the type of attack that has taken the place of code injections as the most common attack method is broken access control. Broken access control attacks “include any instance where access control policies can be violated so that users can act outside of their intended permissions.”
These types of attacks are also very versatile and can be used in a wide variety of ways. Broken access control vulnerabilities can enable attackers to modify URLs, change primary access keys of users so that a host believes they are someone else with higher privileges, change web and access control tokens, and much more.
A main trouble with preventing broken access control vulnerabilities is that few engineers are given training and skills development that go beyond the basics, and fixing localized, code-level bugs that are usually developer-introduced in the first place.
“Robinhood Trading App Suffers Data Breach Exposing 7 Million Users’ Information”
On November 3, a security breach affected 7 million customers through the Robinhood trading app. The 3rd party is believed to have socially engineered a customer representative to gain access to internal support systems, using it to obtain the email addresses of 5 million users, full names for a different group of about 2 million people, and additional information such as names, dates of birth, and zip codes for a limited set of 310 more users.
Once the malicious breachers were in, Robinhood stated, the infiltrator demanded an extortion payment in exchange for the stolen data, prompting the firm to involve law enforcement.
I know we’re well past this lesson from the beginning of the class. But this is an issue that I see getting a lot worse recently, especially since the cybersecurity industry pre-COVID was already struggling to find workers. This article highlights some industry problems that I have seen personally, citing cybersecurity professionals who are burnt out from heavy workloads due to shortages. 39% of organizations are struggling to fill cloud-security roles, 30% are finding it difficult to fill vacancies, and 29% state that HR doesn’t understand the skills required for cybersecurity.
I actually want to emphasize the last part, because the particular subset of cybersecurity I work in is Risk Management Framework (RMF), and a common theme I’ve seen is that a lot of people misunderstand how to assess risk. It’s also something that Vacca highlights within our first few readings: businesses very often do not pay attention to cyber, which can be a grave mistake.
The bad news is that the industry is struggling. However, on a lighter note – and something that this article highlights – there needs to be more cybersecurity awareness across the board. I would argue that means in the future demand for cybersecurity would increase, therefore raising salaries.
I found this article very interesting as it’s related to a platform most people have used since the start of Covid: TikTok.
It talks about scammers attempting to attack businesses and people associated with large Tiktok accounts based around the world. They were targeted as part of a recent phishing campaign.
Emails warned that targeted accounts were either in danger of being deleted for copyright violations or eligible for a verification badge. If victims replied to a message, attackers directed them to click a link to a WhatsApp chat, where a purported TikTok representative would confirm their accounts.
While it remains unclear if any accounts were breached, the campaign is the latest to demonstrate how TikTok’s popularity makes its most visible users targets for scammers.
This article by The Hacker News details a newly developed tool by Palo Alto Networks and Stony Brook University researchers which automates discovery and analysis of newly uncovered MITM phishing websites, which have targeted a lot of the most popular domains like Google, Apple, PayPal, Twitter, LinkedIn, etc., “which aim to hijack users’ credentials and carry out further attacks.” The tool, PHOCA, has capabilities that we have previously not seen – like a newly designed method to not only uncover previously unknown MITM phishing “toolkits” (a streamlined set of files that help conduct a credential theft campaign) on such sites, but also detect and isolate malicious requests from these servers.
2FA has somewhat slowed traditional phishing websites, not in the sense that they are becoming less common – but that they have now evolved along with security like 2FA as well to combat these defensive mechanisms; such new phishing sites with MITM phishing toolkits are well done mirrored examples of the real services that they are impersonating, making connected users feel safe to enter their credentials. During this process, the MITM phishing toolkit essentially functions as a reverse proxy and forwards the requests back and forth between the user and the actual service while also intercepting and stealing the credentials used – including the 2FA code and the session cookie to re-authenticate with a session hijack.
A one-year examination period of the researchers experimenting with PHOCA led to 1220 new MITM phishing toolkits being discovered, mainly in the US and Europe. PHOCA essentially implements a “machine learning classifier” which analyzes network traffic, compares the RTT (round-trip time) of SYN/ACK packets and HTTP GET requests across the network, and compares these times to those of connecting to the actual services. With an MITM forwarding the requests, the RTT will be significantly higher according to the researchers.
I think this article is interesting because it drives the point very strongly that despite any advances in cybersecurity, the attackers are always innovating with equally complex tools to attack everything we try to defend, and that the same relatively primitive attack vectors can always be evolved into new stages with more effective attacks.
“Researchers Demonstrate New Fingerprinting Attack on Tor Encrypted Traffic”
A new analysis of Web site fingerprinting (WF) attacks against the Tor Web browser shows that it is possible for attackers to collect websites that are frequently visited by victims, but only if the threat actor is interested in a specific subset of websites that users visit.
The Tor browser routes Internet traffic through an overlay network, providing its users with “unlinkable communications” designed to anonymize the original location and usage of third parties conducting network surveillance or traffic analysis. The researchers concluded that “untargeted attackers aiming to comprehensively monitor users’ Web site access will fail, but focused attackers targeting specific client configurations and Web sites may succeed.”
“Data access strategy helps hotels on- and offboard employees.”
Previously, Village Hotels IT staff had to manually update user access rights and transfer data between current and former employees each time an employee joined or left the organization. The hotel group implemented CloudM’s Software-as-a-Service (SaaS) solution to automate this process, including initial migration to incoming and outgoing employees, data management, and license archiving.
This article goes into some security concerns for 5G. 5G is starting to get more widespread adoption from consumers as more and more phones are released with 5G capabilities. One of the ways 5G has improved its speed when compared to 4G is by capitalizing on cloud technology. Lateral movement within the cloud is a concern. Multiple organizations and people who rely on the cloud could be impacted by widescale attacks. Therefore, NSA and CISA urge companies to implement zero trust environments.
This article lists some additional key controls that will make 5G and the cloud more secure:
* Implement IdM and IAM solutions
* Keep 5G software updated. You should have a policy for how soon to test and release patches based on criticality.
* Ensure a secure network configuration with segmentation
* Monitor and detect lateral movement
Researchers have found a high-impact vulnerability within the Palo Alto GlobalProtect Firewall/VPN. The CVE for this vulnerability is CVE-2021-3064. It has a CVSS score of 9.8. It has been rated as highly critical as attackers could execute code remotely. This vulnerability has affected version PAN-OS 8.1. Systems that are running versions 9.0 and later are secure against this vulnerability. The researchers have also stated that this vulnerability would allow attackers to get access to the firewall remotely and have full visibility of the internal network. They have also stated that there were 70,000 Firewall/VPNs that were vulnerable at that time.
This article goes over how researchers found a new way to detect man-in-the-middle phishing attacks. Researchers from Stony Brook University and Palo Alto Networks used a new fingerprinting technique that identifies MitM phishing kits by utilizing network-level properties and automating the discovery and analysis of phishing websites. Since the rise of two-factor authentication, phishing websites that mirror real ones have also implemented dual authentication, working as a reverse proxy server between the user and the target web servers. The method used is transport layer security fingerprints and network timing to classify the MitM toolkits on the reverse proxy servers. Since two distinct HTTPS sessions are maintained during communication between the target web server and the user, the ratio of various packets will be much higher compared to the user connecting to the original web server directly. A year-long study has uncovered 1,220 sites operated as MitM phishing websites; these sites are put on a phishing blocklist.
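The network-timing signal both PHOCA posts above describe, reduced to one check, as an added example that is not PHOCA's own code: a MITM phishing kit is a reverse proxy, so the TCP handshake completes at the proxy while each HTTP request must be relayed to the real site before a response can come back, and the HTTP-to-TCP round-trip ratio rises compared with talking to the legitimate service directly. All timing samples, the baseline and the factor are constructed.

```python
"""Added example, not PHOCA's own code: the timing signal the posts describe
as a single relative check.  Timing samples, baseline and factor below are
constructed for illustration."""
from statistics import median


def rtt_ratio(tcp_rtts_ms, http_rtts_ms):
    """Median HTTP request RTT divided by median TCP SYN/SYN-ACK RTT.
    Medians rather than means so one jittery probe does not dominate."""
    if not tcp_rtts_ms or not http_rtts_ms:
        raise ValueError("need at least one TCP and one HTTP sample")
    tcp = median(tcp_rtts_ms)
    if tcp <= 0:
        raise ValueError("TCP RTT must be positive")
    return median(http_rtts_ms) / tcp


def classify(tcp_rtts_ms, http_rtts_ms, baseline_ratio, factor=2.0):
    """Return (is_suspect, observed_ratio).  baseline_ratio is the same
    measurement taken against the genuine service: a slow origin raises the
    ratio for both, which is why the cutoff is relative, not absolute."""
    ratio = rtt_ratio(tcp_rtts_ms, http_rtts_ms)
    return ratio > baseline_ratio * factor, ratio


# Constructed probe timings in milliseconds (five probes each).
DIRECT_TCP = [21.0, 22.5, 20.8, 23.1, 21.7]         # handshake with the real site
DIRECT_HTTP = [48.0, 51.2, 47.5, 50.3, 49.1]        # GET / against the real site
PROXIED_TCP = [19.5, 20.1, 21.0, 19.8, 20.4]        # handshake with the proxy
PROXIED_HTTP = [160.2, 171.8, 158.9, 166.4, 163.0]  # proxy fetches from origin first

BASELINE_RATIO = rtt_ratio(DIRECT_TCP, DIRECT_HTTP)   # about 2.26


def demo():
    """Run the check on both constructed hosts; proxied one is flagged."""
    return {
        "direct": classify(DIRECT_TCP, DIRECT_HTTP, BASELINE_RATIO),
        "proxied": classify(PROXIED_TCP, PROXIED_HTTP, BASELINE_RATIO),
    }


if __name__ == "__main__":
    for name, (suspect, ratio) in demo().items():
        print(f"{name}: ratio={ratio:.2f} suspect={suspect}")
```

On real hosts the samples come from repeated TCP connects and HTTP GETs to the same address, and the baseline from the same probes against the brand being impersonated.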
Matthew Bryan says
New Application Security Toolkit Uncovers Dependency Confusion Attacks
Adversaries use a variety of tricks in effort to get developers to trust and integrate software components into their codebase. Developers end up with vulnerabilities, backdoors, and unexpected behavior through malicious components instead of getting the desired functionality. Deploying a malicious component (called a package namesquatting attack or a dependency confusion attack) typically involves a bad actor uploading a code package to a public repository with the same name as a private internal package. The name of these private packages can be found by looking through configuration files in publicly available projects. The attack happens when developers update dependencies for a project and pull from both private and public repositories. The build process defaults to the malicious package from the public repository instead of pulling from the private. By the time the developer notices the incorrect package has been used, the code has already been executed.
To help address this, Apiiro has released the Dependency Combobulator, an open source Python-based toolkit that helps prevent this kind of attack. Other tools, such as Snyk, are also available to help detect and prevent this. Additional suggestions include using explicit scopes for internal packages, responding quickly when the build fails, and proactively namesquatting private dependency names.
Coincidentally, npm, a popular JavaScript package manager that works with the Dependency Combobulator, was recently compromised. More information on this can be found here: https://github.com/advisories/GHSA-pjwm-rvh2-c87w. This vulnerability was particularly severe, with any computer running the package installer being considered fully compromised.
Author: Famida Y. Rashid
Published: 11-10-2001
Link: https://www.darkreading.com/dr-tech/new-application-security-toolkit-uncovers-dependency-confusion-attacks
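A manifest check for two of the mitigations the post lists (explicit scopes for internal packages, and pinning that scope to the private registry), as an added example that is not code from the article or from Apiiro's Dependency Combobulator; the `@acme` scope, the registry URLs, the package.json and both .npmrc variants are constructed.

```python
"""Added example, not code from the article or from Apiiro's Dependency
Combobulator: flags npm dependencies a public registry could satisfy.  The
@acme scope, registry URLs, package.json and .npmrc contents are constructed."""
import json
import re

INTERNAL_SCOPE = "@acme"                              # assumed org scope
PRIVATE_REGISTRY = "https://npm.internal.example/"    # assumed private registry
PUBLIC_REGISTRY = "https://registry.npmjs.org/"

PACKAGE_JSON = """{
  "name": "@acme/billing-service",
  "dependencies": {
    "express": "^4.18.2",
    "acme-auth-client": "1.4.0",
    "@acme/logging": "2.0.1",
    "@acme/feature-flags": "0.3.0"
  }
}"""

# Weak: no scope-to-registry mapping, so @acme/* resolves to the public registry.
NPMRC_WEAK = "registry=https://registry.npmjs.org/\n"

# Fixed: the internal scope is pinned to the private registry.
NPMRC_FIXED = """registry=https://registry.npmjs.org/
@acme:registry=https://npm.internal.example/
//npm.internal.example/:_authToken=${NPM_TOKEN}
"""


def parse_npmrc(text):
    """Return (default registry, {scope: registry}) from .npmrc content."""
    default, scopes = PUBLIC_REGISTRY, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.match(r"^(@[^:]+):registry=(\S+)$", line)
        if m:
            scopes[m.group(1)] = m.group(2)
        elif line.startswith("registry="):
            default = line.split("=", 1)[1]
    return default, scopes


def looks_internal(name, internal_scope):
    """Heuristic: an unscoped name carrying the org name as a segment."""
    org = internal_scope.lstrip("@").lower()
    return org in re.split(r"[-_.]", name.lower())


def find_confusable(package_json, npmrc, internal_scope=INTERNAL_SCOPE,
                    private_registry=PRIVATE_REGISTRY):
    """List (package, reason) for dependencies a public registry could satisfy."""
    deps = json.loads(package_json).get("dependencies", {})
    default, scopes = parse_npmrc(npmrc)
    findings = []
    for name in deps:
        if name.startswith("@"):
            scope = name.split("/", 1)[0]
            if scope != internal_scope:
                continue                      # third-party scope, not ours
            target = scopes.get(scope, default)
            if target.rstrip("/") != private_registry.rstrip("/"):
                findings.append((name, f"scope {scope} resolves to {target}"))
        elif looks_internal(name, internal_scope):
            findings.append((name, "unscoped internal-looking name; resolves "
                                   f"to {default} and can be claimed publicly"))
    return findings
```

Renaming the unscoped package into the pinned scope, or claiming its public name as the post suggests, clears the remaining finding.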
Miray Bolukbasi says
This week, I was able to find this great article to discuss the benefits of secure coding. Avatao explains that there are increasing numbers of breaches, specifically towards healthcare industry and secure coding is a great way to fight against.
Incidents might occur in lack of secure coding includes: denial of service to user, compromised secrets, loss of service, financial damage, market manipulation, and theft.
If a high-level language that follows these principles is in place, you can reduce the vulnerabilities. The six rules listed in the article: minify and obfuscate code; avoid shortcuts; implement automated scanning, code reviews, and threat monitoring; avoid components with known vulnerabilities; audit and log; integrate secure coding principles into SDLC components.
https://avatao.com/blog-coding-vs-secure-coding-6-rules-to-live-by/
Mohammed Syed says
https://www.infosecurity-magazine.com/news/vulnerable-web-apps-eu-pharma/
Vulnerable Web Applications Prevalent in EU Pharma Companies:
As per the report, Europe’s top 10 pharma companies all have vulnerable web applications, putting sensitive medical and patient data at risk of being hacked.
Overall, research noted that EU Pharma companies run an exceptionally large number of web applications (20,394 web applications and 9,216 domains) compared to other industries.
It vulnerable to different cyber attack cause of various vulnerability exist in the web application due to not secure coding practice, use basic SSL, cookies settings and privacy policy defects.
As per the new attack vectors maximum web developer need to secure code practice as well already develop web application required modifications and update to face new challenges of cyber attack and protect self web applications.
To protect against cyber attack organizations required to earlier conduct vulnerability research or pen testing to ensure protection against immerging cyber attack
Richard Hertz says
Great little article that highlights how coders view training in secure coding practices. Developers tend to see this as a tax on their productivity and not something that enhances their performance. Given how high the stakes are for companies faced with cyber incidents and ransomware attacks – the tax on performance makes sense to pay! This article really underlines that this kind of training is a change for developers and therefore needs to be treated appropriately – with change management preparation and best practices to ensure the developers embrace what they learn and adjust their coding.
https://www.cpomagazine.com/cyber-security/now-more-than-ever-secure-coding-training-is-crucial-for-web-app-developers/
Christopher Clayton says
“Hackers Compromise FBI Email System to Spam Fake Cybersecurity Alerts”
In this article, hackers compromised an FBI online portal, sending over 100,000 fake email alerts to victims claiming that they came from the FBI. They used a software misconfiguration to get access to the Law Enforcement Enterprise Portal (LEEP), sending out emails from what looked like a valid FBI email address. The fake messages warned that recipients were at risk of a “sophisticated chain attack”. It also falsely claimed that a cybersecurity expert by the name of Vinny Troia was the culprit behind the fake email attacks and was associated with the hacking group The Dark Overlord (the same group that leaked the fifth season of the American comedy drama “Orange Is The New Black”). It doesn’t look like the hackers were able to gain admission to FBI files, and the vulnerability was quickly fixed once the impacted hardware was put offline. Even though the unauthorized email came from an FBI operated server, it was not part of the FBI’s corporate email service, which did not allow these hackers to compromise any PII on their network. Fortunately, the FBI quickly resolved the software vulnerability, gave warning to disregard the fake emails, and the integrity of the networks was confirmed.
https://gizmodo.com/hackers-compromise-fbi-email-system-to-spam-fake-cybers-1848055664
Dan Xu says
Hi Christopher,
Thank you for sharing the news. I believe the hacking of the FBI email system to send false cybersecurity alerts is similar to the way phishing email scams work. Although the portal sent emails from what appeared to be a valid FBI email address, the breach was quickly resolved by the FBI and warning emails were sent to confirm the network integrity. The way they responded and resolved the vulnerability in a timely manner is worth learning from for many companies.
Kelly Sharadin says
Emotet malware is active again after a recent takedown by international law enforcement task forces. Emotet is a botnet malware that works with other malware families (Qakbot and Trickbot), often as the precursor for ransomware infections (Ryuk, Conti and more). The attack sequence involves massive spam campaigns that attempt to gain initial access to victim devices, where malware is downloaded as binaries and DLLs to initiate C2 communication with the Emotet infrastructure.
https://www.bleepingcomputer.com/news/security/emotet-malware-is-back-and-rebuilding-its-botnet-via-trickbot/
Bryan Garrahan says
https://krebsonsecurity.com/2021/11/hoax-email-blast-abused-poor-coding-in-fbi-website/#more-57551
This article from late last week touches on the spam email that was distributed from the eims@ic.fbi.gov account, which is associated with FBI’s Criminal Justice Information Services division (CJIS). The article notes, “According to an interview with the person who claimed responsibility for the hoax, the spam messages were sent by abusing insecure code in an FBI online portal designed to share information with state and local law enforcement authorities”. Brian Krebs wrote the article and actually connected with Pompompurin, who is the individual claiming responsibility for the hack in order to point out a glaring vulnerability in the FBI’s system. Pompompurin began their exploitation process by gaining access to Law Enforcement Enterprise Portal (LEEP), which is a gateway that provides law enforcement agencies, intelligence groups, and criminal justice entities access to beneficial resources. From there, Pompompurin applied for an account and was able to take advantage of a flaw in the one-time passcode setup process since the site had leaked the one-time passcode in plaintext HTML code on the page which allowed for modification of change headers (i.e. To/from, subject, and body). Pompompurin describes, “Basically, when you requested the confirmation code [it] was generated client-side, then sent to you via a POST Request… This post request includes the parameters for the email subject and body content… A simple script replaced those parameters with his own message subject and body, and automated the sending of the hoax message to thousands of email addresses”.
Ryan Trapp says
Intel’s recent Atom, Celeron, Pentium chips can be lulled into a debug mode, potentially revealing system secrets
This article talks about how some Intel processors can be forced into a debugging mode, which would grant access to certain low-level keys. This could potentially be used for something like unlocking encrypted data on the hard drive. The affected processor chips come from Intel’s Apollo Lake, Gemini Lake, and Gemini Lake Refresh platforms. It is important to note, however, that the attacker does need physical access to exploit this bug. But with a CVSS score of 7.1 it certainly is something to keep an eye on, especially if your devices have one of the affected Intel processors.
https://www.theregister.com/2021/11/16/intels_chip_flaw/
Jason Burwell says
“Costco Confirms: A Data Skimmer’s Been Ripping Off Customers”
Big-box behemoth retailer Costco is offering victims 12 months of credit monitoring, a $1 million insurance reimbursement policy and ID theft recovery services.
Costco has discovered a payment card skimming device at one of its retail stores and has sent out notification letters informing customers that their card data may have been ripped off if they shopped there recently.
Some customers have been aware for weeks that something was fishy and have been sharing their suspicions on social media.
https://threatpost.com/costco-data-skimmer-customers-notification/176320/
Alexander William Knoll says
“North Korean Hackers Target Cybersecurity Researchers with Trojanized IDA Pro”
This article, written yesterday by Ravie Lakshmanan, describes how the North Korea-affiliated state-sponsored group Lazarus is targeting security researchers once again. They are using a trojanized pirated version of IDA Pro, an interactive disassembler that translates machine language into assembly language, which allows for the analysis of the inner workings of a program. The attackers are adding malicious components to IDA Pro: “win_dw.dll”, which is executed during installation of the application, and “idahelper.dll”. Following successful execution, the second component connects to a remote server (wwwdevguardmaporg) in order to retrieve subsequent payloads, a domain which has been linked to similar North Korea-backed campaigns. The goal of the most recent attack was to set up a fake security company known as “SecuriElite” to trick researchers into visiting the malware-laced website. Lazarus has been linked to attacks in the past related to financial gain and obtaining sensitive information. It is concerning because North Korea’s cyber program appears to be growing, and they are backing groups like Lazarus likely to fund nuclear programs.
https://thehackernews.com/2021/11/north-korean-hackers-target.html
Corey Arana says
A popular adult cam site called Stripchat has been the victim of a breach. Information on both customers and models has ended up on the internet. About 200 million Stripchat records, including 65 million user records, emails, IP addresses, payments and customer activity, have been revealed. Another database of 420k records was also attacked, leaking usernames, genders, studio IDs, and tips/prices. This leak poses a risk to both consumers and models of potential extortion and violence. With this type of breach, expect lewd phishing lures to be used to gain access to people’s information.
https://threatpost.com/adult-cam-model-user-records-exposed-stripchat-breach/176372/
Dhaval Patel says
Cybercriminals targeted Alibaba’s Elastic Computing Service (ECS) and disabled security features. Aliyun, the name of the cloud provider, has preinstalled security agents that were disabled, which allowed the attackers to use crypto-mining malware to create new firewall rules and drop incoming packets from internal IP ranges.
https://threatpost.com/cybercriminals-alibaba-cloud-cryptomining-malware/176348/
Lauren Deinhardt says
OWASP Updates the Top 10 Web Application Security Risks
Given the nature of this week’s lecture, I thought the new release of OWASP Top 10’s 2021 update was perfect to report on.
OWASP (Open Web Application Security Project) is a nonprofit community focusing on promoting secure coding practices. Their resources and research are free for companies to use, such as application security tools, corporate presentations/videos, conferences, etc. OWASP is highly known for their OWASP Top 10 Web Application Security Risks publication, which is a publication enhancing awareness of the most notorious coding risks/vulnerabilities. The 2021 update reinvigorated the previous version from 2017, including 3 new risks. In 2017, the OWASP Top 10 were: injection, broken authentication, sensitive data exposure, XML external entities (XXE), broken access control, security misconfiguration, cross site scripting (XSS), insecure deserialization, using components with known vulnerabilities, and insufficient logging/monitoring—written in that order of performance.
The 2021 version has moved up broken access control to the top OWASP risk; the reason for this is that 3.81% of applications tested by the OWASP staff had indicated one or more common weakness enumerations (CWEs) with more than 318k occurrences of CWEs in this risk category. In this study, the most prevalent CWE was connected to broken access control, outweighing the remaining 9 risks in the OWASP publication.
Cryptographic failures replaced the ‘sensitive data exposure’ risk, due to how cryptographic errors are what leads to many sensitive data exposures. By refocusing on this issue, OWASP believes more organizations will be cognizant of this risk versus the undesired outcome.
Injection has moved from 1st top risk to 3rd; this now includes XSS. OWASP concluded that injection vulnerabilities are overall less than the amount of broken access control risk measured in this study, causing it to be downgraded from the 2017 OWASP ranking.
Insecure design is a new OWASP risk in the 2021 publication, topping the charts at #4. Applications need to begin focusing on more security functions designed at the application layer (i.e., threat modeling, secure reference architectures, etc.). If an application is not secure by nature, additional security controls like firewalls will provide little protection. I am forecasting this ranking to result in more developers being trained in secure coding (which is also a big part of PCI DSS compliance).
Due to the industry shift into using highly configurable software, the risk of security misconfiguration has moved up. XXE has also been encompassed into this category.
Vulnerable and outdated component usage was moved up due to how impactful this risk is, and highlights the importance of continually patching applications.
Broken Authentication was recategorized as Identification and Authentication Failures, becoming less of a focus and shifting from its high spot on the Top 10. The increased availability of secure standardized authentication frameworks is believed to help in lessening this risk (such as NIST SP 800-53).
Insecure Deserialization is now included in the new category Software and Data Integrity Failures. This focuses on developers making assumptions on the integrity of software updates without proper verification.
Security Logging and Monitoring Failures moved from 10th place to 9th, expanded to include different types of logging and monitoring failures. Although I believe this should be a bit higher of importance, since logging and monitoring is critical throughout nearly every portion of information security, the low ranking was due to the difficulty in testability of this risk.
Lastly is Server-Side Request Forgery. This was the top item on the OWASP community survey, but OWASP found insufficient evidence from their resource that it was as important as believed due to the lack of prevalence in this risk.
I know that this was a bit of a long analysis, but I found this interesting since I was the analyst in charge of implementing OWASP Top 10 secure coding training at my company. Seeing the changes between 2017 and now provides me with a lot of context, especially tied with the helpful readings this week. I provided the link to the new publication also if anyone is interested!
https://securityboulevard.com/2021/10/owasp-updates-the-top-10-web-application-security-risks/
https://owasp.org/Top10/
Michael Galdo says
FBI Says Its System Was Exploited to Email Fake Cyberattack Alert
Multiple fake urgent warning emails about cyberattacks were sent out by hackers who were able to infiltrate the FBI’s email system. Over 100,000 messages were sent out. The hackers infiltrated the system through the FBI’s LEEP (Law Enforcement Enterprise Portal). The FBI describes LEEP as “a gateway providing law enforcement agencies, intelligence groups, and criminal justice entities access to beneficial resources.” The hacker wasn’t able to access any data or personally identifying information. The fake alert had no call to action, which makes the goal of the attack unknown.
https://threatpost.com/fbi-system-exploit-email-fake-cyberattack-alert/176333/
Joshua Moses says
The US Department of Homeland Security has developed a new system to hire cybersecurity personnel. This new recruiting system is called Cybersecurity Talent Management System (CTMS). It is not easy filling these roles, but DHS is preparing to use this initiative to hire cyber security talent and fill 150 high priority positions throughout 2022. CTMS will “recruit, develop and retrain cybersecurity pros in the federal government.” (Liam Tung) Moreover, it will be used to screen applicants, test their knowledge, and reduce the time it takes for them to be hired into the department. The article goes on to mention that the compensation for these roles will likely exceed $200,000.
The roles that are currently being scouted for are as follows:
– incident response
– risk analysis
– vulnerability detection and assessment
– intelligence and investigation
– networks and systems engineer
– forensics
– software assurance
Joshua Moses says
https://www.zdnet.com/article/the-us-government-just-launched-a-big-push-to-fill-cybersecurity-jobs-with-salaries-to-match/
kofi bonsu says
The article talks about how application security is the process of making apps more protected by finding, fixing, and improving the security of apps. Much of this happens during the development phase, but it includes tools and methods to protect apps once they are deployed. This is becoming increasingly more important as hackers increasingly target applications with their attacks.
Finally, the authority for application security could be spread across many categories of teams within your IT department: the network personnel could be capable of managing the web app firewalls and other network-centric tools, the desktop personnel could also be capable of determining endpoint-oriented tests, and several development groups could have other problems. This makes it difficult to determine one tool that will be suitable for everyone’s needs, and that is why the market has become so fragmented.
https://www.csoonline.com/article/3315700/what-is-application-security-a-process-and-tools-for-securing-software.html
Michael Jordan says
The article that I am choosing to summarize for this week’s in-the-news article is titled “OWASP’s 2021 List Shuffle: A New Battle Plan and Primary Foe”.
The article focuses on OWASP’s (Open Web Application Security Project) list of the top ten most common vulnerabilities that hackers exploit.
For a long time, the most common method of information security attack was using code injection vulnerabilities. Code injection techniques are very versatile and are responsible for a wide range of different attacks, from SQL injections to direct attacks against servers using OS injection techniques.
As of this year, the type of attack that has taken the place of code injections as the most common attack method is broken access control. Broken access control attacks “include any instance where access control policies can be violated so that users can act outside of their intended permissions.”
These types of attacks are also very versatile and can be used in a wide variety of ways. Broken access control vulnerabilities can enable attackers to modify URLs, change primary access keys of users so that a host believes they are someone else with higher privileges, change web and access control tokens, and much more.
A main trouble with preventing broken access control vulnerabilities is that few engineers are given training and skills development that go beyond the basics, and fixing localized, code-level bugs that are usually developer-introduced in the first place.
Madou, M. (2021, October 20). OWASP’s 2021 List Shuffle: A New Battle Plan and Primary Foe. The Hacker News. Retrieved from https://thehackernews.com/2021/10/owasps-2021-list-shuffle-new-battle.html.
Victoria Zak says
“Robinhood Trading App Suffers Data Breach Exposing 7 Million Users’ Information”
On November 3, a security breach affected 7 million customers through the Robinhood trading app. The third party is believed to have socially engineered a customer representative to gain access to internal support systems, using it to obtain the email addresses of 5 million users, full names for a different group of about 2 million people, and additional information such as names, dates of birth, and zip codes for a limited set of 310 more users.
Once the malicious breachers were in, Robinhood stated, the infiltrator demanded an extortion payment in exchange for the stolen data, prompting the firm to involve law enforcement.
Reference:
https://thehackernews.com/2021/11/robinhood-trading-app-suffers-data.html
Michael Duffy says
I know we’re well past this lesson from the beginning of the class. But this is an issue that I see getting a lot worse recently, especially since the cybersecurity industry pre-COVID was already struggling to find workers. This article highlights some industry problems that I have seen personally, citing that cybersecurity professionals are burnt out from heavy workloads due to shortages. 39% of organizations are struggling to fill cloud-security roles, 30% are finding it difficult to fill vacancies, and 29% state that HR doesn’t understand the skills required for cybersecurity.
I actually want to emphasize the last part; because the particular subset of cybersecurity I work in is Risk Management Framework (RMF) and a common theme I’ve seen is that a lot of people misunderstand how to assess risk. It’s also something that Vacca highlights within our first few readings that business very often does not pay attention to cyber which can be a grave mistake.
The bad news is that the industry is struggling. However, on a lighter note – and something that this article highlights – that there needs to be more cybersecurity awareness across the board. I would argue that means in the future demand would increase for cybersecurity therefore raising salaries.
https://www.zdnet.com/article/the-cybersecurity-jobs-crisis-is-getting-worse-and-companies-are-making-basic-mistakes-with-hiring/
Ornella Rhyne says
I found this article very interesting as it’s related to a platform most people have used since the start of Covid: TikTok.
It talks about scammers attempting to attack businesses and people associated with large Tiktok accounts based around the world. They were targeted as part of a recent phishing campaign.
Emails warned that targeted accounts were either in danger of being deleted for copyright violations or eligible for a verification badge. If victims replied to a message, attackers directed them to click a link to a WhatsApp chat, where a purported TikTok representative would confirm their accounts.
While it remains unclear if any accounts were breached, the campaign is the latest to demonstrate how TikTok’s popularity makes its most visible users targets for scammers.
https://www.cyberscoop.com/tiktok-scam-verification-fyp/
Antonio Cozza says
This article by The Hacker News details a newly developed tool by Palo Alto Networks and Stony Brook University researchers which automates discovery and analysis of newly uncovered MITM phishing websites, which have targeted a lot of the most popular domains like Google, Apple, PayPal, Twitter, LinkedIn, etc., “which aim to hijack users’ credentials and carry out further attacks.” The tool, PHOCA, has capabilities that we have previously not seen – like a newly designed method to not only uncover previously unknown MITM phishing “toolkits” (a streamlined set of files that help conduct a credential theft campaign) on such sites, but also detect and isolate malicious requests from these servers.
2FA has somewhat slowed traditional phishing websites, not in the sense that they are becoming less common – but that they have now evolved along with security like 2FA as well to combat these defensive mechanisms; such new phishing sites with MITM phishing toolkits are well done mirrored examples of the real services that they are impersonating, making connected users feel safe to enter their credentials. During this process, the MITM phishing toolkit essentially functions as a reverse proxy and forwards the requests back and forth between the user and the actual service while also intercepting and stealing the credentials used – including the 2FA code and the session cookie to re-authenticate with a session hijack.
A one-year examination period of the researchers experimenting with PHOCA led to 1220 new MITM phishing toolkits being discovered, mainly in the US and Europe. PHOCA essentially implements a “machine learning classifier” which analyzes network traffic and compares the RTT (round-trip time) of SYN/ACK packets and HTTP GET requests across the network, and compares these times to those of connecting to the actual services. With an MITM forwarding the requests, the RTT will be significantly higher, according to the researchers.
I think this article is interesting because it drives the point very strongly that despite any advances in cybersecurity, the attackers are always innovating with equally complex tools to attack everything we try to defend, and that the same relatively primitive attack vectors can always be evolved into new stages with more effective attacks.
https://thehackernews.com/2021/11/researchers-demonstrate-new-way-to.html
Dan Xu says
“Researchers Demonstrate New Fingerprinting Attack on Tor Encrypted Traffic”
A new analysis of Web site fingerprinting (WF) attacks against the Tor Web browser shows that it is possible for attackers to collect websites that are frequently visited by victims, but only if the threat actor is interested in a specific subset of websites that users visit.
The Tor browser routes Internet traffic through an overlay network, providing its users with “unlinkable communications” designed to anonymize the original location and usage of third parties conducting network surveillance or traffic analysis. The researchers concluded that “untargeted attackers aiming to comprehensively monitor users’ Web site access will fail, but focused attackers targeting specific client configurations and Web sites may succeed.”
https://thehackernews.com/2021/11/researchers-demonstrate-new.html
zijian ou says
“Data access strategy helps hotels on- and offboard employees.”
Previously, Village Hotels IT staff had to manually update user access rights and transfer data between current and former employees each time an employee joined or left the organization. The hotel group implemented CloudM’s Software-as-a-Service (SaaS) solution to automate this process, including initial migration to incoming and outgoing employees, data management, and license archiving.
https://www.securitymagazine.com/articles/96535-data-access-strategy-helps-hotels-on-and-offboard-employees
Madalyn Stiverson says
https://www.csoonline.com/article/3640576/6-key-points-of-the-new-cisansa-5g-cloud-security-guidance.html
This article goes into some security concerns for 5G. 5G is starting to get more widespread adoption from consumers as more and more phones are released with 5G capabilities. One of the ways 5G has improved its speed when compared to 4G is by capitalizing on cloud technology. Lateral movement within the cloud is a concern. Multiple organizations and people who rely on the cloud could be impacted by widescale attacks. Therefore, NSA and CISA urge companies to implement zero trust environments.
This article lists some additional key controls that will make 5G and the cloud more secure:
* Implement IdM and IAM solutions
* Keep 5G software updated. You should have a policy for how soon to test and release patches based on criticality.
* Ensure a secure network configuration with segmentation
* Monitor and detect lateral movement
Vraj Patel says
The researchers have found a high-impact vulnerability within the Palo Alto GlobalProtect Firewall/VPN. The CVE for this vulnerability is CVE-2021-3064. It has a CVSS score of 9.8. It has been rated as highly critical as the attackers could execute code remotely. This vulnerability has affected PAN-OS version 8.1. Systems that are running versions 9.0 and later are secure against this vulnerability. The researchers have also stated that this vulnerability would allow attackers to get access to the firewall remotely and would give them full visibility of the internal network. They have also stated that there were 70,000 firewalls/VPNs that were vulnerable at that time.
Reference:
https://portswigger.net/daily-swig/palo-alto-globalprotect-users-urged-to-patch-against-critical-vulnerability
Wilmer Monsalve says
This article goes over how researchers found a new way to detect man-in-the-middle phishing attacks. Researchers from Stony Brook University and Palo Alto Networks used a new fingerprinting technique that identifies MitM phishing kits by utilizing network-level properties and automating the discovery and analysis of phishing websites. Since the rise of two-factor authentication, phishing websites that mirror real ones have also implemented dual authentication, working as a reverse proxy server between the user and the target web servers. The method used is transport layer security fingerprints and network timing to classify the MitM toolkits on the reverse proxy servers. Since two distinct HTTPS sessions are maintained during communication between the target web server and the user, the ratio of various packets will be much higher in comparison to the user connecting to the original web server directly. A year-long study has uncovered 1,220 sites operated as MitM phishing websites; these sites are put on a phishing blocklist.
https://thehackernews.com/2021/11/researchers-demonstrate-new-way-to.html
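As an added example (not the researchers' PHOCA code), the following Python snippet illustrates the timing idea behind the two PHOCA posts above (Antonio Cozza's and Wilmer Monsalve's): the TCP handshake completes at whichever host the client reaches, but when that host is a reverse-proxy phishing kit each HTTP request must also travel on to the real service and back, so the HTTP round trip grows relative to the handshake round trip. The fixed ratio threshold is a simplification of the paper's machine-learning classifier, and every timing value is constructed, not measured.

```python
"""Timing-based detection of reverse-proxy (MITM) phishing kits.

Added example, not the PHOCA tool. Core idea from the two posts above: for a
direct connection the SYN/ACK round trip and the HTTP GET round trip are both
to the same host, so their ratio stays near 1. Behind a reverse-proxy phishing
kit the handshake completes at the nearby proxy while every HTTP request also
crosses proxy -> real service -> proxy, so the HTTP RTT grows relative to the
handshake RTT. PHOCA uses an ML classifier over several such features; the
fixed threshold here is a simplification. All timings are constructed.
"""
from dataclasses import dataclass
from statistics import median
from typing import List, Optional


@dataclass(frozen=True)
class Probe:
    """One measurement pair against a single host, in milliseconds."""
    tcp_rtt_ms: float   # SYN sent -> SYN/ACK received
    http_rtt_ms: float  # HTTP GET sent -> first byte of response


def rtt_ratio(probes: List[Probe]) -> float:
    """Median of per-probe HTTP/TCP ratios; the median shrugs off a single jittery sample."""
    if not probes:
        raise ValueError("need at least one probe")
    return median(p.http_rtt_ms / p.tcp_rtt_ms for p in probes)


RATIO_THRESHOLD = 3.0       # constructed absolute cut-off on the HTTP/TCP ratio
BASELINE_FACTOR = 2.5       # constructed cut-off relative to the genuine service


def classify(probes: List[Probe], baseline: Optional[List[Probe]] = None) -> str:
    """Label a host 'direct' or 'suspected-mitm-proxy'.

    With a baseline (probes against the genuine service, as the posts describe),
    the suspect ratio is judged relative to the baseline ratio; otherwise the
    absolute threshold is used.
    """
    ratio = rtt_ratio(probes)
    if baseline is not None:
        suspicious = ratio >= BASELINE_FACTOR * rtt_ratio(baseline)
    else:
        suspicious = ratio >= RATIO_THRESHOLD
    return "suspected-mitm-proxy" if suspicious else "direct"


# Constructed samples. DIRECT: client talks to the real service (~40 ms away).
# PROXIED: client talks to a nearby kit (~12 ms) that relays each request to
# the real service, so HTTP RTT carries an extra round trip.
DIRECT_PROBES = [Probe(40, 46), Probe(41, 48), Probe(39, 45), Probe(44, 50)]
PROXIED_PROBES = [Probe(12, 95), Probe(11, 98), Probe(13, 92), Probe(12, 101)]

if __name__ == "__main__":
    for label, probes in (("genuine", DIRECT_PROBES), ("suspect", PROXIED_PROBES)):
        print(f"{label}: ratio={rtt_ratio(probes):.2f} -> {classify(probes, DIRECT_PROBES)}")
```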