Inside Security | Inside

[ Inside Security ]

David Strom's in-depth cybersecurity news and analysis

If you aren't yet a Premium subscriber, you missed yesterday's analysis on the joint US/UK warnings about Russian state actors compromising network routers and switches. Go to our Premium page and sign up, subscription plans start at $10/month with multiple newsletters and corporate plans available. Premium subscribers get an additional Thursday newsletter, usually with a single analysis topic.

The RSA Conference was crowded and the venue under massive construction as the conference took over several blocks of downtown San Francisco this past week. I am still sifting through the announcements and presentations today but offer instead my most interesting news stories for the week that cover numerous vulnerabilities, trends and tools.

-- David Strom, editor of Inside Security.

If you think that spear phishing can’t happen to you, follow this email thread that supposedly came from a company’s CEO directing their finance person to transfer funds to a criminal’s bank account. While the names have been redacted, the story appears to be a true one, and I can corroborate it with other similar stories from people I have known who either were fooled into moving their company’s money or witnessed a similar scheme happen.

To better prepare your staff for these and other kinds of phishing attacks, you might want to review this blog post from PagerDuty. They run two kinds of security awareness training seminars: one for all employees, covering social engineering, password management, and data handling; and another for engineering teams, covering common vulnerabilities and how to exploit and mitigate them. They base both sessions on four precepts:

- Teach the why, not just the what.
- Don’t shy away from technical details.
- Make it accessible for any skill level.
- It’s OK to be funny.

You can download both slide decks and explanations here.

Google App Engine is discontinuing a practice called domain fronting, which let services use Google’s network to get around state-level internet blocks. Until recently, domain fronting worked because of a quirk of Google’s software stack: a client could open a TLS connection that named an innocuous Google host in the ClientHello (the part a censor can see), then put a different App Engine hostname in the encrypted HTTP Host header, and Google’s front end would route on the inner name. (See Wikipedia for a more complete explanation.) That quirk has been corrected. In effect, domain fronting let developers use Google as a proxy, forwarding traffic to their own servers behind a domain that censors were unwilling to block wholesale. It was particularly important for evading state-level censorship, so losing it will be a problem for some website operators and circumvention tools in certain countries. – THE VERGE
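To make the mechanism concrete, here is an added example (not code from Google or The Verge) of how a TLS-terminating proxy or a network defender would spot a fronted request from the two names a single HTTPS request carries: the server name in the TLS ClientHello and the Host header inside the encrypted stream. The records and the relay hostname are constructed for the demonstration, and the registrable-domain helper uses a simple two-label rule, which is an assumption that is fine for .com names but would need the public suffix list in a real deployment.

```python
"""Spotting domain fronting from the outer (SNI) and inner (Host) names of one
HTTPS request.  A front end that routes on Host rather than SNI lets the two
names differ, which is exactly what the Google App Engine quirk allowed.

Added example for this newsletter; not code from Google or The Verge.  All
records below are constructed, and registrable_domain() assumes a two-label
suffix rule rather than the public suffix list."""
from dataclasses import dataclass


@dataclass
class HttpsRequest:
    sni: str    # server name in the TLS ClientHello (visible on the wire)
    host: str   # Host header of the HTTP request inside the TLS tunnel


def registrable_domain(name: str) -> str:
    """Assumption: the last two labels are the owner-controlled domain."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(req: HttpsRequest) -> str:
    sni = req.sni.lower().rstrip(".")
    host = req.host.lower().rstrip(".")
    if sni == host:
        return "match"
    if registrable_domain(sni) == registrable_domain(host):
        # e.g. www.google.com outside, mail.google.com inside: same owner
        return "same-domain"
    # Outer and inner names belong to different owners: the fronting pattern.
    return "fronted"


def fronted_requests(reqs):
    return [r for r in reqs if classify(r) == "fronted"]


# Constructed sample: the third and fourth records show the App Engine pattern,
# an innocuous Google name on the outside and an appspot.com app on the inside.
SAMPLE = [
    HttpsRequest("www.google.com", "www.google.com"),
    HttpsRequest("www.google.com", "mail.google.com"),
    HttpsRequest("www.google.com", "relay-example.appspot.com"),
    HttpsRequest("ajax.googleapis.com", "relay-example.appspot.com"),
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(f"{r.sni:22} -> {r.host:28} {classify(r)}")
```

Two caveats a practitioner would want: an on-path censor only sees the SNI, so this check can only be run where TLS is terminated or inspected; and a mismatch is a triage signal rather than proof, because shared CDNs and some legitimate multi-tenant setups also produce differing names.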


Many thanks to Inside Security's corporate supporters.  Please go check them out!


Endgame's endpoint security platform protects the world’s largest organizations from targeted attacks, eliminating the time & cost associated with incident response. Learn more


Nok Nok Labs has the ambition to transform authentication, by unifying it into one standard protocol, giving business the control they need. Learn more


Earlier this week, for the first time, cybersecurity agencies from the US and UK issued a joint warning about Russian state-sponsored hackers targeting network infrastructure. The warning concerns a series of observed campaigns against compromised network routers, switches and other infrastructure equipment, and it comes from US-CERT and the UK National Cyber Security Centre.

The attackers go after devices that run outdated or unencrypted protocols, expose unauthenticated services, are misconfigured, or no longer receive security patches from their manufacturers. The agencies have been tracking these attacks for several years on both sides of the Atlantic and have been coordinating their responses. This week’s warning contains a lot of specific information about how the attacks have happened, what types of devices are vulnerable (SOHO routers as well as enterprise-grade ones), and how businesses can better protect themselves against future attacks.

The purpose behind the intrusions, according to the documents released by both governments, is to position the attackers for man-in-the-middle attacks in support of espionage, to extract intellectual property, to maintain persistent access to victim networks, and potentially to lay a foundation for future offensive operations.

Aside from legacy services such as FTP and Telnet, the attackers also use an exploitation tool called SIET (Smart Install Exploitation Tool) that was posted online in November 2016. Smart Install is a plug-and-play provisioning feature on Cisco switches, and the tool makes it easy to abuse switches whose Smart Install client is left enabled and reachable. Cisco Talos recently warned that threat actors have started abusing this protocol and has issued guidance on its use and prevention.

US-CERT has posted a series of mitigations and recommendations for business owners, including the following:

- Ensure that all firmware updates have been applied successfully to routers and switches. Pay particular attention to the sources of these updates and verify that they come from trusted sites.
- Disable the Cisco Smart Install interface with the “no vstack” command before placing the device into operation.
- Block TFTP from leaving the organization destined for Internet-based hosts; in practice, prohibit outbound traffic to external devices over UDP port 69.
- Prohibit remote devices from crossing a network boundary over TCP port 4786, the Smart Install port.
- Inspect for GRE traffic (IP protocol 47, not a TCP or UDP port) flowing to or from unexpected addresses, and for unexplained Generic Routing Encapsulation (GRE) tunnel creation, modification, or destruction in log files.
- Check with your ISP to see if they are using Cisco equipment to connect to your network and ensure that they have put these practices into effect.
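The last two items are detection work rather than configuration, so here is an added example (not code from US-CERT, NCSC or Cisco) of an offline triage pass over switch telemetry for the indicators in the list: Smart Install (tcp/4786) reached from outside the network, TFTP (udp/69) leaving the network, GRE (IP protocol 47) between peers you did not configure, and tunnel interfaces appearing in syslog. The internal address ranges, the expected GRE peers, and every flow record and log line below are constructed for the demonstration; the two syslog message formats are genuine Cisco IOS formats.

```python
"""Triage of switch/router telemetry for the Smart Install, TFTP and GRE
indicators in the US/UK alert.  Added example for this newsletter; not code
from the alert or from Cisco.  INTERNAL_NETS, KNOWN_GRE_PEERS and all sample
data are constructed for the demo."""
import ipaddress
import re
from dataclasses import dataclass

# Assumption: the organisation's internal address space.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
# Assumption: the only GRE endpoints the organisation has configured.
KNOWN_GRE_PEERS = {"10.0.0.1", "10.0.0.2"}

PROTO_TCP, PROTO_UDP, PROTO_GRE = 6, 17, 47   # GRE is an IP protocol, not a port
SMI_PORT, TFTP_PORT = 4786, 69


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


@dataclass
class Flow:
    src: str
    dst: str
    proto: int
    dport: int   # 0 for protocols without ports (GRE)


def parse_flow(line: str) -> Flow:
    """Parse one constructed 'src,dst,proto,dport' record."""
    src, dst, proto, dport = line.strip().split(",")
    return Flow(src, dst, int(proto), int(dport))


def check_flow(f: Flow) -> list:
    findings = []
    if f.proto == PROTO_TCP and f.dport == SMI_PORT and not is_internal(f.src):
        findings.append(f"Smart Install tcp/{SMI_PORT} on {f.dst} reached from external {f.src}")
    if f.proto == PROTO_UDP and f.dport == TFTP_PORT and not is_internal(f.dst):
        findings.append(f"outbound TFTP udp/{TFTP_PORT} from {f.src} to external {f.dst}")
    if f.proto == PROTO_GRE and not (f.src in KNOWN_GRE_PEERS and f.dst in KNOWN_GRE_PEERS):
        findings.append(f"GRE (IP proto 47) between unexpected peers {f.src} -> {f.dst}")
    return findings


# Genuine IOS syslog formats: tunnel interface state change, and a config change
# that records the user, the line and the source address of the session.
TUNNEL_RE = re.compile(r"%LINK-3-UPDOWN: Interface (Tunnel\d+), changed state to (up|down)")
CONFIG_RE = re.compile(r"%SYS-5-CONFIG_I: Configured from \S+ by (\S+) on (\S+) \(([\d.]+)\)")


def check_syslog(line: str) -> list:
    m = TUNNEL_RE.search(line)
    if m:
        return [f"tunnel interface {m.group(1)} changed state to {m.group(2)}"]
    m = CONFIG_RE.search(line)
    if m and not is_internal(m.group(3)):
        return [f"configuration changed by {m.group(1)} on {m.group(2)} from external {m.group(3)}"]
    return []


def triage(flow_lines, syslog_lines) -> list:
    findings = []
    for line in flow_lines:
        findings.extend(check_flow(parse_flow(line)))
    for line in syslog_lines:
        findings.extend(check_syslog(line))
    return findings


# Constructed sample data; RFC 5737 documentation addresses play the outsiders.
SAMPLE_FLOWS = [
    "10.0.1.5,10.0.0.1,6,4786",        # internal host to Smart Install: expected
    "198.51.100.7,10.0.0.1,6,4786",    # external host to Smart Install: finding
    "10.0.0.1,203.0.113.9,17,69",      # switch pulls a file via TFTP from outside: finding
    "10.0.0.1,10.0.0.2,47,0",          # GRE between the two known peers: expected
    "10.0.0.1,203.0.113.9,47,0",       # GRE to an unknown outside peer: finding
]
SAMPLE_SYSLOG = [
    "*Apr 16 03:12:44: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.5.20)",
    "*Apr 16 03:13:01: %SYS-5-CONFIG_I: Configured from console by admin on vty1 (203.0.113.9)",
    "*Apr 16 03:13:07: %LINK-3-UPDOWN: Interface Tunnel0, changed state to up",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_FLOWS, SAMPLE_SYSLOG):
        print("ALERT:", finding)
```

The GRE check is deliberately an allow-list: the alert's concern is tunnels the operator did not create, so any protocol-47 flow whose endpoints are not both known peers is raised, and the Tunnel interface up/down messages are raised unconditionally because a legitimately configured tunnel rarely changes state unannounced. On a real network, feed this from NetFlow/IPFIX exports and a syslog collector rather than the constructed lists.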

The US agencies involved in tracking this activity encourage anyone who identifies the use of the tools or techniques discussed in the alert to report the information to NCCIC or law enforcement immediately.

A little-known data firm called Localblox was able to build 48 million personal profiles without the users' knowledge or consent. They combined data from sites and social networks including Facebook, LinkedIn, Twitter, and Zillow. Chris Vickery of UpGuard found the data in an unprotected Amazon S3 storage bucket, and his analysis suggests this information was scraped from Facebook web pages rather than gathered through its API. Company officials confirmed the leak, and the bucket was secured quickly afterward. – UPGUARD BLOG

It took Brian Krebs a couple of hours to find more than a hundred Facebook groups whose singular focus was promoting all manner of cyber fraud. He focused mainly on groups engaged in identity theft, spamming, account takeovers and credit card fraud. When he brought the results of this research to Facebook HQ, they took quick action and deleted them. Many of these groups had been around for several years. Facebook pledged to be more proactive about policing its network for these types of groups. --  KREBS ON SECURITY

On Monday, TaskRabbit notified users about a cybersecurity incident and advised them to change their passwords. The crowdsourced chore company also took its app and service completely offline for two days before service was eventually restored. Their CEO apologized for the incident, saying an unauthorized user had gained access to their systems, and promised to beef up the company’s cybersecurity practices. The company is owned by Ikea.

SquirtDanger is a commodity botnet malware family with multiple layers of embedded code, authored by a hacker who goes by the name The Bottle. Once run on a system, it persists via a scheduled task that is set to run every minute. SquirtDanger uses raw TCP connections to communicate with its command-and-control servers. It can take screenshots, delete malware, clear browser cookies, and list processes, among other tasks. Researchers found 1,277 unique SquirtDanger samples used across multiple campaigns, running on more than 100 servers, mostly in Russia. – PALO ALTO RESEARCH BLOG

Researchers have found that the ARS VBS Loader not only downloads and executes malicious code but also comes with a command-and-control application, written in PHP, that lets an attacker issue commands to a victim’s machine. This means the malware behaves more like a remote access Trojan than a simple downloader. The post details how it operates. – FLASHPOINT BLOG

This week saw the passing of Carl Kasell, one of the longer-running announcers for NPR and noted for being involved with the game show “Wait, Wait, Don’t Tell Me.” Contestants would compete for Kasell to record pithy answering machine messages. We’ll miss him. He was 84.  -- NPR

Three years ago, only 15 percent of websites worldwide served a valid SSL/TLS certificate. Times have certainly changed: as of April 2018 that figure has jumped to 50 percent. This post in The New Stack has more stats about which CAs are being used to protect websites these days. Certainly, free certificates and the changes to Google’s ranking algorithms have motivated a lot of website operators to move to HTTPS.

-- David Strom, editor of Inside Security

This interview with David Damato, the CSO of Tanium, in ITSecurity Guru has some interesting insights into the job of a CSO at a security vendor. CSOs need to be able to answer quickly questions about which patches are missing and how long it takes to apply them, according to Damato. Enterprises should focus less on “who did it” and more on “how they did it,” he said. The biggest threats are still misconfigured or unmanaged systems, which is why we all need to improve our response time to attacks. There is a lot of additional wisdom in this interview. -- ITSECURITY GURU

A new survey has found that most high-profile security breaches result from routine security lapses, such as failing to apply security patches, rather than from increasingly sophisticated attacks. The report shows that AV, firewalls and other countermeasures are trivially easy to bypass, and that the penetration testers surveyed can typically get past these defenses within 15 hours, usually without being detected. – NUIX REPORT (reg. req.)

According to an audit of more than 1,000 serverless apps by Israeli security firm PureSec, a fifth of them have critical security flaws. Most of these vulnerabilities were caused by copying and pasting insecure sample code into real-world projects, poor development practices, and a lack of serverless-specific security education. The vendor has published a paper describing common errors to avoid. – NETWORK WORLD

A common webcam has built-in vulnerabilities, according to security researchers. The Axis M3044-V camera can be easily hacked and used to distribute malware across your network. Because Axis cameras support installation of third-party apps, all it takes is a set of compromised credentials to load a malicious app onto the device.

Here is an article about the challenges of cyber insurance policies. No two breaches are exactly alike, and predicting the future based on past performance is tough for underwriters. -- WIRED

Security researchers have been warning about an ongoing malware campaign called Roaming Mantis. It hijacks the DNS settings on Internet routers and distributes Android banking malware that steals users' sensitive information, login credentials and the secret code for two-factor authentication. It has been seen on more than 6,000 endpoints, mostly in Asia. -- SECURELIST

A group of researchers from Princeton University has built a real-time IoT monitoring station that detects compromised devices taking part in DDoS botnets. The station is constructed from a Raspberry Pi and spare parts; it captures packets that are then used to evaluate several machine learning algorithms for detecting the botnet activity. – ACADEMIC PRE-PRINT

From the Pi to the Arduino. An internal hackathon at Flashpoint’s offices got the participants interested in hacking an Internet-connected appliance.  Here is their tale. – FLASHPOINT BLOG

Here is the latest compilation of most wanted malware from Check Point. XMRig, a cryptominer, is on the rise, and other cryptominers have made their top ten list too. Curiously, the Conficker worm, which has been around for ten years, is also becoming more popular. – CHECK POINT BLOG
