Inside Security | Inside

David Strom's in-depth cybersecurity news and analysis

I have been fortunate to visit Japan a few times, and noticed how punctual their transit is. Well, now you know too, with one agency actually apologizing for running a train seconds too early. But let's get serious about the rest of the news for the week. The big news was the discovery of the VPNFilter malware and how it has infected thousands of low-end routers. I have found some great posts for you, including stories about how phishing is everywhere it seems. And a couple of posts that go into detail about the new TLS specs. Enjoy your Memorial Day weekend if you are celebrating. We will be too: see you back in your inbox on Tuesday.

-- David Strom, editor of Inside Security

Hackers have infected at least 500,000 routers and storage devices in more than 50 different countries in a campaign that Ukraine said was preparation for a future Russian cyber-attack. Affected devices are from Linksys, MikroTik, Netgear Inc, TP-Link and QNAP. The attack is being called VPNFilter, and is quite versatile because it can steal website credentials and monitor industrial controls or SCADA systems. The VPNFilter malware is different from another attack on Linksys routers discovered by Kaspersky. The malware communicates over Tor and even contains a deliberate kill switch for routers and leaves code behind that survives reboots. The FBI was quickly on the scene, attributing it to the Fancy Bear Russian state-sponsored hacking group. The Department of Justice announced it has taken down a domain related to the command servers of the botnet. Talos researchers document its various stages as shown here. – CISCO TALOS BLOG

A good summary of what developers should look for in cloud security is posted here. To that point, this brings up the age-old issue over who should take the lead on security matters: developers or the IT security team. That is explored in another post. But making both parties part of the process benefits everyone and prevents security-after-the-fact. It also helps to make security less of a burden. -- TECHBEACON

Many thanks to Inside Security's corporate supporters. Please go check them out!

Endgame's endpoint security platform protects the world's largest organizations from targeted attacks, eliminating the time and cost associated with incident response.

Nok Nok Labs has the ambition to transform authentication, by unifying it into one standard protocol, giving business the control they need.


Senator Ron Wyden has sent a letter to Dana Deasy (shown here), the CIO of the Department of Defense. Earlier this week, Wyden asked him to adopt best practices to secure the department's public web properties. Few of these sites use HTTPS and many have feeble authentication processes. "The DoD cannot continue these insecure practices," Wyden said, noting that failing to heed these warnings "will erode the public's trust in the department and its ability to defend against sophisticated cyber threats." One of the websites cited was that of Deasy's own office. As Wyden reminded him, per Office of Management and Budget guidelines, all public websites should be using HTTPS and deploying trusted digital certificates by now. Wyden asked for an action plan by the end of July. Other industries have been adopting HTTPS at a rapid clip, thanks to actions of Google, Let's Encrypt and other major vendors in this area. It is unfortunate that the feds, and especially our defense agencies, can't lead by example here.

Elsewhere on Capitol Hill, other senators were hearing testimony from a group that first appeared before Congress in 1998: the members of the L0pht Heavy Industries hacking collective (shown here). Here is the link to a recorded stream of this testimony. (Video quality is wanting but the audio is solid.)

In this week's outing, they traded jokes about how little hair they now had. But there was a serious undertone to the reunion. A poorly recorded stream can be found here. The members were given nameplates with their nom de hacking both then and now, not just to be cute but because they were afraid of lawsuits. Back in 1998, they warned that computer networks were embarrassingly insecure and bragged that any one of them could take the entire Internet down in a few minutes, thanks to weaknesses in the core BGP routing protocols. In this week's testimony, four of the group returned to say that while technology has improved, some things haven't changed. The same BGP flaws were used in the MEWkit attack earlier this month. Joe Grand (Kingpin) said, "Nearly all of what we said 20 years ago still holds true. Yes, there have been improvements, but the general class of problems are the same."

Since their first trip to the Hill, they have mostly remained in cybersecurity. Some have founded security vendors or VARs, others conduct research for the government, and some have gone very corporate. Cris Thomas (Space Rogue), for example, now works for IBM's X-Force.

They testified that state-sponsored hackers and international criminal organizations, once just a hypothetical menace, have emerged as a top digital threat to governments and companies around the world. Thomas said this week that “we have better visibility into our network endpoints, if we choose to gather it, and can make educated decisions about where to apply our limited resources (10:00)… Strong encryption is more prevalent, but we aren’t applying the knowledge of how to make something secure evenly.” (12:00) (I have provided time codes keyed to the video stream, in case you are interested in tracking on your own.)

Chris Wysopal (Weld Pond) is now the CTO of CA/Veracode. He said, "There are so many more threat actors now. We have gone from teenagers to nation states doing the hacking."

Peiter Zatko (Mudge) said that “while it feels better to buy the more complex security solution, it might have a larger attack surface and be more vulnerable.” (1:03:00)

If you have time to review either or both recorded streams, you can see how little we have accomplished in the 20 years, and how many of the L0pht warnings haven’t been acted on.

Phishing attacks result in 95 percent of data breaches. And while simulations are useful, they shouldn't replace full-on user training. That is the focus of this post, which explores what simulations do and don't accomplish. A related new report on the state of enterprise remote access uses telemetry from the vendor's own sensors to dive deep into the phishing process, as you can see from the summary graphic below. The sad fact is that 15 percent of users had outdated browsers, including almost everyone running the mobile Firefox browser. – DUO BLOG

This week's data leak from an AWS S3 bucket was the LA County 211 service, a referral agency for social services. It includes detailed call notes with personal information of the callers and more than 30,000 Social Security numbers. Ironically, it took researchers ten days of regular phone calls to reach the right person within the agency before the bucket was secured. -- UPGUARD

The Turla hacking group has created a new exploit called Mosquito that leverages the Metasploit framework as a first-stage backdoor attack. It is distributed via a fake Flash installer and targets embassies in Eastern Europe. – WE LIVE SECURITY (ESET)

Here are the top mistakes that analysts make when trying to hide their identity online. Why is this important? Because you might need to do forensics on your attackers or do more sensitive competitive research. Forgetting to use identity masking tools, failing to separate your online accounts or using the wrong account, and exposing your location are just some of the more common errors. -- SECURITY WEEK

Intel acknowledged that its processors are vulnerable to another dangerous speculative execution side channel flaw that could give attackers unauthorized read access to memory. The new vulnerability, disclosed by Google Project Zero and Microsoft’s Security Response Center, is called Variant 4. Intel issued this bulletin; Microsoft recommends developers review its advisory here. This post summarizes what we know about the flaw and what else you can do to mitigate it. -- THREATPOST

Last month the IETF approved v1.3 of the TLS specification to move to the standards track. The actual draft specification is here, and a technical review of it is here. If you want something more general (suitable for management, perhaps) you should review this post. It tells you what you need to do to move to the new standard and what has changed. There are benefits to faster webpage loading times, better security posture, and more extensive encryption across your network. – GIGAMON BLOG

A dissection of a new industrial control malware group called Xenotime can be found here. It has been active since 2014. It was responsible for the Triton attack on Schneider's Triconex ICS last December, and it uses credential capture and replay to move between networks, along with Windows commands, standard command-line tools such as PsExec, and proprietary tools for operations on victim hosts. Many believe the attack is state-sponsored by Iran. -- DRAGOS

Getting too many GDPR privacy update notices in your email box? While you delete them, you might want to play this song (with delightful irony, especially if you watch the video until the end) and read this tweet. Call me, maybe? -- JOHN EGAN @ TWITTER

How does a customer support scammer operate? Here is a tale from Malwarebytes. The author, who works for the company, called a scammer and recorded the steps he was taken through to "diagnose" his perfectly healthy PC. During the call, the scammer never checked his system with any actual diagnostic tools and was just doing his best to scare the author into purchasing malware or a phony support plan. It is a sobering account. Lots more today, including some nifty open source tools for pen testers.

-- David Strom, editor of Inside Security

If you want a convenient list of tips to secure your web apps and servers, this is a nice one. There are suggestions for securing databases (such as encrypting data at rest), for improving authentication (use password rules and MFA), for DDoS protection (enforce limits on size and structure of user-submitted data requests), and numerous others, including creating a security incident plan. Well worth reviewing, even for experienced hands. – MICHAEL O’BRIEN @ MEDIUM
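The DDoS-protection tip above, enforcing limits on the size and structure of user-submitted data, is the kind of thing that is easy to state and easy to get wrong in practice. The following is an added example (not code from the Medium post) showing one way to do it for a JSON API endpoint: the byte-size check runs before the parser is invoked, then nesting depth, fan-out and string length are bounded, and finally the fields are checked against an allow-list. The limits and the `ALLOWED_FIELDS` table are hypothetical values for a small account-update endpoint.

```python
"""Added example (not from the Medium post): enforce size and structure
limits on user-submitted JSON before it reaches application logic."""
import json
from typing import Any, Optional

# Hypothetical limits for a small account-update endpoint.
MAX_BODY_BYTES = 4096   # reject oversized bodies before parsing them
MAX_DEPTH = 4           # nesting depth of objects/arrays
MAX_ITEMS = 50          # keys per object / elements per array
MAX_STRING_LEN = 256    # characters per string value or key
ALLOWED_FIELDS = {"username": str, "email": str, "tags": list}


class RequestRejected(ValueError):
    """Raised with a short, log-safe reason when a request violates a limit."""


def check_structure(value: Any, depth: int = 0) -> None:
    """Walk the parsed value and enforce depth, fan-out and string-length limits."""
    if depth > MAX_DEPTH:
        raise RequestRejected(f"nesting deeper than {MAX_DEPTH}")
    if isinstance(value, dict):
        if len(value) > MAX_ITEMS:
            raise RequestRejected(f"object with more than {MAX_ITEMS} keys")
        for key, item in value.items():
            if len(key) > MAX_STRING_LEN:
                raise RequestRejected(f"key longer than {MAX_STRING_LEN} characters")
            check_structure(item, depth + 1)
    elif isinstance(value, list):
        if len(value) > MAX_ITEMS:
            raise RequestRejected(f"array with more than {MAX_ITEMS} elements")
        for item in value:
            check_structure(item, depth + 1)
    elif isinstance(value, str) and len(value) > MAX_STRING_LEN:
        raise RequestRejected(f"string longer than {MAX_STRING_LEN} characters")


def validate_request(raw: bytes) -> dict:
    """Return the validated body as a dict, or raise RequestRejected."""
    # Size check first: it is O(1) and bounds the work json.loads can do.
    # Every nesting level costs at least one byte, so this also caps the
    # recursion depth a hostile body can force on the parser.
    if len(raw) > MAX_BODY_BYTES:
        raise RequestRejected(f"body of {len(raw)} bytes exceeds {MAX_BODY_BYTES}")
    try:
        body = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError, RecursionError):
        raise RequestRejected("body is not well-formed UTF-8 JSON") from None
    if not isinstance(body, dict):
        raise RequestRejected("top-level value must be an object")
    check_structure(body)
    # Allow-list the fields: unknown keys and wrong types are rejected rather
    # than silently ignored, so a client cannot smuggle extra parameters.
    for key, item in body.items():
        expected = ALLOWED_FIELDS.get(key)
        if expected is None:
            raise RequestRejected(f"unexpected field {key!r}")
        if not isinstance(item, expected):
            raise RequestRejected(f"field {key!r} must be {expected.__name__}")
    return body


def rejection_reason(raw: bytes) -> Optional[str]:
    """The rejection reason for a body, or None if it would be accepted."""
    try:
        validate_request(raw)
    except RequestRejected as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    good = b'{"username": "alice", "email": "alice@example.com", "tags": ["ops"]}'
    print(validate_request(good))
    print(rejection_reason(b"[" * 5000))                              # too large
    print(rejection_reason(b'{"a": {"b": {"c": {"d": {"e": 1}}}}}'))  # too deep
    print(rejection_reason(b'{"username": "bob", "role": "admin"}'))  # not allow-listed
```

The rejection reasons are deliberately short and free of user-supplied content, so they can go straight into a log line or a 400 response without becoming a second injection point.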

If you already use Burp Suite, you might be interested in this open source project called SleuthQL that can ferret out potential SQL injection vulnerabilities across your network. It works in conjunction with SQLmap and automates the discovery process. The project is written in Python, and looks for values that match SQL syntax. It can scan a variety of application code, including JSON and XML. – RHINO LABS
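SleuthQL's core idea, looking for parameter values that read like SQL syntax rather than like user data, works just as well from the defender's side when pointed at your own access logs. Below is an added example (not SleuthQL's code) that parses constructed Apache-style log lines, percent-decodes each query parameter and flags values matching a few SQL-shaped patterns; the log lines, the pattern list and the `find_sql_like_params` helper are all assumptions of this example.

```python
"""Added example (not SleuthQL's code): flag request parameters whose values
look like SQL syntax, run over constructed web server access-log lines."""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" style line: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Heuristics for values that read like SQL rather than like user data.
# Order matters: the first matching pattern names the finding.
SQL_PATTERNS = [
    ("UNION SELECT", re.compile(r"\bunion\b[\s/*]+(all\s+)?\bselect\b", re.I)),
    ("tautology", re.compile(r"\b(or|and)\b\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+", re.I)),
    ("SQL statement", re.compile(r"\b(select|insert|update|delete|drop)\b.+\b(from|into|table|set)\b", re.I)),
    # Only a *trailing* comment marker: values like "--help" should not fire.
    ("SQL comment", re.compile(r"(--|#|/\*)\s*$")),
]

# Constructed sample lines (RFC 5737 documentation addresses).
SAMPLE_LOG_LINES = [
    '192.0.2.10 - - [25/May/2018:10:01:02 +0000] "GET /search?q=laptop+bag HTTP/1.1" 200 512',
    '192.0.2.11 - - [25/May/2018:10:01:05 +0000] "GET /item?id=5%20UNION%20SELECT%20username,password%20FROM%20users HTTP/1.1" 200 812',
    '192.0.2.12 - - [25/May/2018:10:01:09 +0000] "GET /login?user=admin%27%20OR%20%271%27%3D%271&pw=x HTTP/1.1" 200 300',
    '192.0.2.13 - - [25/May/2018:10:01:12 +0000] "GET /item?id=1-- HTTP/1.1" 500 0',
    '192.0.2.14 - - [25/May/2018:10:01:15 +0000] "GET /docs?q=--help HTTP/1.1" 200 2048',
]


def scan_value(value: str) -> Optional[str]:
    """Name of the first SQL-shaped pattern the value matches, else None."""
    for name, pattern in SQL_PATTERNS:
        if pattern.search(value):
            return name
    return None


def find_sql_like_params(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per parameter value that matches a pattern."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        parts = urlsplit(m.group("target"))
        # parse_qs percent-decodes and splits repeated parameters into lists.
        params = parse_qs(parts.query, keep_blank_values=True)
        for name, values in params.items():
            for value in values:
                hit = scan_value(value)
                if hit:
                    findings.append({
                        "ip": m.group("ip"),
                        "status": m.group("status"),
                        "path": parts.path,
                        "param": name,
                        "value": value,
                        "pattern": hit,
                    })
    return findings


if __name__ == "__main__":
    for f in find_sql_like_params(SAMPLE_LOG_LINES):
        print(f"{f['ip']} {f['path']} {f['param']}={f['value']!r} -> {f['pattern']} (HTTP {f['status']})")
```

The status code is carried along because a flagged value that coincides with a 500 response is a stronger signal than one answered with a normal 200. JSON or XML request bodies, which the post says SleuthQL also handles, can be fed through the same `scan_value` matcher once their leaf values have been extracted.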

Researchers have been following a new botnet they have dubbed Brain Food. It has a PHP script that has compromised more than 5,000 servers and has gotten more active in the past week. It uses URL shorteners that lure users in and try to get them to purchase diet pills. The polymorphic script also contains several layers of obfuscation. -- PROOFPOINT

Roaming Mantis uses Android malware which is designed to spread via DNS hijacking. It initially targeted mostly Asian smartphones and will install a Trojan banking app. Since its discovery, it has expanded its reach to the rest of the world, including iOS devices, added a Coinhive cryptominer and is available in 27 different languages. – SECURELIST

Greenwich University (UK) has been fined £120,000 by the Information Commissioner's Office after a 2016 incident in which the personal details of nearly 20,000 staff, students and alumni were stolen in a breach. This is the first such fine for a university from this office. If the incident had happened next week (after GDPR goes into effect), it could have been a much higher fine. – INFOSEC MAG

This researcher added some code to his SSH server to capture the passwords tried in brute-force login attempts and compiled the results. He got attempts from all over the world (see map). Yes, "123456" was at the head of the list. But if you want to try this experiment at home, he walks you through the steps involved. -- HACKERNOON
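Once the attempts are captured, the compiling step is where the useful signal comes from: which passwords dominate, how many attempts use known-weak passwords, and which sources cycle through several usernames (a spray) rather than hammering one account. The following is an added example, not the HackerNoon author's code, that summarises a constructed capture file in a hypothetical "timestamp ip username password" line format; the records and the tiny `COMMON_PASSWORDS` stand-in list are invented for the example.

```python
"""Added example (not the HackerNoon author's code): summarise a log of
captured SSH login attempts to see which passwords and sources dominate."""
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed records in the shape such a patched server might write:
# ISO timestamp, source IP (RFC 5737 ranges), username tried, password tried.
CAPTURED_ATTEMPTS = """\
2018-05-24T10:00:01Z 198.51.100.7 root 123456
2018-05-24T10:00:02Z 198.51.100.7 root password
2018-05-24T10:00:03Z 198.51.100.7 root 123456
2018-05-24T10:00:04Z 198.51.100.7 admin admin
2018-05-24T10:00:10Z 203.0.113.9 root 123456
2018-05-24T10:00:11Z 203.0.113.9 admin password
2018-05-24T10:00:12Z 203.0.113.9 pi raspberry
2018-05-24T10:00:20Z 192.0.2.5 root Tr0ub4dor
"""

# Tiny stand-in for a real breached-password list.
COMMON_PASSWORDS = {"123456", "password", "admin", "raspberry"}


def parse_attempts(text: str) -> List[Dict[str, str]]:
    """Split each line into its four fields; the password may contain spaces."""
    records = []
    for line in text.splitlines():
        fields = line.split(" ", 3)
        if len(fields) != 4:
            continue  # skip malformed lines rather than crash on them
        ts, ip, user, password = fields
        records.append({"ts": ts, "ip": ip, "user": user, "password": password})
    return records


def summarize(records: List[Dict[str, str]]) -> dict:
    """Top passwords/usernames/sources, weak-password share and spraying hosts."""
    passwords = Counter(r["password"] for r in records)
    users = Counter(r["user"] for r in records)
    sources = Counter(r["ip"] for r in records)
    users_per_ip = defaultdict(set)
    for r in records:
        users_per_ip[r["ip"]].add(r["user"])
    common = sum(1 for r in records if r["password"] in COMMON_PASSWORDS)
    return {
        "total": len(records),
        "top_passwords": passwords.most_common(3),
        "top_users": users.most_common(3),
        "top_sources": sources.most_common(3),
        "common_password_share": round(common / len(records), 2) if records else 0.0,
        # A source that tries several usernames looks like a spray, not a
        # single stolen credential; sorted for stable output.
        "spraying_sources": sorted(ip for ip, u in users_per_ip.items() if len(u) >= 2),
    }


if __name__ == "__main__":
    summary = summarize(parse_attempts(CAPTURED_ATTEMPTS))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

The weak-password share is the number to watch: if nearly every attempt uses a password from a public breach list, key-only authentication (or at minimum disabling password login for root) removes the entire class of attack rather than just slowing it down.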

If you have passed on blockchain technology, take another look at private chains. Focus on how a distributed, immutable ledger with integrated analytics can reduce the friction, time and resources that impact the delivery of your organization’s products and services. This post goes into why private ones can be more useful. – ENTERPRISE TECH