Inside Security | Inside

[ Inside Security ]

David Strom's in-depth cybersecurity news and analysis

Earlier this week, British Airways cancelled numerous Heathrow flights after a third-party IT supplier issue. The airline tweeted about the situation and things returned to normal by yesterday. This is just another example of securing your supply chain. We have lots more to talk about, including attacks in Ukraine, breaches at LabCorp and Robocent, and new ways to detect email spam from those ever-active researchers in the Israeli desert at BGU.

-- David Strom, editor of Inside Security


1.  This week’s AWS S3 storage buckets exposure involves Robocent, a Virginia-based political robocalling center. It contained thousands of files that have already been indexed by the dark web. The storage was quickly secured once the company was notified by researchers. -- LINKEDIN


2. Earlier this week LabCorp, the largest domestic blood testing lab, announced a data breach on its medical diagnosis systems. While there was no seeming misuse of data, it is somewhat disturbing, given that the single largest part of any patient record is almost always diagnostic tests. LabCorp connects electronically to many physicians' electronic medical record/electronic healthcare record systems. – DATABREACHES.NET


Subscribe to Inside Security


Many thanks to Inside Security's corporate supporters.  Please go check them out!

Endgame

Endgame's endpoint security platform protects the world’s largest organizations from targeted attacks, eliminating the time & cost associated with incident response. Learn more

 

Nok Nok Labs has the ambition to transform authentication, by unifying it into one standard protocol, giving business the control they need. Learn more

 
   
   

Normally you get this newsletter every Monday, Tuesday and Friday, but today you are also receiving the issue we send to just our premium subscribers. Today’s issue is going to everyone thanks to Meeting Owl. If you want to start receiving these premium issues, which feature my extensive analysis on a single infosec topic, please upgrade your subscription here

David Strom, editor of Inside Security


Last week, Mueller’s GRU indictment was announced. It named various individuals involved in the hacking of political organizations’ networks. The document makes for interesting reading and shows the lengths that Russian spies went to penetrate the DNC and the Clinton campaign. Here are just some of their techniques:

Spearphishing emails using URL shorteners to hide malware webpages, in one case using a phony email account that differed by a single character that mimicked a Clinton staffer email Spoofing Google security notification email messages Stealing account credentials to obtain emails from DNC and Clinton staffers Using the malware-infested document hillaryclinton-favorable-rating.xlsx that linked to a GRU-created website Entered the DNC network using open source tools to install various RATs and keyloggers to obtain additional credentials Copied and exfiltrated documents to a GRU computer in Illinois Using PowerShell scripting attacks to compromise their Exchange email servers Deleting log files and other traces deliberately to hide their presence Setting up various websites: some mimicked a typical political fundraising page, others that appeared to be news sites with negative stories on the DNC Making cloud-based site backups and then used them to create their own accounts to steal additional DNC data Creating fake Facebook and Twitter accounts to leak DNC data and promote the leakers' websites

It is pretty clear to me that this was an extended and deliberate effort to compromise our electoral processes. Many of these fake accounts, domains and servers were purchased using bitcoins to hide their identities, and some of these bitcoins were mined specifically for funding these transactions. The indicted members of the GRU were first seen in these networks in June 2016, at which point the DNC hired CrowdStrike to investigate further. However, the GRU spies continued to operate their RAT tools and persist on the DNC network until October 2016.

These efforts have been known for some time: Motherboard ran a story in April 2016, and then came out in July with this piece from Thomas Rid that offered a detailed technical explanation, saying that the forensic evidence about Russia is very strong. And a December 2016 story in the New York Times actually shows one of the rack-mounted servers breached by the GRU, sitting in the DNC offices. The Times documents the "series of missed signals, slow responses and a continuing underestimation of the seriousness of the cyberattack."

If we want to be accurate, there are actually 140 servers, according to The Daily Beast, which facetiously goes into detail, “The server is saying shut up. No machines are actually missing.”

As many security analysts well know, you don’t remove the physical servers anymore. That is strictly old school. Instead, forensic investigators make digital copies of their hard drives and memory so that they can preserve their state and detect in-memory exploits that would be gone if the machines are unplugged. This is called imaging and has been around for decades. I found a paper from the SANS Institute from 2001 that provides a nice overview here.

Part of the imaging process is to preserve the chain of custody of a server, and also useful in case an analyst destroys some part of the data by mistake. “It makes a secure forensically sound copy to media that can be retained” for future analysis. It is similar to the technologies that are used to make backup copies, only more thorough.

There are a number of imaging and other forensic tools that security researchers use, here are several lists of them:

A variety of digital forensic tools, not just disk imaging but others such as file, mobile device and email analyzers that are all available on open source. This list is fairly current and has brief descriptions of each tool. Another current list of 20 free digital forensics tools can be found here. One of them is CrowdStrike’s CrowdResponse, which is their free data collection tool. Forrester last did a study of digital forensic tools last September. They look at the major vendors in this market, including CrowdStrike Falcon, Mandiant, and others. Some of these tools are also used for endpoint detection purposes. I last did a review of them for Network World back in July 2016, where I looked at Encase and Falcon along with eight others.

Whatever the outcome of our elections this year, it's clear that every political campaign needs to ramp up their security measures and increase their investments in cybersecurity -- starting now.


3. Two new variants of the Spectre side channel attack have been discovered, neither of which is mitigated by previous Spectre security patches. The two can allow data exfiltration and sandbox immunity. While these are complex exploits to pull off, defenders should be aware of them. As we mentioned Monday, Google has embarked on a program to improve Chrome browsers to better isolate sites to help with this effort.   -- ESENTIRE


4. Researchers at the Ben-Gurion University of the Negev Malware Lab in Israel have developed a new method for detecting malicious emails. It is more effective than the top 60 antivirus engines on the market, as shown in this infographic. It is called Email-Sec-360 and relies on 100 telltale features in each email message, using machine learning to calculate a potential risk. When the researchers trained their method, they found it was significantly more effective than commercial AV solutions. -- TECHREPUBLIC


5. This is an interesting origin story about the team at Google that developed safe browsing techniques ten years ago. The reporters interviewed many of the original engineers that worked on the feature. It began as an anti-phishing browser plug-in and grew from there to run on more than three billion devices. -- WIRED


6.  The city of Pittsburgh has a cyber security problem. Reporters were able to decode a redacted document (shown here) that lays out a remediation plan that was produced by Deloitte. This was part of a consulting contract to improve the city’s security posture. Mentioned in the report are items such as beefing up physical data center security, better threat tracking, more frequent disaster recovery exercises and better documentation of the city’s network infrastructure.  – PUBLICSOURCE.ORG


7. Susan Atrach, a 21-year-old from Ridgefield Park, N.J., was charged with 11 felony counts of attempted hacking into actress Selena Gomez’ online accounts and posting photos online. Atrach used publicly available information to answer the “secret questions” on Gomez' accounts to authenticate herself and gain access. She could face up to nine years in prison. – LA COUNTY


8. Here is an analysis of an ongoing cyber espionage campaign against Ukrainian government targets which contains three different malware strains written in .NET. The hackers have infected endpoints with Quasar, Sobaken and Vermin RATs to steal documents. The three seem to originate from the same author and use the same control infrastructure. They also make use of a common technique to schedule a repeating task for every 10 minutes to check to see if it is still running. – WE LIVE SECURITY  (ESET)


9. A survey of 3,000 CIOs from around the world by Gartner show that only 65 percent of their organizations currently have a cybersecurity expert on staff. Many organizations are still experiencing shortages of major skilled cybersecurity staffers. A little more than a third of those surveyed have implemented a digital security plan. – HELPNET SECURITY


10.  This post describes the Silver Ticket exploit on Kerbos authentication tokens. Hackers can forge these tokens and login to Windows systems. The infographic shows a variety of techniques you can use to defend your network, including applying a patch to prevent hackers from gaining access as a domain administrator. – VARONIS BLOG


Calling all non-math majors. I am sure you have experienced this frustration once upon a time. – JOELCOMM @ TWITTER


The number of data breaches continues unabated today. There is news about Mega (credential stuffing), Telefonica (injection through bad website design) and Dahua webcams (a combination of errors). While these top our list today, there is a lot nastier stuff to tell, along with plea deals for a seller of Trojans and another criminal who broke into academic email accounts. Plus an update on the age-old Peanuts conflict of Lucy and the football.  

-- David Strom, editor of Inside Security


1. Over 26,000 mobile devices and laptops were lost on the Transport for London network between April 2017 and April 2018. About half were phones, the rest eReaders, tablets and laptops. The survey makes a number of suggestions to protect enterprises, given this statistic, such as better identity verification on mobiles, increased security training, and scraping trust as a valid policy element. -- PARLIAMENT STREET (PDF) 


HOOT HOOT! Meeting Owl celebrates Amazon Prime day with free Owls

Our favorite Meeting Owl is paving the way for better meetings...and giving away free Owls via its Amazon Prime day special.

Buy 5 Meeting Owls on Amazon and one will automatically be free. Get this deal by adding 5 Owls to your cart. A $799 discount will automatically appear during checkout.

(Go quick! Prime Day ends at midnight!)

Check out the Meeting Owl on Amazon


2. The infamous New Zealand file storage service Mega has had thousands of account credentials leaked online. The information was discovered by a security researcher and verified by reporters. Mega was the site once run by Kim Dotcom. The site was most likely compromised by duplicate credentials that were previously compromised on other sites. -- ZDNET


3. Spanish telecom Telefonica had a data breach yesterday, potentially exposing millions of its customers' data. It was quickly fixed and reported to authorities. Both identity and payment information was exposed. The breach happened through poor website security: a small change in a URL could access customer data. A Spanish consumer rights group notified the company after receiving a customer complaint. – THE INQUIRER


load more stories