Archive | April, 2016

Cyber Criminals Get Sophisticated – Daily Security Byte EP. 254

Last week, Marc Laliberte talked about the total lack of network security that led to an $81 million cyber bank heist. In today’s video, I share new information about the malware used in the heist, and how it affects the threat landscape. Watch to learn more below.

(Episode Runtime: 4:38)

Direct YouTube Link: https://www.youtube.com/watch?v=TFbETWfF5bg

EPISODE REFERENCES:

— Corey Nachreiner, CISSP (@SecAdept)

Spotify Password PSA – Daily Security Byte EP. 253

Was Spotify hacked? No one seems to know for sure. However, we do know that some Spotify credentials have shown up on Pastebin, and accounts have gotten hijacked. Watch Tuesday’s Byte to learn more about it, and what you should do if you use Spotify.

(Episode Runtime: 2:06)

Direct YouTube Link: https://www.youtube.com/watch?v=Ad1f_lEkWnc

EPISODE REFERENCES:

— Corey Nachreiner, CISSP (@SecAdept)

Whitehat Finds Blackhat on Facebook – Daily Security Byte EP. 252

Bug Bounty programs are great ways for companies to get security researchers to help find and fix vulnerabilities in their products or infrastructure, but no one expected them to also reveal hackers in your network. Watch today’s video to hear how one pen-tester found more than he bargained for when researching Facebook’s network.

(Episode Runtime: 3:38)

Direct YouTube Link: https://www.youtube.com/watch?v=8WruUtxLHko

EPISODE REFERENCES:

— Corey Nachreiner, CISSP (@SecAdept)

Big Changes Ahead for this Blog – Your Feedback is Appreciated!

Over the past 6 years WatchGuard has been publishing breaking news and in-depth analysis on the most important network security issues on this blog. Even before that, we shared security articles, podcasts, and various malware analysis videos with our LiveSecurity subscribers. This content has been well-received by our loyal audience, but we want to do even more to help our followers and the network security community.

To achieve this goal we have decided to completely redesign the blog. In fact, you probably already noticed a few small changes, including more content from new writers. However, our more strategic plan is to create a broader industry community and forum for all network security professionals. You can help us achieve this vision.

Your feedback is important to us, and will play a major role in the quality and direction of our blog redesign. If you’d like to make sure our new blog meets your needs, please fill out our survey below. It takes less than 5 minutes, and will ensure that we deliver content that serves you. Your input and time are very much appreciated. — Corey Nachreiner, CISSP (@SecAdept)

http://secure.watchguard.com/blog-redesign-survey


How Not to Protect a National Bank

In early March, malicious hackers stole $80 million from a U.S. Federal Reserve account belonging to Bangladesh’s central bank. Early investigation found that the attackers used stolen credentials for the Society for Worldwide Interbank Financial Telecommunication (SWIFT) payment processing network to attempt nearly $1 billion in fraudulent transfers before the compromise was discovered. SWIFT is a messaging network that banks primarily use to send payment orders to one another. SWIFT hardware is deployed on-premises at financial institutions and then connected back to central data centers over IP network infrastructure.

This month, investigators discussed some of the security failures that made this attack possible. As it turns out, Bangladesh’s central bank used cheap unmanaged switches on their internal network and, worse yet, completely lacked any firewall. The SWIFT equipment, while in a separate room, was only separated from the rest of the building’s network by a $10 second-hand switch.

While we still don’t know all the details behind this attack, we can begin to see why the criminals succeeded. Without proper network segmentation, attackers can move laterally between hosts unhindered and undetected. If the attackers were able to compromise a single host, perhaps through a phishing attack or an infected USB drive, they could then easily pivot and compromise the SWIFT systems on the same network.

It is not clear whether the bank’s complete lack of network security was an attempt to save money, or just plain incompetence. Regardless, you can use this incident as an opportunity to refresh some important network security basics. Administrators should always deploy critical systems on a separate network from general workstations, whether by the use of VLANs or even separate physical cabling. Not only should you use a firewall to segment those networks and inspect inter-network traffic, but you should use a UTM appliance that also scans the traffic you do allow between the segments, and logs it. Not only could a proper firewall implementation have protected Bangladesh’s central bank from losing $80 million, it could have also provided important visibility into the attack to help identify the criminals and prevent them from attacking again elsewhere. — Marc Laliberte
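To make the segmentation advice above concrete, here is an added example (not code from the original post or from WatchGuard) that models a segmented network as zones with a default-deny allowlist between them and then evaluates constructed firewall flow records against that policy. The zone CIDRs, the allowed flows and the log lines are all hypothetical; the point is that a workstation reaching a SWIFT host is a policy violation that a firewall between the segments would both block and record, which a $10 unmanaged switch can do neither.

```python
"""Segmentation policy check over constructed flow records.

Added example, not part of the original post. Zones, CIDRs, the allowlist
and the sample log lines below are all constructed for illustration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Hypothetical zones: each one would sit on its own VLAN behind the firewall.
ZONES = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "swift": ipaddress.ip_network("10.50.0.0/24"),
    "mgmt": ipaddress.ip_network("10.99.0.0/24"),
}

# Allowlist of inter-zone flows as (src_zone, dst_zone, dst_port).
# Anything between zones that is not listed here is denied: default deny.
ALLOWED = {
    ("mgmt", "swift", 22),    # admins reach SWIFT hosts over SSH from the management segment
    ("swift", "mgmt", 514),   # SWIFT hosts export syslog to a collector in the management segment
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def zone_of(ip: str) -> str | None:
    """Return the zone name an address belongs to, or None for unknown networks."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def parse_flow(line: str) -> Flow:
    """Parse the constructed log format '<src> -> <dst>:<dport> <proto>'."""
    src, _, rest = line.split(" ", 2)
    dst, proto = rest.split(" ")
    host, port = dst.rsplit(":", 1)
    return Flow(src=src, dst=host, dport=int(port), proto=proto)


def evaluate(flow: Flow) -> str:
    """Return 'allow', 'deny' or 'intra' for a flow under the policy."""
    s, d = zone_of(flow.src), zone_of(flow.dst)
    if s is None or d is None:
        return "deny"      # traffic to or from an unknown network never passes
    if s == d:
        return "intra"     # same segment: an inter-segment firewall never sees it
    return "allow" if (s, d, flow.dport) in ALLOWED else "deny"


def violations(lines: list[str]) -> list[tuple[str, str, str]]:
    """Return (src_zone, dst_zone, line) for every denied flow; this is the log a firewall would give you."""
    out = []
    for line in lines:
        f = parse_flow(line)
        if evaluate(f) == "deny":
            out.append((zone_of(f.src) or "unknown", zone_of(f.dst) or "unknown", line))
    return out


# Constructed sample flows; the third, fourth and sixth are what lateral movement
# from a phished workstation toward the SWIFT segment would look like.
SAMPLE_LOG = [
    "10.10.4.23 -> 10.10.4.1:445 tcp",      # workstation to workstation file share (intra)
    "10.99.0.5 -> 10.50.0.10:22 tcp",       # permitted admin SSH into SWIFT
    "10.10.4.23 -> 10.50.0.10:445 tcp",     # workstation to SWIFT host over SMB: denied
    "10.10.4.23 -> 10.50.0.10:3389 tcp",    # workstation to SWIFT host over RDP: denied
    "10.50.0.10 -> 10.99.0.20:514 udp",     # SWIFT syslog export: permitted
    "10.50.0.10 -> 203.0.113.9:443 tcp",    # SWIFT host to an unknown network: denied
]

if __name__ == "__main__":
    for src_zone, dst_zone, line in violations(SAMPLE_LOG):
        print(f"DENY {src_zone} -> {dst_zone}: {line}")
```

On a flat network every one of these flows is "intra" from the switch's point of view and nothing is logged; the allowlist is what turns the third, fourth and sixth lines into blocked, recorded events.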

Oracle and Cisco Patches – Daily Security Byte EP. 251

In today’s quick Security Byte video, I cover the Oracle and Cisco patches that have come out over the past few days. If you use products from either company, watch the video for highlights, and check the links below.

(Episode Runtime: 2:20)

Direct YouTube Link: https://www.youtube.com/watch?v=uIc7UrapLus

EPISODE REFERENCES:

— Corey Nachreiner, CISSP (@SecAdept)

Hacking Team Breach Unveiled – Daily Security Byte EP. 250

Almost a year ago, an Italian security company called Hacking Team suffered an embarrassing network breach. This week, the alleged attacker behind the hack detailed exactly how they did it. Watch today’s Byte to see what you can learn from this particular attack.

(Episode Runtime: 5:02)

Direct YouTube Link: https://www.youtube.com/watch?v=p9yEvODyGZI

EPISODE REFERENCES:

— Corey Nachreiner, CISSP (@SecAdept)

Congressman’s Mobile Hacked – Daily Security Byte EP. 249

Over the weekend, a 60 Minutes segment covered how a researcher could hack a congressman’s phone just by knowing its number. Sound familiar? It should, because I covered almost the same story last year. Nonetheless, watch today’s video to learn more about the latest research into a weakness in a phone protocol called SS7.

(Episode Runtime: 3:03)

Direct YouTube Link: https://www.youtube.com/watch?v=6bkjoSi6pyw

EPISODE REFERENCES:

— Corey Nachreiner, CISSP (@SecAdept)

Remove QuickTime for Windows – Daily Security Byte EP. 248

Trend Micro researchers found two serious vulnerabilities in QuickTime for Windows. Normally I’d tell you to patch, but instead I’m suggesting you remove it. Watch today’s video to find out why.

(Episode Runtime: 1:36)

Direct YouTube Link: https://www.youtube.com/watch?v=9JmCwViLPuM

EPISODE REFERENCES:

— Corey Nachreiner, CISSP (@SecAdept)

Watch Out For Malware In Your New IoT Devices

Over the weekend, security researcher Mike Olsen published an article about his experience with a set of PoE security cameras that he ordered from Amazon.com. While troubleshooting a display issue, Mike found that the web portal for his cameras was using an HTML iframe element to silently load a malicious web site without his knowledge. This is a textbook hidden-iframe injection, the delivery mechanism behind most drive-by download attacks (the original post labels it Cross Frame Scripting, or CFS, although that term usually describes the reverse arrangement: an attacker’s page framing a legitimate one).

An HTML iframe element allows one web page to load and display a second web page as part of its own content. As an example of a legitimate use for an iframe element, WatchGuard Dimension uses iframes to display the Web UI for Fireboxes that are managed via Dimension Command. In the security cameras that Mike purchased, however, the iframe was styled to load a known malicious web site into an effectively invisible 1 x 3 pixel window at the bottom of the web portal.

By using a hidden iframe, the page makes the browser load the malicious web site without the victim’s knowledge. That site can then exploit unpatched browser vulnerabilities to perform attacks like stealing web authentication cookies or performing drive-by downloads of malware onto the client machine, all without any warning to the victim.
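The check a practitioner would want to run against a new device’s web UI is to pull the page and look for exactly what Mike found: iframes that are sized or styled to be invisible, or that point off the device’s own origin. Here is an added example of such a scan (not code from the original post or from the camera vendor), using only the Python standard library. The HTML, the device address and the hostnames are constructed placeholders; in practice you would feed it the page fetched from the device.

```python
"""Hidden- and off-origin-iframe scan of a device web UI page.

Added example, not part of the original post. SAMPLE_HTML is constructed to
resemble the camera portal described above; the hostnames are placeholders.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TINY_PX = 5  # an iframe this small is invisible for practical purposes

# Constructed page: one legitimate stream frame, one 1x3 pixel frame to an
# off-origin host, and one frame hidden with CSS.
SAMPLE_HTML = """<html><body>
<h1>Camera portal</h1>
<iframe src="/live/stream.cgi" width="640" height="480"></iframe>
<iframe src="http://bad.example.net/landing" width="1" height="3" frameborder="0"></iframe>
<iframe src="https://cdn.example.org/help" style="display:none"></iframe>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in the page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def _px(value):
    """Parse '3', '3px' or ' 3 ' to an int; None if not a plain pixel value."""
    if value is None:
        return None
    m = re.fullmatch(r"\s*(\d+)\s*(px)?\s*", value)
    return int(m.group(1)) if m else None


def is_hidden(attrs):
    """True if the frame is tiny via width/height attributes or hidden via inline CSS."""
    w, h = _px(attrs.get("width")), _px(attrs.get("height"))
    if w is not None and h is not None and (w <= TINY_PX or h <= TINY_PX):
        return True
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for prop in ("width", "height"):
        m = re.search(prop + r":(\d+)px", style)
        if m and int(m.group(1)) <= TINY_PX:
            return True
    return False


def is_off_origin(src, page_host):
    """True if src names a host other than the device itself (relative URLs are on-origin)."""
    host = urlparse(src).hostname
    return host is not None and host.lower() != page_host.lower()


def suspicious_iframes(html, page_host):
    """Return (src, reasons) for every iframe that is hidden, off-origin, or both."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        reasons = []
        if is_hidden(attrs):
            reasons.append("hidden")
        if is_off_origin(src, page_host):
            reasons.append("off-origin")
        if reasons:
            findings.append((src, reasons))
    return findings


if __name__ == "__main__":
    # "192.168.1.20" stands in for the camera's own address.
    for src, reasons in suspicious_iframes(SAMPLE_HTML, "192.168.1.20"):
        print(f"{src}: {', '.join(reasons)}")
```

An off-origin frame is not automatically malicious (vendors do embed help pages and CDN content), but an off-origin frame that is also hidden has no legitimate reason to exist in a device UI, and any hit is worth checking against a reputation service before the device goes on the network.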

Manufacturer-delivered malware isn’t anything new. In 2014, TrapX discovered industrial barcode scanners delivering malware via infected firmware. In 2015, security researchers found adware (Superfish) performing man-in-the-middle attacks on HTTPS connections pre-installed on Lenovo laptops. Even way back in 2006, a small batch of iPods shipped pre-infected with the RavMonE worm. How or why a product becomes compromised is not always easily answered. Was the manufacturer accidentally infected by something that was then transferred to their product? Did an external attacker or insider specifically target the product? Or did the manufacturer itself knowingly deliver the product with this type of issue? One thing is obvious: we assume our new purchases will arrive in a clean state, and bad actors exploit that trust.

As IoT devices continue to become more popular, opportunities for bad guys to launch attacks on your other network-connected devices will increase. Consumers should make an effort to avoid purchasing products from disreputable or unknown manufacturers, or at least search online for reviews that might expose shady behavior. Administrators should continue following the best practice of testing and monitoring new devices in a sandboxed environment before moving them into production where they could cause real harm. — Marc Laliberte
