In large metropolitan areas, tourists are often easy to spot because they’re far more inclined than locals to gaze upward at the surrounding skyscrapers. Security experts say this same tourist dynamic is a dead giveaway in virtually all computer intrusions that lead to devastating attacks like data theft and ransomware, and that more organizations should set simple virtual tripwires that sound the alarm when authorized users and devices are spotted exhibiting this behavior.

In a blog post published last month, Cisco Talos said it was seeing a worrisome “increase in the rate of high-sophistication attacks on network infrastructure.” Cisco’s warning comes amid a flurry of successful data ransom and state-sponsored cyber espionage attacks targeting some of the most well-defended networks on the planet.

But despite their increasing complexity, a great many initial intrusions that lead to data theft could be nipped in the bud if more organizations started looking for the telltale signs of newly-arrived cybercriminals behaving like network tourists, Cisco says.

“One of the most important things to talk about here is that in each of the cases we’ve seen, the threat actors are taking the type of ‘first steps’ that someone who wants to understand (and control) your environment would take,” Cisco’s Hazel Burton wrote. “Examples we have observed include threat actors performing a ‘show config,’ ‘show interface,’ ‘show route,’ ‘show arp table’ and a ‘show CDP neighbor.’ All these actions give the attackers a picture of a router’s perspective of the network, and an understanding of what foothold they have.”

Cisco’s alert concerned espionage attacks from China and Russia that abused vulnerabilities in aging, end-of-life network routers. But at a very important level, it doesn’t matter how or why the attackers got that initial foothold on your network.

It might be zero-day vulnerabilities in your network firewall or file-transfer appliance. Your more immediate and primary concern has to be: How quickly can you detect and detach that initial foothold?

The same tourist behavior that Cisco described attackers exhibiting vis-a-vis older routers is also incredibly common early on in ransomware and data ransom attacks — which often unfurl in secret over days or weeks as attackers methodically identify and compromise a victim’s key network assets.

These virtual hostage situations usually begin with the intruders purchasing access to the target’s network from dark web brokers who resell access to stolen credentials and compromised computers. As a result, when those stolen resources first get used by would-be data thieves, almost invariably the attackers will run a series of basic commands asking the local system to confirm exactly who and where they are on the victim’s network.

This fundamental reality about modern cyberattacks — that cybercriminals almost always orient themselves by “looking up” who and where they are upon entering a foreign network for the first time — forms the business model of an innovative security company called Thinkst, which gives away easy-to-use tripwires or “canaries” that can fire off an alert whenever all sorts of suspicious activity is witnessed.

“Many people have pointed out that there are a handful of commands that are overwhelmingly run by attackers on compromised hosts (and seldom ever by regular users/usage),” the Thinkst website explains. “Reliably alerting when a user on your code-sign server runs whoami.exe can mean the difference between catching a compromise in week-1 (before the attackers dig in) and learning about the attack on CNN.”

These canaries — or “canary tokens” — are meant to be embedded inside regular files, acting much like a web beacon or web bug that tracks when someone opens an email.

“Imagine doing that, but for file reads, database queries, process executions or patterns in log files,” the Canary Tokens documentation explains. “Canarytokens does all this and more, letting you implant traps in your production systems rather than setting up separate honeypots.”

Thinkst operates alongside a burgeoning industry offering so-called “deception” or “honeypot” services — those designed to confuse, disrupt and entangle network intruders. But in an interview with KrebsOnSecurity, Thinkst founder and CEO Haroon Meer said most deception techniques involve some degree of hubris.

“Meaning, you’ll have deception teams in your network playing spy versus spy with people trying to break in, and it becomes this whole counterintelligence thing,” Meer said. “Nobody really has time for that. Instead, we are saying literally the opposite: That you’ve probably got all these [security improvement] projects that are going to take forever. But while you’re doing all that, just drop these 10 canaries, because everything else is going to take a long time to do.”

The idea here is to lay traps in sensitive areas of your network or web applications where few authorized users should ever trod. Importantly, the canary tokens themselves are useless to an attacker. For example, that AWS canary token sure looks like the digital keys to your cloud, but the token itself offers no access. It’s just a lure for the bad guys, and you get an alert when and if it is ever touched.

One nice thing about canary tokens is that Thinkst gives them away for free. Head over to canarytokens.org, and choose from a drop-down menu of available tokens, including:

-a web bug / URL token, designed to alert when a particular URL is visited;
-a DNS token, which alerts when a hostname is requested;
-an AWS token, which alerts when a specific Amazon Web Services key is used;
-a “custom exe” token, to alert when a specific Windows executable file or DLL is run;
-a “sensitive command” token, to alert when a suspicious Windows command is run.
-a Microsoft Excel/Word token, which alerts when a specific Excel or Word file is accessed.

Much like a “wet paint” sign often encourages people to touch a freshly painted surface anyway, attackers often can’t help themselves when they enter a foreign network and stumble upon what appear to be key digital assets, Meer says.

“If an attacker lands on your server and finds a key to your cloud environment, it’s really hard for them not to try it once,” Meer said. “Also, when these sorts of actors do land in a network, they have to orient themselves, and while doing that they are going to trip canaries.”

Meer says canary tokens are as likely to trip up attackers as they are “red teams,” security experts hired or employed by companies seeking to continuously probe their own computer systems and networks for security weaknesses.

“The concept and use of canary tokens has made me very hesitant to use credentials gained during an engagement, versus finding alternative means to an end goal,” wrote Shubham Shah, a penetration tester and co-founder of the security firm Assetnote. “If the aim is to increase the time taken for attackers, canary tokens work well.”

Thinkst makes money by selling Canary Tools, which is a paid version of Thinkst that is powered by a small hardware device designed to be installed on the local network as a canary token server.

“If you’ve got a sophisticated defense team, you can start putting these things in really interesting places,” Meer said. “Everyone says their stuff is simple, but we obsess over it. It’s really got to be so simple that people can’t mess it up. And if it works, it’s the best bang for your security buck you’re going to get.”

Further reading:

Dark Reading: Credential Canaries Create Minefield for Attackers
NCC Group: Extending a Thinkst Canary to Become an Interactive Honeypot
Cruise Automation’s experience deploying canary tokens

Read More

The research also highlights a shift in hacker tactics toward exploiting network server flaws

Read More

The MS-ISAC has worked with CISA to update its #StopRansomware Guide that you can use to strengthen your ransomware defense.

Read More

Jamie Trigg has done a lot to support CIS Linux Benchmarks. Hear his story about volunteering for the CIS Benchmarks Community.

Read More

ESET’s investigation also revealed that certain Spacecolon versions contain Turkish strings

Read More

People who use devices like smart cameras and Wi-Fi-enabled baby monitors should strongly consider taking the following steps to protect their devices:

1. Update your devices. Manufacturers often advise consumers to update their software to the latest version and enable further security features. Updating your devices regularly increases the chances that you’ll receive security improvements soon after they become available.  

2. Do not connect to your smart cameras, baby monitors, and other devices through public Wi-Fi. Accessing these devices via a smartphone app from an unprotected network can compromise the security of your devices. Use a VPN or a secure cellular data connection instead. 

3. Use strong, unique passwords. Every device of yours should have one, along with a unique username to go along with it. In some cases, connected devices ship with default usernames and passwords, making them that much easier to hack. 

Further protect your connected cameras, baby monitors, and other devices 

With those immediate steps in place, this security advisory offers you a chance to take a fresh look at your network and device security overall. With these straightforward steps in place, you’ll be  more protected against such events in the future—not to mention more secure in general.  

1. Use two-factor authentication 

Our banks, many of the online shopping sites we use, and numerous other accounts use two-factor authentication to help validate that we’re who we say we are when logging in. In short, a username and password combo is an example of one-factor authentication. The second factor in the mix is something you, and only you, own or control, like your mobile phone. Thus, when you log in and get a prompt to enter a security code that’s sent to your mobile phone, you’re taking advantage of two-factor authentication. If your IoT device supports two-factor authentication as part of the login procedure, put it to use and get that extra layer of security. 

2. Secure your internet router 

Your router acts as the internet’s gateway into your home. From there, it works as a hub that connects all your devices—computers, tablets, and phones, along with your IoT devices as well. That means it’s vital to keep your router secure. A quick word about routers: you typically access them via a browser window and a specific address that’s usually printed somewhere on your router. Whether you’re renting your router through your internet provider or have purchased one, the internet provider’s “how to” guide or router documentation can step you through this process. 

The first thing to do is change the default password of your router if you haven’t done so already. Again, use a strong method of password creation. Also, change the name of your router. When you choose a new one, go with name that doesn’t give away your address or identity. Something unique and even fun like “Pizza Lovers” or “The Internet Warehouse” are options that mask your identity and are memorable for you too. While you’re making that change, you can also check that your router is using an encryption method, like WPA2, which helps secure communications to and from your router. If you’re unsure what to do, reach out to your internet provider or router manufacturer. 

3. Set up a guest network specifically for your IoT devices 

Just as you can offer your human guests secure access that’s separate from your own devices, creating an additional network on your router allows you to keep your computers and smartphones separate from IoT devices. This way, if an IoT device is compromised, a hacker will still have difficulty accessing your other devices, like computers and smartphones, along with the data and info that you have stored on them. You may also want to consider investing in an advanced internet router that has built-in protection and can secure and monitor any device that connects to your network. 

4. Update! 

We mentioned this above, yet it’s so important that it calls for a second mention: make sure you have the latest software updates for your IoT devices. That will make sure you’re getting the latest functionality from your device, and updates often contain security upgrades. If there’s a setting that lets you receive automatic updates, enable it so that you always have the latest. 

5. Protect your phone 

You’ve probably seen that you can control a lot of your connected things with your smartphone. We’re using them to set the temperature, turn our lights on and off, and even see who’s at the front door. With that, it seems like we can add the label “universal remote control” to our smartphones—so protecting our phones has become yet more important. Whether you’re an Android or iOS device user, get security software installed on your phone so you can protect all the things it accesses and controls—in addition to you and the phone as well. 

And protect your other things too 

Using a strong suite of security software like McAfee+ Advanced, can help defend your entire family from the latest threats and malware, make it safer to browse, and look out for your privacy too. 

The post How to Protect Your Smart Cameras and Wi-Fi Baby Monitors appeared first on McAfee Blog.

Read More

DIGIHEALS will call for proposals for technologies originally designed for national security

Read More