4 ways cybercriminals hide credential stuffing attacks

Read Time:51 Second

Credential stuffing is a cyberattack in which exposed usernames and passwords are used to gain fraudulent access to user accounts through large-scale, automated login requests. High account usage, password reuse, and vast volumes of breached credentials on the dark web create the perfect storm for cybercriminals to carry out credential stuffing campaigns, while tactics used by malicious actors make identifying and preventing credential stuffing attempts a significant challenge for organizations.

Adding to pressures is the fact that attackers purposely disguise credential stuffing to make fraudulent access attempts appear legitimate and escape detection. “Credential stuffing attacks are emulating the sorts of requests that a legitimate user would make,” Troy Hunt, security researcher and founder of data breach notification service Have I Been Pwned, tells CSO. “Attackers are asking: What does it look like to make a legitimate request? How can we emulate that? Where it starts to get really interesting is when we look at the combativeness between defenders and attackers.”

To read this article in full, please click here

Read More

FBI arrests social engineer who allegedly stole unpublished manuscripts from authors

Read Time:27 Second

On January 5, 2022, the Department of Justice (DoJ) announced the FBI’s arrest of Italian citizen Filippo Bernardini at JFK International Airport in New York for wire fraud and aggravated identity theft. With the arrest of Bernardini, the DoJ unsealed a grand jury indictment dated July 14, 2021, of Bernardini that revealed a “multi-year scheme to impersonate individuals involved in the publishing industry in order to fraudulently obtain hundreds of prepublication manuscripts of novel and other forthcoming books.”

To read this article in full, please click here

Read More

Smashing Security podcast #257: Pokemon-hunting cops and the Spine Collector scammer

Read Time:21 Second

Who has been playing video games rather than hunting down criminals? How is a man alleged to have stolen manuscripts of unpublished books from celebrity authors? Which pot contains an elephant? And why has Graham been listening to podcasts about pest control marketing?

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault.

Read More

[R1] Stand-alone Security Patch Available for Tenable.sc versions 5.16.0 to 5.19.1: Patch 202201.1

Read Time:22 Second
Tenable.sc leverages third-party software to help provide underlying functionality. One of the third-party components (Apache) was found to contain vulnerabilities, and updated versions have been made available by the providers.

Out of caution, and in line with best practice, Tenable has upgraded the bundled components to address the potential impact of these issues. Tenable.sc Patch 202201.1 updates Apache to version 2.4.52 to address the identified vulnerabilities.

Read More

Faking an iPhone Reboot

Read Time:1 Minute, 3 Second

Researchers have figured how how to intercept and fake an iPhone reboot:

We’ll dissect the iOS system and show how it’s possible to alter a shutdown event, tricking a user that got infected into thinking that the phone has been powered off, but in fact, it’s still running. The “NoReboot” approach simulates a real shutdown. The user cannot feel a difference between a real shutdown and a “fake shutdown.” There is no user-interface or any button feedback until the user turns the phone back “on.”

It’s a complicated hack, but it works.

Uses are obvious:

Historically, when malware infects an iOS device, it can be removed simply by restarting the device, which clears the malware from memory.

However, this technique hooks the shutdown and reboot routines to prevent them from ever happening, allowing malware to achieve persistence as the device is never actually turned off.

I see this as another manifestation of the security problems that stem from all controls becoming software controls. Back when the physical buttons actually did things — like turn the power, the Wi-Fi, or the camera on and off — you could actually know that something was on or off. Now that software controls those functions, you can never be sure.

Read More

Multiple Vulnerabilities in Adobe Products Could Allow for Arbitrary Code Execution

Read Time:36 Second

Multiple vulnerabilities have been discovered in Adobe Products, the most severe of which could allow for arbitrary code execution.

Connect is a suite of software for remote training, web conferencing, presentation, and desktop sharing.
Magento is a leading provider of cloud commerce innovation to merchants and brands across B2C and B2B industries.

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Read More

Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution

Read Time:31 Second

Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Google Chrome is a web browser used to access the Internet. Successful exploitation of the most severe of these vulnerabilities could allow an attacker to execute arbitrary code in the context of the browser. Depending on the privileges associated with the application, an attacker could view, change, or delete data. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

Read More

Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution

Read Time:31 Second

Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Google Chrome is a web browser used to access the Internet. Successful exploitation of the most severe of these vulnerabilities could allow an attacker to execute arbitrary code in the context of the browser. Depending on the privileges associated with the application, an attacker could view, change, or delete data. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

Read More

Is fighting cybercrime a losing battle for today’s CISO?

Read Time:10 Minute, 52 Second

At times, the quest to stay on top of web application security can seem futile. It seems as though the adversaries are always a step ahead, and all we can do is try our best to contain the breaches.

In this blog, we’ll look at the root causes of concern for today’s CISO and share some practical strategies to deter cybercriminals.

Web apps, the big attack opportunity for cybercriminals

The CISO role can be an unenviable one. With ongoing reports of new application vulnerabilities and threats on an upward trajectory, the race to safeguard your organization’s digital assets is unending.

And as a CISO, you have the ongoing struggle of understanding the scope of the issue yet managing the finite and appropriate resources to secure web applications. The most obvious cybersecurity strategy is to take a people-centric approach, with a 70-80% focus on staff awareness. This works as a stop gap measure, however, in the meantime cybercriminals are actively working to expand their attack methods to target weaknesses in web applications.  

We are living in a software-defined world, and the vulnerability of web apps is a growing problem. Unfortunately, web app vulnerabilities can remain unremediated for an extended period of time – and cybercriminals know this.

Protecting your web apps in the real-world

Actively monitoring key web applications is difficult but necessary. While comprehending where you are vulnerable is critical, so is the requirement to act within real-world constraints without endangering your larger perimeter. So it’s understandable that, at times, the challenges may seem insurmountable.

Application defects require priority alignment with development teams, and protection tools must comply with customer experience (CX) and governance requirements. Additionally, cybersecurity skills are in high demand, and budgets are tight.

While it may be of little comfort – you are not alone – it’s equally difficult for other businesses to compete with the hugely successful and profitable business of cybercrime.

You may decide to pick your battles and only protect the sites connected to sensitive data, while ignoring the security of third-party hosted or brochureware sites. But the reality is that even brochureware sites offer rich assets for cybercriminals keen to harvest user passwords and credentials.

Is the cyber deck stacked against today’s CISO?

At first glance, it appears that the odds are against you being able to protect your web apps, let alone the entire perimeter. So let’s look at those odds and see why they are so daunting.

The asymmetry of task. Cybercriminals just need to find one way in, but you need to either eliminate or contain all of the ways in. While the traditional approach is only to protect what matters, those untended brochureware and third-party sites can become a real security problem.
The asymmetry of knowledge: Cybercriminals use a community approach to executing attacks, whereas you’re stuck in a stance of independent defense. There’s little communication or sharing of expertise from company to company; knowledge is siloed.
The asymmetry of resources: It’s hard to fight cybercrime on an uneven playing field. While the cybercriminals use stolen resources and criminal economics, you must battle for resources in a competitive job market and buy expensive, legitimate tools.
The asymmetry of incentive: Cybercriminals have a massive financial incentive to ‘win’. Whereas only disapprobation awaits you and your team should you fail to secure your entire perimeter.
The asymmetry of timing and target: Cybercriminals get to choose when and where they attack. But it’s unlikely that your internal expert cybersecurity team is equally ready and waiting to counterstrike at 2 a.m.  over a long holiday weekend.

Even with all your organization’s resources and focus made available to you, the incredibly tough and constantly evolving external environment means the odds are clearly not stacked in your favor.

If you own the risks, who owns the elimination?

Now that we have established the difficulties in the external environment, let’s discuss your freedom to address these problems in a typical company.

As CISO, you are usually accountable for the security of the application fleet. For example, you own the governance, risk, and compliance (GRC) process, commission the application security testing, and own the risk register. But how much control do you have to directly address the identified risks?

The responsibility for eliminating risk through fixing or replacing apps sits with the product team. To align priorities, you must advocate with the product and development team. However, it’s not uncommon for product teams to assign a bug or a mistake in their code as a vulnerability and hand it back to your security operations team with a request to contain the threat. Passing the parcel from team to team is an exercise in frustration, wasted time, and distracted resources.

Balancing business with security

While the emphasis must be on attempting to eliminate all cyberthreats, that containment can’t interfere with the normal functioning of your applications. Although numerous security tools can detect suspicious activity through signatures and heuristics, you still need to decide what to block or allow and consider the impact (financial or otherwise) on the customer experience.

Should your security tool block a legitimate customer transaction, the response from the business revenue owner (or even higher in the organization) to ‘sort your security stuff out or it’s going to be removed!’ is usually swift.

As CISO, you are required to implement a method that both minimizes CX mistakes and rapidly addresses them. This requires extensive testing with your application (not just a generic tool) and the services of a 24x7x365 end-user facing expert response team – available at even 2 a.m. over a long holiday weekend.

So, where do you find these people, how do you afford them, and how long unitl they are executing with CMMI 3.0+ maturity?

Given that security flaws, published threats and application changes are continual, the requirement to mitigate them is incessant. You may be up to date today, but tomorrow, another 50 vulnerabilities are going to be released, and you need to start all over again.

Control your own destiny, or someone else will

Then, there’s the question as to whether changes to security tools settings are subject to change management. Does fine tuning your environment for new threats and making modifications to containment configurations comply with your GRC policy? Is turning things on or off at will a sound policy?

What about risk management? If you tune something out, is the risk measured, identified, reported, and audited in line with the changing threat landscape? And are the impacts of those changes assessed for incremental risks?

The risk to CX introduces a significant pressure on the CISO to incrementally remove security controls. It’s only by proving the financial benefit of any introduced tools that the business and security get an equal vote. The necessary proof of value, however, only comes with an audit, and these tend to be well spaced throughout the year, and only focussed on specific apps. Namely, those connected to sensitive data, and not to brochureware.

Enough despair. There are practical strategies to help you hold cybercriminals at bay.

If you measure it, you can improve (and prove) it

By applying the same rigorous tests to your security operations models as you do to software design, you get a head start. Proven approaches include operational programs that apply a military style to defining functional requirements, i.e. observe, orient, decide and act. In short:

Observe the problems so you can determine what they are
Find, orient, and prioritize your issues on a weekly cadence
Decide how you will fix them
Act by allocating development time and security operations time

And audit. It’s one thing to present a threat chart, but only a cost and benefit analysis holds real sway when it comes to security reporting.

Build a compelling business case for an adequate security budget

Now we have established the costs to build what is required. What is the value to the business of this investment?

Considering the key value being reduction in expected breach loss, industry reports from the likes of IBM/Ponemon provide benchmarks by reporting average impact and likelihood of breach across industry, location and organization size.

If you consider an organization of US Healthcare company with 7,500 employees:

the average loss of a breach is $16M ($600 per employee). This scales up and down by industry (166% up for healthcare) and location (eg 220% up for US)
the likelihood of breach sits at 30% over two years
therefore expected loss is $5.3M

As this is all loss from breaches the web application component should be prorated. VDBR states that approximately 40% of breaches can be attributed to web application incursion, therefore the web application contribution is $2M over 2 years or $1M per year

So, with an annual budget which anticipates a loss of $1 million, what should you spend on avoiding it? 

Economic researchers from the University of Maryland, Gordon-Loeb, have famously published research that concludes that 37% of expect losses from cyber events should be spent on avoidance.

This leads to a web application security program budget of $400k per annum and final reason to despair:

If a 7,500 person US Healthcare company has more than 5 web applications to protect, the business case is woefully underfunded.

Share the burden of elimination

Development costs are a major consideration for any CISO, so it’s small wonder that so many focus on only a few business-critical apps and don’t address the perimeter. And, the good news is – there are some game-changing strategies to be aware of:

You can stop waiting for developers, and turn to edge compute

Empower your security team to write code objects that manipulate the behavior of applications and eliminate threats and risks.

Edge compute introduces a range of benefits, including:

The ability to modify app behavior without touching it directly
Resolving vulnerabilities in hard-to-access legacy or third-party apps
Addressing apps under strict compliance without requiring recertification
Focused regression testing

The use of edge compute can divide your costs by 30. And if you look at the price of your threat protection, you can divide that by 10. So, we’re talking orders of magnitude change.

Enlist independent services to redress the balance

If outsourcing is acceptable to the business, contract a 24X7X365 specialist team of skilled security developers to build and deploy security controls and address development flaws outside of the cost base.

For a given scope, time, and price you’ll get committed time/cost outcomes. As well as running always-on teams of developers, these organizations have libraries of fixes, and utilize machine learning, automation, and edge compute deployment and operational experience to enhance outcomes. They have a community of knowledge, are aware of other defenses and attackers, and introduce cross-company knowledge to promote a community effect. And that’s before they even start to rely on tools.

So, what asymmetry problems does this approach solve for you?

Asymmetry of task: Cybercriminals just need to find one way in, but the economics of a third-party team allow you to cost-effectively eliminate or contain all threats to your entire perimeter.
Asymmetry of knowledge: Fight fire with fire. Cybercriminals use a community of attack, but the power of enhanced cross-company knowledge levels up the playing field.
Asymmetry of resources: While cybercriminals use stolen resources and criminal economics, your investment in shared resources narrows the competitive advantage.
Asymmetry of incentive: Cybercrime pays big time. But the specialist organization that fights cybercrime stands to benefit financially and reputation-wise from doing it well.
Asymmetry of timing and target: Cybercriminals never sleep, and neither does the always-on specialist security team that becomes an extension of your own team.

Summary:

By applying existing techniques that are proven and effective in other parts of the business, and in other industries, to cybersecurity, the cause is hopeful.

However, there are specific challenges that you need to address including the external asymmetry which favors the cybercriminal. It’s also important to take a real-world approach to internal constraints; consider and address them and build them into a program where they are solved (before you deploy any security tools).

It’s also critical to align priority and budget. Manage the customer experience risks and ensure that auditing produces an equal vote in terms of giving security a proper seat at the table.

And seriously consider the value of edge compute. At a time where tools on their own are not enough, it provides a genuine alternative to advocating with the development manager. Consider outsourcing to specialist teams, or even augmenting your own team with AI (which can be built internally or purchased) and apply it to the tasks of risk elimination and threat containment.

It’s a tough environment out there and understanding your capabilities and limitations to secure the business is just part of the journey.

AT&T Cybersecurity Consulting with the help of RedShield can start you on the path to managing risk in your application portfolio.

Read More

News, Advisories and much more

Exit mobile version