Article: Hackers Say Humans Most Responsible for Security Breaches

Via: SecurityWeek.com

Hackers Say Humans Are the Weak Point and That Traditional Defenses Cannot Protect Them

Under the principle of “set a thief to catch a thief,” 250 hackers at Black Hat 2017 were asked about their hacking methods and practices. By understanding how they work and what they look for, defenders can better understand how to safeguard their own systems.

Thycotic surveyed a cross section of hackers attending Black Hat. Fifty-one percent described themselves as white hats; 34% described themselves as grey hats using their skills for both good and bad causes; and 15% self-identified as out-and-out black hats.

The hackers’ number one choice for fast and easy access to sensitive data is gaining access to privileged accounts (31%). Second is access to an email account (27%), and third is access to a user’s endpoint (21%). All other routes combined totaled just 21%.

The hackers also confirmed that perimeter security, in the form of firewalls and anti-virus, is irrelevant and obsolete. Forty-three percent are least troubled by anti-virus and anti-malware defenses, while 29% are untroubled by firewalls. “Hackers today are able to bypass both firewalls and AV using well known applications and protocols or even VPN that hide within expected communications,” explains Joseph Carson, Thycotic’s chief security scientist. “For example, VOIP, streaming services etc. Because of the ability to hide within normal business applications or the use of authenticated stolen credentials, they are stating that these technologies are no longer sufficient to prevent cyber-attacks on their own.”

Overall, the hackers find MFA and encryption their biggest obstacles. “As hackers increasingly target privileged accounts and user passwords,” explains Thycotic, “it’s perhaps not surprising that the technologies they considered the toughest to beat include Multi-Factor Authentication (38%) and Encryption (32%), with endpoint protection and intrusion prevention far behind at 8% and 5% respectively.”

Ultimately, however, the hackers believe that humans are most responsible for security breaches. Only 5% consider that insufficient security software is the problem, while 85% named humans as most responsible for security breaches. The problem is ‘cyber fatigue’.

Cyber fatigue is blamed on the constant pressure to obey policy and good practice. “‘Remembering and changing passwords’ was the top source of cybersecurity fatigue (35%), a major vulnerability that hackers are all too willing to exploit,” notes Thycotic. “Other contributing factors included ‘Information overload’ (30%), ‘Never ending software updates’ (20%) and ‘Living under constant cyber security threats’ (15%).”

Perhaps surprisingly, hackers do not consider threat intelligence solutions to be an obstacle. “Because Threat Intelligence solutions are also accessible to hackers, they may be able to easily identify how they work and therefore avoid detection by them,” suggests Thycotic.

The survey suggests that humans are a weak point, traditional perimeter defenses are ineffective, and user credentials are the target. “With traditional perimeter security technologies considered largely irrelevant, hackers are focusing more on gaining access to privileged accounts and email passwords by exploiting human vulnerabilities allowing the hacker to gain access abusing trusted identities,” comments Carson. “More than ever, it is critical for businesses to mitigate these risks by implementing the right technologies and process to ward off unsuspecting attacks and access to sensitive data.”

His conclusion is that “The new cybersecurity perimeter must incorporate an identity firewall built around employee and data using identity and access management technology controls which emphasizes the protection of privileged account credentials and enhances user passwords across the enterprise with multi-factor authentication.”

Source: http://www.securityweek.com/hackers-say-humans-most-responsible-security-breaches

Alert: Online Scammers Require Payment Via Music Application Gift Cards

Via: IC3

Source: https://www.ic3.gov/media/2017/170801.aspx

Suspicious Email with Subject “Scanned image from MX-2600N” Sent to the Fordham Community on 7/31/17

This is a suspicious email that has been reported. This message was received on or about July 31st, 2017. Please DO NOT respond to this message or anything that looks like it. You may disregard and delete this message. If you have any questions about the validity of this email please contact IT Customer Care at 718-817-3999 or via email: helpit@fordham.edu.

———- Begin Message ———-

From: <noreply@fordham.edu>
Date: Mon, Jul 31, 2017 at 11:59 AM
Subject: Scanned image from MX-2600N
To: user@fordham.edu

Reply to: noreply@fordham.edu <noreply@fordham.edu>
Device Name: Not Set
Device Model: MX-2600N
Location: Not Set

File Format: Microsoft Office Word
Resolution: 200dpi x 200dpi

Attached file is scanned image in DOC format.
Document password: LRAKRFT
Creation date: Mon, 31 Jul 2017 20:29:21 +0430

*This Email Has An Attached Word Document That Is Password Protected*

———- End Message ———-

Article: Three Telltale Signs a Hacker Has Been in Your Account

Via: Imperva.com

“Imperva’s latest Hacker Intelligence Initiative (HII) report, Beyond Takeover – Stories from a Hacked Account, was just released. With this research, we set forth to learn about the dynamics of phishing attacks from the victim’s perspective and shed some light on attacker practices. Our intent was to learn how accounts are taken over once credentials are compromised through a phishing campaign.

To achieve this, we maintained 90 personal online accounts (“honey accounts”) over nine months in platforms that are well-known phishing targets. We invited attackers in by leaking the credentials of these accounts to selected phishing campaigns and traced their activity.

One of the more interesting areas of the research was uncovering which practices attackers used to cover their tracks, destroy evidence of their presence and activities in the account, and evade detection. In this post, we’ll share attacker techniques, how they cover their tracks, and three signs that indicate your account has been hacked.

Phishing: A Glance at Attacker Practices

What Do Attackers Look For?

After leaving the front door open, it was interesting to watch what happened in the house once a burglar got in. We spread decoys as breadcrumbs to lure attackers into our traps and we saw many take the bait. We collected and analyzed alerts to reach the (not too surprising) conclusion that attackers first and foremost are looking for sensitive information, such as passwords and credit cards numbers.

Figure 1: Distribution of accessed decoy data types

Manual Labor or Automatic?

We were curious to know if the attackers worked manually or used automated tools. To answer this, we checked timing of triggered tokens. We noticed that attackers approached tokenized items selectively rather than sequentially, e.g., only part of tokens were approached and not in any visible order. The time intervals between approaches were very different and ranged from a few seconds to over 10 minutes. Moreover, we saw that 74% of the first decoys were accessed within three minutes of account penetration, which indicates that attackers access the content online manually and do not download and examine it with automated tools. These observations together indicate that exploration of the accounts was primarily done manually.

How Attackers Cover Their Tracks (But Not All Do!)

Attackers can leave tracks behind during the attack process, such as generating suspicious new-device login alerts or spam messages in the sent items folder. Erasing evidence of a compromise is mandatory for an attacker who wants to remain obscure, continue using/exploring the account and avoid a trace back. We observed three different techniques attackers use to cover their tracks:

  • Delete sign-in alerts from the inbox (and permanently delete them from deleted items/trash)
  • Delete sent emails and failure notification messages
  • Mark read messages as unread

Our research also showed that not all attackers take equal care in covering their tracks. We were surprised to find that only 17% made any attempt to cover their tracks. And those who did sparingly used track covering practices (see Figure 2):

Figure 2: Percentage of track covering and track covering practices

Attackers’ oversight in covering up their tracks is key to identifying if an account has been hacked.

The Telltale Signs

Since not all attackers cover up their tracks, that means many leave evidence behind. This allows users to be aware that a hack has taken place if they’re looking for the right things in the right places. Here are three telltale signs that an attacker has been in your account.

Telltale Sign #1: Suspicious Sign-In Email Alerts

Following a hacker’s penetration into an account, a lot of visible hints are likely to remain which can be seen by a simple search for suspicious sign-in alert emails in the inbox.

In only 15% of the account penetrations, we saw that new sign-in alert emails were deleted from the inbox (see Figure 2). Even then, they were usually forgotten and left in the trash folder—only 2% of the attackers deleted a new sign-in alert permanently. Users should be on the lookout for suspicious sign-in email alerts in their inbox and periodically scan deleted items or trash folders for them as well (see Figure 3).

Figure 3: New sign-in alert found in Gmail trash, not deleted by a hacker

Telltale Sign #2: Messages Marked as Read (That You Didn’t Read)

Another technique we saw was attackers marking email messages as unread after opening them to bring the mailbox back to its original condition. Following is an example from a Yandex email log (Figure 4). Yandex is an email provider and search engine used in Russia, the Ukraine, Belarus, Kazakhstan and Turkey (their search engine has about a 65% market share in Russia). It’s used as an example here as other mail providers (such as Gmail, Yahoo and Microsoft Hotmail/Outlook) don’t contain activity logs for read/unread messages. This type of strange read/unread email activity indicates a hacker has been in the account.

Figure 4: Examples in a Yandex activity log of a perpetrator marking email messages as unread after opening them.

Telltale Sign #3: Sent Items (You Didn’t Send) and Delivery Failure Notification Messages

Thirteen percent of attackers deleted emails they sent from compromised accounts (such as those sent to launch a new phishing campaign) as well as the failure notification messages, which inform the sender about the inability to deliver a message. These emails are typical when using the account for spamming purposes when the email provider identifies the spamming attempt and blocks the burst of spam emails. Of course, if 13% deleted sent items and failure notifications, then the vast majority—87%—did not and left evidence behind that they hacked the account.

Protecting Accounts

Despite the various actions attackers used for covering their tracks, many of them left considerable traces in the hacked accounts, showing that in some ways hackers are no different than their victims. Users can be lax when it comes to security awareness and get themselves in trouble by not being more attentive of their actions. Hackers can be sloppy too—their lack of attention can alert a victim that their account has been compromised.

If an account has been compromised, the first course of action should be to change the password. Two-factor authentication remains the tool of choice for protecting accounts from takeover, or at least a recovery email or phone number to be immediately alerted to alternative accounts/devices about possible threats to the account’s security. However, being watchful for attack hints like suspicious items in the sent items or trash folders, suspicious sign-in messages and messages marked as read which users don’t remember reading, can lead to early detection of account takeover and give the victim the opportunity to take back control of their account.”

Source: https://www.imperva.com/blog/2017/07/three-telltale-signs-a-hacker-has-been-in-your-account/
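A defender-side scan for the three telltale signs the Imperva post describes, written as an added example (it is not code from Imperva or Fordham IT). The message and activity-log record shapes, the subject phrases used to recognise sign-in alerts and bounce notices, the 10-minute open-to-unread window and the sample mailbox are all constructed assumptions, not any provider's export format:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Message:
    folder: str       # "Inbox", "Trash" or "Sent" (assumed folder names)
    recipient: str
    subject: str

@dataclass
class LogEntry:
    at: datetime      # when the action happened
    action: str       # "open" or "mark_unread" (assumed log vocabulary)
    message_id: str

# Subject fragments for sign-in alerts and bounce notices (assumed patterns).
SIGNIN_PHRASES = ("new sign-in", "new device", "signed in from")
BOUNCE_PHRASES = ("delivery status notification (failure)", "undeliverable", "mail delivery failed")

def find_signin_alerts(messages):
    """Sign 1: sign-in alerts left in Inbox or Trash; the folder is reported
    because an alert sitting in Trash that the owner never deleted is the stronger clue."""
    return [(m.folder, m.subject) for m in messages
            if m.folder in ("Inbox", "Trash")
            and any(p in m.subject.lower() for p in SIGNIN_PHRASES)]

def find_read_then_unread(log, window=timedelta(minutes=10)):
    """Sign 2: a message opened and then marked unread within `window` (the
    Yandex-log pattern). Entries are sorted by time, so log order is not trusted."""
    opened, suspicious = {}, []
    for e in sorted(log, key=lambda x: x.at):
        if e.action == "open":
            opened[e.message_id] = e.at
        elif e.action == "mark_unread" and e.message_id in opened:
            if e.at - opened.pop(e.message_id) <= window:
                suspicious.append(e.message_id)
    return suspicious

def find_spam_traces(messages, known_contacts, threshold=3):
    """Sign 3: Sent items to recipients the owner never wrote to, plus
    delivery-failure notices; a burst of either suggests the account sent spam."""
    unknown_sent = [m.recipient for m in messages
                    if m.folder == "Sent" and m.recipient not in known_contacts]
    bounces = sum(1 for m in messages if m.folder in ("Inbox", "Trash")
                  and any(p in m.subject.lower() for p in BOUNCE_PHRASES))
    return {"unknown_sent": unknown_sent, "bounces": bounces,
            "likely_spam_use": bounces >= threshold or len(unknown_sent) >= threshold}

T0 = datetime(2017, 7, 31, 9, 0)
OWNER = "owner@example.invalid"
SAMPLE_MESSAGES = [  # constructed mailbox snapshot
    Message("Inbox", OWNER, "Project update"),
    Message("Trash", OWNER, "New sign-in from Windows on Chrome"),
    Message("Sent", "friend@example.invalid", "Lunch?"),
    Message("Sent", "x1@example.invalid", "Invoice attached"),
    Message("Sent", "x2@example.invalid", "Invoice attached"),
    Message("Sent", "x3@example.invalid", "Invoice attached"),
    Message("Inbox", OWNER, "Delivery Status Notification (Failure)"),
    Message("Inbox", OWNER, "Delivery Status Notification (Failure)"),
    Message("Trash", OWNER, "Undeliverable: Invoice attached"),
]
SAMPLE_LOG = [  # constructed activity log, deliberately out of order
    LogEntry(T0 + timedelta(minutes=3), "mark_unread", "msg-17"),
    LogEntry(T0 + timedelta(minutes=1), "open", "msg-17"),
    LogEntry(T0 + timedelta(minutes=5), "open", "msg-18"),      # read and left read: normal
    LogEntry(T0 + timedelta(hours=2), "mark_unread", "msg-19"),  # no prior open: ignored
]
KNOWN_CONTACTS = {"friend@example.invalid", "boss@example.invalid"}

def scan_mailbox(messages=SAMPLE_MESSAGES, log=SAMPLE_LOG, contacts=KNOWN_CONTACTS):
    return {"signin_alerts": find_signin_alerts(messages),
            "read_then_unread": find_read_then_unread(log),
            "spam_traces": find_spam_traces(messages, contacts)}
```

Any non-empty finding in the report is a reason to change the password and review recovery settings, as the post recommends.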

“Wire Transfer” Scam Email Sent to the Fordham Community on July 5, 2017

This is a scam email that has been reported. This message was received on or about July 5, 2017. Please DO NOT respond to this message or anything that looks like it. You may disregard and delete this message. If you have any questions about the validity of this email please contact IT Customer Care at 718-817-3999 or via email: helpit@fordham.edu.

———- Begin Message ———-

From: <CustomerService@interaudibank.com>
Date: July 5, 2017 at 10:51:32 AM EDT
To: <user@fordham.edu>
Subject:Wire Transfer

A wire request has been sent to Interaudi Bank on 07/05/17 at 08:13:59 AM to transfer 10000.00 to your account.
The confirmation ID for this request is ******.
Please do not respond to this confirmation. This is an unmonitored mailbox, and replies to this email cannot be read or responded to.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The information contained in this message is privileged and confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer.

Thank you.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

———- End of Message ———-

How Risky is Your Online Behavior? (Training)

How Risky is Your Online Behavior?

It’s not if a cyber attack occurs at Fordham University. It’s when.

But that’s not only true for Fordham. It’s the reality throughout higher education, as well as in the business world.

You’ve already taken a few steps to reduce your and the University’s risk of a cyber attack. For example, your Fordham AccessIT ID password is at least 8 characters long. Multi-factor authentication (MFA) is now part of your routine. This collective effort reduces some of our risk.

Do you need to do more? Yes, as long as cyber threats remain.

What can you do? It’s actually pretty easy. Learn when you’re engaging with technology in a risky way and then change your habits. We have just the tool for helping you: The online, self-paced UISO Security Training. To access, go to Blackboard (fordham.blackboard.com) and look for it under “My Organizations.”

About the UISO Security Training

As part of Fordham University’s efforts to address the increasing threats to the security of our digital resources and data, the University Information Security Office has made cyber security awareness training available on-line to the University community. The training is comprised of 17 modules, ranging from one to four minutes each. You can stop and continue the training as your schedule permits.

Each member of the University community has a responsibility to safeguard the information assets entrusted to us. This computer-based training program will better prepare you to fulfill this responsibility and to strengthen your defenses and the University’s against future attacks. Adopting behaviors that protect information benefits the University, and can benefit you and your family.

The training material will:

  • Provide information that will help mitigate the risk and subsequent impact of data exposure.
  • Teach you to protect your personal information, which reduces opportunities for identity theft.
  • Highlight the risks associated with social networking, email, and general Internet usage.
  • Explain the importance of password hygiene (e.g., strong and unique passwords).
  • Educate you on the importance of mobile and physical security best practices.

Why participate?

  • In the first 3 months of 2017, prior to the implementation of multi-factor authentication, over 80 Fordham employee AccessIT ID usernames and passwords were compromised as a result of phishing emails. Fortunately, that number has declined since MFA became required.
  • Untrained staff can unknowingly create security vulnerabilities. A recent study of 887 companies spread across 30 countries discovered that employee error caused 30% of data breaches.
  • Studies have shown that 48% of data breaches were caused by accidental data exposure.
  • Studies have also shown that weak, default, or stolen passwords account for 63% of confirmed data breaches in 2015.
  • The average cost of a data security breach is more than $158 per record. A breach involving only 50,000 records would amount to an approximate loss of $8 million dollars to the University.

Content designed for easy understanding and busy schedules

  • The training’s 17 modules are self-paced and can be completed in several sittings. You do NOT need to finish in one session.
  • You may pause and save your work and continue at another time. At the end of each subject area, you will be asked to take a short quiz to test your understanding of the material.
  • The total time for all modules is approximately two hours, however you do not need to view all of them in one session.

Access the training

My.fordham.edu > Blackboard > My Organizations > UISO_Employees:UISO Security Training for Employees > IT Security Awareness Course > Continue to the home screen.


Alert: New DHL Phishing Emails Targeting Fordham Community

Please be advised that there are suspicious emails circulating that are targeting members of the Fordham Community. The email contains what appear to be images of package slips. However, the images redirect you to a malicious phishing site.

These are not legitimate emails and should be reported immediately.
Please remain diligent and avoid giving any personally identifiable information through email. Pay attention to the sender of the email and if something appears suspicious, contact the sender directly to verify the message’s legitimacy. DO NOT respond via email. If direct contact with the sender is not possible, please contact ITCC for assistance.

The content of the email is as follows:

———- Start of Message ———-
From: DHL Service <baqader1407@gmail.com>
Date: Tue, Jun 27, 2017 at 9:50 AM
Subject: DHL delivery details ……
To:

Dear  Customer ,

Please find attached DHL AWB , pls printed and given to courier upon arrival .
Thanks

Best regards

DHL Expess Team

DHL receipt.pdf
—————End of Message—————-


Please remember that Fordham IT will NEVER ask you for your username and password or ask you to click any links to validate or verify your account or password. If you receive questionable or suspicious communications, contact IT Customer Care and allow the University Information Security Office (UISO) to validate the legitimacy of these communication attempts.

Alert: Suspicious E-Mails Targeting University Staff

Please be advised that there are suspicious emails circulating that are targeting University faculty and staff, including secretaries, assistants and receptionists. We have received reports of several different emails circulating requesting the recipient to reply.

These are not legitimate emails and should be reported immediately.
Please remain diligent and avoid giving any personally identifiable information through email. Pay attention to the sender of the email and if something appears suspicious, contact the sender directly to verify the message’s legitimacy. DO NOT respond via email. If direct contact with the sender is not possible, please contact ITCC for assistance.

Please remember that Fordham IT will NEVER ask you for your username and password or ask you to click any links to validate or verify your account or password. If you receive questionable or suspicious communications, contact IT Customer Care and allow the University Information Security Office (UISO) to validate the legitimacy of these communication attempts.

Article: Apple fixes dozens of security bugs for iPhones, Macs.

Via: ZDNet

“Apple has squashed dozens of security bugs in its latest releases of its iPhone, iPad, and Mac operating systems.

The Cupertino, Calif.-based company rolled out 23 security fixes in iOS 10.3.2 and another 30 fixes in macOS 10.12.5, both of which were released on Monday.

Among the bugs, two bugs in iBooks for iOS could allow an attacker to arbitrarily open websites and execute malicious code at the kernel level. Over a dozen flaws were found in WebKit, which renders websites and pages on iPhones and iPads, that could allow several kinds of cross-site scripting (XSS) attacks.

A separate flaw in iBooks for macOS desktops and notebooks could allow an application to escape its secure sandbox, a technology used to prevent data loss or theft in the case of an app compromise.

Almost half of the bugs found were attributed to Google’s Project Zero, the search giant’s in-house vulnerability-finding and security team.

One of the iOS bugs credited to Synack security researcher Patrick Wardle described a kernel flaw in which a malicious application could read restricted memory, such as passwords or hashes.

In a blog post last month, Wardle explained how he found the zero-day flaw following a supposed fix in an earlier version of macOS 10.12. He said that Apple’s patch “did not fix the kernel panic” and worse, “introduced a kernel info leak, that could leak sensitive information” that could bypass the operating system’s security feature that randomizes the kernel’s memory address locations.

In an email, Wardle admitted he “didn’t realize it affected iOS too.”

Patches are available through the usual automatic update channels.”

Source: http://www.zdnet.com/article/apple-fixes-dozens-of-security-bugs-in-ios-10-3-2-macos-updates/?loc=newsletter_large_thumb_related&ftag=TREc64629f&bhid=22897651806331074555632548278564

Alert: Critical Microsoft Vulnerability

Description

Initial reports indicate the hacker or hacking group behind the WannaCry campaign is gaining access to enterprise servers either through Remote Desktop Protocol (RDP) compromise or through the exploitation of a critical Windows SMB vulnerability. Microsoft released a security update for the MS17-010 vulnerability on March 14, 2017. Additionally, Microsoft released patches for Windows XP, Windows 8, and Windows Server 2003 operating systems on May 13, 2017. According to open sources, one possible infection vector is via phishing emails.

Impact

Ransomware not only targets home users; businesses can also become infected with ransomware, leading to negative consequences, including

  • temporary or permanent loss of sensitive or proprietary information,
  • disruption to regular operations,
  • financial losses incurred to restore systems and files, and
  • potential harm to an organization’s reputation.

Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed.

Defending Against Ransomware Generally

Precautionary measures to mitigate ransomware threats include:

  • Ensure anti-virus software is up-to-date.
  • Implement a data back-up and recovery plan to maintain copies of sensitive or proprietary data in a separate and secure location. Backup copies of sensitive data should not be readily accessible from local networks.
  • Scrutinize links contained in e-mails, and do not open attachments included in unsolicited e-mails.
  • Only download software – especially free software – from sites you know and trust.
  • Enable automated patches for your operating system and Web browser.