Cyber Security Training from QA

Cyber Pulse: Edition 11

Read the latest edition of Cyber Pulse, our roundup of Cyber news.


20 April 2018

Tech giants sign major cyber-security alliance

Several of the world's biggest technology companies have signed an agreement to help defend users from online attacks. Among the companies pledging their support are Microsoft, Symantec, Facebook, SAP, HP Inc., Nokia and Oracle. Called the “Cybersecurity Tech Accord”, this agreement promises stronger defences, capacity building and collective action. Collective action, for example, means companies will establish new formal and informal partnerships with industry, civil society and security researchers to boost technical collaboration, improve how everyone shares information on vulnerabilities and threats, and make introducing malicious code into cyberspace a more difficult endeavour. The signatories also promise to oppose efforts to misuse, tamper with, or exploit their products and services, and not to help anyone use them to launch cyberattacks against their customers and users. The devastating attacks from the past year demonstrate that cybersecurity is not just about what any single company can do but also about what we can all do together. The tech sector accord will help take a principled path towards more effective steps to work together and defend customers around the world. The signatories will meet for the first time during the RSA Conference in San Francisco, where they will discuss capacity building and collective action. It was also said that they might discuss jointly developing guidelines.

Microsoft ups IoT security with Azure Sphere

Microsoft will secure microcontroller-based devices with custom silicon, a Linux-based OS and a new cloud service. Microsoft is aiming to better secure IoT devices with the announcement of Azure Sphere at RSA 2018, which will allow device manufacturers to create highly-secured, Internet-connected microcontroller (MCU) devices. Azure Sphere is made up of three components that work together to protect and power devices at the edge. Azure Sphere certified microcontrollers (MCUs) are a new cross-over class of MCUs that combine real-time and application processors with built-in Microsoft security technology and connectivity. Each chip also contains custom silicon security technology from the company, based on 15 years of experience with Xbox, that helps secure this new class of MCUs and the devices they will power. Azure Sphere OS is an operating system built from the ground up to offer unequalled security and agility. Microsoft's new OS will offer multiple layers of security by combining security innovations from Windows, a security monitor and a custom Linux kernel. Together these three parts create a highly-secured software environment that provides businesses with a trustworthy platform on which they can build new IoT experiences. Azure Sphere Security Service is a turnkey cloud service that protects every Azure Sphere device. The service utilises certificate-based authentication for device-to-device and device-to-cloud communication. It is also able to detect emerging security threats across the entire Azure Sphere ecosystem thanks to online failure reporting, and software updates will keep its security up to date.

Government report reveals NHS still fails to meet cyber security requirements

The government's Public Accounts Committee has today released the findings of its report into the WannaCry ransomware which hit the NHS in May 2017, revealing that not one NHS trust is up to an acceptable standard of cyber security. Following the WannaCry attack, the report said, the NHS has assessed the cyber security level of 200 trusts. Disappointingly, however, every single trust failed the cyber security assessment - in some cases because they had failed to apply critical patches to their systems, which is the main reason WannaCry was able to spread so widely in the first place. The Department and NHS Digital told us that trusts had not passed the test, not because they had not done anything on cyber security, but rather that the Cyber Essentials Plus standard against which they are assessed is a high bar. However, some trusts had failed the assessment solely because they had not patched their systems - the main reason the NHS had been vulnerable to WannaCry. NHS England states that it is also concerned that trusts that were not infected by WannaCry could become complacent over cyber security and not keep on top of their cyber security risks. On top of this, NHS Digital told the committee that it still lacks key information on the cyber security posture of local healthcare facilities, such as the use of anti-virus software and IP addresses. The committee set out several recommendations for the Department for Health as part of the report, including that it should provide support and guidance for local healthcare organisations on how to efficiently patch systems with minimal disruption, as well as ensuring that staffing plans focus on IT and cyber security. The report also recommended that all of the NHS's contracts with IT and equipment vendors include guarantees for support and protection to guard against cyber-attack.

Mastercard calls for global online payments standard

Mastercard is pushing for a global standard for online card payments similar to existing standards for point-of-sale payments, eventually leading to a globally recognised and trusted online payment checkout button. Global standards for point-of-sale payments have led to improvements, most notably in security, and Mastercard and its partners in the project want to emulate this for online card payments. “We are taking the same kind of approach that we have taken to securing and improving payments at the point of sale, such as moving from mag stripe technology to chip technology, and applying a similar approach in the online world,” said Mike Cowen, vice-president of digital payments at Mastercard UK. Cowen said Europay, Mastercard and Visa, the organisations that make up EMV, the technology behind the move from mag stripe to chip, will define the new standards for online payments. Security is one of the main drivers, as fraudsters’ tactics evolve. “For example, we want to improve the security of online payments to include things like every payment having a dynamic cryptogram to protect information,” said Cowen. He said the system will take advantage of the security technologies available today, such as EMV tokenisation and customer authentication mechanisms including biometrics, which will mean people do not have to remember passwords and codes. “This is a call to action for organisations like us as well as banks and retailers,” said Cowen. “For standards to work, everybody has to participate.”

PCI Council releases vastly expanded cards-in-clouds guidance

The Payment Card Industry Security Standards Council (PCI SSC) has issued a big update to its guidance on using payment cards with cloud computing services. A lot has happened in the cloud since 2013, when the last version was published, which may explain why Wednesday’s version three runs to 83 pages, 31 pages more than version two. On The Register’s reading of the document, the big changes kick in around the new Section 6.5 on Vulnerability Management. This re-written section adds advice on testing web applications, internal networks and penetration testing. Section 6.4 is new, too, and suggests “Customers should contractually require data breach notification from their Providers in clear and unambiguous language, taking into consideration the need to comply with local and global regulatory/breach laws, data privacy, security incident management and breach notification requirements.” As you’d expect, new technologies like software-defined networking and the internet of things score a mention, along with guidance on how they impact PCI compliance. Hypervisor introspection, the practice of peering into workloads to ensure they aren’t doing anything unexpected, is considered at length because “… it can bypass role-based access controls and that it can be used without leaving a forensic audit trail within the VM itself.” Desktop virtualization, especially cloud-hosted desktops, has also required substantial new guidance. There’s also a long list of things a container platform needs to do before it can be considered ready for duty handling payment card information in the cloud. Another new and very modern recommendation concerns testing of automation to ensure that resources created in an elastic cloud inherit the security controls required for PCI compliance. The new document contains hundreds of changes.
Perhaps the best way to assess the main points is by considering the updates to the section on “PCI DSS Compliance Challenges.” The new version adds a warning that “… it may be particularly challenging to validate PCI DSS compliance in a distributed, dynamic infrastructure such as a public or multi-tenant environment.” Both documents warn that it is hard to understand what infrastructure a cloud provides. The new one adds that it is therefore “difficult to identify which system components are in scope for a particular service or identify who is responsible for particular PCI DSS controls.” Many changes concern scoping a cloud to ensure it is PCI compliant, and plenty of those concern work to determine exactly what parts of a cloud are certified as PCI-compliant, who has responsibility for their security, and how to make sure that an incident doesn’t end up with lots of finger-pointing that can’t help card-holders.

Hacker botnets can automate a cyber attack in 15 seconds

Researchers find advanced tools being used by low-level attackers. Hackers are using botnets to automate the process of hacking into networks, security researchers have found. The discovery was made when a 'honeypot' of fake user data was released to the dark web to tempt hackers into exploiting the data. Masquerading as data from a financial services company, the security firm released usernames and passwords for the Remote Desktop Protocol (RDP) for three servers in the network to dark markets and paste sites to see how hackers would respond, according to a blog post by Ross Rustici, head of intelligence services at Cybereason. He said that once set up, automated bots came along to the honeypot to carry out the groundwork for human attackers before they entered the network environment, including exploiting known vulnerabilities, scanning the network and dumping the credentials of compromised machines. The botnet also created new user accounts, which would allow the attackers to access the environment if the users of the compromised machines changed their passwords. And the botnet carried out these functions in approximately 15 seconds. “For defenders, automatic exploitation in a matter of seconds means they’ll likely be overwhelmed by the speed at which the botnet can infiltrate their environment,” Rustici said.

TaskRabbit Takes Site Offline After Security Incident

Odd-job marketplace TaskRabbit has taken its website offline and urged users to change any online passwords reused on the platform after a suspected breach. The IKEA-owned firm posted a brief statement on the holding page, claiming it is investigating a cybersecurity incident. Its entire team is working around the clock with an outside cybersecurity firm and law enforcement to determine the specifics. “The app and the website are offline while our team works on this. In the interim, we have dispatched a large team to work with Taskers and clients via phone to help them schedule and complete pending tasks,” it said. “We’re working to get the site back online as quickly as possible and continuing our investigation into the incident. We will be back in contact with you with more information once we have it. As an immediate precaution, if you used the same password on other sites or apps as you did for TaskRabbit, we recommend you change those now.” The final piece of advice would seem to suggest that at least some log-ins have been compromised as a result of the “incident.” Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies, claimed that taking its site offline threatens the firm’s brand, but that it was probably the right approach. “If the company had continued to process sensitive information such as card data while the vulnerability was open, the cost could have been far greater,” she added. “Stopping business temporarily is sometimes the best option, and is certainly a far better approach than that taken by Equifax, for example, which continued operation in spite of a vulnerability.” Last week, UK train company Great Western Rail was forced to reset passwords for one million accounts after a small number, around 1000, were accessed by unauthorized parties.

Malware disguised as a painting app infects 40,000 Facebook users

It took crooks just days to infect tens of thousands of Facebook users with malware capable of stealing credit card details and other personal information. Last week, security researchers at Radware detected the malicious activity of a group that was sending out phishing emails to Facebook users around the world. Attached to the messages was a link to download a seemingly innocuous painting application designed to relieve stress. But the “Relieve Stress Paint” app did the opposite of what it promised, infecting users with an appropriately named malware called Stresspaint. To throw users off its tracks, the bad actors disguised “Relieve Stress Paint” as aol.net on search engines and in emails using Unicode characters. Its true address is a much scarier “xn--80a2a18a.net.” You can see below how a search query for getting rid of stress pulls up the malware in a fake AOL domain. Once an unknowing user clicks on it, a window pops up that looks similar to Microsoft Paint. The program will act like a legitimate paint program, allowing users to switch colours and line size. While they’re tinkering, the malware infects the computer, copies Chrome cookies and Facebook passwords, and deletes itself after about a minute. The cookies are transferred and queried at a new location where additional data, like the number of friends an account has, whether an account manages a page, and payment data, is gathered from predefined Facebook URLs. Stresspaint copies the files each time the program is opened or when an infected user restarts their computer. Nissim Pariente, director of security analytics and research and development at Radware, told the Daily Dot that he can only guess what the bad actors may have stolen from accounts, but it’s likely that payment information, personal messages, and sensitive images were compromised. It’s also unclear what the information is being used for.
Radware suspects the criminals will either sell the data, use it for ransom or espionage, or engage in identity theft by reusing the credentials. However, since the malware is only focusing on Facebook members with a large following, Radware fears it will use accounts to spread propaganda or create malvertising campaigns.
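The “aol.net” disguise above is an IDN homograph: decoding the Punycode label xn--80a2a18a yields three Cyrillic letters (а, о and the palochka ӏ) that render like the Latin “aol”. The check below is an added defender-side example, not code from the article or from Radware: it decodes the Punycode form of a hostname, reports which scripts each label uses, and flags names whose non-Latin letters all have Latin look-alikes. The LOOKALIKES table is a small constructed subset of the Unicode confusables list, not the full table.

```python
import unicodedata

# Constructed subset of Unicode confusables (Cyrillic -> Latin look-alikes).
# The full list is UTS #39 confusables.txt; only a few entries are embedded here.
LOOKALIKES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
}


def decode_idn(hostname: str) -> str:
    """Turn each 'xn--' (Punycode) label back into the Unicode a browser displays."""
    labels = []
    for label in hostname.lower().split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)


def scripts(label: str) -> set:
    """Script names (first word of each Unicode character name) used by the letters in a label."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in label if ch.isalpha()}


def skeleton(hostname: str) -> str:
    """Replace known look-alike characters with the Latin letters a user would perceive."""
    return "".join(LOOKALIKES.get(ch, ch) for ch in hostname)


def analyse(hostname: str) -> dict:
    """Flag a hostname that mixes scripts within a label, or whose non-Latin
    letters all collapse to a pure-ASCII look-alike (e.g. аоӏ.net -> aol.net)."""
    unicode_form = decode_idn(hostname)
    labels = unicode_form.split(".")
    mixed = any(len(scripts(label)) > 1 for label in labels)
    non_latin = any(scripts(label) - {"LATIN"} for label in labels)
    looks_like = skeleton(unicode_form)
    return {
        "unicode": unicode_form,
        "looks_like": looks_like,
        "suspicious": mixed or (non_latin and looks_like.isascii()),
    }
```

A genuine Cyrillic domain keeps letters with no Latin look-alike, so its skeleton is not ASCII and it is not flagged; the check is a triage signal for URL filters and mail gateways, not a verdict.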


Visit cyber.qa.com for more information on how they can help solve the Cyber Security skills gap.



Edited and compiled by


James Aguilan

Cyber Security Specialist

James has worked on many high-complexity eDiscovery projects and forensic investigations involving civil litigation, arbitration and criminal investigations for large corporations and international law firms across the UK, US, Europe and Asia. James has assisted on many notable projects, including one of the largest acquisition and merger cases of all time – a deal worth $85 billion, a multijurisdictional money laundering matter for Government bodies, and national cyber threat crises including the more recent ransomware, phishing campaigns and network intrusions. James has comprehensive knowledge of the eDiscovery lifecycle and forensic investigation procedures in both practice and theory, with a deep focus on and interest in Forensic Preservation and Collection and Incident Response. In addition, he holds a first class bachelor’s degree in Computer Forensics and is accredited as an ACE FTK certified examiner.