APT | Bach Seat

Tag Archive for APT

RB | October 11, 2019

Comments Off

How Secure are Your Printers?

Printers are under the security microscope again. Printers are IoT devices that sit on the network and never get updated. I have covered some of the problems that printers cause a number of times on the Bach Seat. And now more vulnerabilities have been identified by UK-based security consultancy NCC Group in six popular enterprise printers.

Vulnerabilities in printers

The research team was made up of Daniel Romero, managing security consultant and research lead, and Mario Rivas, security consultant at NCC Group. They identified several classes of vulnerabilities in printers including:

Denial of service attacks that could crash printers;
The ability to add back-doors into printers to maintain attacker persistence on a network.
The ability to spy on every print job sent to vulnerable printers.
The ability to forward print jobs to an external internet-based attacker.

Matt Lewis, research director at NCC Group told ComputerWeekly,

Because printers have been around for decades, they’re not typically regarded as enterprise IoT [internet of things devices], yet they are embedded devices that connect to sensitive corporate networks and therefore demonstrate the potential risks and security vulnerability posed by enterprise IoT.

Who to blame

There is plenty of blame to share for most of these latest vulnerabilities. Mr. Lewis says the manufacturers are causing these problems by neglecting to build security into their products.

Building security into the development life-cycle would mitigate most, if not all, of these vulnerabilities and so it’s therefore important that manufacturers continue to invest in and improve cybersecurity, including secure development training and carrying out thorough security assessments of all devices.

End-users have to take some of the blame as well according to NCC Group

Corporate IT teams can also make small changes to safeguard their organization from IoT-related vulnerabilities, such as changing default settings, developing and enforcing secure printer configuration guides, and regularly updating firmware.

Impacted printer models

The printers tested by the researchers were from HP, Ricoh, Xerox, Brother, Lexmark, and Kyocera.

The NCC Group found vulnerabilities in HP (HPQ) printers. The Color LaserJet Pro MFP M281fdw printers have buffer overflows, cross-site scripting (XSS) vulnerabilities, and cross-site forgery countermeasures bypass.

HP has posted firmware updates to address potential vulnerabilities to some of its Color LaserJet series. “HP encourages customers to keep their systems updated to protect against vulnerabilities,” the company said in a statement.

The vulnerabilities in Lexmark CX310DN printers NCC Group found include denial of service vulnerability, information disclosure vulnerabilities, lack of cross-site request forgery countermeasures, and lack of account lockout.

The NCC Group found Vulnerabilities in Kyocera (KYO) Ecosys M5526cdw printers. The security holes include buffer overflows, broken access controls, cross-site scripting vulnerabilities, and lack of cross-site request forgery countermeasures.

NCC Group identified stack buffer overflows, heap overflows and information disclosure vulnerabilities in Brother (6448) HL-L8360CDW printers.

The vulnerabilities reported in Ricoh (RICOY) SP C250DN printers include buffer overflows, lack of account lockout, information disclosure vulnerabilities, denial of service vulnerabilities, lack of cross-site request forgery countermeasures, and hard-coded credentials.

NCC Group claims the Xerox (XRX) Phaser 3320 printer vulnerabilities include buffer overflows, cross-site scripting vulnerabilities, lack of cross-site request forgery countermeasures, and lack of account lockout.

All of the vulnerabilities discovered during this research have either been patched or are in the process of being patched by the relevant manufacturers. NCC Group recommends that system administrators update any affected printers to the latest firmware available, and monitor for any further updates.

HP Has No Easy Way Out of Printer Jam (Wall Street Journal)

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: 2019, APT, Backdoor, Brother, data theft, DDOS, HP, IOT, NCC Group, Printer, Security, Xerox

RB | June 29, 2019

Comments Off

Presidential Wannabe’s Don’t Use Email Security

We are in the run-up to the 2020 ~~silly~~ U.S. Presidential election season. Not much has changed in the three years after ~~Trump operatives~~ Russian hackers targeted and breached the email accounts of Hillary Clinton’s presidential campaign. Email security firm Agari reports that nearly all 2020 presidential candidates have learned nothing. They have not implemented email security. They are not protected against email attacks, fraud, and data breaches typically run by nation-states.

During the 2016 presidential campaign, the chairman of Hilary Clinton’s campaign, John Podesta, was the victim of a spear-phishing attack. That attack led to the now-infamous WikiLeaks email publication. The WikiLeaks release derailed the campaign and influenced the result of the election. Agari’s CMO, Armen Najarian, explained the importance of DMARC email protection;

DMARC is more important than ever because if it had been implemented with the correct policy on the domain used to spearphish John Podesta, then he would have never received the targeted email attack from Russian operatives.

Which campaign practices email security

Data released by the California-based firm found that just one presidential hopeful uses DMARC for email security. Democratic candidate Elizabeth Warren’s campaign is the only one that uses DMARC for email security. The Warren campaign has completely secured its campaign against the types of email threats that took down Clinton and harmed her campaign staff, potential donors, and the public.

Agari suggested in a blog post that the remaining 11 candidates it checked do not use DMARC. This includes Bernie Sanders, Joe Biden, and presidential incumbent Donald Trump. All do not use DMARC on their campaign domains to secure their email accounts. The company warned that the candidates risk their campaigns being impersonated in spam campaigns and phishing attacks.

Agari also analyzed advanced email security controls of the campaigns. They found that 10 of 12 have no additional protection beyond basic security included in Microsoft Office 365 or Google Suite.

Email alphabet soup

DMARC is not an email authentication protocol. It sits on top of the authentication standards SPF (Sender Policy Framework) and DKIM (Domain Keys Identified Mail). With SPF and DKIM, DMARC supplements SMTP, the basic protocol used to send email, because SMTP does not include any mechanisms for email authentication.

A properly configured DMARC policy can tell a receiving server whether or not to accept an email from a particular sender. DMARC records are published alongside DNS records, including:

SPF
A-record
CNAME
DKIM

Matt Moorehead at Return Path explains that DMARC is the latest advance in email authentication. DMARC ensures that legitimate email properly authenticates against established SPF and DKIM standards and that fraudulent activity appearing from domains under the organization’s control is blocked. Two key values of DMARC are domain alignment and reporting.

DMARC’s alignment feature prevents spoofing of the email “header from” address. To pass DMARC, a message must pass SPF authentication and SPF alignment and/or DKIM authentication and DKIM alignment. A message will fail DMARC if the message fails both (1) SPF or SPF alignment and (2) DKIM or DKIM alignment.

rb-

Using email authentication to prove that an email comes from the person it says it is is important because nearly 30% of advanced email attacks (PDF) come from hijacked accounts. Without email, authentication accounts are vulnerable to email security-initiated breaches – attacks typically run by nation-states. The 2018 Verizon DBIR found that nation-state groups accounted for at least 23% of the attacks in successful breaches by an outsider.

DMARC is a widely deployed technology that can make the “header from” address (what users see in their email clients) trustworthy. DMARC helps protect customers and brands; it discourages cybercriminals, who are less likely to target a brand with a DMARC record.

How to fight 2020 election hacking: Here’s what cybersecurity experts say (Fast Company)

Category: Uncategorized | Tags: 2019, APT, Bernie Sanders, Clown, DKIM, DMARC, Donald Trump, Elizabeth Warren, email, Joe Biden, Phishing, POTUS, Security, SMTP, SPAM, SPF

RB | June 25, 2016

Comments Off

Malware Steals Your Cash At ATM

On September 2, 1969, America’s first automatic teller machine (ATM) started dispensing cash to customers at Chemical Bank in Rockville Center, New York. Since then ATMs have been a trusted avenue for many banking transactions. However, Business Insider warns that the next time you pull cash out of the ATM, or “Tap the Mac” you should take extra care. BI reports that Internet security firm Kaspersky Lab has announced the return of a newer and more dangerous version of the Skimer malware.

The report characterizes Skimer as an especially dangerous malware that turns whole ATMs into card-skimming machines. The malware first appeared in 2009 and has been distributed at ATMs all over the world.

The majority of ATM fraud takes place through card skimming. Card skimming is usually physical, as criminals typically install an illegal card-reading device into ATMs, film people entering their PINs on keypads, and then create duplicate cards for sale and use, reports the New York Times. Fortunately, users can uncover these card skimmers because they’ll spot a problem with the card reader or notice an unusual camera.

Skimer is particularly problematic because it is software-based. The article explains the threat is undetectable to the common ATM user since there is no physical sign of the ATM being tampered with. The Russian-based program lets criminals access an ATM remotely, install the malware, and then gather data such as PINs, card numbers, and account numbers over the course of time. A “money mule” can then insert a special magnetic stripe card into the ATM to access the stolen data, take out money, or print card numbers onto a receipt.

The attack begins by gaining access to the ATM system either through physical access or via the bank’s internal network. Then Backdoor.Win32.Skimer malware is installed which infects the core of the ATM. The ATM core is responsible for the machine’s interactions with the banking infrastructure, cash processing, and credit cards. After that, the ATM has become a skimmer. The compromise allows the attackers to withdraw all the funds in the ATM or grab the data from cards used at the ATM, including customers’ bank account numbers and PIN codes.

Kaspersky is trying to help banks detect Skimer and is providing techniques for identifying affecting machines and securing their ATM networks in the future. Sergey Golovanov, a principal security researcher at Kaspersky Lab explains it is possible for banks to stop Skimer.

We have discovered the hardcoded numbers used by the malware, and we share them freely with banks … they can proactively search for them inside their processing systems, detect potentially infected ATMs and money mules, or block any attempts by attackers to activate the malware

To prevent ATM attacks, Kaspersky recommends that banks:

Perform regular AV scans,
Use whitelisting technologies,
Have a good device management policy,
Enable full-disk encryption,
Protect the ATM’s BIOS with a password,
Only allow HDD booting,
Isolate the ATM network from any other internal bank network.

Despite a way to control Skimer, ATM fraud continues to grow according to BI. A recent FICO study found the number of compromised ATMs in the U.S. surged 546% from 2014 to 2015, thanks in large part to the slow EMV migration of debit cards and ATMs. The article speculates that EMV upgrades would stop Skimer. The resistance to EMV means ATM fraud could grow even more from 2015 to 2016.

John Heggestuen, at BI Intelligence, explains that EMV cards are being rolled out with an embedded microchip for added security. The microchip carries out real-time risk assessments on a person’s card purchase activity based on the card user’s profile. The chip also generates dynamic cryptograms when the card is inserted into a payment terminal. Because these cryptograms change with every purchase, it makes it difficult for fraudsters to make counterfeit cards that can be used for in-store transactions.

EMV cards Retail card fraud cost U.S. retailers approximately $32 billion in 2014, up from $23 billion in 2013. To solve the card fraud problem across all channels, payment companies and merchants are implementing new payment protocols that could finally help mitigate fraud. In the article, BI’s Heggestuen describes some of the other technologies that financial institutions are utilizing to reduce fraud risks.

• Encryption of payments data is being widely implemented. Encryption degrades valuable data by using an algorithm to translate card numbers into new values. This makes it difficult for fraudsters to harvest the payments data for use in future transactions.• Point-to-point encryption electronically changes sensitive payment data from the point of capture at the payments terminal all the way through to the gateway or acquirer. This makes it much more difficult for fraudsters to harvest usable data from transactions.

• Tokenization increases transaction security. Tokenization assigns a random value to payment data, making it effectively impossible for hackers to access the sensitive data from the token itself. Tokens are often “multiuse,” meaning merchants don’t have to force consumers to re-enter their payment details. Apple Pay uses one emerging form of tokenization.
• 3D Secure is an imperfect answer to user authentication online. One difficulty in fighting online fraud is that it is hard to confirm that the person using card data is actually the cardholder. 3D Secure adds a level of user authentication by requiring the customer to enter a passcode or biometric data as well as payment data to complete a transaction online.

rb-

The best recommendation to protect yourself from Skimer and other ATM threats is to use the ATMs at your bank or credit union. These ATMs are harder for thieves to install any type of skimmers or malware on because of the higher traffic and monitoring. ATMs located outside a financial institution like at a 7-11 are highly suspect.

Fraudsters Coordinate 14,000 ATM Withdrawals in 3 Hours to Steal $13 Million (theepochtimes.com)

Category: Uncategorized | Tags: 2016, 3D Secure, AAPL, Apple Pay, APT, ATM, Biometrics, Credit card, Debit card, EMV, Encryption, Fraud, Kaspersky Lab, Malware, PCI-DSS, Security, Skimer, Tokenization

RB | March 29, 2012

Comments Off

Social Media Biggest Risk in 2012

The Security Labs over at Websense (WBSN) a provider of Web, data, and email content security have used the Websense ThreatSeeker Network (PDF) which provides real-time reputation analysis, behavioral analysis, and real data identification to announce (PDF) their picks for the top IT security threats for 2012. Social media is the #1 risk in 2012,.

1. Websense says that stealing, buying, trading credit card, and social security numbers is old news. They say that your social media identity may prove more valuable to cybercriminals than your credit cards.

Today, your social identity may have greater value to the bad guys because Facebook (FB) has more than 800 million active users. More than half of FB users log on daily and they have an average of 130 friends. Trust is the basis of social networking, so if a bad guy compromises social media logins, the security firm says there is a good chance they can manipulate your friends. (Stacy Cowley at CNN Money has an excellent article on how this can work with LinkedIn (LNKD). Which leads to their second prediction.

2. According to Websense most 2012 advanced attacks’ primary attack vector will blend social media “friends,” mobile devices, and the cloud. In the past, advanced persistent threats (APTs) blended email and web attacks together. In 2012, the researchers believe advanced attacks could use emerging technologies like: social media, cloud platforms, and mobile. They warn that blended attacks will be the primary vector in most persistent and advanced attacks of 2012.

3. The San Diego CA-based firm says to expect increases in exposed vulnerabilities for mobile devices in 2012. They predict more than 1,000 different variants of exploits, malicious applications, and botnets will attack smartphones or tablets. Websense security investigators predict that a new variant of malware for mobile devices will appear every day.

The Internet security firm stresses that application creators need to protectively sandbox their apps. Without sandbox technology malware will be able to get access to banking and social credentials as well as other data on the mobile device. This includes work documents and any cloud applications on that handy device. The firm believes that social engineering designed to specifically lure mobile users to infected apps and websites will increase. Websense predicts the number of mobile device users that will fall victim to social engineering scams will explode when attackers start to use mobile location-based services to design hyper-specific geolocation social engineering attempts.

4. SSL/TLS will put net traffic into a corporate IT blind spot. Two items are increasing traffic over SSL/TLS secure tunnels for privacy and protection. First, the disruptive growth of mobile and tablet devices is moving packaged software to the cloud and distributing data to new locations.

Second, many of the largest, most commonly used websites, like Google (GOOG ) Search, Facebook, and Twitter have switched their sites to default to HTTPS sessions. This may seem like a positive since it encrypts the communications between the computer and destination. But as more traffic moves through encrypted tunnels, Websense correctly says that many traditional enterprise security defenses (like firewalls, IDS/IDP, network AV, and passive monitoring) will be left looking for a threat needle in a haystack, since they cannot inspect the encoded traffic. These blind spots offer a big doorway for cybercriminals to walk through. (We have started to battle this as we move from a POC system from ~~McAfee~~ another vendor to a modem content filter to be nameless but was just bought and we haven’t solved it yet, the NoSSLSearch for GOOG still needs some work)

5. For years, security defenses have focused on keeping cybercrime and malware out (Also called M&M security, hard on the outside, soft and chewy on the inside). The Websense Security Lab team says that there’s been much less attention on watching outbound traffic for data theft and evasive command and control communications. The researchers say hacking and malware are related to most data theft; they estimate that more than 50 percent of data loss incidents happen over the web. This is aggravated by delayed DLP deployments as vendors use traditional overly excessive processes like data discovery (designed to over-sell professional services?).

In 2012, organizations will have to stop data theft at corporate gateways that detect custom encryption, geolocations for web destinations, and command and control communications. The security firm predicts organizations on the leading edge will add outbound inspection and will focus on adapting prevention technologies to be more about containment, severing communications, and data loss mitigation after an initial infection.

6. The London Olympics, U.S. presidential elections and Mayan calendar apocalyptic predictions will lead to broad attacks by criminals. SEO poisoning has become an everyday occurrence. The Websense Security Labs still sees highly popular search terms deliver a quarter of the first page of results as poisoned.

The researchers expect that as the search engines have become savvier on removing poisoned results, criminals will port the same techniques to new platforms in 2012. They will continue to take advantage of today’s 24-hour, up-to-the-minute news cycle, only now they will infect users where they are less suspicious: Twitter feeds, Facebook posts/emails, LinkedIn updates, YouTube video comments, and forum conversations. Websense recommends extreme caution with searches, wall posts, forum discussions, and tweets dealing with the topics listed above, as well as any celebrity death or other surprising news from the U.S. presidential campaign.

7. Scareware tactics and the use of rogue anti-virus, will stage a comeback. With easy to acquire malicious tool kits, designed to cause massive exploitation and compromise of websites, rogue application crimeware will reemerge Websense says. Except, instead of seeing “You have been infected” pages, they expect three areas will emerge as growing scareware subcategories in 2012: a growth in fake registry clean-up, fake speed improvement software, and fake back-up software mimicking popular personal cloud backup systems. Also, expect that the use of polymorphic code and IP lookup will continue to be built into each of these tactics to bypass blacklisting and hashing detection by security vendors. (Rival IT Security firm GFI Software proves Websense’s point by reporting a “new wave of fake antivirus applications (or rogue AV)” since the start of the year and are “a popular tactic among cybercriminals.”)

Browsing Security Predictions for 2012 (paulsparrows.wordpress.com)

Category: Uncategorized | Tags: 2012, APT, Cloud computing, Data, Facebook, FB, GOOG, Google, Internet, LinkedIn, LNKD, McAfee, Mobile device, Network, Security, Social, SSL, Theft, WebSense

Bach Seat

Tag Archive for APT

How Secure are Your Printers?

Vulnerabilities in printers

Who to blame

Impacted printer models

Related articles

Presidential Wannabe’s Don’t Use Email Security

Which campaign practices email security

Email alphabet soup

rb-

Related articles

Malware Steals Your Cash At ATM

Related articles

Meta