Infosec News Brief - 2015 Year in Review

Adobe Flash Becomes Clearly the Biggest Source of Desktop Vulnerabilities

Flash has been recognized as a serious problem for some time, but it has shared the spotlight with Java, Internet Explorer, Acrobat/Reader, and Office as a source of desktop vulnerabilities. All of these continued to provide new client-side vulnerabilities for attackers to exploit (though Java and Acrobat/Reader had far fewer this year than in previous years), but in 2015 Flash clearly dwarfed them all. There were 279 Flash vulnerabilities published on the CVE (Common Vulnerabilities and Exposures) list during 2015 with CVSS (Common Vulnerability Scoring System) scores of 9 or higher (10 is the highest possible score, and a LOT of these 279 scored 10). Some industry sources estimated that two-thirds of desktop breaches in 2015 were due to Adobe Flash.

If you don't have a method in place to ensure Flash is patched rapidly when an update is available, be sure to get one. During one particularly serious period, when actively-exploited zero-day vulnerabilities had not yet been patched, Firefox and Chrome briefly blocked the Flash plugin by default. The browsers re-enabled Flash once a patch was available, but for most organizations the smartest option is to disable Flash entirely, or to configure some form of whitelisting or click-to-play so that Flash content only runs on sites you have explicitly approved or when the user deliberately activates it.
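As an added example (not part of the original post), here is how to push Chrome's click-to-play setting, with a whitelist of sites allowed to run Flash automatically, onto a Windows endpoint using PowerShell and Chrome's registry-based policy keys. The intranet URL patterns are assumed placeholders; on a domain you would normally set the same policies through Group Policy with Google's ADMX templates instead of writing the registry by hand.

```powershell
# Added example (not from the original post): enforce click-to-play for Flash
# in Chrome on a Windows endpoint by writing Chrome's enterprise policy keys.
# Run as Administrator. The whitelisted URL patterns are assumed placeholders.
$chromePolicy = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

# Weak setting: DefaultPluginsSetting = 1 (Allow) lets Flash run on any page.
# Corrected setting: 3 = Click to play. (2 would block the plugin outright.)
New-Item -Path $chromePolicy -Force | Out-Null
New-ItemProperty -Path $chromePolicy -Name 'DefaultPluginsSetting' `
    -Value 3 -PropertyType DWord -Force | Out-Null

# Whitelist: only these URL patterns may run Flash without a click.
# Chrome reads list-valued policies as string values named 1, 2, 3 ... under a subkey.
$allowKey = Join-Path $chromePolicy 'PluginsAllowedForUrls'
New-Item -Path $allowKey -Force | Out-Null
$allowed = @('https://intranet.example.com', 'https://[*.]example.com')  # assumed
for ($i = 0; $i -lt $allowed.Count; $i++) {
    New-ItemProperty -Path $allowKey -Name "$($i + 1)" -Value $allowed[$i] `
        -PropertyType String -Force | Out-Null
}

# Verify: read the policy back (Chrome also shows the applied values at chrome://policy).
Get-ItemProperty -Path $chromePolicy -Name 'DefaultPluginsSetting'
Get-ItemProperty -Path $allowKey
```

Because these are machine-level policy keys, users cannot override them from the Chrome settings page, which is the point: a click-to-play setting that a user can flip back to "always allow" is not much of a control.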


Simple Fraud, with an Internet Twist, Makes a Comeback

It has often been said that the biggest hacks are low-tech, and that was proven true last year several times. The rash of "CEO fraud" or "business email compromise" incidents was serious enough to prompt a highly publicized FBI warning. These cases involve emails purporting to be from a CEO or other senior official, usually sent to a firm's CFO or other senior financial personnel, requesting an urgent wire transfer to a business partner or supplier. Some of these cases involve sophisticated groups who developed detailed knowledge of the organization's overseas business dealings in order to facilitate their fraud, and in some cases had dedicated phone lines with people waiting at a designated number to "confirm" the request's legitimacy. Others, aimed at smaller amounts from smaller organizations, are shorter on background legwork and detail.

In two high-profile cases, Bonnier Publications and Ubiquiti Networks lost $3 million and $40 million, respectively, to wire transfer fraudsters in 2015 (both eventually recovered a large portion of their losses). However, businesses large and small have been on the receiving end of attempts of this type, and the FBI's estimate was that US firms lost nearly a BILLION dollars to this type of fraud in the past two years.
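An added example (not from the original post): one gateway-level control that catches the "email purporting to be from the CEO" pattern is an Exchange transport rule that tags inbound mail from outside the organization whose From header carries an executive's display name. The executive names, rule name, and custom header below are assumed placeholders; the cmdlet is run from an Exchange Management Shell or an Exchange Online PowerShell session.

```powershell
# Added example (not from the original post): flag external mail that uses an
# executive's display name, the common form of "CEO fraud" / business email
# compromise. Names, rule name and header name are assumed placeholders.
$execNames = @('Jane Doe', 'John Q Smith')   # assumed: CEO/CFO display names as users see them

# HeaderMatchesPatterns takes regular expressions. Build one per name that
# tolerates variable whitespace between the name parts.
$patterns = $execNames | ForEach-Object {
    ($_ -split '\s+' | ForEach-Object { [regex]::Escape($_) }) -join '\s+'
}

New-TransportRule -Name 'BEC: external mail using executive display name' `
    -FromScope NotInOrganization `
    -HeaderMatchesMessageHeader 'From' `
    -HeaderMatchesPatterns $patterns `
    -PrependSubject '[EXTERNAL - sender name matches an executive] ' `
    -SetHeaderName 'X-Exec-Name-Match' -SetHeaderValue 'true' `
    -SetAuditSeverity High `
    -Comments 'Tags possible CEO-fraud lookalikes. Wire requests must be confirmed by phone to a known number.'

# Confirm the rule is in place and enabled.
Get-TransportRule -Identity 'BEC: external mail using executive display name' |
    Format-List Name, State, Priority, FromScope, HeaderMatchesPatterns
```

The rule does not block anything; it marks the message so that finance staff see a warning before acting, and the audit severity surfaces matches in reporting. The real control is still procedural: any urgent wire request gets confirmed by calling a number already on file, never one supplied in the email itself.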


More Data Breaches: OPM, Anthem, Ashley Madison, Experian

It seems like every year gets declared "the year of the data breach," as such breaches become bigger and more notable. One trend to note this year was the decreasing emphasis on breaches seeking credit card data, as the financial value of card numbers on the black market continues to fall (due to market saturation as well as improved security measures from the card issuers). Instead, cyber criminals are after more detailed personal information, such as complete health care or human resources records, as well as credit bureau data. Such data commands a premium on the black market and is useful for larger-scale identity theft.

The implications of this trend for mid-sized organizations are two-fold:
  • Make sure you know what sensitive personal information on individuals your organization stores, and ensure that the systems holding it have stronger authentication requirements and monitoring than the rest of your environment.

  • Evaluate how the compromise of your employees' personal information in other organizations' breaches could affect you, for example if you use that information (date of birth, address history, Social Security number) as supplemental verification when performing password resets. Data an attacker can buy is not a secret you can authenticate with.

The "Internet of Things" Really Became a Thing

The phrase "the Internet of Things" (IoT) has gained currency over the past several years as more devices other than traditional computers are being connected to the Internet. The term was coined in a 1999 presentation on the use of radio-frequency ID (RFID) chips to track items in the manufacturing and delivery process. Since then it has become a major topic in technology circles and a subject of much concern regarding the security implications of such Internet-connected "things." In 2014, "Internet of Things" reached the peak of Gartner's "Hype Cycle," but it was in 2015 that the security implications of the massive number of "things" connected to the Internet started to become apparent.

Last year saw the first serious proof-of-concept hacks aimed at Internet-connected cars, as researchers showed they could remotely access a Jeep Cherokee and disable the brakes or shut it down. Medical devices are also increasingly networked, and increasingly vulnerable to potentially life-threatening manipulation. This is on top of creepy tales of hacked baby monitors and vulnerable home security/monitoring cameras. Smoke alarms, thermostats, and other devices can be vulnerable as well.

If your organization has devices like this online (and if you think you don't, you may well be surprised by what you find if you check closely), you should consider what additional security measures you can take for them. Some recommendations include reaching them through a VPN rather than exposing them directly to the Internet, and/or segregating them onto a separate network so that a compromised device cannot reach your workstations and servers.


Mobile Vulnerabilities and Attacks Dramatically Increase

As more and more of our working and computing time is spent on smartphones and tablets, security threats have followed us there. This was the year that malware finally hit the official Apple and Google app stores in significant quantities. However, the most widespread threats are still found in apps loaded from outside the official app stores. Ensuring that any devices on your organizational networks are not "jailbroken" or "rooted" and are set to load apps only from the official sources is a key step in avoiding mobile malware.

Beyond that, ensuring that updates are installed in a timely fashion is becoming as important as on desktop systems. This is fairly easy with Apple devices, but with Android it can be quite difficult. Google releases fixes for Android itself, but your device's manufacturer and, often, your mobile carrier must integrate and ship those fixes before you can install them, and this often takes a long time. The huge, and widely publicized, "Stagefright" vulnerability, for instance, is still unpatched on many devices. Some vendors, such as Samsung, have committed to a rapid release cycle for security updates, so if you are going with Android devices it is worthwhile to check the vendor's update release schedule to ensure fixes will be available in a timely fashion.


Windows 2003 Server Rides into the Sunset

Extended support for Windows Server 2003 (W2K3) ended in July of 2015, and the product is now officially end-of-life. We are talking about a server operating system over ten years old, but it is still in very wide use in many organizations. Now that it has been five months since the last security updates were published for W2K3, it is often the largest source of vulnerabilities discovered when scanning organizational networks, and every new flaw found in it from here on stays unpatched.
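An added example (not from the original post) for inventorying the W2K3 machines still joined to your Active Directory, using the ActiveDirectory PowerShell module that ships with RSAT. The report path and the 30-day "still active" window are assumptions.

```powershell
# Added example (not from the original post): list Windows Server 2003 computer
# objects in Active Directory and mark which ones have logged on recently.
# Requires the RSAT ActiveDirectory module. Report path and 30-day window are assumed.
Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-30)   # assumed definition of "still active"

# OperatingSystem is populated by the machine itself at domain join / logon,
# so the filter catches both "Windows Server 2003" and "... 2003 R2" strings.
$w2k3 = @(Get-ADComputer -Filter 'OperatingSystem -like "*Server 2003*"' `
              -Properties OperatingSystem, OperatingSystemServicePack, LastLogonDate, IPv4Address |
          Select-Object Name, DNSHostName, IPv4Address, OperatingSystem,
                        OperatingSystemServicePack, LastLogonDate,
                        @{ n = 'Active'; e = { $_.LastLogonDate -gt $cutoff } })

$w2k3 | Sort-Object LastLogonDate -Descending | Format-Table -AutoSize
$w2k3 | Export-Csv -Path 'C:\Reports\server2003-inventory.csv' -NoTypeInformation  # assumed path

$active = @($w2k3 | Where-Object { $_.Active }).Count
"{0} Server 2003 objects in AD, {1} active since {2:d}" -f $w2k3.Count, $active, $cutoff
```

Two caveats when reading the output: LastLogonDate is derived from the lastLogonTimestamp attribute, which is only replicated every 14 days or so, so a box can look idle for up to two weeks after it was last used; and AD only knows about domain-joined machines, so stand-alone or appliance-style W2K3 hosts still need to be found with a network scan, which is the route the page describes.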
