A Milestone for Microsoft Australia and Shearwater


We are very excited about Microsoft’s announcement that the Australian Signals Directorate (ASD) has certified a number of Microsoft’s Australian based online services offerings.

The majority of these newly certified services are simply not available from any other cloud service. With these certifications, Australian hospitals, educators and government agencies at federal, state and local level can all take advantage of sophisticated capabilities like machine learning and analytics, internet-of-things, and advanced threat protection – all in the cloud – with the confidence that these services are verified and certified by the Australian government.

We are proud to say that the Shearwater team with their combined expertise have played a key part in enabling this milestone. and in helping Microsoft demonstrate compliance with the Australian Government requirements for ICT systems.

In his LinkedIn article, Microsoft’s Chief Technology Officer, James Kavanagh, wrote “ We chose to engage an Australian company called Shearwater to lead that (IRAP) assessment because of their reputation for rigour and expertise. They performed their work in multiple stages and then presented their reports to Australian Signals Directorate.”

Engagements such as these are incredibly exhaustive. Our Canberra Team has worked tirelessly in Australia and the US to understand each cloud service architecture, review documentation and processes, interview stakeholders, and to validate that the right controls are in place and effective.

Our senior consultants have the necessary ASD IRAP experience and were able to execute on a methodology that successfully addressed Microsoft’s and ASD’s IRAP program requirements. They have handled what was a really complex set of objectives and demonstrated the wealth of experience and expertise that sets us apart from the crowd.

No two engagements are ever the same; the ability to use multiple tools and tailor a solution that delivers the best possible outcome for customers means that we’re always able to inform a strong, successful strategy.

Microsoft’s exciting announcement is just the start of a new and more connected future for government and business. We couldn’t be more delighted to be involved in the journey to guide one of the world’s most influential organisations through Australian Government ICT security requirements.

Well done team for delivering on our values of offering a magical customer experience and owning the outcome.

For more information on Microsoft’s latest offering, please check out these links:

LinkedIn
ARN
Computer World
The Australian
Australian Financial Review

Ten things you should know about ISO/IEC 27001


By Shannon Lane

1.    What it ISO 27001

ISO 27001 is an international standard for information security management.

2.    Why is ISO 27001 important to me?

Information is the lifeblood of most contemporary organisations’. It provides intelligence, commercial advantage and future plans that drive success. Most Organisation store these highly prized information assets  electronically. Therefore, protection of these assets from either deliberate or accidental loss, compromise or destruction is increasingly important. ISO 27001 is a risk-based compliance framework designed to help organisations effectively manage information security.

3.    Why are international standards like ISO 27001 important?

Many Industries and many Governments have adopted ISO 27001 as the de facto standard for information security management practices. ISO is particularly popular at the State Government level within Australia where it is often mandated, and in industries such as ICT and data centre hosting.International Standards provide significant benefits overall to the domestic and global economy.

For Consumers
Proof of conformity to International Standards helps reassure consumers that products, systems and organisations are safe, reliable and good for the environment.

For Business
International Standards can be a strategic tool to help businesses tackle challenges and compete on a global stage.
Adoption can: open up new markets, improve competitiveness through greater customer satisfaction, reduce costs, streamline systems and processes, and increase productivity.

For Society
Standards improve safety, quality and environmental outcomes as well as encouraging international trade.

4.    Why is ISO 27001 important?

Having an international standard for information security allows a common framework for managing security across business and across borders. With an ever more connected world, the security of information is increasing in importance.

Data and information needs to be safe, secure, and accessible. The security of information is important for personal privacy, confidentiality of financial and health information and the smooth functioning of systems and supply chains that we rely on in today’s interconnected world.

ISO 27001 provides the framework for you to effectively manage risk, select security controls and most importantly, a process to achieve, maintain and prove compliance with the standard.
Adoption of ISO 27001 provides real credibility that you understand security and take security seriously.

5.    What are the elements of ISO 27001?

ISO 27001 is made up of a number of short clauses, and a much longer annexe listing 14 security domains and 114 controls. The most important of the short clauses relate to:

  • The organisational context and stakeholders
  • Information security leadership and high-level support
  • Planning of an Information Security Management System (ISMS), including risk assessment; risk treatment
  • Supporting an ISMS
  • Making an ISMS operational
  • Reviewing the system’s performance
  • Adopting an approach for corrective actions

Based on the risk profile of the organisation, controls may be selected to manage identified risks. Within the Annex, the 114 listed controls are broken down into 14 key domains which are listed below:

  • Information security policies
  • Organisation of information security
  • Human resource security
  • Asset management
  • Access control
  • Cryptography
  • Physical and environmental security
  • Operations security
  • Communications security
  • System acquisition, development and maintenance
  • Supplier relationships
  • Information security incident management
  • Information security aspects of business continuity management
  • Compliance

6.    How does it work? – What is a Risk-Based Approach to Compliance?

Unlike other security standards, for example, the Payment Card Industry – Data Security Standard (PCI-DSS) and Sarbanes-Oxley (SOX), which are highly prescriptive and control driven, ISO takes a risk-based approach to security compliance. In other words, there are no defined set of security controls that must be implemented regardless of the type of business operation, as is the case with PCI-DSS. Controls are selected based on their ability to mitigate risks to the organisation

ISO 27001 is concerned with the process of continual improvement and a demonstrated commitment to managing information security based on risks to the organisation’s information assets.
A risk-based approach to managing information security ensures that security risks are appropriately prioritised, cost effectively managed as well as ensuring that only those controls that are necessary to manage these risks are implemented. It is a comply or explain approach. Based on your organisations’ risk, you can comply with the controls that help manage risk, or simply explain why they aren’t relevant and why you don’t need them. There is no compliance for the sake of compliance with ISO.

7.    Where should I start?

Before starting out on the path to certification, it may be worthwhile understanding if certification is required, or if compliance will suffice. For many organisations, certification is not a requirement.

For those industries where certification is a requirement, the path to achieving certification should not be treated as a one-off project. Firms that successfully maintain certification over multiple years, treat information security as a critical business process and invest time, resources and effort into ongoing compliance. Certification is the logical consequence of compliance, and should be relatively easy if a solid compliance regime is established and maintained.

For most organisations, the logical place to start is to conduct a gap analysis against the requirements of ISO 27001.

8.    The Audit Process

External certification can only be conducted by an Accredited Certification Body (CB). In Australia, Shearwater recommends certification services from reputable CB’s only, such as BSI and SAI Global.

The initial audit process is undertaken in two stages:

  • Stage 1 – A Documentation Review that focuses on a desktop review of available ISMS documentation and processes. Sufficient evidence of a functioning ISMS is required in order to progress to the Stage 2 audit.
  • Stage 2 – Focuses on evaluating the implementation and effectiveness of the management system. The audit will assess evidence and will typically require the ISMS to have been running for a period of at least three months.

The certification cycle also requires regular external surveillance audits to be performed and evidence that the management system is being actively maintained. Surveillance audits for ISO 27001 are typically performed every six months, however, mature systems in low-risk industries can be extended to an annual audit cycle in consultation with the certification body. ISMS re-certification occurs every 3 years.

9.    Who wrote ISO 27001? – History

ISO (International Organization for Standardization) is the world’s largest developer of voluntary International Standards. Many Countries have their own national standards governing everything from railway gauges, electrical power point specifications, building materials, personal protective equipment and children’s toys, to name just a few. When a standard reaches maturity and has widespread application in more than one jurisdiction, ISO forms a working group and works towards publishing an International Standard.
The original forerunner of ISO 27001 was written by the UK Government’s Department of Trade and Industry (DTI), and then published by the British Standards Institute (BSI) as BS 7799 in 1995.

10.    Tips, trick and pitfall avoidance

Before Certification
Don’t underestimate the number of stakeholders you will need to consult. In large organisations, stakeholder management can be a large undertaking and key requirement for a successful compliance activity.

Partner with experienced information security providers who know the implication of advice, in particular with respect to the selection of information security controls. Many controls sound like a good idea, but the implementation can be much more challenging.
Start with an understanding of risks and development of a management system before jumping into controls and technology. Investing time up front to understand your risk posture will pay long-term benefits.

During Certification

Avoid anybody who guarantees certification within 1 month. They can’t! Certification Bodies require at least 3 months of evidence at the stage 2 Audit to make a recommendation for certification to the Accreditation Body.

Certification Bodies are prevented under another ISO standard (19011) and scheme rules from performing certification and consulting/advisory services due to conflict of interest issues. Some get around this by offering extended pre-assessments of gap analysis. Whilst these may appear cheap, there are limits to the amount of actionable recommendations that can be provided.

After Certification
You will be entitled to display an ISO 27001 certification mark. The certification mark is tangible proof that you take care of information, are committed to protecting data entrusted to you, and are fulfilling your commercial, contractual and legal responsibilities with respect to information security. A great idea would be to promote this certification on your marketing collateral and website as a source of differentiation from your competitors.

What should I look for in a Threat Intelligence Solution?


This blog article is part of a series: Part 1 | Part 2 | Part 3

In this final article in this series, I provide some guidance on what to look for in a CTI solution.

The four important questions when assessing CTI should be:

  1. How current is the Threat Intelligence Provided?
  2. How broad is the coverage?
  3. What contextual information is available to help understand the risk?
  4. Integration and automation

One other consideration on what to look for in a CTI solution is related to the importance of attribution. A lot of time and effort is spent arguing over the importance of attribution, and I don’t believe there is a definitive answer. I believe it depends upon your circumstances, resourcing and the sector in which you work. Attribution, may not matter at all for certain sectors or companies, but it is will certainly be important if you are a specialist manufacturer with process secrets, who is being infiltrated by a lead competitor. Similarly, if you are a large government defence agency, it is probably important to understand if a nation states is behind an intrusion. Cybercriminals, issue motivated groups, hacktivists, disgruntled employees, or some other disenfranchised assortment can certainly cause many problems, but attribution may not be important at all in looking at CTI solutions. If attribution is important to your organisation, then that should be a fifth consideration when assessing CTI solutions.

After going through these questions, you may also find that you have sufficient coverage currently with the Threat feeds you are getting via your existing vendors or via various open source providers.

CTI information currency is all important. Put simply, the more frequent the updates, the smaller the potential threat window is. Frequent, meaningful updates are important to keep your threat intelligence information updated and current over time. Real time, or near real time updates are optimal.

Coverage is the second important assessment criteria. It is impossible to cover all threat sources, and any vendor that promises this should be avoided. Coverage really comes down to being a big data issue. Some useful measures include:

  1. the number of IP addresses monitored.
  2. the number and variety of Threat Intelligence sources. A good cross section is important, and could include: verified existing feeds; anonymised customer data; Internet registries; known Botnets; DNS information; geolocation information (down to the country, state, city and ideally GPS coordinates); deployed honeypots; darknet data; deployed crawlers; anonymous proxy information (including TOR); free DNS services; and wherever financially viable external networks (although this can be costly).
  3. the volume of traffic monitored on a daily basis.
  4. Catch rate improvements, verified by independent and respected test authorities.
  5. The last consideration may be if internal threat information is used from other customers and can this data be broken down based on a particular data categorisation such as industry.

Contextual data should include all the metadata that relates to the threat intelligence, such as the time that the intelligence is collected, the type of threat, the geolocation to enable high risk geographies to be highlighted, and the source of the intelligence (internal, external, free). Probably the most important piece of contextual information, is how the threat intelligence is rated from a risk perspective. Here is where it can get a little tricky, as most CTI vendor will promote their own proprietary algorithm or methodology. The only real way to get to grips with this element is to run a proof of concept before purchasing and take up site references and specifically drill into this element with current clients. Because things change pretty quickly in cyberspace, currency of this contextual information is also very important.

Automation and integration is the last important factor in assessing CTI. Automation makes the intelligence actionable from a technology configuration perspective. Integration is important to ensure that automation is possible within your chosen technology stack. Broad support of common technologies is important, as is an accessible or open API.

In summary the issues to focus on when selecting a CTI solution should therefore come down to speed, reach, accuracy across a seemingly infinite data set, together with the ability to integrate and automate.

I hope that you enjoyed this series on cyber threat intelligence. If you would like to learn more about the subject or would like to talk to me, I can be contacted via email at: slane@shearwater.com.au

Is Cyber Threat Intelligence worth investing in?


This blog article is part of a series: Part 1 | Part 2 | Part 3

In this blog article, I am seeking to address the question of whether CTI is worth investing in.

Many vendors of Web Proxies, SIEM solutions, IPS, Firewall, UTM’s and email filtering technologies already provide a threat feed. The question that needs to be asked is how effective these feeds and blacklists are. Can they protect and block threats to your organisation? Can these threat feeds be positioned in the right place to stop threat agents/attackers from doing their dirty work? If you restrict your attention solely to the roughly 4 Billion IP addresses within the IPV4 address range, it is estimated that more than 16 M are currently, or have been, put to use for malevolent means. Clearly there are challenges to keeping tabs on all these dubious IP addresses from which threats manifest. I’d challenge you to name more than a handful of organisations globally who have the inclination or capacity to keep track of what is happening within these Internet locations. Sure, vendors and the open source community are trying. However, vendors are somewhat blinkered by the user base they can draw on, and the security function they focus on. At the other extreme, open source offerings are always best effort and in this space regrettably slow to react. IP Addresses are clearly only one part of the picture, when you include URL’s, domain names, known bad hosts and payloads into the items needing to be managed, it is clear that automation and intelligence is required.

The problem with many mainstream accepted security technologies, is that they become less and less effective over time, require superior analytical skills to operate (skills that are hard to find), and can be somewhat reactive. These issues prompt security professionals and business managers to seek out better ways of working and more advanced technologies to increase effectiveness.

Is CTI any different to the traditional security vendors? Unfortunately, only partially. It certainly needs highly skilled people to operate, and it is likely to be less effective over time, as hackers develop countermeasures to hide their tracks from specific CTI tool sets. The one ray of light, is that CTI does try and avoid the old paradigm of waiting for something to arrive that is known to be bad and then blocking it. Cyber professionals are trying to get ahead of this preventative mindset and become agile with threat detection and response. Any approach that can offer the potential of reaching out into the dark web, blending in, uncovering what is happening in real time and then giving you actionable intelligence, ideally coupled with workflow and automation is a significant benefit.

The business problem that CTI attempts to solve is still dependent on skilled people. By investing in CTI, you may be able to uplift your internal capability, but to deliver real results you do need a team there to start with. If you do have a specialist team in place, CTI has potential to act as a multiplier effect and save you money. CTI is categorically not an appropriate or intelligent security investment for organisations that do not have adequate skills in place and are looking at new technology as a cure all. There must also be clarity about what you are seeking to achieve from CTI. Without a clear vision of what it is that you wish to achieve, then delivering results may be difficult. This vision may of course change over time as you start to leverage CTI and assess the benefits produced.

As with all security investments, context is all important in evaluating new technologies. With the right prerequisites, CTI should appear on your investment radar. So, in summary, is CTI worth investing in? conceptually yes, provided you have the highly skilled people needed to make this effective. If you don’t have these people, then the answer becomes a very clear no. CTI should not be considered until you have an appropriate internal resource capability available, or a suitable managed service provider capable of bringing to bear the right skills, technology, business insight to effectively manage risk.

In my last blog in this series, I will endeavour to round out this series with a third and final post that will focus on what to look out for in a Threat Intelligence Solution.

What business problem does Cyber Threat Intelligence (promise to) solve?



This blog article is part of a series: Part 1 | Part 2 | Part 3

The cyber industry is certainly excited by CTI, and I don’t want to make any predictions on whether the excitement will blow over any time soon. The Threat Intelligence approach, does provide some hope, yes hope, of lessening a really difficult issue of knowing what to trust and what not to trust on the Internet. Even slowing down malevolent Internet based threats should be treated as a success. Is that the whole picture though, what business problem does CTI solve?

I’m not planning to run through all of the potential impact that stem from cybercriminals, hacktivists, nation states, malicious insiders and careless users, other than to say that recent history demonstrates that the impacts from these threat actors can be significant. In fact, they can send businesses out of business. The accessibility and prevalence of hacking tools, malware, bots, darknets and hacking services for hire, should help to crystallise these risks.

So CTI provides the promise of:

  1. Prevention – by pre-emptively blocking attacks from hitting and hurting your organisation. Prevention is achieved through the ingestion of CTI feeds within existing security infrastructure such as firewalls, IPS and SIEM and configuration of automated responses based on pre-set rules.
  2. Increasing visibility – of emerging threats that could be an issue now or in the future. Increased visibility can be delivered via simple manual searches conducted by an analyst within a CTI platform.
  3. Detection and reaction – to compromises that are happening now. Detection and reaction can be a combination of both methods, coupled with intervention or as part of an integrated incident response process.

CTI can help to more fully inform the risk assessment process by providing real time actionable intelligence about the types of threats that are relevant to an organisation and the frequency and severity of these threats. Information on threat actors, frequency and severity of threats are vital inputs into the risk assessment process.

At a very high level, there are three broad categories of CTI available within the market at the moment. the differences could be the subject of a separate series of articles, so this high level view is anything but comprehensive. The three broad categories are:

  1. Open Source CTI – provides some pretty handy threat intelligence data, but like all open source efforts, it relies on community involvement and may lack the necessary contextual information that makes CTI actionable for specific organisations and sectors. There may be a lot of noise to be sifted within the data to derive truly useful intelligence.
  2. Vendor Provided CTI – has the advantage of providing more contextual data. Many vendors have sharing arrangements in place and their own research and analysis teams that leverage these sharing arrangements and the open source feeds available. They also draw from their client community. You do need to be a little careful in selecting vendors, as some draw heavily from open source information only. The only real advantage that you get here is the convenience of not having to collect and sift available open source information yourself.
  3. CTI Vendor solutions – have the benefit of generally being the sole commercial focus of these CTI vendors. CTI vendors have their own research and analysis teams, leverage other feeds and often possess big data driven infrastructure to contextualise the intelligence. Such feeds can be very granular and can stem from application intelligence and social media. As a consequence, these vendors can provide flexible and highly customised CTI feeds to clients.

Additionally, CTI feeds can be produced by internal systems within an organisation, via Government entities or independent groups such as the Internet Storm Centre within SANS. Irrespective of whether you chose to deploy open source , vendor bundled, or stand-alone commercial CTI vendor solutions, other benefits can be delivered by a CTI approach. One important potential improvement delivered by dedicated threat intelligence equipment (CTI appliance) is the freeing up of other technology resources and traditional tools to operate more efficiently. Reducing the load on your existing security stack, in particular firewalls and IDS/IPS, which can potentially extend the working life of your infrastructure and hence save money. For appliance based CTI that sits in front of existing security infrastructure, whereby CTI can identify threats before reaching firewalls and IDS/IPS, then configuration complexity and processing loads on these technologies can be reduced. Dynamically blocking is happening, but the reality is that people need to invest time in support of CTI. Without smart people constantly tuning, then you run the risk of blocking legitimate traffic or wasting your money on the investment.

The promise of Threat Intelligence is that it will increase your agility of response, guiding your operational security decisions and optimising the efficiency of your existing security stack. The Ultimate aim being to reduce the number of annual security incidents.

In the next blog in this series, I will discuss whether CTI is worth investing in.

December 2016 Internet Security Report


Merry Christmas and a Happy New Year! December 2016 was full of the usual Phishing, Malvertising, weak security of IoT devices and large breaches of user accounts that the rest of the year had delivered. If you have a Yahoo email account or an email service that is run through Yahoo’s mail service, please change your passwords for those accounts and consider moving to another provider as Yahoo has had two major publicly disclosed breaches in 2016 alone.

If you are still thinking of a new year’s resolution, please consider “changing your passwords to passphrases”.

Threats

Breaches

  • Yahoo released in December that there was another breach, separate from the previously disclosed breach earlier in the year. In this newly disclosed breach, the thieves stole more than a billion user accounts’ data. Yahoo states that “potentially affected accounts, the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or un-encrypted security questions and answers.”
    If you have a Yahoo account please change your password for this account. If you have used your Yahoo account password for anything else, please change that password too.
    https://krebsonsecurity.com/2016/12/yahoo-one-billion-more-accounts-hacked/

Patches and Updates

What is Cyber Threat Intelligence? And when do you need it?


Cyber Threat Intelligence (CTI) appears to be one of the hot topics in information security at the moment. Almost every vendor as well as the open source community has their unique take on what is, and what is not important in the CTI arena. I have been asked a number of questions by clients and colleagues alike about CTI. Many questions focus on whether threat intelligence is worth investing in right now, or budgeting for. It is a good question, but to be honest I am probably the wrong person to ask. After close to twenty years in the information security industry, I am always a little sceptical of the next big thing, given the long line of next big things I have seen during my career. My scepticism is exacerbated when vendors claim that their method or technology is better or more robust than those of their competitors. My scepticism is magnified when vendors keep their approach secret or don’t provide any data or evidence to back up their claims. A good recent example is that of Norse Corporation, who had a rapid, well publicised and complete unravelling, when it was revealed that their secret CTI methods and products proved little more than highly polished marketing claims.

Perhaps a better question would be, ‘what business problem will CTI actually solve for me and my organisation?’ or ‘how long until CTI is mature enough to justify investment?’ or even, ‘What do I need to consider before investing?’

In this post series, I’ll be answering these three questions in turn:

  1. What business problem does CTI actually solve?
  2. Is CTI worth investing in now?
  3. What do I need to consider before investing?

November 2016 Internet Security Report


The ransomware threat continued to thrive with new variants, payloads and even using social media as a delivery platform. A vulnerability found in a German ISPs router caused havoc in late November with almost 1 million users knocked into darkness as the result of a recent increase in Mirai worm activity. Social engineering was brought into the spotlight again as the hospitality industry was targeted through customer service channels in order to compromise payment services. Data breaches also got their fair share of coverage in November with credit card information being stolen and the insider threat re-emerging to create headaches.

Threats

  • The ransomware threat continues to bother internet users with a new Locky variant employing the use of .zzzzz extensions. This variant was first seen in late November and is delivered through office documents (mainly .xls and docm) containing an encrypted .dll payload that is unencrypted, dropped into the users /temp/ directory and executed by rundll32. This is different to the other variants of the ransomware that typically used macro embedded documents to retrieve the payload from the internet before executing. This threat can be better mitigated by ensuring that AV is up to date and where possible controls are in place to stop the execution of files from the /temp/ directory. Further to this, as most of these new variants are delivered emails from spoofed addresses, it acts as a reminder to review your domains and email servers’ SPF records and policies.
  • November saw the re-introduction of social media messaging being used to compromise users through malicious image attachments containing ransomware. Dubbed ‘ImageGate’ by researchers at CheckPoint the attack uses Facebook and LinkedIn messaging services to spam and compromise users with Locky ransomware at scale. This attack leverages the trust of your social media friends and contacts to lure users into clicking on seemingly harmless files. The issue has since been patched, however, this serves as a reminder to always think before you click and when in doubt ask.

Read More
http://thehackernews.com/2016/11/facebook-locky-ransomware.html
http://www.csoonline.com/article/3143173/security/malicious-images-on-facebook-lead-to-locky-ransomware.html

  • Social engineering attacks leverage a user’s trust in order to get them to perform an action that negatively affects them. These attacks can range from simple phishing campaigns looking for easy money or passwords to complex multi-stage operations that aim to compromise internal networks for theft of sensitive information or destruction. One recent example of a complex social engineering operation was identified in November where actors possibly related to the Carbanak Gang targeted a number of hospitality companies in order to compromise payment systems to steal credit card information. The attacks were centralised around customer service call centres where attackers would claim to have issues in accessing online services. The attacker would then email the customer service staff containing malicious attachments and persist until the employee opened the attachment and downloaded the malware. This attack serves as a reminder to businesses to understand their external facing teams that have unvetted access to the public (service desks, HR, finance, legal, reception etc.) that could possibly be vulnerable to this sort of attack.

Read More
http://www.computerworld.com/article/3141735/security/malware-attack-starts-with-a-fake-customer-service-call.html
https://www.trustwave.com/Resources/SpiderLabs-Blog/New-Carbanak-/-Anunak-Attack-Methodology/?page=1&year=0&month=0

 

Breaches

  • On Friday the 25th of November, SFMTA’s Municipal Rail was infected by Mamba Ransomware. “Computer screens at MUNI stations displayed a message: “You Hacked, ALL Data Encrypted. Contact For Key(cryptom27@yandex.com)ID:681 ,Enter.” MUNI Spokesman Paul Rose spoke to the Examiner and noted that his agency was “working to resolve the situation,” but refused to provide additional details.

Read More
http://www.theverge.com/2016/11/27/13758412/hackers-san-francisco-light-rail-system-ransomware-cybersecurity-muni
https://krebsonsecurity.com/2016/11/san-francisco-rail-system-hacker-hacked/

  • In the last week of November, a large number of Deutsche Telekom customers had their routers infected with a computer worm which takes full control of the router. Once the worm has control of the device, it is joined to a network of other routers and IoT (Internet of Things) devices to be used in a botnet. These botnets are then used mainly for DoS (Denial of Service) attacks against public facing websites and other infrastructure. “More than 900,000 customers of German ISP Deutsche Telekom (DT) were knocked offline this week after their Internet routers got infected by a new variant of a computer worm known as Mirai.

Read More
https://krebsonsecurity.com/2016/11/new-mirai-worm-knocks-900k-germans-offline/

  • The Madison Square Garden Company has announced that hackers spent up to a year harvesting credit card credentials of potentially millions of visitors as a result of the compromise of a payments processing system. Although the exact number of affected cards is unknown it was determined that cards used to buy merchandise, food, and drinks between November 9, 2015, and October 24, 2016, may have been affected. The incident itself was identified by banks noticing a trend of fraudulent transactions on cards that were used at MSG venues. On informing MSG an investigation was conducted into the network which revealed unauthorised third parties access the payment processing systems.

Read More
http://www.zdnet.com/article/madison-square-garden-admits-hackers-spent-a-year-harvesting-visitor-credit-card-data/
http://notice.themadisonsquaregardencompany.com/customerupdate/

  • UK network operator ‘Three’ experienced a suspected insider threat attack in which 3 were arrested after having accessed a database containing customer’s phone upgrade information as a means to intercept the delivery of new phone handsets.

Read More
http://www.infosecurity-magazine.com/news/three-arrested-after-suspected/
http://www.infosecurity-magazine.com/news/three-breach-hit-133000-customers/

Patches and Updates

  • There is a live, actively exploited 0-Day vulnerability that has just had a patched released by Mozilla Firefox. The vulnerability is CVE-2016-9079. The patched version number is 50.0.2.

Read More
http://arstechnica.com/security/2016/11/tor-releases-urgent-update-for-firefox-0day-thats-under-active-attack/

  • Microsoft has released an overview of the number of ransomware based detection improvements that were implemented as part of the Windows 10 Anniversary Updates.

Read More
http://wincom.blob.core.windows.net/documents/Ransomware_protection_in_Windows_10_Anniversary_Update.pdf

Other

  • Software made by Shanghai ADUPS Technology has been siphoning text messages and call records from cheap Android-based mobile smart phones and secretly sending the data to servers in China. ADUPS software is typically bundled with smart phones made by dozens of global wireless firms including ZTE, BLU, and Huawei. Most of these devices are very cheap in comparison to leading devices, partly due to these devices having on-screen advertisements.

Read More
https://krebsonsecurity.com/2016/11/chinese-iot-firm-siphoned-text-messages-call-records/

  • Big W has confirmed that it experienced a technical glitch in early November that resulted in customer information being pre-populated with other users’ information on its online store. Post investigation Big W announced that no passwords, bank or credit card details were compromised and that they were notifying the affected users.

Read More
http://www.zdnet.com/article/big-w-confirms-customer-data-exposure/

  • WordPress recently found and patched a major vulnerability that luckily was not being actively exploited. There was a remote code execution flaw found in an open-source PHP webhook within the WordPress update server, api.wordpress.org. This problem with the webhook is that it let developers supply their own hashing algorithm to verify that code updates are legitimate. “Given a weak enough hashing algorithm, attackers could brute-force attack the webhook with a number of guesses that wouldn’t trigger WordPress’s security systems.
  • WordFence managed to come up with an algorithm that reduced the amount of guesses from 400,000 to only 100,000 guesses, with randomly generated keys, at the hash value of the shared secret key. That guessing would only take a few hours. With the door successfully battered down, attackers could then send URLs to the WordPress update servers, which would then push them out to all WordPress sites.”

Read More
https://nakedsecurity.sophos.com/2016/11/25/the-wordpress-megahack-that-wasnt/

  • Deliveroo in the UK had a number of accounts hijacked and a number of fraudulent orders placed. Deliveroo are stating that their application was not in fact to blame for the hijacked. They are claiming that the cause of the fraudulent transactions is a result of users having the same username and password for multiple services/accounts and that another company must have been breached for the credentials./li>

Read More
https://nakedsecurity.sophos.com/2016/11/25/fraudsters-eat-for-free-as-deliveroo-accounts-hit-by-mystery-breach/

October 2016 Internet Security Report


Joomla takes the cake for most serious exploits doing the rounds this month, with a combination of account creation and privilege escalation vulnerabilities proving an easy way to take complete control of various versions of Joomla. The diagnosis is grim for anyone who was not paying enough attention to patch within 24 hours as mass exploitation of these vulnerabilities have been reported, if you have not patched you should assume your Joomla site is already compromised.

Threats

  • Joomla 3.6.4 was released to address account creation, elevation, and modification vulnerabilities that are being actively exploited in mass across the web just days after the vulnerabilities were disclosed. Anyone who has not already updated should consider their site compromised.
    https://www.joomla.org/announcements/release-news/5678-joomla-3-6-4-released.html
  • Microsoft patched 45 security flaws in their October 2016 patches, one of which is being actively exploited as part of a malvertising campaign. This also being Microsoft first month with their new patching approach, removing the ability to pick-and-choose patches to apply. This new system puts much more pressure on software maintainers to push out patches for their applications that break due to patching, as companies would otherwise have to choose with being vulnerable to exploits, or have a functional application.
    https://technet.microsoft.com/en-us/library/security/ms16-oct.aspx
  • Google has released some unpatched 0-day vulnerabilities in Windows after the time limit of responsible disclosure of actively exploited vulnerabilities ran out. This vulnerability has no patch available and is “local privilege escalation in the Windows kernel that can be used as a security sandbox escape”. Windows 10 Anniversary update is not vulnerable and Microsoft reports that older versions of Microsoft will provide patches on Tuesday, November 8.
    https://security.googleblog.com/2016/10/disclosing-vulnerabilities-to-protect.html
    https://blogs.technet.microsoft.com/mmpc/2016/11/01/our-commitment-to-our-customers-security/
  • Linux Kernel local privilege escalation vulnerability known as Dirty COW has been patched 9 years after its introduction. As this vulnerability has existed for so long, it will affect practically all Linux-powered devices, from cars, to android phones, routers, etc… Cleaning up this Dirty COW is not going to be easy, with many devices simply no longer supported, or patches take months to be released.
    http://dirtycow.ninja/
  • DNS hosting provider DynDNS has been hit by a huge DDoS attack that shook much of their services offline. Being a DNS provider this had very long reaching effects with many major websites being brought offline because users were unable to perform DNS lookups for websites using DynDNS services.
    Read more on Krebs on Security website
  • Spam has been found to be delivered through a calendar invite file “.ics” that contained a cancellation request with many recipients. Depending on how the calendar invite is managed it could cause the spam email to be forwarded to all the recipients from your email address.
    https://isc.sans.edu/forums/diary/Spam+Delivered+via+ICS+Files/21611/

Breaches

Other

  • The Privacy Amendment (Notifiable Data Breaches) Bill 2016 has passed its second reading in the Australian House of Representatives. If passed, this bill will require entities subject to the Privacy Act 1988 to issue a notification in case personal information (that may result in serious harm) gets lost.
  • The Register has published an interesting post on the potential liabilities of being hacked.
    http://www.theregister.co.uk/2016/10/14/been_hacked_what_are_you_liable_for/