Researchers have found seven different vulnerabilities on various Zoho ManageEngine applications, which have been fixed by the company. They range from authentication issues to script injections that can result in remote code executions. – DIGITAL DEFENSE BLOG
Inside Security: Inside
Dec 19, 2017
Share with Your Network
If you aren’t yet a Premium subscriber, you missed yesterday’s analysis about the zero trust extended platform, and what you should do about it. Go to our Premium page and sign up, subscription plans start at $10/month with multiple newsletters and corporate plans available. Premium subscribers get an additional Thursday newsletter, usually with a single analysis topic.
Iran has been encouraging more of its businesses to get online, and it has built a “halal Internet” that restricts what is available, similar to China’s Great Firewall. However, Iran has struggled with both supporting and at the same time blocking particular Internet apps, such as encrypted messaging app Telegram, that is useful for business as well as personal communications. This report describes the evolution of Iran’s censorship activities and the conflict between being open and controlling information access.
Attacks and vulnerabilities
There is a vulnerability in the Cisco Adaptive Security Appliance firewall productthat can allow remote code execution. A variety of ASA products (such as this unit shown) are affected along with the FTD v6.2.2 firmware, and there is an update to fix this. – CISCO TOOLS BLOG
Does the zero trust extended model make any sense?
Several years ago, John Kindervag at Forrester Research put together a new enterprise security model called Zero Trust. The idea was that defending the perimeter was obsolete, given that boundaries were becoming more porous and that hackers could penetrate just about anything and traverse networks at will. And as enterprise networks became more global and more intertwined with the public Internet and mobile devices, it also became harder to defend perimeters.
So zero trust, or verify and never trust, started to become a popular model. The original idea is shown in this diagram that centers around a next generation firewall that links to different network segments and acts a data distribution hub. It relies on careful network segmentation, and assumes that all network traffic isn’t trusted and must be scanned from malware and bad actors. In addition to better firewalls, zero trust also means that virtual network infrastructure and network orchestration tools will be needed.
Palo Alto Networks’ Cyberpedia has a nice definition of zero trust, that includes these elements:
- Ensure all data and resources are accessed securely, based on user and location.
- Adopt a least-privileged access strategy and strictly enforce access control.
- Always verify, meaning inspect and log all traffic.
- Add more authentication methods to counter credential-based attacks.
- Never trust, always keep adding context and keep your roles up-to-date.
These recommendations are now several years old.
Most security professionals would agree with everything mentioned so far, at least in theory. But when it comes to actually implementing zero trust networks, they admit that there is little to show for it. Firewalls are still based on outdated assumptions, trust relationships bleed across network boundaries, and few security operations centers can handle the traffic loads to really effectively scan much of anything.
This is why in the past several months Forrester has updated its advice with a new “Zero Trust Extended” (ZTX) series of recommendations. At their core is a “strategy to become a Zero Trust ecosystem, not buy a Zero Trust technology item and hope things are now Zero Trust,” as several analysts say in a new blog post. The analysts have put together an implementation plan that can help move the ball forward and explains the different pieces of ZTX architecture. The table of security vendors below is just a partial “who’s who” listing the relevant technologies in different portions of the ZTX framework.
Does this mean that zero trust’s time is finally here? Perhaps. Part of the problem is that to really accomplish zero trust will require an expensive infrastructure upgrade. If you are still using older model firewalls or a mixture of protection vendors, you will have to carefully assess which tools can work together in a zero trust world. Second, ease of use needs to be determined from the user’s point of view and has to be the focus: all the security tech in the world won’t help if a user needs 27 factors to sign in to use your network resources. Forrester has several other suggestions in its ZTX report, such as using a robust partner, and ecosystems that support better and more unified security policy management solutions.
It is certainly worth considering, especially as you begin to replace outdated security products.
Tools
Before deploying behavioral analytics, there are a few key things every security team should consider in maximizing their effectiveness, such as a unified security data set, having pre-set workflows to act on attacks in progress, and analytics based in the cloud for quick delivery. – SECURITY WEEK
Microsoft is updating how it categorizes scareware, or programs that try to coerce users into purchasing them to “improve” their security posture. Often, this software is really malware with better marketing messages. Beginning next month, Windows Defender will detect and remove these programs. – MICROSOFT CLOUDBLOGS
Reports
A Pentagon report from April 2001 was remarkably prescient about the growing danger and nature of cyber attacks. This post describes what it said, now that it has been declassified. “A lot of people told us we were being too alarmist at the time,” Stuart Staniford, the lead author of the report shown here, feels vindicated about its conclusions, such as segregating critical infrastructure controls from the public Internet, using white hat hackers, and mandating breach reports. — NEXTGOV
The Docket
Britain’s Court of Appeals has ruled on Tuesday that the current UK mass digital surveillance program is illegal. The program, called the Data Retention and Investigatory Powers Act, was passed in 2014. The court said it did not lawfully restrict government agencies’ access to personal citizen information, including phone records and web browsing history, and didn’t contain adequate oversight safeguards. – THE GUARDIAN
New products and services
The Munich airport authority launched its Information Security Hub, a competency center where IT specialists with the airport operating company will work together with experts from the European aviation industry to develop strategies for defending against cyberattacks and new approaches to the fight against cybercrime.
COMPTIA has created an early version of a new pentest certification exam this week. Called PenTest+, it is designed for security professionals who want to prove their vulnerability assessment and management skills in a series of hands-on simulations using open source tools and testing frameworks. It joins other COMPTIA cybersecurity analyst exams and is scheduled to go into production in the fall. The test costs $50 and takes almost three hours.
Kaspersky Security for Microsoft Office 365 offers a SaaS-based tool to protect Exchange Online installations. Included are protections from malware and phishing threats and is managed from a web-based console. Pricing is $22.90 per protected mailbox per month, with quantity discounts available.
Just for fun
What if tech support writers worked for our federal government? Hilarity ensues. – THE NEW YORKER
David’s Take
Today’s newsletter is a grab-bag of numerous cryptocurrency-related exploits, with our top story showing how patient one attacker can be to rob victims of their virtual wallets. But that’s not all we have for you.
I am a big fan of data visualizations, and this story about how the fitness trackers of various active duty military members can show the downsides. It points out where some secret bases are located and gives me pause. The data collected by the Strava app has been analyzed and given how often military exercise and in dense numbers can make spotting these locales fairly easy. This is just one more IoT issue to worry about.
If the annual Pwn2Own hacking contest isn’t on your radar, the increased prize purses and the opportunity to try to find weaknesses in a new Windows 10 preview build might whet your appetite. This year Microsoft and VMware are upping the ante at the CanSecWest conference in Vancouver held in March. Contestants these days need to do a lot more than just find a single vulnerability to win money. Rewards typically require researchers to string together multiple exploits.
—David Strom, editor of Inside Security
Top Story: The long-term Iota attack explained
Usually, when we think about attacks on particular destination sites, we tend to focus on a point in time when the breach occurs, and how a company should have done a better job at defending themselves leading up to that moment. The story over the past week about the Iota attack is very different, and we learned that a hacker systematically spent the last several months working to steal four million dollars from other people’s cryptocurrency wallets, using a combination of misdirection, bad random-number generators, social media come-ons, and phished emails. The research into how this happened is described in detail here, where Alex Studer (who is a Dalton high school student with some mad skills) concludes by saying, “You should never rely on online services, like seed generators or web wallets, for holding any amount of currency you care about, and you should make sure that you use software that is open source and has been carefully reviewed and audited by the community.” Wise words to heed. – BLEEPING COMPUTER
Cryptocurrency attacks
eSentire has observed an unknown threat actor attempting to deploy a Monero cryptocurrency miner to multiple customers. The threat leveraged Kaseya’s Virtual Systems Administrator agent to gain unauthorized access to multiple customer assets
YouTube was recently caught displaying ads that covertly leach off visitors’ CPUs and electricity to generate digital currency on behalf of anonymous attackers, who were abusing Google’s DoubleClick ad platform to display them to YouTube visitors in select countries, including Japan, France, Taiwan, Italy, and Spain. The malware also contained malicious JavaScript that also displayed ads for fake AV programs. — ARS
Report
AppRiver has published its year-end report summarizing exploits it has tracked across its security infrastructure. For example, they observed a major increase in phishing efforts, reaching peak levels over the summer. Some of this they attribute to a very clever phishing attack using a Docusign-based infected PDF (illustrated here). There are other attacks including filing up your inbox with spam to distract you from seeing financial account transaction notification messages and a summary of various ransomware campaigns. — APPRIVER
Just for Fun
All the hub-bub over a simple black square. That is being an influencer! — SWIFTONSECURITY @ TWITTER
David’s Take
The U.S. Secret Service quietly began warning financial institutions that jackpotting attacks have now been spotted targeting cash machines here in the United States. According to Brian Krebs, accomplices stand near ATMs and remove the cash when an attacker issues the right sequence of commands. Apparently, the targeted stand-alone ATMs are routinely located in pharmacies, big box retailers, and drive-thru ATMs. The thieves typically need physical access to the inside of the ATM to make this exploit work. For some reason, jackpotting has been seen more in other countries, including Mexico.
—David Strom, editor of Inside Security
Top Stories: Amazon and Google make strides in security
Two major announcements from last week deserve additional commentary. The first is the purchase of Sqrrl by Amazon. The Cambridge, Mass.-based company helps analyze a variety of sources to track and understand security threats quickly using machine learning. Its main product is called the Threat Hunting Platform, a system designed for cybersecurity teams which connects link analysis, machine learning algorithms, and multi-petabyte scalability to assist them in detecting and tracking down enterprise threats. Sqrrl will continue to work with its existing customers as its technology gets folded into yet another AWS offering. The company was founded by former NSA employees and has raised $26M since 2012. While terms of the deal were not disclosed, Axios reported in December a potential deal estimate of at least $40 million. — ZDNET
The second noteworthy announcement last week was Alphabet (Google’s parent) and a new service called Chronicle. The service is designed to help companies more quickly make sense of and act on the mountains of threat data produced each day by cybersecurity tools. Stephen Gillett will be the new venture’s CEO. The announcement is short on details, although it will leverage Google’s other property, Virus Total. One security researcher says this new company could be a meteor aimed at planet Threat Intel.
Funding and M&A news of the week
Tigera, a Kubernetes-focused startup in Silicon Valley that specializes in secure application connectivity, has raised an additional $10M in funding to further improve secure application connectivity across all cloud environments. Their lead investor is Madrona Venture Group and their CEO is Ratan Tipirneni.
HackerOne, a hacker-powered security platform, has acquired Breaker 101, an online web security course designed to educate the next generation of ethical hackers. The interactive content and coursework, now known as Hacker101, is available for free on GitHub.
Allure Security has raised $5.3M in seed funding from Glasswing Ventures to drive R&D for the company’s data loss detection and response platform. The Boston-based company’s CEO is Salvatore Stolfo.
Dominode has raised a $1.3M round with Blockchange Ventures in the lead. The Boca Raton-based company has a new digital ID solution, and its CEO is John Toohey.
Centrallo has raised a $1.5M seed round with Responder in the lead. It’s developing new emergency response techniques, is based in NYC and its CEO is Michael Sher.
Cylus has raised a $4.7M seed round led by Zohar Zisapel of The RAD Group. The company is based in Tel Aviv and its CEO is Amir Levintal and it is working on cybersecurity geared towards railways and metro systems.
Hysolate has raised an $8M round led by Team8. It’s also based in Tel Aviv and is developing another endpoint protection solution, this time using air gap technologies. Its CEO is Tal Zamir.
SheerID has raised an $18M B round led by Centana Growth Partners for a new digital verification enterprise platform. It’s based in Portland, Ore. and its CEO is Jake Weatherly.
Attacks and vulnerabilities
Windows, Linux and Mac systems are subject to a new piece of malware called CrossRAT, which appears to come from the Dark Caracal hacking group. The malware can enable remote access (hence its name), run arbitrary executables, and doesn’t rely on any zero day exploits. It is written in Java and contains an inactive keylogger, perhaps for future enhancements. – THE HACKER NEWS
Security researchers have discovered more than 2,000 WordPress sites are infected with a keylogger that’s being loaded on the WordPress backend login page and an in-browser cryptocurrency miner being installed on their frontends. The result is that what is typed in the forms is sent to the hackers even before the user has clicked on the log in button. –BLEEPING COMPUTER