7.4.18

Study: White House email domains at risk of being misused for phishing scams



Most of the White House’s email domains have yet to deploy an email authentication protocol known as DMARC that is designed to reduce the risk of attackers impersonating legitimate email addresses for distributing spam or phishing messages.
Nearly all email domains overseen by the Executive Office of the President (EOP) of the United States – including WhiteHouse.gov – are vulnerable to being hijacked for large-scale phishing campaigns, a report by the Global Cyber Alliance (GCA) has shown.
According to the security advocacy group, only one out of 26 email domains managed by the EOP has fully implemented the Domain-based Message Authentication, Reporting and Conformance (DMARC) protocol, which is intended to detect and prevent email spoofing.
Another seven domains have put the email authentication protocol in place, but only at a level of implementation that allows for monitoring emails; it does not actually prevent delivery of spoofed emails. The remaining 18 email domains under the EOP’s purview have yet to even begin implementing the protocol.
Email spoofing involves creating email messages using forged sender details so that the e-mail appears to come from someone other than the actual sender. Such spoofing is commonly used for distributing spam or phishing messages that contain malicious attachments or links.
The GCA found that the highest setting of the DMARC policy has only been deployed for the max.gov email domain. The policy for this domain is set at “reject”, making sure that messages that fail authentication are blocked at the email server, before they can actually be delivered.
The Alliance notes that the subpar level of DMARC deployment is “surprising”, given that the US Department of Homeland Security issued a directive on October 16, 2017, requiring all federal agencies to have the protocol in place this year. The directive mandates at least the lowest DMARC policy for all second-level agency domains within 90 days (i.e. mid-January). The highest-level DMARC policy is required to be implemented within a year of the directive being issued. The measure is designed to increase security for anyone who receives email from federal agencies.
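The three deployment states the report counts (no record, monitoring only, enforcement) correspond to the policy tag in a domain's DMARC TXT record. The following is an added example, not code from the GCA report or the article, that classifies a record the way the report does and flags the caveats a defender auditing their own domains would want to see; the domain names and records are constructed samples.

```python
"""Classify a DMARC TXT record into the deployment levels used in the report.

Added example (not from the GCA report): 'none' means no DMARC record,
'monitoring' means p=none (reports flow, spoofed mail is still delivered),
'enforcement' means p=quarantine or p=reject. Sample records are constructed.
"""
from typing import Dict, List, Optional

# Constructed sample TXT records keyed by hypothetical domain names.
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "enforced.example":   "v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example",
    "monitoring.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitoring.example",
    "partial.example":    "v=DMARC1; p=quarantine; pct=25; sp=none",
    "missing.example":    None,                                  # no TXT record
    "broken.example":     "v=spf1 include:_spf.example -all",    # SPF, not DMARC
}


def parse_dmarc(record: Optional[str]) -> Optional[Dict[str, str]]:
    """Split a 'tag=value; tag=value' record into a dict of lower-cased tags.

    Returns None when the record is absent or is not a DMARC record
    (RFC 7489 requires the 'v=DMARC1' tag).
    """
    if not record:
        return None
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def deployment_level(record: Optional[str]) -> str:
    """Map a record to 'none', 'monitoring' or 'enforcement'."""
    tags = parse_dmarc(record)
    if tags is None:
        return "none"
    # 'p' is mandatory; a record that omits it gives no enforcement, so treat as none.
    policy = tags.get("p", "none").lower()
    return "enforcement" if policy in ("quarantine", "reject") else "monitoring"


def audit_findings(record: Optional[str]) -> List[str]:
    """Return the weaknesses a defender would flag for a published record."""
    tags = parse_dmarc(record)
    if tags is None:
        return ["no valid DMARC record published"]
    if deployment_level(record) == "monitoring":
        return ["p=none: spoofed messages are reported but still delivered"]
    findings: List[str] = []
    # pct defaults to 100; a lower value applies the policy to only a sample of mail.
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 100
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    # sp defaults to p; an explicitly weaker sp leaves subdomains spoofable.
    if tags.get("sp", tags["p"]).lower() == "none":
        findings.append("sp=none: subdomains remain unprotected")
    if tags["p"].lower() == "quarantine":
        findings.append("p=quarantine: failing mail is spam-foldered, not rejected")
    return findings


if __name__ == "__main__":
    for domain, rec in SAMPLE_RECORDS.items():
        print(f"{domain:20} {deployment_level(rec):12} {audit_findings(rec)}")
```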
“Email domains managed by the EOP are crown jewels that criminals and foreign adversaries covet,” Philip Reitinger, president and CEO of the Global Cyber Alliance, is quoted as saying. He added that the lack of full DMARC deployment “poses a national security risk”. The EOP manages a range of domains – including Budget.gov, OMB.gov and USTR.gov – that could be valuable for phishers.


5.4.18

World Backup Day: Banks having each other’s back



As World Backup Day reminds us, robust backups are integral to healthy information security practices of any organization. This is doubly true for those operating in critical sectors.
Picking up where we left off in Part 1, we will now look at how many US financial institutions apparently aim to attain ultimate safety for their critical account data. First, however, let us stop to consider what contributed to putting such considerations on the front burner.
Increasingly, some types of attacks have been trending towards outright destruction, as opposed to “mere” disruption or theft. A number of organizations have learned this the hard way in recent years, including Saudi Arabian state-owned oil and gas firm Saudi Aramco and entertainment company Sony Pictures Entertainment. They both saw tens of thousands of their computers wiped out in particularly destructive attacks.
The onslaught at Sony, in October 2014, was one of the first massive hacks of an American corporate infrastructure that was largely aimed at data destruction. As part of its toll, the attack completely erased half of the company’s servers and computers, reducing a number of employees to using pen and paper to do their jobs.
This incident raised concerns across the board. US banks, for example, took part in a series of regular cybersecurity simulation exercises between 2014 and 2016 that were aimed at testing their ability to ward off similarly destructive attacks. Lessons learned during these drills, known as the “Hamilton Series”, gave rise to a last-resort mechanism that is intended to further step up the banks’ game vis-à-vis data resilience.
“The significant other”
Enter an initiative dubbed “Sheltered Harbor”, which requires its participants to convert their up-to-date customer account and transaction information into a standardized format, before encrypting and placing it into secure, air-gapped and offsite “data vaults”. Also, according to the high-level overview of the program, the data must be unalterable and, if ever needed, must be retrieved from the “fallout shelter” exactly as when they were archived.
Crucially, the initiative seeks to add an extra layer of resiliency on top of the standard “restore and recovery” programs in that the affected institution would not be left to its own – at that time incapacitated – devices. Banks need to form pairs. If a member of the pair is unable to quickly restore normal service on its own, it can fall back on its backup peer, which loads the affected bank’s data into its own systems. This would be possible thanks to the standardized format required by the program.
However, focusing too much on a single bank would be missing the point. At the end of the day, the goal is not to salvage the hapless bank. The key idea is to ensure that if a bank crumbles under the weight of an egregious cyberattack or a particularly destructive accident, the incident won’t snowball. The ripple effects of such a scenario are all but impossible to predict. However, the main concern is that a particularly serious incident could spook the public and trigger a sweeping bank run that extends well beyond the impacted bank.
This is because, on top of downtime and financial fallout, attacks targeting the confidentiality, integrity or availability of critical bank account data share another possible consequence – the loss of consumer trust. That is saying something for a sector that is essentially predicated on consumer confidence. Trust is a fickle mistress, and we all know that its erosion can trigger a chain of events with hardly-predictable ramifications.
Collectively, the participating banks are said to hold some two-thirds of retail accounts in the US, and it’s claimed that a sizable portion of retail brokerage accounts are also being included. Having a contingency plan that involves industry-wide collaboration is particularly sensible in a sector in which the roof may cave in with a particularly loud bang.
Indeed, a solid backup and disaster recovery solution in general can ultimately mean a difference between a few days’ inconvenience and lost service (followed by months or years rebuilding trust) and total business collapse. In a way, then, Sheltered Harbor may be thought of as insurance that is good to have, but that nobody wants to ever use.
In conclusion
All told, the value of a reliable backup plan in general is especially apparent when dealing with a situation that is not entirely under our control. Data may be lost or corrupted in various ways, but successful recovery is conditional on a dependable backup strategy. There is no denying that the current cybersecurity climate dictates paying increasing attention to data restoration and recovery, which are themselves intrinsic to the cybersecurity defense playbook.
Although World Backup Day comes only once a year, we all know that both individuals and organizations need to create their backups much more often. Implementing a solid backup routine clearly goes a long way towards bolstering our data defenses. And while we’re at it, we should not forget that ensuring that we’re actually able to restore data from a backup is equally as important. Happy World Backup Day!
https://www.welivesecurity.com/2018/03/29/world-backup-day-banks-others-back/

The 5 IT security actions to take now based on 2018 Trends


Implementing the five actions described in this article can help reduce your organization’s cyber risk and bolster its security defenses
Securing the information systems that keep your organization running is an ongoing endeavor that needs to evolve over time in response to trends in the threat landscape. As our IT systems grow in scale and complexity, new cyber risks arise. At the same time, threat actors have been growing in number; and their means, methods, and motivations are evolving.
I’ve identified five action items to reduce your cyber-risk and fine-tune your cybersecurity program, based on the trends identified by ESET security researchers in Cybersecurity Trends 2018:
· Review your ransomware response plan
· Check your power supply
· Map data for better security and compliance
· Update server protection
· Push IT security training wider and deeper
In addition, you can watch my short webinar for a closer look at 2018’s trends and challenges—and how to respond to them.
1. Review your ransomware response plan
If you’ve read my colleague David Harley’s chapter on ransomware in the Trends 2018 report, you will know this threat is not likely to recede in 2018. Maliciously encrypting someone’s files so they cannot use them is proving to be a popular attack. We anticipate a continued growth of ransomware in three main categories: broad attacks, targeted attacks, and destructive attacks. While attacks in the first two categories typically involve a good faith offer to provide the victim with a key to unlock their files in return for payment, attackers in the final category have no intention of providing a key.
While a properly deployed and appropriately managed endpoint protection product offers a strong defense against all three forms of attack, there is always a chance that the bad guys will find a gap in your defenses – like a forgotten server that IT never knew about, or an employee who just won’t stop clicking in all the wrong places.
That is why every organization needs to have a ransomware response plan in place. This plan tells everyone in the organization what they need to do if there is a ransomware attack, from the first sign of compromise to the technical escalation process, management notifications, PR handling, and so on.
Your organization should already have some sort of breach response plan in place (if not, then ESET researcher Lysa Myers has some good advice on that and you can download a very useful 50-page “Cyber Incident and Breach Readiness Guide” from the Online Trust Alliance, an initiative of the non-profit within Internet Society).
In fact, you may already have a section in your response plan that addresses malware incidents; however, a ransomware attack is sufficiently different to warrant its own section. This should be reinforced with ransomware scenarios in your crisis response manual, scenarios for which you need to practice (with tabletop exercises, for example).
If you’re not convinced that a ransomware attack is sufficiently different to warrant specialized response planning, try answering these questions:
· Does your organization have a written policy prohibiting payment of IT-related ransoms and extortion demands without management approval?
· Is there a process in place for determining whether or not a ransom demand will be paid?
· Does the organization currently hold or can it quickly acquire crypto-currency such as Bitcoin for ransomware emergencies?
· Has your legal counsel advised you on the breach notification requirements that may, or may not, apply to data compromised by ransomware?
If there is one thing worse than being hit with a ransomware attack, it is not being ready to respond to a ransomware attack. Consider this your number one cybersecurity action item for 2018.
2. Check your power supply
The second action item concerns the supply of electricity that makes all of this digital technology work. In the Cybersecurity Trends 2018 chapter that I wrote on critical infrastructure, I was very mindful of the multiple malware-enabled power outages in Ukraine. Those events provided proof that bad actors can abuse connected industrial control systems to disrupt the power supply. I was also thinking of the multiple power supply issues that have crippled air travel in recent years at major hubs like London’s Heathrow and Atlanta’s Hartsfield-Jackson International. Even though these incidents were not hacking-induced, they show how disruptive and costly targeted attacks on the power supply could be.
So what has this got to do with your organization’s cybersecurity? The answer lies in your response to this question: What steps has your organization taken to continue operating in the event of a power outage? Do employees know what to do when the power goes out? Is there an office-wide backup power generator? How quickly does it kick in? While your organization may have the answers to these questions, do you know where they are documented?
A lot of organizations use a data center for data processing, app hosting, offsite backup, and so on. If you use a data center, think about the last time you visually inspected their power arrangements. Did they have a large bank of batteries to power everything until the diesel generator spins up? And where is that generator located? Well above flood level, I hope. Now might be a good time to check that your data center has updated its risk assessment to account for weather extremes. When Hurricane Sandy hit the East Coast in 2012, at least eight data centers were impacted.
Remember, availability is one of the three pillars of cybersecurity (the other two being confidentiality and integrity). If your systems don’t have power they are not going to provide availability.
3. Map data for better security and compliance
The third action item arises from changes in the world of data privacy that were highlighted in the 2018 Trends chapter penned by my ESET colleague, Tony Anscombe (see his related blog post here). Tony and I agree that new privacy laws and lawsuits in 2018 will increase regulatory risk for many organizations, and not just because of this thing called General Data Protection Regulation (GDPR).
Since we are just a few months away from GDPR’s implementation deadline, I trust that every company in the world that has an internet connection also has a basic understanding of what GDPR means for its data privacy and security practices. (If you’re not sure, take our free compliance check to get a detailed report customized to your organization.)
But GDPR is not the only regulatory factor at play. In the U.S., there are new state regulations in place, and very likely more to come. If your organization operates in the State of New York then you probably know about 23 NYCRR 500. This is a cybersecurity regulation with which some covered entities are required to be in compliance by March 1, 2018. In 2017, the policy wonks at CompTIA, the technology industry association, spotted nearly 700 pieces of privacy/security legislation at the state level. Many of these bills will not pass, but state laws can add to the cost of security failures; for example, in 2017, we saw California levy a multi-million dollar data breach fine. Not sure what affects you? Take a look at ESET’s security technologies and compliance cheatsheet.
All this means that it is more important than ever for your organization to know what data it is handling, along with why, where, and how. In other words, you need to carry out what is variously called a data inventory, a data audit, or data flow mapping. The idea is to make sure that all the uses of data by the organization are documented so that the data can be appropriately protected and data privacy compliance requirements are met.
Fortunately, the International Association of Privacy Professionals (IAPP) has written extensively about this process and many of the articles – like this one – are freely available. While the information is presented in terms of GDPR – Article 30 of which obliges organizations to “maintain a record of processing activities under its responsibility” – the strategy described can be broadly applied. There are data mapping tools available, including one that is free to IAPP members. However, according to a 2016 survey, “66 percent of companies conduct data inventory and mapping informally with email and spreadsheets.”
Whichever approach you take, I can guarantee that a thorough data inventory and mapping project will uncover data of which the organization was not appropriately aware. The classic case is a marketing database that was created for a project that ended but was never properly retired. Sadly, we have seen breach after breach where hackers found servers “outside the fold” and weakly protected.
4. Update server protection
Your data “audit” should produce a catalogue of all of the organization’s servers that are processing or storing vital data. This provides input for the fourth action item: updating server protection. We saw attacks on internet-accessible servers increase in 2017 and we expect this trend to continue in 2018. Classic attacks include brute-forcing credentials for Remote Desktop Protocol (RDP) access, then turning off endpoint protection and encrypting the server contents for ransom.
In some cases, server attacks are almost too easy, like typing “admin” for the user name and password (which worked against an Equifax server in Argentina last year, an incident overshadowed by the company’s larger 143 million record breach due to delayed patching of a widely-reported server code vulnerability).
So, now is the time to check how well your servers are protected against outsider attacks. Here are four key questions to ask about each server:
1. Is access to this server protected by two-factor authentication?
2. Is this server running properly configured and appropriately managed endpoint protection (which would prevent unauthorized attempts to turn off protection)?
3. Is data on this server appropriately encrypted?
4. Is the server regularly backed up with archives stored off-site and off-line?
These days you need to be able to answer “yes” to all four questions, with no exceptions. Why? Because those exceptions are what criminal hackers look for when they want to steal credentials for resale, create spam or DDoS botnets for rent, steal IP and PII for resale, ransom files, or pivot to infest the rest of your network.
5. Push security training wider and deeper
The fifth and final action item stems from two 2018 trends that concern ESET researchers: continued growth of criminally malicious hacking and something you might call socially-malicious hacking, like efforts to disrupt elections and other pillars of civil society. Both of these trends remind us that information security is a society-wide problem. Smart organizations know that “security is everyone’s responsibility.” One clear implication of this reality is that everyone in your organization needs security awareness training.
There are many ways to implement a baseline of security awareness training for everyone, but some organizations still struggle to do this. For example, a recent study revealed that 70 percent of employees in some industries “lack awareness to stop preventable cybersecurity attacks”, and workers in some sectors are even less prepared to play their part: “78% of Healthcare Workers Lack Data Privacy, Security Preparedness.”
Statistics like that help explain why ESET decided to provide free online cybersecurity awareness training. This training is offered on demand, and allows organizations to document their employees’ progress to a baseline of cybersecurity awareness, including how to identify and respond to threats like malware, phishing, and social engineering.
This is one way to address the problem of that employee who keeps clicking in all the wrong places, and almost 10,000 people have taken that training so far. However, your organization’s cybersecurity training and awareness efforts need to go well beyond a baseline for all employees.
Any sizable organization also needs training that is tailored to the specific needs and policies of your company as well as specific roles within the company. One of the most effective programs that I have worked on operated at three levels: all-hands, management, and IT security staff. A fresh set of timely training materials was produced each quarter around a “hot” threat category and tailored to each of the three levels. Programs like this can be executed in house or by contracting with one of the well-established companies that specialize in this type of work.

Google banishes cryptocurrency mining extensions from Chrome Web Store


The tech giant is taking the measure after a rise in malicious browser extensions that mine digital money by hijacking the processing power of users’ computers. The clampdown follows Google’s recent move to stop serving any and all adverts promoting virtual currencies and initial coin offerings.
Google will no longer allow cryptocurrency mining extensions in its Chrome Web Store, regardless of whether or not they are upfront about what they do, according to an announcement on the technology giant’s Chromium blog on Monday. As a result, no new mining extensions have been accepted into the store since Monday, April 2nd, while existing ones will be removed in late June.
Google’s extensions platform product manager James Wagner wrote that the store had previously permitted cryptocurrency mining extensions with the proviso that this was their sole purpose and the user was kept up to speed about what such an extension did.
However, Google has found that around nine out of ten extensions that include mining scripts failed to play by the book, prompting the company to introduce the blanket ban.
“Over the past few months, there has been a rise in malicious extensions that appear to provide useful functionality on the surface, while embedding hidden cryptocurrency mining scripts that run in the background without the user’s consent,” according to Google.
For example, in December, Google booted a Chrome extension that, in addition to its stated purpose, had also roped unsuspecting users into mining digital coins. The extension had amassed more than 105,000 installations over the span of several weeks.
Meanwhile, extensions with blockchain-related purposes other than mining get off scot-free in the new policy.
The latest clampdown follows a measure in March whereby Google introduced a ban, also as of June, on all adverts that promote digital currencies. This mirrored a policy change that Facebook adopted in January. Twitter followed suit in late March.
Cryptojacking, or the hijacking of the computer processors of unsuspecting users to generate virtual currencies, has exploded in popularity in recent months. Scripts mining virtual currencies have become notorious for chewing up much of a computer’s processing resources, thus affecting system performance and driving up energy bills for the usually unsuspecting users.
While malicious cryptocurrency mining is not a new phenomenon, covert campaigns picked up extra steam with the launch of the Coinhive in-browser mining service in September. Coinhive’s JavaScript has been co-opted by scammers looking to make a quick buck. The explosion in illicit coin mining roughly coincided with the dramatic rise in the prices of digital currencies.
Coinhive’s script and numerous copycats have been detected on thousands of websites, including many legitimate but compromised websites, as well as in browser extensions and plugins, and on typo-squatted domains.
Surreptitious mining scripts have also been supplied alongside malware, in malvertising campaigns, and through hijacked cloud services. Miscreants have also smuggled the scripts into at least 19 apps in Google Play Store.