Rich O'Hanley
7 followers
Publisher for IT, business, and security at CRC Press and Auerbach Publications.
Rich's posts

Rich O'Hanley commented on a post on Blogger.
The latest ransomware is using disk-level encryption, infecting master files that can only be decrypted if payment is made. The new ransomware is called Petya, and victims are being targeted through phishing emails.

Travis Smith, Senior Security Research Engineer at Tripwire, explains, “By encrypting the entire disk, it increases the cost to legitimately recover files without paying the ransom. Consumers may not have the technical capability to re-install their operating system and other applications accumulated over the life of the PC. For businesses, the increased costs mean criminals can charge a higher ransom knowing their targets will have to also spend more on an alternative solution. End users must stay vigilant in the fight against ransomware. Don't click on links or open attachments which are unsolicited. Backups should be kept up to date and offline to reduce the likelihood of having to pay to recover critical data.”

Rich O'Hanley commented on a post on Blogger.
Dodi Glenn, VP of cyber security at PC Pitstop, says that we are beginning to see changes within the Locky ransomware. It’s becoming more complex and far-reaching.

“We are seeing an increase in the amount of Locky ransomware attempting to execute on our customers’ computers,” said Glenn. This version of ransomware is becoming more common this year as they advance the technology and take on new strategies behind distributing it, including:
• Recently modifying the DGA (Domain Generating Algorithm) so that the Command and Control servers are different each day.
• Creating a new variant of Locky which attacks network shares and other attached storage, using blank/null credentials or the locally logged in user credentials.
• While they are sticking to 104.239.213.7 as the server, they are registering multiple domains.
• Partnering with the Exploit Kit (EK) developers to bundle Locky – with this, we can expect to see a drastic increase in the number of samples being distributed via exploits and spam.”

Rich O'Hanley commented on a post on Blogger.
In light of increasing news reports of ransomware attacks, including a warning from the FBI, Imperva CTO Amichai Shulman today issued the following comments. Note the blame placed on law enforcement.

“Ransomware is thriving because of law enforcement’s approach to the issue and the longtime negligence of cybercrime by authorities.  There are two things that people need to understand about ransomware. First, at the personal level, the best way to address ransomware is by having a cloud backup system. Secondly, at the enterprise level, individual infections can quickly escalate into an enterprise problem. Ransomware running on a local employee machine usually encrypts any file shares that are accessible from that machine. While most enterprises keep a proper backup system, the operational hassle is substantial. Thus, by using proper file activity monitoring solutions, enterprises can quickly detect ransomware operating from end stations and quarantine those before they have a significant impact.”
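Two of the posts above make the same operational point: the Locky variant that encrypts network shares, and Shulman's remark that ransomware on one employee machine usually encrypts every share reachable from it, so file activity monitoring can spot the infected end station early. The following is an added example, not code from the original posts or from any of the vendors quoted; it runs a simple detection over a constructed share audit log (format and hostnames invented for the example) and flags any host that renames many files to a new extension within a short window, which is the trace a file-encrypting process leaves behind.

```python
"""Toy file-activity monitor that flags ransomware-like rename storms on a file share.

Added example (not code from the original posts).  The audit-log format is
constructed for the example: one event per line,
    <ISO timestamp> <host> <user> <op> <path> [-> <new path>]
with op one of READ, WRITE, RENAME, DELETE.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ntpath

# Constructed sample: ws-12 is normal activity; ws-07 renames many files to a
# new extension within seconds, the pattern a file-encrypting process leaves behind.
SAMPLE_LOG = r"""
2016-03-01T09:00:01 ws-12 alice WRITE \\files\finance\budget.xlsx
2016-03-01T09:00:05 ws-12 alice READ \\files\finance\notes.docx
2016-03-01T09:00:40 ws-12 alice RENAME \\files\finance\draft.docx -> \\files\finance\final.docx
2016-03-01T09:01:00 ws-07 bob RENAME \\files\finance\q1.xlsx -> \\files\finance\q1.xlsx.zzz
2016-03-01T09:01:02 ws-07 bob RENAME \\files\finance\q2.xlsx -> \\files\finance\q2.xlsx.zzz
2016-03-01T09:01:03 ws-07 bob RENAME \\files\finance\plan.docx -> \\files\finance\plan.docx.zzz
2016-03-01T09:01:05 ws-07 bob WRITE \\files\finance\plan.docx.zzz
2016-03-01T09:01:09 ws-07 bob RENAME \\files\hr\salaries.xlsx -> \\files\hr\salaries.xlsx.zzz
2016-03-01T09:01:15 ws-07 bob RENAME \\files\hr\policy.pdf -> \\files\hr\policy.pdf.zzz
2016-03-01T09:01:20 ws-07 bob WRITE \\files\hr\HOW_TO_RECOVER.txt
"""

RENAME_THRESHOLD = 5            # extension-changing renames from one host ...
WINDOW = timedelta(minutes=1)   # ... inside this sliding window trigger an alert


def parse_events(log_text):
    """Yield one dict per non-empty log line."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, user, op, rest = line.split(None, 4)
        event = {"ts": datetime.fromisoformat(ts), "host": host, "user": user, "op": op}
        if op == "RENAME":
            event["path"], event["new_path"] = rest.split(" -> ", 1)
        else:
            event["path"] = rest
        yield event


def is_extension_change(old_path, new_path):
    """True when a rename keeps the file's name but appends or swaps its extension."""
    old_dir, old_name = ntpath.split(old_path)
    new_dir, new_name = ntpath.split(new_path)
    if old_dir != new_dir:
        return False
    old_stem, old_ext = ntpath.splitext(old_name)
    new_stem, new_ext = ntpath.splitext(new_name)
    # q1.xlsx -> q1.xlsx.zzz (appended) or q1.xlsx -> q1.zzz (swapped)
    return new_ext != old_ext and new_stem in (old_name, old_stem)


def find_rename_storms(log_text, threshold=RENAME_THRESHOLD, window=WINDOW):
    """Return {host: peak count} for hosts whose extension-changing renames
    reach `threshold` within `window`."""
    recent = defaultdict(deque)   # host -> timestamps of recent suspicious renames
    peak = defaultdict(int)
    for ev in parse_events(log_text):
        if ev["op"] != "RENAME" or not is_extension_change(ev["path"], ev["new_path"]):
            continue
        q = recent[ev["host"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        peak[ev["host"]] = max(peak[ev["host"]], len(q))
    return {host: n for host, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    for host, n in find_rename_storms(SAMPLE_LOG).items():
        print(f"ALERT {host}: {n} extension-changing renames within {WINDOW}; quarantine candidate")
```

The heuristic keys on the host, not the user, because the share sees the infected workstation's session; the response Shulman describes (quarantining that end station) is what an alert here would drive. Threshold and window are tuning knobs: a bulk rename by a legitimate migration script will also trip a low threshold, so in practice the alert is corroborated with the extension being one no application on the estate writes.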

Rich O'Hanley commented on a post on Blogger.
Cisco Warns of Security Risks Tied to Internet of Things

According to TechHive, Cisco says it identified three flaws in a connected-thermostat product being marketed by Trane that could give hackers remote access to consumer living rooms. According to a Cisco report, the vulnerability was found in Trane's ComfortLink II smart thermostat in 2014, and final corrections were completed in January.

http://www.techhive.com/article/3031218/security/flaws-in-trane-thermostats-underscore-iot-security-risks-cisco-says.html

Rich O'Hanley commented on a post on Blogger.
Tony Berning, senior manager at security firm OPSWAT, posts:

"As attacks become more sophisticated, and digital control systems increase in complexity and levels of automation, it is increasingly difficult to prevent threats from impacting the operation of critical infrastructure. As a security measure, most critical infrastructure systems are air-gapped, or isolated from external networks. Because of this, portable media is a primary vector for cyber-attack; it is often the only way to transport files to and from secure areas. As key attack vectors for malware, it is extremely important that extra attention is placed on securing the portable media devices that are brought in and out of a secure facility.

"While imperative to the protection of critical infrastructure, securing portable media devices is not easily done, and there are many requirements that can impact the portable media security policies for operators of critical infrastructure. In many cases, there is no single source for an organisation’s portable media security policy, and individual facilities may require unique security policies.

"Because SCADA systems control key functions in critical infrastructure, such as nuclear plants, successful attacks on SCADA systems could potentially cause disruptions in services that we all depend on every day. For this reason, SCADA attacks are often politically motivated and backed by foreign state actors with motives such as industrial espionage or military sabotage.

"Many SCADA and ICS (Industrial Control Systems) systems were built decades ago when cyber security was not yet an issue. To add cyber security defences to these systems is a major task, coupled with the fact that due to their critical nature, downtime for system upgrades is virtually impossible.
Given these challenges, what can be done to improve the security of critical infrastructure? Here are five ways to improve SCADA security:

"1. Air-Gap Systems: Since many SCADA systems do not include cyber security controls, it is important to physically separate these systems from the Internet and corporate network. If the systems are connected to the network, strong firewalls, intrusion detection systems and other security measures must be put in place to protect against unauthorised intrusion.

"2. Avoid Default Configurations: Avoid using default configurations on network and security appliances. Factory passwords must be changed immediately and a system of strong passwords and regular password updating should be enforced.

"3. Apply USB & Portable Device Security: Since air-gapped systems are not connected to the network, often the only way to bring files in and out of the SCADA system is by using portable media such as USB drives or DVDs. As key attack vectors for air-gapped networks, it is very important to deploy a portable media security system that thoroughly scans portable devices for any threats before they are allowed to connect to the secure SCADA network.

"4. Defend Against Advanced Persistent Threats (APT): Attacks are becoming more and more sophisticated, with malware lying in wait undetected for a long period of time. It is important to fight APTs at different levels; not only trying to prevent APTs entering the network, but also detecting APTs that have already gained entry. An effective way to detect APTs is to use a multi-anti-malware scanner that will scan files with multiple anti-virus engines using a combination of signatures and heuristics and will therefore be able to detect more threats. In addition, technologies such as data sanitization can prevent zero-day and targeted attacks that may be missed by anti-malware engines by converting files to different formats and removing any possible embedded threats and scripts. Devices should be continually monitored for any abnormal activity and files on the network should be continually scanned with multiple anti-virus engines; a threat that was previously not detected could be found by an updated signature database.

"5. Perform Penetration Testing: Regular penetration testing and vulnerability assessments, if possible conducted by a third party, are very helpful to get realistic input on the current security level and shed light on which areas still need additional security precautions.

"The above measures, along with employee awareness training and continuous evaluation, will significantly boost the security of critical infrastructure systems."
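Point 3 above calls for scanning portable media before it is allowed near an air-gapped SCADA network. The following is an added example, not OPSWAT's product or code from the post: a minimal offline check-in scan that a media kiosk could run, combining a deny-list of executable and script types (including autorun files) with a content check that catches an executable whose name claims to be a document. The extension list and the magic-byte table are assumptions for the example, and the multi-engine anti-malware scan the post recommends is outside what can be shown offline.

```python
"""Offline check-in scan for portable media before it enters an air-gapped area.

Added example, not OPSWAT's product or the post's code.  Two checks a check-in
kiosk can run without network access: a deny-list of executable/script types and
autorun files, and a header check that catches executables renamed to look like
documents.  Multi-engine anti-malware scanning is out of scope here.
"""
import os
import tempfile

# Magic bytes of executable formats this example recognises (assumed minimal list).
EXECUTABLE_MAGIC = {b"MZ": "pe-executable", b"\x7fELF": "elf-executable"}
BLOCKED_EXTENSIONS = {".exe", ".dll", ".scr", ".vbs", ".js", ".bat", ".cmd", ".ps1", ".hta"}
BLOCKED_NAMES = {"autorun.inf"}


def sniff(path):
    """Return the executable type implied by the file header, or 'other'."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    for magic, label in EXECUTABLE_MAGIC.items():
        if head.startswith(magic):
            return label
    return "other"


def scan_media(root):
    """Walk a mounted drive and return sorted (relative path, reason) findings."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            if name.lower() in BLOCKED_NAMES:
                findings.append((rel, "autorun file"))
            elif ext in BLOCKED_EXTENSIONS:
                findings.append((rel, f"blocked type {ext}"))
            else:
                kind = sniff(full)
                if kind != "other":
                    findings.append((rel, f"{kind} content behind {ext or 'no'} extension"))
    return sorted(findings)


def build_sample_media():
    """Create a constructed sample 'USB drive' in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="media-")
    os.makedirs(os.path.join(root, "docs"))
    samples = {
        "docs/readme.txt": b"site notes for the pump controller\n",
        "docs/manual.pdf": b"%PDF-1.4 constructed placeholder\n",
        "docs/report.docx": b"MZ\x90\x00" + b"\x00" * 60,   # executable renamed as a document
        "update.exe": b"MZ\x90\x00" + b"\x00" * 60,
        "autorun.inf": b"[autorun]\n",
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    media = build_sample_media()
    for rel, reason in scan_media(media):
        print(f"REJECT {rel}: {reason}")
```

A kiosk built on this idea rejects the whole device on any finding rather than deleting individual files, since the operator cannot know what else the same device carries; the anti-malware scan with multiple engines that the post describes would run after these cheap structural checks pass.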

Rich O'Hanley commented on a post on Blogger.
Fred Touchette, manager security research at web and email security company AppRiver [www.appriver.com], explains, “The Love Bug originated in May 2000 and was a self-propagating worm that attached itself to emails with the subject line ‘ILOVEYOU’ and an attachment labelled ‘LOVE-LETTER-FOR-YOU’. The attachment was made to look as if it were a simple .txt file though in actuality it was a .vbs (Visual Basic Scripting) file that ran when the file was opened. The fact that the file had a hidden double extension was due to how Windows operating systems interpreted the filenames at the time of reading them (from left to right and stopping after the first period it came across), thereby hiding the rest of the filename and its true file type. Once executed, The Love Bug would replace the majority of files on its new host computer with copies of itself and would then go as far as to place itself in the Windows Registry to make sure it ran at every startup. The worm would also propagate by sending its malicious payload to every contact in the infected machine’s contact list, which allowed it to travel quickly and spread across borders in a matter of hours. In the end, it was said that ‘ILOVEYOU’ spread to at least 20 countries and caused more than $15 billion in damages.”

Touchette also explained the techniques of the Love Bug in comparison to more recent campaigns, including Stuxnet.
“The Internet worm has evolved since its early inception as a self-propagating concept. In the past, worms like The Love Bug relied on email to get from machine to machine, but nowadays, that’s just one of the arrows in their quiver of tricks. Now an Internet worm can seek out attached media devices or traverse network shares. Or in the case of Stuxnet, even jump onto an air-gapped network and make its way through very specific industrial control systems.”

“We still see these types of cyber tricks that attempt to manipulate users’ heart strings and encourage rash decisions. Such attacks can – and do – propagate quickly over social media as well as other, more traditional methods such as email and infected websites. When The Love Bug made its initial rounds in 2000, there were an estimated 361 million people using the internet. Today, there are about 1.23 billion active monthly users on Facebook alone and an estimated 3.1 billion Internet users. That is a huge target demographic primed and ready to click on the first love letter that appears in their inbox.”

Whilst we still see these attacks today, the security landscape has changed. Enterprises and homes are more equipped than ever before and yet there are still warning signs to look out for.
“It’s amazing to think of the leap in technology in just the last 15 years and the dangers that have evolved alongside it. Back in 2000, anti-virus and firewalls were a foreign concept to many computer users. Now they’re both considered baseline security measures and come pre-installed and run alongside the most common operating system.

“Malware authors are always looking for a chance to leverage a newly-discovered vulnerability. That’s why it is so important for users to remain vigilant. If it looks too good to be true, it is. If you don’t recognize the sender or you weren’t expecting a piece of mail that shows up in the inbox, it’s best to err on the side of caution and just delete it. Stay informed and in touch with potential pitfalls. If we all use a little more caution we can make a great impact in IT security so that everyone can enjoy this holiday with loved ones rather than formatting hard drives and monitoring bank accounts for illicit activity.”
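Touchette's description of the Love Bug attachment turns on one detail: the script had a hidden double extension, so a client that hides the final extension showed a .vbs file as a .txt. The following is an added example, not code from the original post or from AppRiver; it is the check a mail gateway or attachment filter can apply to an inbound attachment name, flagging names whose executing extension is masked by a document-looking one. The extension lists are assumptions for the example, not a complete policy, and the sample attachment names are constructed (the first one is the name as the post describes it).

```python
"""Flag e-mail attachment names that dress a script up as a document.

Added example, not code from the original post.  It models the trick the post
describes: a client that hides the final extension shows
LOVE-LETTER-FOR-YOU.TXT.vbs as LOVE-LETTER-FOR-YOU.TXT, so the user believes
they are opening a text file.  The extension lists are assumptions for the
example, not an exhaustive policy.
"""
import ntpath

# Types that execute when opened (Windows Script Host, shell, PE): assumed list.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta",
                     ".bat", ".cmd", ".ps1", ".exe", ".scr", ".pif"}
# Types a user expects to be harmless to open: assumed list.
DOCUMENT_EXTENSIONS = {".txt", ".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".png"}


def displayed_name(filename):
    """What a client with 'hide extensions for known file types' would show."""
    stem, ext = ntpath.splitext(filename)
    return stem if ext else filename


def classify_attachment(filename):
    """Return 'disguised-script', 'script', 'document' or 'other' for one attachment name."""
    stem, ext = ntpath.splitext(filename)
    ext = ext.lower()
    if ext in SCRIPT_EXTENSIONS:
        # The extension the user *sees* is the one left on the stem; if that
        # looks like a document, the name was built to deceive.
        visible_ext = ntpath.splitext(stem)[1].lower()
        return "disguised-script" if visible_ext in DOCUMENT_EXTENSIONS else "script"
    if ext in DOCUMENT_EXTENSIONS:
        return "document"
    return "other"


def triage(attachment_names):
    """Return (name, verdict, name as the user would see it) for attachments to hold for review."""
    held = []
    for name in attachment_names:
        verdict = classify_attachment(name)
        if verdict in ("disguised-script", "script"):
            held.append((name, verdict, displayed_name(name)))
    return held


# Constructed sample of attachment names from an inbound mail batch.
SAMPLE_ATTACHMENTS = [
    "LOVE-LETTER-FOR-YOU.TXT.vbs",   # the 2000 worm's attachment name, as the post describes it
    "invoice_march.pdf",
    "holiday photos.jpg.scr",
    "setup.exe",
    "notes.txt",
]

if __name__ == "__main__":
    for name, verdict, shown in triage(SAMPLE_ATTACHMENTS):
        print(f"HOLD {name!r}: {verdict} (user would see {shown!r})")
```

The `displayed_name` helper exists so the alert can tell an analyst what the recipient would have seen, which is the part of the trick the post stresses; the verdict itself rests only on the real, final extension.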

Rich O'Hanley commented on a post on Blogger.
TK Keanini, CTO of Lancope, adds:

"If you only read one page, or have one take away from the report, it will be the concept of the ‘detection deficit’ as it is appropriately named the primary challenge to all of our defense strategies against this advanced threat.

Figure 5, called the Defender-Detection Deficit: "...the proportion of breaches discovered within days still falls well below that of time to compromise. Even worse, the two lines are diverging over the last decade, indicating a growing “detection deficit” between attackers and defenders. We think it highlights one of the primary challenges to the security industry."

"This is an architectural problem as many of the networks were built back when advanced telemetry was a nice to have and not mandatory to operations.  There are just too many places for the attackers to hide and remain hidden as they carry out their objective across the attack continuum.  If you are not detecting and remediating attackers on a weekly or monthly basis, chances are they are in your network, you just don’t know it yet."