Friday, 31 July 2015

NatWest Online Banking Crashes - Again

Blogger: Hannah Doughty

The social media team at @NatWest_help has gone into overdrive, fending off hundreds of complaints from customers over online banking and payment problems afflicting the glitch-prone UK bank.
The latest tech failure comes just six weeks after the bank suffered an embarrassing breakdown that caused over 600,000 transactions and hundreds of thousands of pounds in payments to go missing.

Today's problems could be even more serious, arriving at the end of the month when customers traditionally look to draw down their monthly salary payments. The bank's IT team is scrambling to find the source of the problems, much to the fury of customers who have been expressing their anger on Twitter.
NatWest parent RBS and Ulster Bank were hit with a £56 million fine by regulatory authorities last year over a computer malfunction in 2012 that locked customers out of accounts and knocked out payments processing systems.

At the time, RBS chief Ross McEwan admitted that the bank had failed to invest properly in its IT system for decades and promised to invest an extra 750 million pounds by the end of 2015 to enhance the security and resilience of its IT systems.

Following last month's meltdown, RBS bosses pledged to invest a further £150 million a year to improve the resilience of its IT systems.
Have you been affected? 

Hanesbrands Inc Suffers 900k Customer Data Breach

Hanesbrands Inc. (an American clothing company) said on Wednesday that a customer order database was breached by a hacker in June, compromising information for about 900,000 online and telephone customers.
The hacker gained access to general customer information through the company’s website by posing as a “guest” customer checking an order, meaning they weren't registered on the site. The hacker was able to get information including addresses, phone numbers and last four digits of a credit or debit card of other customers, Hanesbrands spokesman Matt Hall said.
“They were able to manipulate the system like they were a customer,” Hall said. “They could check order status using a screen grab.”
Customers are being notified by email or mail.
Hall said the hackers weren't able to enter corporate software systems. He also said Hanesbrands was notified by the hacker “to let us know that it had been done.”
“We brought in cybersecurity personnel to determine if the vulnerability was there and the data was viewable, and it was,” Hall said.
Have you got an Incident Response plan in place?

Monday, 27 July 2015

John McAfee Hacks Ashley Madison - Again

Wildcard former securityware kingpin John McAfee reckons the Ashley Madison adultery-site hack threatens to "literally destabilise society", and was definitely the work of an individual acting alone.

For reasons that no doubt seem good to him, he said he has also breached the site again himself.

The one-time Guatemalan trinket peddler's pronouncement follows his earlier judgment that May's Adult Friend Finder hack was "one of the scariest hacks since the existence of computers".

That title, in McAfee's mind, now clearly belongs to the breach of Ashley Madison. He made his latest assertion using popular blogging platform and IB Times.

Portraying himself as somewhere between giggling and despairing at the Ashley Madison events, less than 24 hours after the breach McAfee decided to find out how difficult it might be to penetrate the infidelity institution once again.

From the comfort of his own bed, he claims, he called Avid Life Media, Ashley Madison's parent company which also runs the Cougar Life and Established Men websites. These "were all hacked" he reminded readers. "So we are really talking about 50 million people, not 37 million."

Phoning around and compiling the names of the IT department head and those of the head's subordinates, McAfee rang each until he found a number which did not provide an answer, which, he wrote, offered him a key social engineering opportunity.
I called the corporate headquarters back and agitatedly informed them that I had an urgent legal matter with that person and that I must immediately speak with his assistant or secretary, and that only they could help me.
Without question, and immediately, I was connected with his secretary. I posed as a member of an international enforcement agency – that does not really exist, by the way – and implied that her boss might have been involved in the recent hack and I needed to verify that she really was who she said she was.
Within 30 seconds of saying hello I had both her password and her boss's password written down.
McAfee claims to have thrown both passwords away and to have no intention of doing anything with them.

Following a breach, have you got policies and procedures in place to deal with this?

Monday, 20 July 2015

Breach Fatigue #ITSecurity #vulnerability

Nick Prescot

We welcome Nick Prescot, Information Security Manager at ZeroDayLab, as our first new blog contributor.

by Nick Prescot.

To those out there that have missed my blogs since January, fear not, I have been in a job transition and so busy with the new job that it has only recently become apparent that there was some point in continuing the blog as the marketing manager pushed me to get it going again!  So that’s enough about me and I hope to continue in my observations and musings about infosecurity.

There’s one thing that hasn’t changed over the last 6 months and that’s the continuous stream of breach notifications that has been hammering us on a daily basis.  On the back of the Heartbleed and POODLE bugs that got everyone in the industry very excited, there seems to be a chase for the next big ‘bug’ that will get every infosec manager in the land the magic 15 mins of attention where they can remind everyone of the importance of security and, once it’s fixed, wait for the next one.

Having been the internal infosec manager for a while, and now on the other side of the fence where I’m being the consultant in this space, one does start to wonder about the impact that information security has in many of today’s businesses.  Every company has a different risk/threat picture, so just because you can’t have a scenario where email is down for more than 3 mins, or your payment gateway requires 99.99999%, it doesn’t mean that robust and resilient systems should take second precedence over availability and usability.

The infosec world seems to be chasing the next immediate action to the next zero-day vulnerability so that the SOC can prove to themselves that they can react, respond, eradicate and contain any ‘bad’ that comes into their network and system…and then brag about it!

So, before I see another vulnerability come across my Twitter feed, it’s always worth a look at how the airline industry and the car industry share the safety vulnerabilities that come into play…they are not hiding them but openly sharing information.  The infosec world could and should do a lot better in this respect.  There are many aspects where CERT releases threats in the open…but the reality is that when I’m onsite and you are looking for patches and change management in response to the threat, quite often it’s not there because it’s too scary/painful/bureaucratic to deal with.

Therefore, there is a big gap in culture between many of the teams, departments, divisions and corporations and the modus operandi of the safety-focused culture of the airline and the car industry. To give a classic example, the Euro NCAP rating is used as a tool to help the wider public know if their cars are safe; there are similar measures such as the CSA STAR program that give hosting providers a similar level of assurance to the wider public about their security posture, which goes some way towards this but is unfortunately not widely adopted.

Going back then to the concept of breach fatigue.  We know that cars (and, not so much, planes) crash or have faults the whole time, but we also learn from and adopt the safety improvements made to ensure that the future risks are kept to a minimum.  However, the same cannot be wholly said for the retail/commercial sector, for example.  When we shop online it’s sometimes hard to find the part of the website that shows that it’s secure.  We all assume that online banking is safe, but we are doing this on the basis that many online banking websites force us to use 2-factor authentication…but how many people check that the page is on HTTPS with a valid 3rd-party signed certificate?

So, when you’re next reading the news about the latest vulnerability that affects Adobe Flash and Skype, think of the basics that stem from the security standards and apply them!  Whether you’re an infosec manager or a silver surfer…a lot of these breaches can be mitigated against:
     1) Make sure that your anti-virus is kept up-to-date (ok, people with an Apple Mac might scoff at this!)
     2) Update your laptop and phone ASAP.  Yes, that little number on Settings on the iPhone: there might be an update…it might be there to change things but it’s also there to download the latest security updates.
     3) If you use a browser, check the extensions that you are using (especially Chrome).  The same goes for Internet Explorer toolbars.
     4) Check the padlock on HTTPS websites…and that it’s not a self-signed cert, especially when using online payments.
     5) Use verified tools that scan your computer for unknown applications…Whilst they might not be malicious, if you don’t need ‘em, delete ‘em.
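Tip 4 as a check you can run on the certificate dictionary Python's `ssl` module hands back from `getpeercert()`, added here as an example that is not part of Nick's post: it flags a self-signed cert (subject equals issuer), an expired or not-yet-valid cert, and a hostname that is not in the subjectAltName. The two certificates are constructed for the example and the clock is pinned to the post's date.

```python
import ssl
import time


def _rdn_dict(rdn_seq):
    """Flatten getpeercert()'s nested subject/issuer tuples into a dict."""
    return {k: v for rdn in rdn_seq for (k, v) in rdn}


def _host_matches(pattern, hostname):
    """Match a DNS name; a single leading wildcard label is allowed."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return (hostname.count(".") == pattern.count(".")
                and hostname.endswith(pattern[1:]))
    return pattern == hostname


def check_cert(cert, hostname, now=None):
    """Return the list of problems found; an empty list means the cert passes."""
    now = time.time() if now is None else now
    problems = []
    subject = _rdn_dict(cert.get("subject", ()))
    issuer = _rdn_dict(cert.get("issuer", ()))
    if subject == issuer:  # a self-signed cert names itself as issuer
        problems.append("self-signed: subject equals issuer")
    if ssl.cert_time_to_seconds(cert["notBefore"]) > now:
        problems.append("not yet valid")
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        problems.append("expired")
    # Hostname must match a subjectAltName DNS entry; the CN is ignored,
    # as browsers do today.
    names = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(_host_matches(n, hostname) for n in names):
        problems.append("hostname %s not in subjectAltName %s" % (hostname, names))
    return problems


# Constructed samples in getpeercert() format (not from any real site).
GOOD_CERT = {
    "subject": ((("commonName", "online.bank.example"),),),
    "issuer": ((("organizationName", "Example Trust CA"),),
               (("commonName", "Example Trust CA G2"),)),
    "notBefore": "Jul  1 00:00:00 2015 GMT",
    "notAfter": "Jul  1 00:00:00 2016 GMT",
    "subjectAltName": (("DNS", "online.bank.example"), ("DNS", "*.bank.example")),
}
SELF_SIGNED = dict(GOOD_CERT, issuer=GOOD_CERT["subject"])
NOW_2015_07_31 = 1438300800  # epoch for 31 Jul 2015 00:00 UTC, the post's date
```

On a live connection the same dict comes from `ssl.create_default_context().wrap_socket(sock, server_hostname=host).getpeercert()`, where the default context already rejects untrusted chains before this check even runs.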

Now, instead of looking like a puzzled minion when you do get breached, because you don’t know what to do or how to react, the above are some simple steps.  You wouldn’t buy a car without brakes or airbags on the open road, so why would one ignore the above?  This is for personal use, but if there is a bigger security problem you’re grappling with…er…ahem…this is what I do for a living so do contact me if there’s a bigger issue!

More about Nick...

'Nick Prescot is currently a Senior Information Security Manager at ZeroDayLab Ltd. and is responsible for Governance, Risk and Compliance (GRC) and Incident Response (IR) consultancy and advisory services at ZeroDayLab.  Nick aims to assist companies who are looking to improve their cyber resilience and posture in the ongoing battle against emerging and continuing cyber threats.  By taking a detailed and holistic view of clients' policy and governance infrastructure, entwined with incorporating information assets within corporate risk registers, Nick is able to provide a clear strategy to clients so that their infosec operations and processes are aligned to industry practice.

Nick is also a seasoned incident response manager and, when there is a security and/or availability incident, Nick is able to ensure that the incident is remediated as soon as possible and to deploy the specialist response assets that can remediate the incident. Nick also assists with the crisis management and media elements so that all parties are correctly informed as part of the resolution efforts.'

Friday, 17 July 2015

Disgruntled Morrisons Worker Leaks 100k Employee Records

After being warned against using the mailroom to send out private parcels, former Morrisons employee Andrew Skelton, 43, leaked bank and personal data of nearly 100,000 supermarket staff.
The data breach at the company's Bradford head office cost the firm more than £2 million to put right.
Information which included salaries, National Insurance numbers, dates of birth and bank account details of employees was sent to The Guardian, Trinity Mirror and the Bradford Telegraph & Argus last year, as well as to data sharing websites.
Mr Skelton was disciplined in 2013 after a package was found in the HQ post room. Skelton had been conducting eBay deals using the post room.
The defendant bore a grudge against Morrisons, leading to his offending in this case. A draft resignation letter found by detectives and written by Skelton spoke of his “little concern for the company”.
Skelton, of Liverpool, denies counts of fraud by abuse of position, unauthorised access to data with intent to commit an offence and disclosing personal data. The trial continues.
Todd Partridge, director at Intralinks says, “The consequences of an attack from the inside can be every bit as serious as being hacked from the outside. Research by the Ponemon Institute shows that 51 percent of respondents aren't convinced their organisations have the ability to manage and control user access to sensitive documents and how they are shared.”
How do you manage privileged users?

Thursday, 16 July 2015

D-day Has Arrived: End of Life for Windows XP

Microsoft has ended anti-malware support for Windows XP, even though the operating system remains very much in circulation.

On April 8, 2014, Microsoft had decided to stop supporting Windows XP, which is popular for running businesses and government servers. However, for another year and a half, the company decided to provide anti-malware updates for its security apps running on this particular OS version, in order to help keep Windows XP users moderately safe while they planned their upgrades.
Effective yesterday, Microsoft’s security solutions will no longer get updates on the 14-year-old operating system, as the anti-malware support for Windows XP has come to an end, something that it had been warning users about for months. Those still running Windows Server 2003 will be increasingly vulnerable to hackers.
In other words, newly found security holes won’t be fixed and will remain available for cybercriminals to exploit, increasing the risk of a security breach. That risk could lead to some businesses being barred from accepting credit card payments. However, the software still works, for now.
How are you dealing with this in your organisation?

Monday, 6 July 2015

Sun Partially Cloudy and Botnets - ZeusVM

The Internet could see a new wave of botnets based on the ZeusVM banking Trojan after the tools needed to build and customize the malware program were published.
The source code for the builder and control panel of a ZeusVM version was leaked sometime in June, according to a malware research outfit called Malware Must Die (MMD). The leak was kept under wraps by the researchers as they tried to stop the files from becoming widely available, an effort that ultimately exceeded their resources.
As a result, the group decided to go public with the information Sunday in order to alert the whole security community so that mitigation strategies can be developed.
ZeusVM, also known as KINS, is a computer Trojan that hijacks the browser process in order to modify or steal information from websites opened by victims on their computers. It's primarily used to steal online banking credentials, but other types of websites can also be targeted as long as attackers list them in the configuration file downloaded by the Trojan from the Internet.
As its name suggests, ZeusVM is based on the infamous Zeus Trojan, whose own source code was leaked in 2011 after years of being the primary malware tool used for online banking fraud.
Do you carry out regular source code reviews?