Month: September 2017

North Korean Hackers Blamed for Bitcoin Attacks

North Korean Hackers Blamed for Bitcoin Attacks

North Korean state hackers are increasingly looking to steal crypto-currency to fund the regime and circumvent tightening sanctions, according to FireEye.

The security vendor’s ‎senior cyber threat intelligence analyst, Luke McNamara, revealed a spike in spear-phishing attacks targeting South Korean Bitcoin exchanges since May.

The timing is important because April saw the US announce increased economic sanctions against North Korea.

“The spear-phishing we have observed in these cases often targets personal email accounts of employees at digital currency exchanges, frequently using tax-themed lures and deploying malware (PEACHPIT and similar variants) linked to North Korean actors suspected to be responsible for intrusions into global banks in 2016”, he explained.

Those raids are thought to have been the work of sophisticated North Korean state group Lazarus.

“Add to that the ties between North Korean operators and a watering hole compromise of a bitcoin news site in 2016, as well as at least one instance of usage of a surreptitious cryptocurrency miner, and we begin to see a picture of North Korean interest in cryptocurrencies, an asset class in which bitcoin alone has increased over 400% since the beginning of this year”, said McNamara.

By compromising an exchange, the attackers could steal cryptocurrencies from online wallets, swap them for more anonymous digital currencies or send the funds to wallets on different exchanges to withdraw as fiat currencies.

The latter tactic takes advantage of the fact that, in some countries, anti-money laundering rules around online currencies may be relatively lax, McNamara argued.

The news comes as Kaspersky Lab revealed a huge increase in the number of computers attacked with malware designed to conscript them into a botnet and silently install cryptocurrency mining software.

Hackers are using two armies of botnet controlled machines to mine Bitcoins and the like, with the Russian AV vendor observing criminals making off with more than £151,538 ($200,000) from a botnet of just 5000 PCs.

In 2013 Kaspersky Lab protected around 205,000 users globally targeted by this type of threat. In 2014 the number jumped to 701,000, and it has more than doubled again in the first eight months of 2017 to reach 1.65 million.

“The major problem with malicious miners is that it is really hard to reliably detect such activity, because the malware is using completely legitimate mining software, which in a normal situation could also be installed by a legitimate user,” argued Evgeny Lopatin, malware analyst at Kaspersky Lab.

“Another alarming thing which we have identified while observing these two new botnets, is that the malicious miners are themselves becoming valuable on the underground market. We’ve seen criminals offering so-called miner builders: software which allows anyone who is willing to pay for full version, to create their own mining botnet. This means that the botnets we’ve recently identified are certainly not the last ones.”

Romanticizing Bugs Will Lead to Death of Information Security

Too much focus on vulnerabilities and their impact is leading information security into a slow death.

Romanticizing Bugs Will Lead to Death of Information Security

Speaking in the keynote address at 44CON in London, security researcher Don A. Bailey said that while “we’re getting good at reducing problems and addressing problems, information security is dying a death it has earned.”

Focusing on bugs and vulnerabilities, Bailey said that his initial perception of information security was about reducing risk for consumers, but that perception was “so off base as all we do is talk about bugs but we are blind to what they mean and are composed of.

“We see new technology coming out, the punditry reel starts spinning with a cool new ‘whatever’ and we ignore technology and where it comes from and how it is sold and what manufacturing looks like, and we ignore the engineers that put effort into building the technology.”

Calling the concept “bug fetishizing’, Bailey pointed at the Blueborne vulnerability, which has received fresh attention this week after Microsoft issued a patch for it. Bailey argued that while the bug is massive, it has been around for a while and it is super easy to remediate it.

“People use it to raise money and we see it in the community all the time and not only by start-ups, but to raise money creating an environment in how cool a vulnerability is,” he said.

“I get a bit tired of hearing about these issues over and over as there is nothing new about Bluetooth vulnerabilities, it is the same old crap as we found a couple of years ago. This is nothing new and not pushing things forward.”

Bailey highlighted what he called the “romantic nature of bugs” and their “reproduction”, saying that we “see vulnerabilities in the wild and they are reproduced a million times” which is not reducing vulnerabilities in any way.

He also said that we are taking extremely small issues and blowing them up, and also focus more on intricate vulnerabilities than the defenses against them.

“Finding bugs that are useful is a great thing, but doing something with it is another thing; we want real models in information security and IoT that we can resolve.”

Bailey concluded by saying that information security is in a worse state than 10 years ago, and 10 years ago there were probably 10 consultancies and now, only a few organizations are doing groundbreaking research.

“Companies say specialize in information security but outsource for skills and don’t feel like paying someone for expertise when they can hire, with reputable universities pumping out graduates with information security degrees. It is true we need more people but who needs them: consultancies who break ground, or companies who need more people – a fraction of a % are doing groundbreaking research and that is why information security is dying.”

Four Things Businesses Should be Doing to Protect from Cyber-Attacks

It’s a fact that every business needs to accept: everyone is at risk of a cyber-attack. What’s unfortunate is how many companies aren’t taking this seriously.

There are a host of basic best practices that a majority of corporate networks are failing to implement, and it’s leaving them critically vulnerable.

At the very minimum, there are four things every business should be doing to protect their online presence and to protect their customers from the fallout from a cyber-attack: instituting employee password policies; encrypting and hashing sensitive information; hosting their whole site over HTTPS; and keeping their software up-to-date.

Password Policies
If anything in the cybersecurity industry can be called an epidemic, it has to be bad password habits. It’s a serious problem, and one that has been poorly addressed. People are using poorly designed passwords, and they’re using them for a multitude of online profiles, meaning that if their login is cracked once, it’s cracked everywhere.

Part of the problem is how we’ve addressed it so far. Some websites and systems take it upon themselves to enforce password requirements mechanically, rejecting passwords for new profiles unless they meet certain criteria. This is problematic for two reasons: first, when faced with the prospect of having to generate yet another complicated “P@s5w0rd!” the user either comes up with something painfully simple and easy to guess with a dictionary attack, or they reuse a password that has worked in the past. Neither is a safe practice.

The other problem is on the hacker’s side. If they know that a website requires a number, a capital, and a special character, then they can trim their dictionary attack, removing all options that don’t include those values. So rather than making the passwords harder to crack, it actually makes it a lot easier.

The matter has been discussed by a number of very smart people, who have all commented on how flawed the system is. While the issue is hard to address with the general public (who tend to use paths of least resistance), something can definitely be done with regards to employees of a company. Good password habits (including the optional use of a password manager) can and should be taught, and a password policy instituted. It won’t fix every case, but a majority of people can get on board, it will significantly reduce the risk of intrusion.

Encryption and Hashing
For reasons that are hard to fathom, many businesses are still keeping sensitive information stored in cleartext. Everything from customer information to login passwords are left vulnerable and unguarded, just waiting for someone to guess the manager’s “justinbieber4eva” password and gain root privileges.

This is a basic practice that so many have neglected; hash what you can, encrypt everything else. Even in smaller businesses that don’t always have access to the same level of cyber talent, it’s not that hard to get in touch with experts who can help with that sort of thing.

HTTPS Hosting
HTTPS came out in all the way back in 2000. Nearly 20 years later, and data transfer protocols are still a serious issue. The sooner each business gets on the bandwagon and hosts their whole website over HTTPS, the sooner we can migrate the majority of the internet to more secure protocols.

The reason it’s important to host the whole website on HTTPS is that leaving portions of the site unencrypted leaves a backdoor access to more sensitive areas for hackers. We’re past the point where just encrypting the page where you enter credit card information is good enough. If you have an online presence, it should be hosted on HTTPS. What’s more, keeping keys and certificates in order is also important. The whole system is essentially useless if unscrupulous individuals gain access to valid certificates.

Software Updates
The uninitiated think software updates are annoying. The rest of us, though, are well aware that, in many cases, the updates are all that stand between you and the hacker. If you’re one of the enlightened, be sure you’re spreading the word at your company, so that those with administrator privileges are keeping things up-to-date.

If you aren’t aware, here’s your infosec crash course. Software updates do three things: fix bugs, add features, and plug security holes. Without software patches, when a hacker learns to exploit a flaw in the software, there’s nothing stopping them, or any of their friends they talk to about the hole. When developers find these gaps in security, they patch them. You shouldn’t be frustrated that Microsoft or Apple just pushed out another update for the OS. You should be thanking them.

If we, and the businesses we work for, could catch up in these four areas, it would go a long way towards defending against incursion. It’s true that no system is 100% secure. Let’s be honest though; the ones we’ve got now could do a lot better.