Winners of a security quiz staged by Taiwan’s Criminal Investigation Bureau may be wondering why they tried so hard to do well after some of the USB drives handed out as prizes turned out to be wretched hives of malware and villainy. According to the Taipei Times, the Bureau hosted an infosec event in December 2017 and gave 250 drives to people who won a cybersecurity quiz. It has since emerged that 54 of the 8GB drives were infected by a computer that an employee of supplier Shawo Hwa Industries Co used to load an operating system onto the drives and test their storage capacity.
While the drives were manufactured in China, the Taipei Times said there is no suggestion that espionage was the motive. The good news is that the infection was an old virus, which Chinese-language site Liberty Times names as XtbSeDuA.exe, that tries to steal personal data from 32-bit machines. The CIB says stolen data was forwarded to a relay IP address in Poland that was associated with Europol raids on an electronic funds fraud ring in 2015.
The police added that the server receiving the data from the latest infections has been shut down.
The prizes were handed out from December 11 until December 12, when complaints from the public started arriving; 34 of the infected drives are still in circulation somewhere.
In late November it was revealed that Uber had reportedly paid cyber attackers $100,000 to delete breached data, and had concealed the incident for over a year. In the wake of the news, Uber’s chief security officer Joe Sullivan had to resign from the company. Uber's breach highlights the fact that passwords and simple two-factor authentication are no longer enough to stop attackers.
81 percent of data breaches involve attackers using stolen credentials, and Uber has now lost the personal data of another 57 million riders and drivers. In Uber's case the weak link was the authentication process around GitHub and AWS. This breach will have knock-on effects in the cyber-security industry, as stolen credentials often lie dormant on the dark web or in the possession of cybercriminals, only to resurface in the future. Uber users should reset their account passwords for the app and for any other account where the same password was re-used. Organizations (especially global businesses like Uber!) need to implement smart, adaptive methods of authentication with contextual risk analysis built in throughout, negating the damage of stolen or lost credentials. Here's a recap of how the Uber attack took place: attackers gained access to a private GitHub repository used by Uber software engineers. They then used login credentials obtained there to access data stored in an Amazon Web Services (AWS) account that handled computing tasks for the company. From this point the hackers were able to uncover a valuable archive of rider and driver information. Armed with this data, they contacted Uber to demand money.
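The chain in that recap starts with credentials sitting in a repository, which is the one link a development team can break mechanically: scan every commit before it is pushed. The following is an added example (not code from the article, from Uber or from SecureAuth) of a pre-commit or CI gate that walks the added lines of a unified diff and fails on credential-shaped strings. The diff text is constructed for the example; the AWS values in it are the placeholder credentials AWS publishes in its documentation, not live keys.

```python
"""Secret scan over the added lines of a unified diff, for use as a
pre-commit hook or CI gate.

Added example for the credential-in-repository weak link described in the
recap above; it is not code from the article, from Uber, or from SecureAuth.
The diff text below is constructed for the example; the AWS values in it are
the placeholder credentials AWS publishes in its documentation, not live keys.
"""
import re
import sys

# Credential shapes a reviewer would not want committed. The AWS access key
# ID format (AKIA followed by 16 upper-case alphanumerics) is documented; the
# others are generic shapes and will produce some false positives, which is
# the right trade-off for a blocking gate that a human can override.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['\"]?[A-Za-z0-9/+=]{40}['\"]?"
    ),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "generic_password": re.compile(
        r"(?i)(password|passwd|pwd)\s*[=:]\s*['\"][^'\"]{8,}['\"]"
    ),
}

HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def added_lines(diff_text):
    """Yield (path, new_line_no, text) for each '+' line in a unified diff.

    File headers ('--- a/x', '+++ b/x') and hunk headers are consumed to
    track the current file and line number; removed lines are ignored.
    """
    path, line_no = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].strip()
            path = path[2:] if path.startswith("b/") else path
        elif raw.startswith("--- ") or raw.startswith("diff "):
            continue
        elif HUNK_HEADER.match(raw):
            line_no = int(HUNK_HEADER.match(raw).group(1))
        elif raw.startswith("+"):
            yield path, line_no, raw[1:]
            line_no += 1
        elif not raw.startswith("-"):
            line_no += 1  # unchanged context line


def scan_diff(diff_text):
    """Return a list of findings: one dict per (added line, pattern) hit."""
    findings = []
    for path, line_no, text in added_lines(diff_text):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(text):
                findings.append({"file": path, "line": line_no, "type": name})
    return findings


# Constructed diff: a developer replaces environment lookups with literals
# and adds a private key file. Both should be caught before they are pushed.
SAMPLE_DIFF = """\
diff --git a/deploy/settings.py b/deploy/settings.py
--- a/deploy/settings.py
+++ b/deploy/settings.py
@@ -1,3 +1,5 @@
 import os
-AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+DB_PASSWORD = "hunter2-but-longer"
 REGION = "us-east-1"
diff --git a/config/deploy_key b/config/deploy_key
--- /dev/null
+++ b/config/deploy_key
@@ -0,0 +1,3 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEconstructedNotARealKeyBody
+-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    # Read a diff from stdin (e.g. `git diff --cached | python scan.py`),
    # or fall back to the constructed sample when run interactively.
    hits = scan_diff(SAMPLE_DIFF if sys.stdin.isatty() else sys.stdin.read())
    for hit in hits:
        print(f"{hit['file']}:{hit['line']}: possible {hit['type']}")
    sys.exit(1 if hits else 0)  # non-zero blocks the commit / fails the job
```

Run against the sample it reports four findings (the access key ID, the secret key, the database password and the private key) and exits non-zero. The patterns are deliberately broad; a gate like this belongs in CI as well as on developer machines, because a local hook is trivially bypassed with `--no-verify`.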
Learning from Uber's mistakes, there are three key steps businesses can take to ensure they don't fall victim to a similar attack:

1. Protect GitHub repositories with strong, multi-factor authentication (MFA). Additional authentication steps can be triggered by characteristics including suspicious originating network behaviour (such as use of an anonymous proxy or any high-risk IP address), an unfamiliar location, or an unfamiliar device.
2. Invoke code review processes and make sure all credentials are scrubbed from GitHub repositories. This is best practice that should be adopted by all development teams.
3. Protect systems running in AWS with adaptive authentication. Adaptive access controls provide additional security beyond passwords or even MFA: looking at contextual risk factors around every user means businesses can deny high-risk or unusual access attempts.

Breaches like Uber's can also be prevented by fundamentally changing the way businesses approach identity and security. Taking a proactive approach to protecting identities and credentials should be the number one focus of any IT security team. This not only prevents the misuse of user credentials but, more importantly, reduces the risk of cyber-attacks. Organizations often try to sweep breaches under the rug.
This may be due to fear of brand or reputational damage, a hesitation to reveal company details, fear of further questioning on practices and policies, or simply the costly clean-up required after a breach. All of these are valid concerns. However, by effectively and promptly disclosing breaches, businesses can get in front of the story (and the backlash), helping the wider industry to learn from the breach and act to minimise the chance of it happening again. There is plenty of data available to develop mitigation strategies tailored for vertical sectors or business sizes. This data can help protect an organization, or even shape best practice within an entire industry, by revealing where the threats are and the scope and size of the problem. The less-than-1% scenario, 0.003% to be exact, is the deadliest for enterprises: these are the access attempts from suspicious or known-bad IP addresses. In these cases it is almost certain that an attack is underway.
Legitimate users do not, with few exceptions, come in from bad IPs or anonymous proxies. This is classic attack behaviour, and we stop it by requiring additional factors. To further explore these risks, SecureAuth released its inaugural State of Authentication report this year. Over the course of twelve months, our team gathered data from approximately 500 customers using Adaptive Authentication. We then analysed 617.3 million user authentication attempts to identify success rates, how often multi-factor authentication was required, and the reasons behind failed authentication attempts. Nearly 90 percent of the time authentication took place without a hitch. However, the remaining 69.1 million authentication attempts were either denied outright or stepped up for additional authentication, such as a one-time passcode (OTP) or push/symbol-to-accept. The top five reasons for denying or stepping up access were as follows:
- Incorrect passwords: 60.3 million times.
- Suspicious IP address: 2.45 million access attempts stepped up to multi-factor authentication because the log-in request was coming from an unusual IP address.
- Unrecognised device: 830,000 times.
- Suspicious one-time passcode: 524,000 times, including when ‘deny’ was hit on a push-to-accept request.
- Self-service password reset: 200,000 password change requests were denied.
Of the 2.45 million authentication attempts coming from suspicious IP addresses, further analysis found that over 77,000 were denied outright because the IP address was deemed malicious, which is very concerning. Malicious IP addresses include those known to be associated with anomalous internet infrastructure, advanced persistent threat (APT) activity, hacktivism or cybercriminal activity.
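The decisions behind those categories (deny outright, step up to a second factor, or allow) come down to an ordered set of contextual checks on each attempt. The following is an added example of such a decision engine; it is not SecureAuth's code and does not reproduce their product's scoring. The threat lists, device registry and login attempts are constructed for the example, using documentation IP ranges rather than real threat data.

```python
"""Adaptive authentication decision engine over a batch of login attempts.

Added example for the adaptive authentication approach described above and
the deny/step-up reasons in the report; it is not SecureAuth's code and does
not reproduce their product's scoring. The threat lists, device registry and
login attempts are constructed for the example (the IP ranges are
documentation ranges, not real threat data).
"""
import ipaddress
from collections import Counter

# Constructed threat intelligence. In a real deployment these come from
# threat feeds: known-malicious sources are denied outright, anonymous
# proxies and other high-risk networks trigger a step-up.
MALICIOUS_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
HIGH_RISK_NETWORKS = [ipaddress.ip_network("198.51.100.0/24"),
                      ipaddress.ip_network("2001:db8:bad::/48")]

# Constructed device registry: device identifiers already seen for each user.
KNOWN_DEVICES = {"alice": {"dev-alice-phone"}, "bob": {"dev-bob-laptop"}}


def _in_any(ip, networks):
    addr = ipaddress.ip_address(ip)  # handles both IPv4 and IPv6 literals
    return any(addr in net for net in networks)


def decide(attempt):
    """Classify one attempt as ('ALLOW'|'STEP_UP'|'DENY', reason).

    Order matters: a known-bad source is refused before the password result
    is consulted, so an attacker on that source cannot use the login form
    as an oracle for which passwords are valid.
    """
    user, ip, device = attempt["user"], attempt["ip"], attempt["device_id"]
    if _in_any(ip, MALICIOUS_NETWORKS):
        return "DENY", "malicious_ip"
    if not attempt["password_ok"]:
        return "DENY", "incorrect_password"
    if _in_any(ip, HIGH_RISK_NETWORKS):
        return "STEP_UP", "suspicious_ip"  # OTP or push-to-accept required
    if device not in KNOWN_DEVICES.get(user, set()):
        return "STEP_UP", "unrecognised_device"
    return "ALLOW", "ok"


def complete_step_up(decision, second_factor_ok):
    """Resolve a STEP_UP once the second factor comes back. A refused push
    or wrong OTP is a denial in its own right, as in the report above."""
    outcome, _reason = decision
    if outcome != "STEP_UP":
        return decision
    if second_factor_ok:
        return "ALLOW", "step_up_passed"
    return "DENY", "suspicious_one_time_passcode"


def summarise(attempts):
    """Tally (decision, reason) pairs the way the report's top-five list does."""
    return Counter(decide(a) for a in attempts)


# Constructed batch of attempts (RFC 5737 / RFC 3849 documentation addresses).
ATTEMPTS = [
    {"user": "alice", "ip": "192.0.2.10", "device_id": "dev-alice-phone", "password_ok": True},
    {"user": "alice", "ip": "198.51.100.7", "device_id": "dev-alice-phone", "password_ok": True},
    {"user": "bob", "ip": "192.0.2.20", "device_id": "dev-bob-tablet", "password_ok": True},
    {"user": "bob", "ip": "192.0.2.20", "device_id": "dev-bob-laptop", "password_ok": False},
    {"user": "alice", "ip": "203.0.113.5", "device_id": "dev-alice-phone", "password_ok": True},
    {"user": "alice", "ip": "203.0.113.5", "device_id": "dev-alice-phone", "password_ok": False},
    {"user": "bob", "ip": "2001:db8:bad::1", "device_id": "dev-bob-laptop", "password_ok": True},
]

if __name__ == "__main__":
    for (outcome, reason), n in summarise(ATTEMPTS).most_common():
        print(f"{outcome:8} {reason:28} {n}")
```

Over the constructed batch this yields two denials for a malicious source (one of them with a correct password, which is the point of checking the source first), one for a wrong password, two step-ups for a high-risk network, one for an unknown device and a single clean allow. The IPv6 attempt shows why the network lists must be checked as address objects rather than string prefixes.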
Examining many of the high-profile breaches in recent years, and most recently Uber, it only takes a single successful misuse of credentials to expose highly sensitive and confidential company and customer data. These events can incur severe costs to the business and damage that may take brands years to recover from. As businesses plan for 2018 they should ensure all their systems are secured with multi-factor or adaptive authentication technology.
This essential step provides a dynamic defence against opportunistic cyber-criminals and is vital for protecting valuable business data.
Security researchers from the University of Birmingham last week went public about security shortcomings in mobile banking apps that leave millions of users at heightened risk of hacking. The researchers developed a tool called “Spinner” to perform semi-automated security testing of mobile phone apps. After running the tool on a sample of 400 security-critical apps, they identified a serious flaw in many banking apps, including those offered by HSBC, NatWest and Co-op as well as Bank of America’s Health account app. The researchers found that although banks had been diligent in building security into their apps, one particular technology used, so-called certificate pinning, which normally improves security, meant that standard tests failed to detect a serious vulnerability that could let attackers take control of a victim’s online banking.
Dr Flavio Garcia, one of the researchers, explained: “Certificate pinning is a good technique to improve the security of a connection, but in this case it made it difficult for penetration testers to identify the more serious issue of having no proper hostname verification.” In practice this means an app that pins to a certificate authority but skips the hostname check will accept any certificate that authority has issued, for any domain, not just the bank's. The security weak spot created a possible mechanism for an attacker, provided they are connected to the same network as the victim (eg, a Wi-Fi hotspot), to perform a so-called “man-in-the-middle attack” and retrieve the user’s credentials, such as username and password/PIN code. Other potential avenues for attack were also found, including the possibility for a wrong-un to do some in-app phishing in software from Santander and Allied Irish Bank. These attacks would have allowed the rogue to take over part of the screen while the app was running and use this to phish for the victim's login credentials.
All the fixings
The University of Birmingham researchers worked with the banks involved and the UK government’s National Cyber Security Centre to fix all the vulnerabilities, and the current versions of all the apps affected by this pinning vulnerability are now secure. Banking customers using the same old Apple device that the researchers used (probably a first-generation iPad, which is limited to iOS 5.1.1) should think about using something else for their banking, according to app security firm Arxan. Winston Bond, technical director EMEA at the firm, urged banks to review the research and push updates to their customers.
“Banks should fix vulnerabilities as quickly as they can and push updates to their customers,” Bond said.
“One of the issues highlighted by this research is that users of older Apple devices, which are restricted to older iOS versions, can’t pick up any updates once the app developer moves the minimum OS version for the app beyond their version. They are stuck on the last compatible version, with whatever bugs and vulnerabilities that includes.
“For banks and other organisations to protect themselves from outdated apps, every major app developer has to balance the relentless pressure to adopt the latest iOS features against the need to keep updating the users of older devices,” he added. More robust cryptographic technology deployments by banks would also guard against attacks even in cases where users are connecting to services from ageing or not fully patched devices.
“Certificate pinning is a way to make sure that a mobile app will only talk directly to the server that it is meant to,” Bond explained. “All the communications traffic is strongly encrypted and it can only be understood when it gets to the right place. In this case, it stops anyone getting between you and the bank and seeing how much money you have in your account, or changing the details when you tell the bank to pay someone.
“There are several ways to implement certificate pinning, with some trade-offs between flexibility and security,” he added.
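The flaw the researchers describe is easiest to see as two independent checks, of which the affected apps performed only one. The following is an added example (not the Spinner tool, and not code from any of the banks or vendors named) that models both checks on certificates in the shape returned by Python's `ssl.SSLSocket.getpeercert()`. The certificates and host names are constructed for the example, and the pin is expressed as the issuer's common name for readability, where a real app would pin a SHA-256 hash of the CA's public key or certificate; the logic is the same either way.

```python
"""Certificate pinning with and without hostname verification.

Added example for the flaw described above; it is not the Spinner tool and
not code from any of the banks or vendors named. It models the two checks an
app should make on the certificate a server presents, using dicts in the
shape returned by ssl.SSLSocket.getpeercert(). The certificates and host
names below are constructed for the example; the pin is expressed as the
issuer's common name for readability, where a real app would pin a SHA-256
hash of the CA's public key or certificate, and the logic is the same.
"""

PINNED_ISSUER_CN = "Example Bank Issuing CA"

# The bank's real certificate, issued by the pinned CA.
BANK_CERT = {
    "issuer": ((("commonName", PINNED_ISSUER_CN),),),
    "subject": ((("commonName", "mobile.examplebank.test"),),),
    "subjectAltName": (("DNS", "mobile.examplebank.test"),
                       ("DNS", "api.examplebank.test")),
}

# A certificate the same CA issued to an unrelated customer. An attacker on
# the victim's Wi-Fi who holds any such certificate (and its key) can present
# it from a man-in-the-middle position.
OTHER_CUSTOMER_CERT = {
    "issuer": ((("commonName", PINNED_ISSUER_CN),),),
    "subject": ((("commonName", "shop.example.test"),),),
    "subjectAltName": (("DNS", "shop.example.test"),
                       ("DNS", "*.cdn.example.test")),
}

# A certificate for the bank's name but from a CA the app does not pin,
# i.e. the case pinning is designed to stop.
UNPINNED_CA_CERT = {
    "issuer": ((("commonName", "Some Other Public CA"),),),
    "subject": ((("commonName", "mobile.examplebank.test"),),),
    "subjectAltName": (("DNS", "mobile.examplebank.test"),),
}


def issuer_cn(cert):
    """Pull the commonName out of getpeercert()'s nested issuer tuples."""
    for rdn in cert["issuer"]:
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def hostname_matches(cert, hostname):
    """dNSName matching in the RFC 6125 style: case-insensitive, exact label
    match, with a wildcard allowed only as the whole left-most label and
    only for names with at least two further labels."""
    host = hostname.lower().rstrip(".").split(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        labels = value.lower().rstrip(".").split(".")
        if len(labels) != len(host) or labels[1:] != host[1:]:
            continue
        if labels[0] == host[0] or (labels[0] == "*" and len(labels) >= 3):
            return True
    return False


def pin_check(cert):
    return issuer_cn(cert) == PINNED_ISSUER_CN


def vulnerable_verify(cert, hostname):
    """The pattern the research found: the pin is checked, the hostname is
    not (the equivalent of a trust manager that verifies the pin alongside
    a hostname verifier that accepts everything)."""
    return pin_check(cert)


def fixed_verify(cert, hostname):
    """Pinning in addition to, never instead of, hostname verification."""
    return pin_check(cert) and hostname_matches(cert, hostname)


if __name__ == "__main__":
    host = "mobile.examplebank.test"
    for name, cert in [("bank", BANK_CERT),
                       ("other customer of pinned CA", OTHER_CUSTOMER_CERT),
                       ("unpinned CA", UNPINNED_CA_CERT)]:
        print(f"{name:30} vulnerable={vulnerable_verify(cert, host)} "
              f"fixed={fixed_verify(cert, host)}")
```

Both verifiers reject the certificate from an unpinned CA, which is the attack pinning is meant to stop; only the fixed one rejects the other customer's certificate from the pinned CA, which is the attack the page describes. The matcher here is for illustration: in a real client leave the TLS library's hostname verification switched on (in Python, `ssl.SSLContext.check_hostname = True`) and layer the pin check on top of it rather than replacing it.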
It’s also worth noting that the University of Birmingham team managed to carry out these attacks while following the app store licence agreement rules, which prohibit reverse-engineering or modification of apps. Real attackers won’t play so nicely. Mark James, a security specialist at anti-malware firm ESET, added: “Using financial services through your mobile device, either a smartphone or tablet, should ideally be done through your cellular mobile connection if possible, or if not, then through a VPN to minimise the chances of your connection being hijacked.”
Some initial results were given in the paper “A Security Analysis of TLS in Leading UK Banking Apps”, presented at the Conference on Financial Cryptography and Data Security in January.
The full results were given in the paper “Spinner: Semi-Automatic Detection of Pinning without Hostname Verification”, which was presented last week at the 33rd Annual Computer Security Applications Conference in Orlando, Florida, in the US.