
Page 1: Security Bulletin November 2017 · 2017-11-06

Security Bulletin November 2017

Contents

1 “KRACK” Wi-Fi Flaw Leaves Nearly All Networks Vulnerable
2 KnockKnock Campaign Targets Office 365 Corporate Email Accounts
3 Leaving Employees to Manage Their Own Password Security
4 Everyone Needs a Password Manager
5 Do Board Members Treat Cybersecurity As a Top Priority?

October 2017


1 “KRACK” Wi-Fi Flaw Leaves Nearly All Networks Vulnerable

A new vulnerability could impact all devices using WPA2 protocols to secure their Wi-Fi networks, according to a report released in the last few weeks. This vulnerability was discovered by Mathy Vanhoef and Frank Piessens at KU Leuven and announced by the United States Computer Emergency Readiness Team (US-CERT) on Monday, 16th October 2017. The "serious weakness" in the WPA2 protocol allows attackers not only to read and steal information transmitted across Wi-Fi, but also potentially to manipulate the data or insert malware.

Figure 1 – Quote from Mathy Vanhoef of imec-DistriNet, KU Leuven

To prevent the attack, users must update affected products as soon as security updates become available. Note that if your device supports Wi-Fi, it is most likely affected. During initial research, it was discovered that Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others, are all affected by some variant of the attacks. The KRACK (key reinstallation attack) vulnerability isn't a problem with the encryption itself, but rather with the "handshake process" and the way the device connects to the access point. The attack leverages the four-way handshake that is part of the WPA2 protocol, which allows users to connect to a network and then confirm their credentials for access – a process that is used by all modern Wi-Fi networks. The key reinstallation attack abuses this process by forcing the incremental transmit packet number (nonce) to be reset to zero, so the same encryption key is used again with previously used nonce values. This allows attackers to replay, decrypt or forge packets.


Wi-Fi Protected Access 2 (“WPA2”)

• WPA2 is a network security technology commonly used on Wi-Fi wireless networks. It's an upgrade from the original WPA technology, which was designed as a replacement for the older and much less secure WEP.

• It provides enterprise and consumer Wi-Fi users with a high level of assurance that only authorized users can access their wireless networks.

• WPA2 is used on all certified Wi-Fi hardware since 2006 and is based on the IEEE 802.11i technology standard for data encryption.


1 “KRACK” Wi-Fi Flaw Leaves Nearly All Networks Vulnerable (Cont.)

In practice, that means hackers could steal your passwords, intercept your financial data, or even manipulate commands to, say, send your money to themselves. An attacker needs to be physically in range of a particular Wi-Fi network to carry out the assaults, an important limitation. But given the ubiquitous use of WPA2 on tens of millions of Wi-Fi enabled devices around the world, the problem has enormous scope. For consumers, immediate actions like changing your Wi-Fi password or getting a new router won't protect against “Krack” attacks. As is too often the case, consumers will largely be at the mercy of manufacturers and software developers, relying on them to release patches and hoping there's an easy way to apply them.

Figure 2 – Quote from Lily Hay Newman of Wired Security

For now, you should still use WPA2. Its protections are still worth the risk that someone might be exploiting “Krack” somewhere near you. The best thing you can do to protect yourself is to install updates for as many of your devices as possible as soon as they come out, and make sure you only share sensitive data on sites that use HTTPS encryption. For large institutions, the key is architecting networks with multiple layers of protection, so data security doesn't hinge on any one standard. For more information please visit https://www.krackattacks.com/
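The bulletin explains that KRACK forces the transmit packet number (the per-frame nonce) back to zero, so a key is reused with nonces it has already been used with, and that this is what lets packets be replayed or decrypted. The following added example (written for this page, not code from the bulletin or from the KRACK researchers) shows the two halves of that statement with a toy counter-mode cipher: why key-plus-nonce reuse leaks the XOR of two plaintexts, and the receiver-side replay counter that only works while it is never reset. The SHA-256-based keystream, the 48-bit packet number used as nonce, and the demo key are assumptions standing in for CCMP's AES-CTR.

```python
import hashlib


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: SHA-256(key || nonce || block counter).
    A stand-in (assumption) for CCMP's AES-CTR; the property shown below holds
    for any counter-mode cipher, because the keystream depends only on (key, nonce)."""
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, packet_number: int, plaintext: bytes) -> bytes:
    """Encrypt one frame; the per-frame nonce is the 48-bit packet number, as in CCMP.
    Decryption is the same operation (XOR with the same keystream)."""
    nonce = packet_number.to_bytes(6, "big")
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


def keystream_reuse_leaks_xor(key: bytes, packet_number: int, p1: bytes, p2: bytes) -> bool:
    """If two frames are encrypted under the same key and packet number, the XOR of
    the ciphertexts equals the XOR of the plaintexts: the keystream cancels out, so
    known content in one frame reveals the other. This is the consequence of the
    nonce reset the bulletin describes."""
    c1 = encrypt(key, packet_number, p1)
    c2 = encrypt(key, packet_number, p2)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


class ReplayCounter:
    """Receiver-side replay protection: a frame is accepted only if its packet
    number is strictly greater than the last accepted one. The counter must not
    be reset when a key is (re)installed; a reset is what lets old frames through."""

    def __init__(self):
        self.last_pn = -1

    def accept(self, packet_number: int) -> bool:
        if packet_number <= self.last_pn:
            return False
        self.last_pn = packet_number
        return True


if __name__ == "__main__":
    key = bytes(range(16))  # constructed demo key, not a real credential
    print("reuse leaks XOR:", keystream_reuse_leaks_xor(key, 7, b"frame one payload", b"frame two payload"))
    rc = ReplayCounter()
    print([rc.accept(pn) for pn in (1, 2, 2, 1, 3)])  # [True, True, False, False, True]
```

The replay counter is the mitigation the patched clients implement in spirit: keep the packet-number check monotonic across handshake retransmissions, so a key reinstallation cannot rewind it.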


Things you need to know

• For Wi-Fi on your smartphones, presently no handsets are safe, so please minimise the use of public Wi-Fi on your smartphone if you have any work related information, e.g. email.

• Use tethering from your smartphone to get online and do without public Wi-Fi, until the patches are applied to your laptops.

• Contact your IT Department if you have any doubts or questions and they can provide you with advice.

“To prevent the attack, users must update affected products as soon as security updates become available.”


2 KnockKnock Campaign Targets Office 365 Corporate Email Accounts

Researchers uncovered KnockKnock, an attack on Office 365 Exchange Online email accounts, originating from 16 countries around the world and targeting organizations in manufacturing, financial services, healthcare, consumer products and the US public sector. The attackers behind KnockKnock targeted automated corporate email accounts not tied to a human identity, which often lacked advanced security policies. This campaign is based on a unique attack strategy of targeting administrative accounts commonly used to integrate corporate email systems with marketing and sales automation software. Since these accounts are not linked to a human identity and require automated use, they are less likely to be protected by security policies such as multi-factor authentication (MFA) and recurring password reset.

On gaining access to an enterprise Office 365 account, the KnockKnock campaign typically exfiltrates any data in the inbox, creates a new inbox rule and initiates a phishing attack from this controlled inbox in an attempt to propagate infection across the enterprise. The KnockKnock campaign began in May 2017 and is still ongoing, with the bulk of activity occurring between June and August. With a focus on precision targeting instead of high volume targeting, attacks averaged five email addresses for each customer. Skyhigh Networks’ researchers detected these attacks when logins to Office 365 came from unusual locations and the activities defied standard behavioral patterns as analyzed by Skyhigh’s machine learning algorithms. This analysis offered a detailed map of the attacks:

• Hackers used 63 networks and 83 IP addresses to conduct their attacks.

• Roughly 90 percent of the login attempts came from China, with additional attempts originating from Russia, Brazil, U.S., Argentina and 11 other countries.

• Targets included Infrastructure and Internet of Things (IoT) vendors, as well as departments related to infrastructure and IoT in large enterprises, across industries such as manufacturing, financial services, healthcare, consumer products and the US public sector.

• Almost all of the accounts were confirmed to be ‘non-human’ system accounts.
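The detection the bulletin describes rests on two signals: a login from a location outside an account's normal pattern, and a new inbox rule created soon after it, with extra weight when the account is a non-human service account that has no MFA. The following added example (not Skyhigh's detection logic and not the bulletin's own code) implements that correlation over a handful of constructed Office 365-style sign-in and mailbox audit events; the event fields, the "svc-" naming convention for service accounts, the baseline cut-off date and the 24-hour correlation window are all assumptions for the example.

```python
from datetime import datetime, timedelta

# Constructed Office 365-style sign-in and mailbox audit events (sample data, not a real tenant).
# Service accounts are assumed to carry an "svc-" prefix; IPs are documentation ranges.
EVENTS = [
    {"ts": "2017-05-01T08:00:00Z", "user": "svc-crm-sync@example.com", "country": "US", "ip": "198.51.100.7", "action": "login", "mfa": False},
    {"ts": "2017-05-02T08:00:00Z", "user": "svc-crm-sync@example.com", "country": "US", "ip": "198.51.100.7", "action": "login", "mfa": False},
    {"ts": "2017-05-03T09:30:00Z", "user": "alice@example.com", "country": "US", "ip": "198.51.100.20", "action": "login", "mfa": True},
    {"ts": "2017-06-15T03:12:00Z", "user": "svc-crm-sync@example.com", "country": "CN", "ip": "203.0.113.44", "action": "login", "mfa": False},
    {"ts": "2017-06-15T03:14:00Z", "user": "svc-crm-sync@example.com", "country": "CN", "ip": "203.0.113.44", "action": "new_inbox_rule", "mfa": False},
    {"ts": "2017-06-15T03:20:00Z", "user": "svc-crm-sync@example.com", "country": "CN", "ip": "203.0.113.44", "action": "send_mail", "mfa": False},
    {"ts": "2017-06-16T10:00:00Z", "user": "alice@example.com", "country": "GB", "ip": "192.0.2.9", "action": "login", "mfa": True},
]

BASELINE_END = datetime(2017, 6, 1)        # logins before this date define each account's normal countries
CORRELATION_WINDOW = timedelta(hours=24)   # mailbox changes this soon after an anomalous login are tied to it


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def is_service_account(user: str) -> bool:
    return user.split("@")[0].startswith("svc-")


def build_baseline(events):
    """Countries each account logged in from during the baseline period."""
    baseline = {}
    for e in events:
        if e["action"] == "login" and parse_ts(e["ts"]) < BASELINE_END:
            baseline.setdefault(e["user"], set()).add(e["country"])
    return baseline


def service_accounts_without_mfa(events):
    """Inventory check: service accounts that never satisfied MFA on any login."""
    seen, with_mfa = set(), set()
    for e in events:
        if e["action"] == "login" and is_service_account(e["user"]):
            seen.add(e["user"])
            if e["mfa"]:
                with_mfa.add(e["user"])
    return seen - with_mfa


def detect(events):
    """Return (timestamp, user, severity, reason) alerts for out-of-baseline logins
    and for inbox rules created shortly after such a login."""
    baseline = build_baseline(events)
    anomalous_login = {}   # user -> time of the most recent out-of-baseline login
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        ts, user = parse_ts(e["ts"]), e["user"]
        if ts < BASELINE_END:
            continue
        severity = "high" if is_service_account(user) else "medium"
        if e["action"] == "login" and e["country"] not in baseline.get(user, set()):
            anomalous_login[user] = ts
            alerts.append((e["ts"], user, severity,
                           f"login from {e['country']} outside baseline {sorted(baseline.get(user, []))}"))
        elif (e["action"] == "new_inbox_rule" and user in anomalous_login
              and ts - anomalous_login[user] <= CORRELATION_WINDOW):
            alerts.append((e["ts"], user, severity, "inbox rule created after out-of-baseline login"))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
    print("service accounts without MFA:", service_accounts_without_mfa(EVENTS))
```

On the sample data the service account produces two high-severity alerts (the CN login and the inbox rule two minutes later) and the human user one medium-severity alert for a new country; the MFA inventory separately lists the service account, which is the gap the campaign exploited.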


Consider Multifactor Authentication

Two Factor Authentication, also known as 2FA, is an extra layer of security, also known as "multi-factor authentication", that requires not only a username and password but also something that only the user has on them.

Using a username and password together with a piece of information that only the user knows makes it harder for potential intruders to gain access and steal that person's personal data or identity.

Many systems now support 2FA, and once it is set up it is simply a matter of entering another code that's sent to your phone or generated by a token, so spend some time and ensure your personal accounts are protected by 2FA if available.


3 Leaving Employees to Manage Their Own Password Security

Despite the clear and present danger that weak passwords pose to organizations, many remain focused on implementing technology based on policy, not the user, to address the problem. More than half of IT executives surveyed rely on employees alone to monitor their own password behavior, subsequently leaving the company at risk, shining a light on the disconnect between IT policy and human behavior. The report, for which Ovum surveyed hundreds of IT executives and corporate employees globally, found that 78 percent of IT executives lack the ability to control access to the cloud-based applications used by their employees. Most companies are aware of this lack of visibility and control, yet the majority are not doing enough, if anything at all, to address the situation.

A lack of control puts excessive reliance on end users. 61 percent of IT executives surveyed rely exclusively on employee education to enforce strong passwords. Employees are essentially on their own, with no technology in place to enforce any password strength requirement. Outdated manual processes still prevail. IT executives at four in ten companies surveyed still rely on entirely manual processes to manage user passwords for cloud applications. Defense against password sharing is far too weak. When asked how they guard against unnecessary password sharing, 64 percent of IT execs surveyed had no technology in place, and only 14 percent had automated control facilities in place to know when it is happening. Weak password systems put users and businesses at risk. More than three-quarters of employees reported that they regularly have problems with password usage or management. Password usage problems are exacerbated by the lack of single sign-on (SSO) in many organizations. In fact, 56 percent of the organizations surveyed did not have SSO available.


Cyber crime damage costs will hit $6 trillion annually by 2021.

The cybersecurity community and major media have largely concurred on the prediction that cyber crime damages will cost the world $6 trillion annually by 2021, up from $3 trillion just a year ago. This represents the greatest transfer of economic wealth in history, risks the incentives for innovation and investment, and will be more profitable than the global trade of all major illegal drugs combined.

Cybersecurity spending will exceed $1 trillion from 2017 to 2021.

The rising tide of cyber crime has pushed information security spending to more than $86.4 billion in 2017, according to Gartner. That doesn't include an accounting of Internet of Things (IoT), Industrial IoT, and Industrial Control Systems (ICS) security, automotive security, and other cybersecurity categories.

Cyber crime will more than triple the number of unfilled cybersecurity jobs, which is predicted to reach 3.5 million by 2021.

The cybersecurity workforce shortage is even worse than what the jobs numbers suggest. As a result, the cybersecurity unemployment rate has dropped to zero percent.


4 Everyone Needs a Password Manager

The hackers who recently breached security at Equifax made quite a haul—personal information of about 143 million Americans. They got names, addresses, birth dates, credit card numbers and driver's license numbers. The reports don't mention passwords being part of the hack, but it's certainly possible. Hot on the heels of this major breach, we've now learned that the user database in Equifax's Argentina office had "admin" as both username and password. Unbelievable! Don't be like Equifax. Using a unique, strong password for every site is tough, but you can get help. Install a password manager, teach it your passwords, and start upgrading them all to some unguessable string of gibberish, generated by (and remembered by) the password manager.

The typical password manager installs as a browser plug-in to handle password capture and replay. When you log in to a secure site, it offers to save your credentials. When you return to that site, it offers to automatically fill in those credentials. And, if you've saved multiple logins for the same site, the password manager offers you multiple account login options. Most also offer a browser toolbar menu of saved logins, so you can go straight to a saved site and log in automatically. Getting all of your existing passwords into the password manager is a good first step. Next, you need to identify the weak and duplicate passwords and replace them with tough ones. Many password managers flag weak and duplicate passwords, and some offer help with the update process. The very best ones can automate the password-change process for you. When you create a new secure account or update a weak password, you don't want to strain your brain trying to come up with something strong and unique. Why bother? You don't have to remember it. All but one of the top-rated products include a built-in password generator. Make sure your generated passwords are at least 16 characters long; all too many products default to a shorter length. Entering a password like @2a&AY8mePu8HU@H on your smartphone's tiny keyboard can be tough. Fortunately, almost all of the top password managers can sync across all of your Windows, Mac, Android, and iOS devices. A few even let you authenticate on iOS or Android with your fingerprint rather than typing the master password. Most include some form of two-factor authentication, be it biometric, SMS-based, Google Authenticator, or something else entirely.
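Two things the section asks of a password manager are mechanical enough to show in code: generating passwords of at least 16 characters from a cryptographic random source, and auditing a vault for weak and duplicate entries. The following added example (written for this page; it is not the code of any of the products linked below) does both over a small constructed vault. The vault entries are made up, apart from the 16-character string the bulletin itself quotes; the alphabet, the "equals-username" rule (after the Equifax Argentina "admin"/"admin" story above) and the entropy estimate are assumptions for the example.

```python
import math
import secrets
import string
from collections import Counter

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+"
MIN_LENGTH = 16  # the bulletin's recommended minimum for generated passwords


def generate_password(length: int = MIN_LENGTH) -> str:
    """Random password from the OS CSPRNG via `secrets`, never `random.random`."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly generated password of this length over the alphabet."""
    return length * math.log2(alphabet_size)


# Constructed sample vault (not real credentials); the 16-character entry is the bulletin's own example.
VAULT = [
    {"site": "mail.example.com", "user": "alice", "password": "Summer2017!"},
    {"site": "bank.example.com", "user": "alice", "password": "Summer2017!"},
    {"site": "shop.example.com", "user": "alice", "password": "@2a&AY8mePu8HU@H"},
    {"site": "admin.example.com", "user": "admin", "password": "admin"},
]


def audit_vault(vault, min_length: int = MIN_LENGTH):
    """Flag entries that are short, reused across sites, or equal to the username."""
    reuse = Counter(e["password"] for e in vault)
    findings = {}
    for e in vault:
        issues = []
        if len(e["password"]) < min_length:
            issues.append("short")
        if reuse[e["password"]] > 1:
            issues.append("reused")
        if e["password"].lower() == e["user"].lower():
            issues.append("equals-username")
        if issues:
            findings[e["site"]] = issues
    return findings


if __name__ == "__main__":
    for site, issues in audit_vault(VAULT).items():
        print(f"{site}: {', '.join(issues)}")
    new = generate_password()
    print(f"replacement candidate: {new} ({entropy_bits(len(new)):.0f} bits)")
```

A 16-character password over this 76-symbol alphabet carries just under 100 bits of entropy, which is why the bulletin's "at least 16" guidance puts generated passwords far beyond anything a human would memorise.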

Contents

1 HBO hackers demand money, leak more stolen data
2 Banking Trojan Uses Mouse Movements to Distinguish Users from Virtual Machines
3 NIST Analyst: Our Security Guidance Was Wrong


Password Managers

https://www.lastpass.com

https://1password.com

https://www.passwordboss.com


5 Do Board Members Treat Cybersecurity As a Top Priority?

Despite high profile cyberattacks continuing to occur, almost half of IT decision makers (ITDMs) at 250+ employee organizations around the world still believe that business executives are not making cybersecurity a significant enough priority or focus, according to Fortinet. Many IT professionals believe that the transition to the cloud as part of their organizations’ digital transformation will in turn make security a growing priority. Board members are not treating cybersecurity as a top priority. 48% of IT decision makers believe that IT security is still not a top priority discussion for the board. This doesn’t seem to affect budgets since 61% of enterprises stated that they spend over 10% of their IT budget on security, which is a high investment. 71% of the surveyed respondents said their IT security budget has increased from the previous year. Now, IT decision makers feel strongly that cybersecurity should become a top management priority, with 77% of the respondents saying that the board should actually put IT security under greater scrutiny.

Three key drivers for cybersecurity becoming a top priority:

Increase in security breaches and global cyberattacks: In the last two years, 85% of businesses have experienced a security breach, with the most common vector of attack being malware and ransomware for 47% of respondents. 49% of ITDMs said there has been an increased focus on IT security following global cyberattacks, such as WannaCry. The scale and profile of global cyberattacks is bringing security to the attention of the board. Security is no longer just an IT department discussion.


Figure 3 – Average Spending in IT Security


5 Do Board Members Treat Cybersecurity As a Top Priority? (Cont.)

Increased pressure from the regulators: Another important driver of board awareness is the proliferation of regulation, 34% of respondents reported. With major fines threatening the bottom line, such as the impending GDPR compliance for European data, the board now has a mandate to take interest.

Transition to the cloud as a catalyst for security priorities: As organizations look at migrating to the cloud as part of their digital transformation, 74% of IT security decision makers believe that cloud security is becoming a growing priority. 77% of the respondents also affirm that cloud security – along with the investment in security to support it – is becoming a key priority for the board. As a result, half of those surveyed (50%) are planning investment in cloud security in the next 12 months.


All of our IT services are delivered from a security-led perspective.

We see IT differently. Fluid not stuck. Future not legacy. Personal not corporate.

Liquid IT | Floor 4, 56 Victoria St, Wellington 6011, PO Box 9410

www.liquidit.nz

Figure 4 – Industry thoughts of importance on Security

All of Government

18th October 2017

Exciting news for Liquid IT as we have now been formally welcomed on to the new Security and Related Services Panel by the Department of Internal Affairs (DIA). This is the first step in our journey towards greater representation on government panels as we continue to grow our Connectivity and Security managed services capability.

Visit us at our new premises in Wellington and Auckland and speak to our team of 30 quality Security, Connectivity and Workspace Architects, Consultants and Engineers. We are available to deliver you a more kiwi approach to IT by delivering world leading solutions on time and on budget.