City of London police commissioner warns cyber crime is now of greater threat than drugs trade

The City of London police commissioner Adrian Leppard recently spoke at an industry conference where he said that incidents of cyber crime are significantly underreported to police, with only 20 percent of cases being reported.  Leppard blamed unwillingness by organizations, particularly banks, to report breaches, a lack of police capability to respond, as well as the international nature of cyber crime.  Leppard insisted that the way cyber crime is dealt with needs to fundamentally change, as the traditional police approach to crime of gathering all the details to understand what has happened before dealing with it does not work when it comes to online threats.

What Adrian Leppard has said rings very true for those of us working to tackle cyber crime at the front line.  While his comments mainly call for a change in the way the authorities deal with the investigation of threats, organizations themselves should also take heed of his warnings.  Cyber criminals don’t care about a couple of firewalls or other point security solutions – they can, and will, easily get past them.  Attempting to prevent a breach has therefore become relatively futile, and instead focus needs to be placed on identifying and dealing with threats as quickly as possible.

Every organization in every industry is at risk.  Anyone reading the news recently will know this – from bugs in software, to malicious insiders, as well as outsiders, the cyber landscape has become incredibly treacherous and requires a dedicated and long-term strategy to safely navigate.  By reducing the amount of time it takes to detect and respond to the breaches businesses have a far greater chance of containing any damage.  We need to make everyone aware of the fact that the time between detection and response is when they are at their most vulnerable, and without a strategy in place to effectively and efficiently deal with the problem, the consequences could be far reaching.

As such, businesses need to take an intelligent approach to security, ensuring that they are continuously monitoring their networks so that they can identify and deal with any threats as soon as they arise.  With so much data now crossing networks, security teams can struggle to distinguish the good from the bad, and adopting a security intelligence model is the only way to see the wood for the trees.  The authorities can only work with what they are given, and every organization needs to give them a helping hand by ensuring they have the right systems in place to limit the threat at the source.



Security Awareness Training – Secure Remote Access to Corporate Infrastructure

In this installment of Lab’s weekly series, Security Awareness Training, we’ll be discussing appropriate methods for users remotely accessing corporate or cloud infrastructure. Many of us work remotely at some point and need to access corporate file shares and other network resources.  Within an organization, the employees are as much a means of securing (or weakening) remote access into a network as the IT solutions that are applied.

In a recent Security Awareness Training installment by another LogRhythm Lab’s team member, Zack Rowland, he discussed the need for sound authentication techniques, such as 2-factor authentication, which are very much applicable to securing remote access into the corporate network.  However, the end users are just as important as the technology solutions being applied.

Here are some areas of best practice to consider:

Always utilize Virtual Private Networks (VPNs): All authorized users should connect to a centrally authenticated VPN.  The client software associated with that VPN may need to be installed on your local machine.  For connections where strict data confidentiality is required, as seen with intellectual property for example, remote access devices should leverage end-to-end encryption.

Confirm you are logging into a legitimate site or access point:  This includes both the coffee shop up the street (public Wi-Fi) as well as your own home network.  To reiterate from Greg Foss’ message around securing your home network, it’s important for end users to take ownership for ensuring they are connecting to a legitimate, secure access point. In some public access points where a VPN is not available, data associated with strict confidentiality should not be sent over that access point.

Ensure the login page is served up via HTTPS: When logging into a web page over HTTP, it should be noted that credentials will be sent in clear text.  This means that any man-in-the-middle or sniffing techniques could obtain those credentials or session tokens and lead to a potentially compromised account.  As compromised account credentials are a leading factor in opening the back door into the network, it is vital for users to be aware of this.

Only use IT approved software or applications when using business related machines: The only time domain credentials should be used is when logging into the domain itself or through services known to be part of single sign-on.  Lastly, when leveraging web facing applications, ensure they are approved and are associated with the business, such as SharePoint, Egnyte, etc.

Ensure critical updates and patches are current: Keeping your laptop or other device connecting remotely to the network up to date on updates and patches is necessary to mitigate risk relating to contracting malware or viruses on your device.  Any indication that critical updates or patches were not installed successfully on your device should be communicated with IT to address the issue before traveling or working remotely.

Notify IT of any travel outside of your normal locations before you leave:  For some of us, travel is a normal occurrence, especially in sales. Travel that may deviate from your normal locations or to countries known for a heightened presence of malicious cyber activity should be communicated to IT before departing.  Procedures may be recommended to limit the risk exposure and for IT to be aware of any authentications to the network from uncommon or risky locations.

Only use IT approved software or applications relating to file sharing: When using business related machines, it is important for employees to leverage file sharing solutions that are approved by IT.  Using public file sharing solutions, such as Dropbox, brings business content, proprietary information, or information relating to compliance (PCI, HIPAA, SOX, etc.) outside of IT security controls. As mentioned before, reliance is placed on the end user to adhere to IT security policies and usage agreements.

Notify IT of any rogue or potentially malicious access points:  It is best to identify these before accessing them; however if you do connect to a rogue wireless access point, this should be communicated to IT so they can validate no infectious malware or executables were installed on your machine. If this occurs, the next step is to contain any compromised machine as soon as possible.  As mentioned above, AD credentials should only be used in approved, known IT services or applications.

Be vigilant about where you leave your computer or device: Many of us are aware of the risks associated with leaving your computer unattended in public places such as coffee shops or airports.  When in these public environments, be sure to keep your computer with you at all times and to lock your computer when not in use.  Other methods of privacy can be used, such as privacy screens, if working with confidential information.  Something else to consider is how we store our computers when traveling to and from work.  We may stop at a store and leave the device in our locked vehicle, unknowingly putting the business device at risk.  Many computers are stolen from cars that have been broken into.  To mitigate this risk, ensure your computer is out of sight and locked in the trunk if you are unable to take it with you. If a business device is stolen or lost, you should communicate this to IT right away to limit the risk of compromising the device.  IT can even wipe the device if a solution has been deployed, disabling the thief’s ability to access the network or content on the computer.

In closing, IT can deploy many solutions, services and/or applications to promote secure, remote sessions for users.  However, many of these controls can be trumped by end users not being vigilant about their own security practices.  Having the appropriate IT solutions deployed and an educated user base is imperative for establishing secure remote sessions into the company’s network.

Until next time,

Bob Swanson



British Airways breach puts passwords under the spotlight again

Earlier this week, it was reported that British Airways had suffered a data breach which exposed the details of a number of frequent-flier Executive Club accounts.  It is thought that the breach is the result of a third party that used information obtained elsewhere on the internet to gain access to some accounts using an automated process. British Airways has reassured customers that their sensitive information was unlikely to have been affected, but has advised users to reset their passwords as a precaution.

On a similar note, taxi app Uber has been forced to deny claims that its servers were hacked after reports that thousands of customer usernames and passwords were available to buy online.

These two stories provide yet another example of the importance of strong online passwords that are not reused across numerous websites and online services. Cybercriminals are becoming increasingly determined to access user credentials, with advanced automated tools that are designed to seek and steal usernames and passwords with minimal effort.  As such, we hear time and time again about breaches stemming from hackers using these smash and grab techniques to build a database of credentials and then effectively ‘trying every key in the lock’ until it opens.

No matter how watertight a business believes its IT security position to be, there will always be a weak point just waiting to be exploited by cybercriminals and these are often linked to password security. Organizations must, without exception, be continually monitoring their systems for any anomalous activity that could indicate a breach – particularly those with a strong emphasis on customer service, like British Airways.  This protective monitoring will shorten the time to detect and respond to security incidents, leading to reduced fallout for their customers.  On that note, British Airways should be commended for identifying the breach and taking the proactive step of locking down all user accounts before any real damage could be done.



A New Variant in POS Malware

I’d like to talk a little bit about a new POS malware variant called LogPOS. Being a researcher at LogRhythm, I feel it is my duty to talk about any malware with the word “Log” in it. Ironically, this malware does not store its stolen credit card data in a log; instead it utilizes mailslots. Mailslots, just like the name implies, are a virtual representation of a physical mailbox. It’s a mechanism developed by Microsoft that allows processes to communicate with each other. A process can write to a mailslot with the intention that another process can read from it later on. They are similar to named pipes, only they are not connection oriented and can be used for broadcast. The use of mailslots by malware is nothing new, and their existence helps this malware fly under the radar of simple POS malware scanners – scanners that look for plain text credit card information which is stored locally on the POS terminal.

LogPOS starts by creating a mailslot named \\.\mailslot\LogCC. Once that mailslot is created the malware systematically searches the host for processes that are not in the white list, shown below. My guess is that these are known common processes that you might find on POS terminals (with the exception of steam.exe) that are not used for scanning credit card data. So, it’s eliminating a few processes right off the bat, maybe for efficiency, but more likely to remain undetected.

  • windbg.exe
  • logounui.exe
  • taskmgr.exe
  • skype.exe
  • thunderbird.exe
  • devenv.exe
  • steam.exe
  • winlogon.exe
  • wininit.exe
  • csrss.exe
  • smss.exe
  • svchost.exe
  • firefox.exe
  • chrome.exe
  • explorer.exe
  • psi.exe
  • pidgin.exe
  • System

Once the malware finds a process not included in the list above, it will inject shellcode into that process. That newly compromised process will then repeat the search, looking for more new processes to pwn (again, ignoring whitelisted processes) and injecting shellcode until all other processes have been hijacked. At this point the malware uses the Luhn algorithm to search for credit card numbers. Once a credit card is found, it is written to the opened mailslot, where the main program will read from it. Once a credit card is read, it is then sent to a remote server via a GET request.

If you want to take a look and see if you’ve been hit by LogPOS in your environment, you can use this simple search in the LogRhythm Network Monitor to reveal any outbound communication from the POS malware:

Method:GET AND DestPort:(80 OR 443) AND HeaderRaw:(encoding= AND t= AND cc= AND process= AND track=)
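As an added example (not part of the original post or of LogRhythm's own tooling), here is the search above expressed as a small Python check over constructed proxy-style records; the Luhn test on the cc= value is an extra step the text does not show, used to separate a request carrying a plausible card number from an incidental match on the same parameter names. The record format, hosts, IPs and paths are all made up for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Query parameters the Network Monitor search keys on; a request
# matches only when every one of them is present, on port 80 or 443.
LOGPOS_PARAMS = {"encoding", "t", "cc", "process", "track"}
WEB_PORTS = {80, 443}

# Constructed sample records (not real captures): "src dst:port METHOD url".
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges; the card
# numbers are the classic test PAN 4111... and a non-Luhn digit string.
SAMPLE_RECORDS = [
    "10.1.5.20 203.0.113.10:80 GET /gate.php?encoding=base64&t=1&cc=4111111111111111&process=pos.exe&track=2",
    "10.1.5.20 203.0.113.10:80 POST /gate.php?encoding=base64&t=1&cc=4111111111111111&process=pos.exe&track=2",
    "10.1.5.21 198.51.100.7:443 GET /search?t=1&cc=us&q=flights",
    "10.1.5.22 203.0.113.10:8080 GET /gate.php?encoding=base64&t=1&cc=4111111111111111&process=pos.exe&track=2",
    "10.1.5.23 203.0.113.11:80 GET /gate.php?encoding=base64&t=1&cc=1234567812345678&process=pos.exe&track=1",
]

RECORD_RE = re.compile(
    r"^(?P<src>\S+) (?P<dst>[^:\s]+):(?P<port>\d+) (?P<method>[A-Z]+) (?P<url>\S+)$"
)


def luhn_valid(number: str) -> bool:
    """True if the digits in `number` form a PAN-length string passing the Luhn check."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(record: str):
    """Return 'logpos_exfil', 'logpos_pattern', or None for one record."""
    m = RECORD_RE.match(record)
    if not m:
        return None
    # Method:GET AND DestPort:(80 OR 443)
    if m["method"] != "GET" or int(m["port"]) not in WEB_PORTS:
        return None
    # HeaderRaw:(encoding= AND t= AND cc= AND process= AND track=)
    params = parse_qs(urlsplit(m["url"]).query)
    if not LOGPOS_PARAMS.issubset(params):
        return None
    # Extra step beyond the search: does cc= carry a plausible card number?
    return "logpos_exfil" if luhn_valid(params["cc"][0]) else "logpos_pattern"


def scan(records):
    """Return (destination, verdict) pairs for every record that matches."""
    hits = []
    for r in records:
        verdict = classify(r)
        if verdict:
            hits.append((r.split()[1], verdict))
    return hits


if __name__ == "__main__":
    for dst, verdict in scan(SAMPLE_RECORDS):
        print(f"{dst}: {verdict}")
```

Either verdict is worth an alert from a POS terminal; the "logpos_pattern" case only tells the analyst the cc= value was not a well-formed card number.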

Figure 1: Example LogPOS Traffic in LogRhythm Network Monitor

On top of that, you can also utilize the whitelisting capabilities of LogRhythm’s Advanced Intelligence Engine to detect new outbound connections from your POS terminals. This rule, along with dozens more, is part of LogRhythm’s Retail Cyber Crime Module.

Figure 2: POS: Abnormal POS Network Communication Detection

The security researchers over at did some great research on this malware. If you’d like to know more about how the malware operates you can read that write-up here.



7 Home Network Security Tips

The home network is equally important to secure as the organization you work for. Think about it, this is the network that you use when not in the office; you plug your work laptop in, access sites that are unfiltered/unprotected by your company’s proxy, and then bring the laptop back in to the office the next day and plug it in to the production network. This has the potential to introduce significant risk to the organization. This risk is only exacerbated if someone is able to compromise your home network. In fact, using work laptops outside of the company network is one of the most common ways malware makes it into the organization.

For these reasons it is important to take security seriously both inside and outside of the office. To help with this, I’ve put together 7 steps that you can take to improve the security of your home network.

1. Encrypt your home network using WPA2 and a strong password

Open wireless networks should be avoided unless there is no other option. When using open networks, a VPN should be employed to protect your data while in transit. When it comes to your personal home network, there is absolutely no reason to leave the wireless network open. Encryption is built in to every standard Wi-Fi router so there is absolutely no reason to not enable this. More importantly, Wi-Fi Protected Access 2 (WPA2) should be used as it is the most secure Wireless protocol available for home use. WEP and standard WPA can be cracked and are not considered secure.

In addition to enabling encryption, a very strong password should be used. This doesn’t need to be something ridiculously hard to remember, or so complex that you need to write it down. Remember, when it comes to password strength it’s all about entropy. So, the longer the password the better. This could be something as simple as a sentence with a few capital letters, spaces, and maybe one special character. This makes it very hard to guess but easy to remember, and if someone is able to capture the challenge-response, it will be very difficult for them to crack.

2. Change default router passwords and settings

Just do it… This is the very first thing that every penetration tester will try once connected to a wireless network. If they can log in to the administrative interface using a default or easily guessable password, then all bets are off. The same goes for default settings. The fact that they are ‘default’ means that they are generally public knowledge, and a quick Google search will give an adversary everything they need to gain access to your network.

Aside from passwords, which should be changed for obvious reasons, the main setting of concern is the default IP address. This is normally 192.168.x.1, and various exploit kits are hard-coded to take advantage of these default configuration settings. Simply changing the IP address to anything else (IE: will greatly improve the security of the router and, subsequently, your home network as a whole.

One other setting that should not be overlooked is Wireless Protected Setup (WPS). This feature is prone to well-known and simple proximity attacks and can be broken very easily. When using WPS to configure devices such as printers or similar technology, it is best practice to enable WPS, add the device, and then disable WPS once the device has associated with the access point.

3. Set up a guest network for family and friends to use when they visit

Guest networks are a simple and effective way to segment your devices from potentially untrusted devices on the network. Sometimes a friend’s system can contain malware that could infect other systems over the network. Or, if you have guests regularly (think Airbnb) that connect to your network, do you really want them to be able to access your computer, servers, or other systems on your personal network? Another aspect to consider if you have ‘untrusted guests’ is to lock the router away to deter physical access attacks.

Many routers have a built-in guest feature. If yours doesn’t support this, you may want to consider purchasing another cheap router and bridge this off of your normal access point. This segments the network and keeps untrusted devices off of the main network. This could also be key if someone uses your guest network to download torrents or perform other illegal activities, as showing that this was conducted over your guest network by a device that you don’t own could get you out of hot water.

4. Set up a separate network for Internet of Things (IoT) devices

If you can control your lights from the internet, so can anyone else who happens to guess the password to your Internet of Things control center. What’s worse is that if they can get to your lights, what else can they access on your network? With the rise in home automation and remote access to physical devices, it is important to segment the network to reduce the risk of an outsider gaining access to the internal network by way of an exposed service.

5. Disable remote access to your home network

Many routers come with the ability to allow remote access. This can be very dangerous, especially if default passwords are still in place. Once someone gains access to the router remotely, they can sniff traffic and access systems on the internal network from anywhere in the world. Often these technologies are only protected by a username and password, which can be easily broken with a dictionary attack, often without the owner even knowing. This is why it is very important to only enable remote services when you can compensate for the risks by adding protections such as multifactor authentication.

The same precautions should be taken when running a demilitarized zone (DMZ) and exposing Windows or Linux servers to the internet. Unless it is absolutely necessary to access these systems directly from the internet, a VPN with multifactor authentication should be used instead. This will allow you to access your home network remotely in a more secure manner. If you are running a web server or something similar and need to have these services directly exposed, any remote administration protocols such as RDP or SSH should be protected using a public/private key pair in addition to the username/password combination.

6. Use a firewall

Firewalls are a cheap and effective way to curb attacks against your home network. Plus, they give you additional insight into the traffic that is traversing the network boundary, in addition to maintaining a separate record of traffic history. Firewalls can also be implemented on the router directly; in fact, most modern routers come with the built-in ability to block specific ports or even filter specific types of traffic. A really good one that I would highly recommend is pfSense.

If you are exposing servers to the internet, Honeyports are a free and easy-to-use tool that can be used to detect and ban IP addresses as attacks are observed. Artillery is one of my favorite tools for this, and it can be installed on the server and up and running in minutes. This will prevent known-bad IP addresses from reaching your server once a connection attempt has been made against one of the exposed Honeyport services.

7. Log out of the router when not using it

Many of the attacks against routers today are done by forcing the client to perform an action within the administrative interface of the router on behalf of the attacker. This attack is commonly referred to as Cross-Site Request Forgery (CSRF) and is a very effective means of gaining access to a router. Some of the attacks simply enable remote access to the router and change the administrative password while others completely take over the device and backdoor it. For these reasons, it is important to always log out of the router’s web interface when you are done administering the services.
