Internet of Things Security Policies Still Lagging, Report Finds

Internet of things (IoT) security has been a growing concern in recent years, with vulnerabilities continuing to be reported and hackers continuing to launch attacks. IoT security vendor Pwnie Express released its 2018 Internet of Evil Things report on May 16, providing insight from a total of 708 cyber-security professionals around the world. Among the high-level findings in the report is that 85 percent of respondents hold the view that a major attack on critical infrastructure is likely within the next four years. While organizations are aware of IoT risks, the study found that only 23 percent of organizations actually monitor their networks for IoT device threats and barely one-quarter have an IoT security policy. In this slide show, eWEEK looks at some of the highlights of the 2018 Internet of Evil Things report.

IDG Contributor Network: One year later: security debt makes me WannaCry

It is hard to believe that it’s already been a year since the WannaCry malicious software was released upon the world. Thousands of systems were destroyed and many took the option of paying the attackers for the key to decrypt their unstructured data: files that, for whatever reason, had not been backed up. All of this because SMB v1 was, and in many cases still is, in use today.

Apply today for a Startup Alley Exhibitor Package at Disrupt SF ‘18

Every tech founder worth their title knows that investors, customers and media exposure form the lifeblood of every early-stage startup. And there’s no better way to place your startup in front of these three essential groups than to exhibit in Startup Alley at Disrupt San Francisco 2018. The conference takes place on September 5-7, but if you want to secure your spot you need to apply to purchase a Startup Alley Exhibitor Package before the application window closes.

Trump Scraps Cyber Czar Position

President Trump has scrapped the position of cybersecurity coordinator, commonly referred to as the cyber czar. Ross Rustici, Senior Director of Intelligence Services at Cybereason, commented below.

A look into Drupalgeddon’s client-side attacks

Drupal is one of the most popular Content Management Systems (CMS), along with WordPress and Joomla. In late March 2018, Drupal was affected by a major remote code execution vulnerability (CVE-2018-7600) followed by yet another (CVE-2018-7602) almost a month later, both aptly nicknamed Drupalgeddon 2 and Drupalgeddon 3.

These back-to-back vulnerabilities were accompanied by proofs of concept that translated into almost immediate real-world attacks. For many website owners, this situation was frustrating because the window of time to patch is getting considerably smaller. Additionally, updating or upgrading Drupal (or any other CMS, for that matter) may have side effects, such as broken templates or functionality, which is why you need to make a full backup and test the changes in a staging environment before moving to production.

Rolling out a CMS is usually the easy part. Maintaining it is where most problems occur, due to lack of knowledge, fear of breaking something, and, of course, costs. While it is each site owner's responsibility to do due diligence on their web properties, the outcome is typically websites that are severely out of date and exploited, often more than once.

Sample set and web crawl

We chose a set of web properties that had not yet been vetted (covering all versions of Drupal, vulnerable or not). Our main source of URLs was Shodan, complemented by PublicWWW, for a total of roughly 80,000 URLs to crawl. We were surprised to start hitting compromised sites early in the process and were able to confirm over 900 injected web properties.

Many of the results were servers hosted on Amazon or other cloud providers that were most likely set up for testing purposes (staging) and never removed or upgraded. Thankfully, they received little to no traffic. The other domains we encountered spanned a variety of verticals and languages, with one common denominator: an outdated version (usually severely outdated) of the Drupal CMS.

Figure 1: Crawling and flagging compromised Drupal sites using Fiddler
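A minimal version of the flagging step, added here as an example and not the post's own tooling: it reads the installed release from Drupal 7's CHANGELOG.txt (shipped at the web root unless the operator removed it), falls back to the major version in the X-Generator header, and compares the result against the core releases the Drupal advisories name as fixed for the two CVEs. The hosts, CHANGELOG bodies and the triage/exposure function names are constructed for the example; the fetching itself (the Shodan/PublicWWW URL list and the HTTP requests) is left out so the script runs offline.

```python
import re

# Core releases that closed the two Drupalgeddon bugs, per Drupal's advisories
# SA-CORE-2018-002 (CVE-2018-7600) and SA-CORE-2018-004 (CVE-2018-7602).
# Keyed by major version; the 8.3.x/8.4.x backports are not listed here.
PATCHED = {
    "CVE-2018-7600": {7: (7, 58, 0), 8: (8, 5, 1)},
    "CVE-2018-7602": {7: (7, 59, 0), 8: (8, 5, 3)},
}

# Drupal 7 ships CHANGELOG.txt at the web root; its first entry names the
# installed release, e.g. "Drupal 7.56, 2017-06-21".
CHANGELOG_RE = re.compile(r"^Drupal (\d+)\.(\d+)(?:\.(\d+))?,", re.M)
# The X-Generator header / <meta name="Generator"> only reveal the major version.
GENERATOR_RE = re.compile(r"\bDrupal (\d+)\b")


def version_from_changelog(text):
    """Newest release named in a CHANGELOG.txt body as (major, minor, patch), or None."""
    m = CHANGELOG_RE.search(text or "")
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def major_from_generator(value):
    """Major version from a header value such as 'Drupal 7 (http://drupal.org)'."""
    m = GENERATOR_RE.search(value or "")
    return int(m.group(1)) if m else None


def exposure(version):
    """CVEs a core version is still exposed to, judged purely by version number."""
    major = version[0]
    return [cve for cve, fixed in PATCHED.items()
            if major in fixed and version < fixed[major]]


def triage(url, changelog_text=None, generator=None):
    """Rank one crawled host: exact version if CHANGELOG.txt is exposed, major otherwise."""
    version = version_from_changelog(changelog_text)
    if version:
        return {"url": url, "version": version, "exposed_to": exposure(version),
                "confidence": "high"}
    major = major_from_generator(generator)
    if major:
        # The major alone cannot prove exposure either way; queue for a manual look.
        return {"url": url, "version": (major,), "exposed_to": ["unknown"],
                "confidence": "low"}
    return {"url": url, "version": None, "exposed_to": [], "confidence": "none"}


# Constructed responses standing in for what the crawler would fetch
# (url, CHANGELOG.txt body or None, X-Generator header or None).
# None of these hosts come from the post's data set.
SAMPLES = [
    ("http://old-staging.example/", "Drupal 7.39, 2015-08-19\n- Fixed ...\n\nDrupal 7.38, 2015-06-17\n", None),
    ("http://half-patched.example/", "Drupal 7.58, 2018-03-28\n", "Drupal 7 (http://drupal.org)"),
    ("http://current.example/", "Drupal 7.59, 2018-04-25\n", None),
    ("http://no-changelog.example/", None, "Drupal 8 (https://www.drupal.org)"),
    ("http://not-drupal.example/", None, "WordPress 4.9"),
]


def run(samples=SAMPLES):
    """Triage every sample; returns one result dict per host."""
    return [triage(*s) for s in samples]


if __name__ == "__main__":
    for r in run():
        print(r["confidence"], r["url"], r["version"], r["exposed_to"])
```

Two caveats before using this as more than a work queue: a site at 7.59 only shows that the hole is closed now, not that it was never hit through it, which is exactly the situation on the miner-infected sites described further down; and a host or distribution that backports fixes without touching CHANGELOG.txt will show as exposed when it is not.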

Drupal versions

At the time of this writing, there are two recommended releases for Drupal. Version 8.x.x is the latest and greatest with some new features, while 7.x.x is considered the most stable and compatible version, especially when it comes to themes.

Figure 2: Drupal’s two main supported branches

Almost half the sites we flagged as compromised were running Drupal version 7.5.x, while version 7.3.x still represented about 30 percent, a fairly high number considering it was last updated in August 2015. Many security flaws have been discovered (and exploited) since then.

Figure 3: Percentage of compromised sites belonging to a particular Drupal version

Payloads

A large number of Drupal sites that have been hacked via these two recent exploits were also infected with server-side malware, in particular XMRig cryptocurrency miners. However, in this post we will focus on the client-side effects of those compromises. Neither is exclusive, though, and one should expect that a hacked site could be performing malicious actions on both the server and client side.

Unsurprisingly, web miners were by far the most common type of injection we noticed. But we also came across a few different social engineering campaigns.

Figure 4: Breakdown of the most common payloads

Web miners

Drive-by mining attacks went through the roof in the fall of 2017 but slowed down somewhat at the beginning of the year. It’s safe to say that the recent Drupal vulnerabilities have added fuel to the fire and resulted in increased activity. Coinhive injections remain by far the most popular choice, although public or private Monero pools are gaining traction as well.

We are seeing the same campaign that was already documented by other researchers in early March and is ensnaring more victims by the day.

Figure 5: A subdomain of Harvard University’s main site mining Monero

Fake updates

This campaign of fake browser updates we documented earlier is still going strong. It distributes a password stealer or Remote Administration Tool (RAT).

Figure 6:  A compromised Drupal site pushing a fake Chrome update

Tech support scams (browlocks)

Redirections to browser locker pages are a typical approach for delivering tech support scams. The most common redirection we were able to document involved an intermediary site redirecting to browser locker pages on the .TK top-level domain (TLD).

mysimplename[.]com/si.php

    window.location.replace("http://hispaintinghad[.]tk/index/?1641501770611");
    window.location.href = "http://hispaintinghad[.]tk/index/?1641501770611";
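The payload classification from the Payloads section, applied to fetched page bodies, as an added example rather than the post's tooling: it looks for the public Coinhive indicators (the loader script and the CoinHive.Anonymous constructor, whose site key is worth recording because it clusters injections by campaign) and follows inline window.location assignments to flag off-site hops, treating a .tk destination as a browlock candidate as described above. The fake-update campaign is not covered because the post shows no artefact for it. The sample pages are constructed for the example; the si.php body reuses the defanged redirect shown above, and the regexes, verdict labels and SUSPICIOUS_TLDS set are our own choices.

```python
import re
from urllib.parse import urlparse

# Public indicators named in the post: Coinhive's loader script and miner
# constructor, and a JavaScript hop to a browlock page on a .tk domain.
# The patterns and verdict labels are ours; tune them to your own telemetry.
COINHIVE_SRC = re.compile(r"coinhive\.com/lib/coinhive(?:\.min)?\.js", re.I)
MINER_CTOR = re.compile(r"new\s+CoinHive\.Anonymous\s*\(\s*['\"]([^'\"]+)['\"]", re.I)
# window.location.replace("..."), window.location.href = "...", top.location = "..."
LOCATION_RE = re.compile(
    r"(?:window|top|self|parent)\.location(?:\.href)?\s*"
    r"(?:=\s*|\.(?:replace|assign)\s*\(\s*)['\"]([^'\"]+)['\"]",
    re.I,
)
SUSPICIOUS_TLDS = {"tk"}  # what the post observed; extend from your own data


def refang(s):
    """Undo the [.] / hxxp defanging used in write-ups so URLs parse normally."""
    return s.replace("[.]", ".").replace("hxxp", "http")


def redirect_targets(body):
    """URLs an inline script sends the browser to, in source order."""
    return [refang(t) for t in LOCATION_RE.findall(body)]


def classify(page_url, body):
    """Tag one fetched page with the client-side payload types it carries."""
    page_host = urlparse(refang(page_url)).hostname or ""
    indicators = []
    if COINHIVE_SRC.search(body):
        indicators.append("coinhive_loader")
    for key in MINER_CTOR.findall(body):
        indicators.append(f"coinhive_sitekey:{key}")
    for target in redirect_targets(body):
        host = urlparse(target).hostname or ""
        if host and host != page_host:
            tld = host.rsplit(".", 1)[-1].lower()
            kind = "browlock_redirect" if tld in SUSPICIOUS_TLDS else "offsite_redirect"
            indicators.append(f"{kind}:{host}")
    indicators = list(dict.fromkeys(indicators))  # dedupe, keep order
    verdicts = set()
    for ind in indicators:
        if ind.startswith("coinhive"):
            verdicts.add("web_miner")
        elif ind.startswith("browlock"):
            verdicts.add("tech_support_scam")
        else:
            verdicts.add("redirect")
    return {"url": page_url, "indicators": indicators, "verdicts": sorted(verdicts)}


# Constructed sample pages (not real crawl data). The si.php body reuses the
# defanged redirect from the post; the other two are made up for the example.
SAMPLES = {
    "http://staging-site.example/node/1": (
        "<html><body><p>Welcome</p>"
        '<script src="https://coinhive.com/lib/coinhive.min.js"></script>'
        "<script>var m = new CoinHive.Anonymous('EXAMPLEKEY0000');m.start();</script>"
        "</body></html>"
    ),
    "http://mysimplename[.]com/si.php": (
        'window.location.replace("http://hispaintinghad[.]tk/index/?1641501770611");\n'
        'window.location.href = "http://hispaintinghad[.]tk/index/?1641501770611";'
    ),
    "http://clean-site.example/": "<html><body><h1>Nothing to see</h1></body></html>",
}


def scan(samples=SAMPLES):
    """Classify every sample; returns one result dict per page."""
    return [classify(url, body) for url, body in samples.items()]


if __name__ == "__main__":
    for r in scan():
        print(r["url"], r["verdicts"], r["indicators"])
```

Two things to keep in mind before pointing this at a real crawl: the redirect regex only sees string literals, so a target assembled at runtime (atob(), concatenation, a value fetched from the intermediary) needs a headless browser rather than a pattern; and a cross-domain .tk hop is a strong signal on a .edu host but a weak one on a site that legitimately lives on .tk, which is why the page's own host stays part of the decision.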

TippingPoint Threat Intelligence and Zero-Day Coverage – Week of May 14, 2018

It’s one thing when your security solutions help protect your organization from a devastating cyberattack. It’s another thing when the company who develops your security solutions takes it to the next level to actually help catch those responsible for some of the biggest cyberattacks in the world. Earlier this week, Trend Micro disclosed the details of its exclusive investigative cooperation with the Federal Bureau of Investigation (FBI) to identify, arrest and bring to trial the individuals linked to the infamous Counter Antivirus (CAV) service Scan4You.

GDPR is coming

In less than a week, the European Union’s General Data Protection Regulation (GDPR) will come into effect. Therefore, businesses operating in Europe, or simply processing or collecting the personal data of individuals in the EU, need to comply with this regulation starting May 25.

How Encrypting Data Can Protect Sensitive Company Data

Governance of company data has never been trickier for organisations than in today’s business world. It was not so long ago that the bulk of company data simply resided either on premise or within a company datacentre, with supervision of that data proving to be a relatively manageable task for IT teams. The widespread adoption of cloud infrastructure has changed this, however, with many enterprises increasingly keen on embracing the cloud to help digitally transform their businesses.

5 Behaviors of Leaders Who Embrace Change

Executive Summary

Successful change-agile leaders at all levels in the organization respond to changes in the business environment by seizing opportunities, including throwing out old models and developing new ways of doing business. They try to make change thinking contagious, embedding it into everything they do from the most fundamental daily interactions to the most complex strategy. Change-agile leaders demonstrate several integrated behaviors that, together, create a competitive advantage for the organization. They share a compelling, clear purpose with employees. They look ahead and see new opportunities. They create a safe psychological space for teams to discuss the challenges of working together and of the integration overall. They promote calculated risk-taking and experimentation, and encourage cross-boundary collaborations to build products, attract customers, and achieve results.