Archive for category Vulnerability Management

British Airways faces Data Breach of 380,000 Accounts

Malicious JavaScript code had been planted within British Airways’ website, leading to a data breach of around 380,000 accounts.

RELEASE DATE: September 14th, 2018

INCIDENT

Starting from August 21st, around 380,000 accounts were compromised in a major data breach at British Airways, exposing customers’ information. Cybersecurity firm RiskIQ believes the Magecart attackers, previously associated with the Ticketmaster UK breach earlier this year, were involved.

The attackers succeeded in obtaining names, street and email addresses, credit card numbers, expiry dates and security codes of the airline’s customers, which could potentially lead to theft from user accounts.

British Airways stated that all payment information processed through the airline’s website and mobile app between August 21st and September 5th had been exposed.

ATTACK VECTOR

The evidence shows that malicious JavaScript code had been planted within British Airways’ website.

Magecart has traditionally stolen data by injecting malicious scripts into payment forms.

RiskIQ further reported that the attackers used only 22 lines of code to get hold of the data (attached below).

The attack compromised British Airways’ own web server, making it a highly targeted attack aimed at this particular website and its mobile application.

“This skimmer is attuned to how British Airways’ payment page is set up, which tells us that the attackers carefully considered how to target this site in particular,” said Yonathan Klijnsma, head researcher at RiskIQ.

ROOT CAUSE

Magecart’s association with the attack was identified because the attack was web-based and targeted credit card data. The attackers focused on the unique structure and functionality of the British Airways website and exploited its security lapses. RiskIQ crawled the scripts on the British Airways site and traced how they changed over time; during this process, the researchers found a modified script on the compromised site.

The modified JavaScript library on the BA site was found to call an API on a malicious web server at baways.com. This is a virtual private server hosted by a provider in Lithuania, using a TLS certificate registered through Comodo on August 15 (to appear legitimate). The code was injected through the JavaScript library.

When a customer enters information on the website’s payment form and clicks “submit”, the 22 lines of code export the entered data to the malicious server as a JSON object.

The customer’s transaction is not disturbed and appears to take place over a secure session, while the attackers receive a full copy of the payment information. The attackers also added a “touchend” callback to the script, extending the attack to BA’s mobile app, which loaded the same modified script.

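The script-crawling approach described above, turned into a small baseline check, as an added example that is not RiskIQ’s or British Airways’ code: it hashes each first-party script against a known-good crawl, lists hostnames a script references outside a constructed allowlist, and notes the traits the text attributes to the injected code (a touchend handler, form data exported as JSON). The sample scripts, paths, hostnames and allowlist are all constructed.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Hostnames a payment-page script may legitimately reference (constructed allowlist).
ALLOWED_HOSTS = {"www.example-airline.test", "static.example-airline.test"}

# Traits the text attributes to the injected code: a touchend handler (so the
# mobile app path is covered too) and form data exported off-page as JSON.
EXFIL_HINTS = ("touchend", "JSON.stringify", "XMLHttpRequest", "fetch(", "sendBeacon")

HOST_RE = re.compile(r"https?://([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.IGNORECASE)


@dataclass
class Finding:
    script: str
    changed: bool                                   # hash differs from the known-good baseline
    new_hosts: list = field(default_factory=list)   # hosts outside the allowlist
    hints: list = field(default_factory=list)       # exfil-like traits present in the body


def sha256(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def external_hosts(js: str, allowed: set) -> list:
    """Hostnames referenced by the script that are not on the first-party allowlist."""
    return sorted({h.lower() for h in HOST_RE.findall(js) if h.lower() not in allowed})


def audit_scripts(baseline: dict, crawled: dict, allowed: set = ALLOWED_HOSTS) -> list:
    """baseline: script path -> sha256 recorded at the last known-good crawl.
    crawled:  script path -> content fetched now.
    Flags every script that changed or newly appeared, plus any script (changed
    or not) that references a host outside the allowlist."""
    findings = []
    for path, body in crawled.items():
        changed = baseline.get(path) != sha256(body)
        hosts = external_hosts(body, allowed)
        if changed or hosts:
            hints = [h for h in EXFIL_HINTS if h in body]
            findings.append(Finding(path, changed, hosts, hints))
    return findings


# Constructed sample scripts: a vendor library as served at the last good crawl,
# and the same file with a tail appended. The tail is a comment-only stand-in,
# not working code; it only carries the traits the audit looks for.
VENDOR_JS = "/* constructed vendor feature-detection library */\nwindow.lib={ready:function(f){f()}};\n"
TAMPERED_JS = VENDOR_JS + (
    "// constructed stand-in for an appended tail:\n"
    "// on submit/touchend, JSON.stringify the payment form and post it to\n"
    "// https://api.example-attacker.invalid/collect via XMLHttpRequest\n"
)
ANALYTICS_JS = "/* constructed */\nvar u='https://static.example-airline.test/a.gif';\n"


def demo() -> list:
    """Run the audit over the constructed crawl and return the findings."""
    baseline = {"/js/vendor.js": sha256(VENDOR_JS), "/js/analytics.js": sha256(ANALYTICS_JS)}
    crawled = {"/js/vendor.js": TAMPERED_JS, "/js/analytics.js": ANALYTICS_JS}
    return audit_scripts(baseline, crawled)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.script}: changed={f.changed} hosts={f.new_hosts} hints={f.hints}")
```

Run against a real crawl, the baseline hashes would come from a stored known-good snapshot and the allowlist from the site’s own content-security policy; the unchanged analytics script is not reported because it only references an allowed host.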

LESSON LEARNED

The British Airways website appears to have been operating without visibility into its Internet-facing web assets, so the airline could not detect this compromise and data breach until it was too late.

With so many attack vectors and ever-evolving cyber-attack techniques, organizations should make sure their cybersecurity implementation is sound. With proper measures, visibility and regular penetration testing, such attacks can be nipped in the bud before they cause any damage.


Internal Attacks and their Impact on Organizations

THE WORLD OF INFORMATION SECURITY

 

The world of IT is not safe. With hacking techniques and information breaches growing, almost any code can be broken. However, a considerable amount of effort is being invested in protecting your information from breaches, and numerous information security firms exist to ensure every client organization is safe from external attacks.

How foolish would you feel if, despite all your safety measures and monetary investments, your data leaked just because an end user was not vigilant enough or had malicious intent?

“Almost 40 percent of IT security breaches are perpetrated by people inside the company,” estimates research conducted by the US Computer Emergency Response Team (CERT).

Internal attacks are a real thing, and in extreme cases they can have devastating impacts on an organization. This is one of the reasons why insurance premiums for cyber-crime are on the increase.

WHAT ARE INTERNAL ATTACKS?

An individual or a group of employees with system privileges and technical expertise may attack an organization’s systems from the inside if they can benefit from disrupting the system or exploiting the organization’s assets. In most cases, however, internal attacks are unintentional.

MOST COMMON INTERNAL ATTACKS

  • Weak passwords

Generally, employees tend to be very careless about passwords. They may log in to multiple sites with the same password, which can be exploited. Likewise, they keep their passwords simple, write them down in password hints, or hand them over to unauthorized people or malicious websites. This casual, unskeptical behavior is what makes phishing attacks succeed.

Employees need to be trained on how their accounts can be exploited; only then will they understand the importance of strong passwords. Additionally, multi-factor authentication should be enforced for logging in to the system.

  • Falling victim to Phishing Attacks

Attackers use social engineering to obtain passwords or other sensitive information from employees who, if untrained about phishing, will easily give in to those attempts. This may hand attackers the login credentials needed to access a system.

This problem recurs worldwide, which is why every organization needs a clear information security policy that is followed strictly.

End users are the weakest component of a network system. Therefore, there is a strong need for training sessions that explain to employees why certain measures are necessary and how phishing works; otherwise they may dismiss the security measures as unimportant.

  • Fraud

Internal fraud can be a very serious threat to an organization. It may be committed for monetary benefit, or it may harm the organization’s reputation if employees make fraudulent deals with people in the organization’s name.

Moreover, fraud may include misuse of the organization’s sensitive information, leakage of private secrets or client data, or even theft of the organization’s intellectual property or plans, which could be sold to competitors for monetary gain.

In extreme cases, employees have been found to be working for external organizations, having joined as intruders in order to leak company secrets.

  • Misuse of gadgets

Misuse of office gadgets is a common problem. Even though it does not compare to an intentional cyber-crime involving attacks and viruses, it may damage a system just as much.

Office staff tend to visit inappropriate sites when they are ‘surfing the internet’. These sites can be malicious, or may exploit vulnerabilities to drop backdoors on a system. Likewise, office gadgets can also be used to pass confidential data to unauthorized users.

A survey conducted last year by LexisNexis Industrial Relations Services found that almost one third of UK firms had dealt with disciplinary cases of internet abuse.

These information leakage attacks can also be unintentional, but they still require a considerable amount of effort, resources and time to limit the damage they cause.

To prevent misuse of intellectual property or personal data, proper internet monitoring strategies need to be implemented.

  • Malicious downloads

The DTI’s latest InfoSec survey shows that 83% of the UK’s large firms have received infected e-mails or files, one third of which carried 100 different viruses. Microsoft Office and Excel files are now a common vehicle for zero-day exploits. Employees may compromise a system by downloading such unverified files carrying viruses and malware.

Furthermore, downloads from the internet should be restricted to files from verified sources only. Without such restrictions, and monitoring of their enforcement, employees may download unneeded malicious software or games onto office gadgets and compromise the system.

HOW TO PREVENT INTERNAL ATTACKS?

One of the most common practices against internal attacks is implementing an intrusion detection system, configured to look for both external and internal attacks. Moreover, employees’ access privileges should be segregated according to the requirements of their duties, which helps protect against internal attacks.

Many kinds of software are available for automating the monitoring of employees’ online activities to protect against internal attacks. Installing up-to-date anti-virus, firewalls and intrusion detection systems are some of the essential steps for keeping information security intact.

WRAP UP

Staff training is essential to keep an organization internally safe, and system monitoring is crucial for ensuring an organization’s safety. However, the approach must comply with applicable laws such as the Data Protection Act.

When monitoring is implemented, staff must be informed about it, along with their rights and entitlements under the policies. This ensures a smooth implementation of security without offending your staff.

Internal attacks can also be deliberate cyber-attacks; these will be discussed later.


Gear up for WannaCry 2.0

WannaCry 2.0 In The Making?

After the havoc WannaCry wreaked in global cyberspace last year, and the ongoing series of cyber-attacks carrying its name, it is predictable that these attacks are not going to end here.

WannaCry is being built upon to create even more powerful attacks and techniques.

As the most impactful attack worldwide, WannaCry set a historical example of both the monetary losses and the physical damage a cyber-attack can lead to. This malware, aimed at Windows machines, hindered real-life activities such as employees getting to work and patients receiving speedy medical treatment.

The damage currently being caused by the WannaCry 1.5 phase is an indicator of an approaching WannaCry 2.0 phase, getting ready to unleash its malicious tactics for ransom-hungry hackers to use.

WannaCry 2.0 seems real because of the following advantages attackers enjoy:

1. Delayed Patching

Organizations fail to apply available patches on time. The patch for the flaw exploited by EternalBlue, released in March 2017, is an example of delayed patching: organizations were still being hit in May 2017 because they had not patched.

2. Consistency in Hacking

The hackers do not seem to be resting at all. New zero-day and one-day vulnerabilities are being found every single day, and hackers are being inventive, trying to create hacking and ransomware waves as big as WannaCry.

Government Agencies under pressure

Government agencies are under massive pressure as global cyberspace turns into a battleground threatening national security and the confidential data of organizations. Government organizations responsible for keeping cyberspace safe for general use are required to exercise stringent precautions to make sure any vulnerabilities found in their systems are not leaked or exploited by attackers. Such confidential, exploitable vulnerabilities could yield catastrophic results in the hands of hackers.

Several vulnerabilities and pieces of exploit code leaked from governmental organizations have already been accessed and exploited by hackers; WannaCry and EternalBlue are two major examples of this leaked material being put to use. Spreading at an exponential rate, these leaked codes invite not only ransomware attacks but also cryptocurrency miners mining Monero. The pressure on organizations to set up a strong defense plan is therefore becoming more nerve-straining with every passing day.

Guide for Enterprises and IT professionals

The speedy overnight patches required by these fast-leaking vulnerabilities have pressured enterprises to seek help from IT professionals. Mass-scale exploits like the Careem data breach and the Nadra data breach, along with ransomware built on exploits like EternalBlue, targeting institutions, employees, customers and stakeholders, have put IT professionals on edge to find speedy solutions for every vulnerability they detect.

Security professionals should keep these things in mind to mitigate threat factors.

• Understand vulnerability databases

IT professionals need to conduct detailed analysis and testing of any vulnerability found and demonstrate how the problem will affect the organization. They should focus on the risk factors and determine the severity of every vulnerability, then help the organization decide on an action plan against the threat and suggest solutions to the problem.

• Out-of-the-ordinary workflow

Timely patching is hard for organizations with heavy workloads, but that does not lessen its importance. To safeguard all the hard work that goes into running a business successfully, it is recommended to dedicate a team of technical experts fully focused on mitigating threats. The dedicated team can run timely testing and apply any patches and software updates available against newly discovered threats.

If you think you are a victim of a cyber-security attack, immediately send an email to info@rewterz.com for a rapid response.


An Insight into Vulnerability Management

People tend to underestimate the intricacies involved in a Vulnerability Management program. The traditional ‘Find them – Kill them’ approach tends to fall apart when it comes to sweeping through a plethora of servers, platforms and protocols, not to mention end user systems.

A more effective approach has always been to plan your initial efforts, focus on your primary and secondary assets, and analyze the life cycle of the entire process.

In this article, we’ll discuss some proven methodologies known to efficiently deliver results.

Step 1. Many organizations fail to grasp the essence of VM and tend to regard it as part of the IT administrator’s responsibilities. While this may be true for smaller (read: very small) organizations, any larger organization must have a dedicated team solely responsible for hunting down and patching vulnerabilities.

Step 2. Create an index of all IT assets currently owned by the organization, specifically highlighting systems connected to IP networks. This database will act as your ‘Evaluation Base Line’, indicating the patching status of your entire inventory.

Step 3. Vulnerability management is an ongoing process. New vulnerabilities emerge every instant and require continuous monitoring. Similarly, a change in configuration might make a relatively secure system prone to attacks.

Step 4. Prioritize patch implementations when choosing between ease of accessibility and security. Every system can be hardened to become virtually impenetrable, but at the cost of user friendliness.

Step 5. Simulate post-patch scenarios in advance. New patches can sometimes cause unexpected changes in systems, such as conflicts with the system registry and occasional incompatibility issues.

Step 6. Create a database of all patches. Since computers at an organization are perpetually being changed, formatted or restored, an archive of all patches helps you quickly cover vulnerable systems without having to search through patch releases for individual software all over again.

Step 7. Automate! Integrate readily available patching solutions or updating utilities in your organization to reduce manual overhead.

Step 8. Never assume. Assumptions in security have taught many professionals expensive lessons. A system isn’t safe unless it has withstood an attack. Make a habit of frequently simulating attack scenarios on systems likely to face rogue traffic; you’ll be surprised at your findings!

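An added example, not part of the original post, of the ‘Evaluation Base Line’ from Step 2 and the prioritization from Steps 4 and 8, driven by a patch archive as in Step 6: every host, software name, version and bulletin id below is a constructed placeholder, and the priority weighting is an assumed heuristic, not a standard.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    software: str
    version: str
    internet_facing: bool   # "likely to face rogue traffic" (Step 8)


@dataclass(frozen=True)
class Patch:
    software: str
    fixed_version: str      # first version that carries the fix
    severity: int           # 1..10 as recorded in the patch archive (Step 6)
    ref: str                # vendor bulletin id; constructed placeholders below


def version_key(v: str) -> tuple:
    """Numeric compare, so '1.10' sorts after '1.9' (a plain string compare would not)."""
    return tuple(int(n) for n in re.findall(r"\d+", v))


def missing_patches(assets, patches):
    """Step 2 baseline: every (asset, patch) pair where the asset still lacks the fix."""
    gaps = []
    for a in assets:
        for p in patches:
            if p.software == a.software and version_key(a.version) < version_key(p.fixed_version):
                gaps.append((a, p))
    return gaps


def priority(asset, patch) -> int:
    """Step 4 ordering (assumed heuristic): severity, doubled for exposed hosts."""
    return patch.severity * (2 if asset.internet_facing else 1)


def patch_plan(assets, patches):
    """Outstanding (host, software, ref, priority) rows, highest priority first."""
    rows = [(a.host, a.software, p.ref, priority(a, p)) for a, p in missing_patches(assets, patches)]
    return sorted(rows, key=lambda r: (-r[3], r[0], r[2]))


def baseline_summary(assets, patches) -> dict:
    """Per-host count of outstanding patches; zero means the host is at baseline."""
    summary = {a.host: 0 for a in assets}
    for a, _ in missing_patches(assets, patches):
        summary[a.host] += 1
    return summary


# Constructed inventory (Step 2) and patch archive (Step 6).
ASSETS = [
    Asset("web-01", "httpd", "2.4.29", True),
    Asset("web-02", "httpd", "2.4.41", True),
    Asset("db-01", "postgres", "9.6.10", False),
    Asset("hr-pc-07", "officesuite", "1.9", False),
]
PATCHES = [
    Patch("httpd", "2.4.41", 9, "VENDOR-HTTPD-01"),
    Patch("postgres", "9.6.12", 6, "VENDOR-PG-02"),
    Patch("officesuite", "1.10", 7, "VENDOR-OS-03"),
]

if __name__ == "__main__":
    for host, software, ref, prio in patch_plan(ASSETS, PATCHES):
        print(f"{prio:3d}  {host:10s} {software:12s} {ref}")
    print(baseline_summary(ASSETS, PATCHES))
```

The `hr-pc-07` row is the edge case worth noticing: its version 1.9 is older than the fixed 1.10 only because versions are compared numerically, which a string comparison of the inventory would get wrong.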


How good are you at utilizing your Vulnerability Management program?

Here is our take on making the most of your vulnerability management system.

Act right away!

As much as people like to document their scan results in reports and refer to them in board presentations, do not lose focus on the primary objective of these results: patch those vulnerabilities NOW. It is unintelligent, to say the least, to have discovered vulnerabilities but to leave the patching for a later date. And speaking of documenting, maintain a degree of privacy over your vulnerability findings by limiting access to them to relevant personnel only.

Patching and thinking you are protected?

Patching should only be one part of your defense strategy. Patching generally mitigates risk caused by faulty or sloppy programming code, which is relatively easy to identify using automated techniques. The trickier aspect of information security involves logical errors, which arise from acute lapses in the configuration settings and parameters of the myriad devices present on networks.

Protecting yourself from Zero day attacks…

Zero day attacks are quite understandably the worst fears of any security professional. While you cannot predict what the future has in store for your network, there are certain practices that will minimize the potential of your systems being targeted.

– Harden your systems.

– Use heuristic-based anti-virus protection.

– Deny the irrelevant and grant only least privilege to those you permit.

– Finally, educate users to be wary of unsolicited and suspicious email attachments.

A Vulnerability Management System is only as strong as its policies…

The strongest Vulnerability Management programs are always characterized by their elaborate policies. Policies help you regulate the operational effectiveness of your corporate infrastructure. Policies drive your users to

– Practice better password conventions.

– Bring in the use of encryption in official emails.

– Create a realization that security is everyone’s responsibility.

– Regularize the use of firewalls and antivirus programs.

– Familiarize people with the risks associated with social media.

– Ascertain the confidentiality of organizational data and prevent instances of data leakage.



Acid test your Security with Penetration Testing

By Faiz Ahmad Shuja

This article was featured in the April 2009 issue of CIO Pakistan’s CSO magazine.

In a cruel world, where even slow portals are not forgiven, the uproar in the event of a security breach is not too difficult to imagine.

Today, with the evolution of electronic commerce, an online business presence signifies much more than a proactive business approach. The well-being of your IT infrastructure relates directly to the trust of your customers and your corporate identity.

The advent of sophisticated threats and attacks over the Internet has added to the concerns of organizations globally. Blended malware, sophisticated attacks, identity theft, DDoS attacks and financial scams are just some of the predicaments associated with any system connected to the Internet.

Information security personnel in an organization can either learn their weaknesses the hard way, by waiting for an attacker from the dark to exploit one of their vulnerabilities, or save face with their own trusted team of ‘Penetration Testers’.

Penetration Testing (Pen-Testing) is the practice of testing security measures by emulating real-world attacks on the IT infrastructure in question, much like testing supposedly bulletproof armor by showering it with bullets.

Penetration testing is considered one of the most rigorous tests of an infrastructure’s security and stability. Testing involves analysis of each access layer, network, system and application, ranging from reviewing the application code of a front-end web application to analyzing the possibility of a session hijacking attack on the network.

For most of the security-audited organizations we encountered, we found that previous security assessments generally lacked in-depth examination of the infrastructure, especially on the application layer – a high-risk zone.

In fact, most of the attacks witnessed in the last few years rely heavily on vulnerabilities in various web-based applications. A compromised web application can grant mind-boggling access to a determined attacker. A common scenario is an organization that has implemented a custom application developed by a third party; such applications can host an array of high-risk vulnerabilities.

Considering the very intricate nature of these tests, a common debate among management and information security personnel is whether to carry out the testing with in-house personnel or to hire third-party specialists. In-house testing, while easy to rely on, tends to be biased in favor of existing management policies (after all, they are the ones who built it in the first place), whereas a third party usually provides a harsh, ruthless analysis of your service and sometimes may go to lengths that amount to overkill.

With penetration testing having been declared mandatory by PCI DSS, other security standards are likely to follow suit, so now is a good time to start looking into your penetration testing requirements. In-house penetration testing requires dedicated staff and resources along with some vulnerability research expertise. If, however, you are not thinking of further investment just yet, a viable option would be to hire an external consultant.

When looking for a penetration testing service, always look for a provider with comprehensive testing procedures comprising composite testing methodologies that cover all layers of your infrastructure. Ask for their vulnerability research portfolio, such as the discovery of vulnerabilities in popular applications and the issuing of vulnerability advisories. This will help you identify whether they employ manual or automated testing techniques during the tests.

An automated test involves running specialized software that sweeps your network for common flaws, whereas a manual test involves in-depth examination by seasoned veterans. Due to the complexities of application architecture and business logic, it is sometimes almost impossible to detect vulnerabilities through automated tools, and that is where expert penetration testing consultants come in. Manual examination reveals the presence of backdoors, obfuscated parameters and manipulation of programming logic that could compromise platform integrity.

Another aspect to consider before finalizing your agreement is the nature of the testing to be carried out by the consultant. Generally there are two main testing approaches: black box and white box.

In black box testing, penetration testers act as external hackers with no inside knowledge of the target network, whereas a white box test is carried out with extensive knowledge of the target network provided to the penetration testers. This information generally includes details of network topology, IP addresses, operating system versions, application source code, etc.

The crux of all your tests, the penetration test report, will be an essential part of your future security roadmap. The report provides an abstract for key security personnel summarizing the weaknesses discovered, followed by a comprehensive description of the testing methodology adopted, the phases of implementation and an analytical review of the vulnerabilities detected. The penetration test report is the ultimate yardstick of your organization’s current security state and helps you prioritize remedial action for high-risk vulnerabilities. Maintaining the confidentiality of the report is a must.

Fortunately, with the growth of local information security professionals offering services akin to those of renowned international consultants, organizations no longer have to bring in foreign specialists at notorious rates. But before you finalize anything, make sure you have carried out background checks on the consultant’s professionalism. Look for customer testimonials and formal certifications such as CISSP, CPTS, CEH, GSEC, GCIA, GCIH and OSCP. Lastly, formulate legal agreements to ensure any vulnerability detected is kept confidential until remedial action has been taken.

Happy testing!



Copyright © Rewterz. All rights reserved.