Test All Apps to Keep Hackers from Penetrating Castle Walls

Four major challenges when protecting apps and how to solve them

Despite all the news about hackers infiltrating major corporations, most businesses continue to leave themselves woefully unprotected. Some surveys estimate more than 70% of businesses perform vulnerability tests on less than 10% of their cloud, mobile and web applications. A majority also confess they have been hacked at least once in the last two years.

While most large businesses have begun application vulnerability testing, there is still a long way to go. After all, you are only as strong as your weakest link; hackers will undoubtedly find and attack any application without sufficient defenses.

Testing and protecting only your high-value, mission-critical applications is better than doing nothing, but leaving low-priority applications unprotected is still a major risk. A single exploitable application gives an attacker a foothold inside your network, and from there they can pivot toward the rest of your infrastructure and, eventually, your high-value applications.

Major Challenges When Protecting Applications
Why, in spite of all the risks, are organizations not identifying all the vulnerabilities in their cloud, mobile and web applications? Security professionals typically point to several reasons that hold them back:

  • Limited Budget: Businesses simply don’t allocate enough money to test all applications. Whether additional headcount or technology is required, testing costs money, and most organizations do not set aside sufficient funds.
  • Lack of Expertise: Application security is still not a mature science. Even companies with the budget to hire expertise find it difficult to recruit security experts who really understand application security.
  • Compliance Focus: Most organizations are driven first by compliance requirements rather than security. So the focus is only on applications that help achieve compliance while other applications are ignored. Applications assessed for security are tested in many cases only to get a checkbox for compliance – not necessarily for sufficient security.
  • External Focus Only: One misconception about application security is that internal applications with no external interface don’t need testing. But think of insider threats. What if you have an internal human resources application with access to confidential employee information? If a less-than-ethical employee abuses a privilege or exploits a flaw in that application, they gain access to sensitive records, and your company falls out of compliance with various standards.

Recommendations for Protecting Your Business
Despite these challenges, there are practical ways to protect your business. Here are a few recommendations to identify application vulnerabilities:

  • Respect the Impact of Hacking: According to research by Forrester and the Ponemon Institute, the average cost per record in the case of a breach is at least $300. Most companies have thousands of records. And more than 75% of attacks occur through web applications.
  • Outsource: You don’t have to do everything yourself. Consider a managed service or a cloud service to help you secure your cloud, mobile and web applications quickly and affordably.
  • Create a Process: You can cut your costs by tiering your applications into a pyramid according to their business value. First inventory all your applications, then test all of them. Based on what you find, prioritize the applications that need deeper penetration testing. This way you cover every application without spending a fortune or taking too long; automated scanning and a good process can get you there quickly.
  • Manage Your Risk: You will find hundreds of vulnerabilities across your applications, and you won’t have time to fix them all. Take a risk management approach and rank each vulnerability with a quantitative score that combines how likely it is to be exploited with how much damage exploitation would do. The highest-scoring ones should be fixed right away. Everything else should be mitigated in the meantime with a web application firewall or another compensating control, with the understanding that a WAF blocks known attack patterns but does not remove the underlying flaw.
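As an added illustration of the process and risk-management steps above (example code, not Towerwall’s tooling), the Python below tiers a constructed application inventory into a testing pyramid and ranks constructed scan findings with a quantitative score. The exposure and data weights, the fix-now threshold, and the sample apps and findings are all assumptions chosen for the example. Note that the IDOR on the internal HR portal outranks the XSS on the public marketing site, which is the point made under External Focus Only: internal apps holding sensitive data are scored, not ignored.

```python
"""Tier an application inventory and triage findings by a quantitative
risk score. Added example; apps, findings and weights are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class App:
    name: str
    exposure: str   # "internet", "partner" or "internal"
    data: str       # most sensitive data it handles: "financial", "pii" or "public"


@dataclass(frozen=True)
class Finding:
    app: str
    title: str
    exploitability: float   # 0.0-1.0: how readily an attacker can exploit it
    waf_blockable: bool     # can a WAF rule neutralise the attack pattern?


# Weights are assumptions for this example; tune them to your own environment.
EXPOSURE_WEIGHT = {"internet": 1.0, "partner": 0.8, "internal": 0.6}
DATA_WEIGHT = {"financial": 1.0, "pii": 1.0, "public": 0.3}


def risk_score(app: App, finding: Finding) -> float:
    """Score 0-10 = 10 x likelihood x impact. Likelihood combines how exploitable
    the flaw is with how reachable the app is; impact follows the data at stake."""
    likelihood = finding.exploitability * EXPOSURE_WEIGHT[app.exposure]
    impact = DATA_WEIGHT[app.data]
    return round(10 * likelihood * impact, 2)


def scan_plan(apps):
    """The pyramid: every app gets an automated scan; the high-value layer
    (internet-facing, or holding regulated data even if internal) is also pentested."""
    plan = {}
    for app in apps:
        deep = app.exposure == "internet" or app.data in ("financial", "pii")
        plan[app.name] = "automated scan + manual pentest" if deep else "automated scan"
    return plan


def triage(apps, findings, fix_now_at: float = 4.0):
    """Rank findings by score and assign an action. Nothing is left unhandled:
    what is not fixed now gets a compensating control until it is."""
    by_name = {app.name: app for app in apps}
    rows = []
    for f in findings:
        score = risk_score(by_name[f.app], f)
        if score >= fix_now_at:
            action = "fix now"
        elif f.waf_blockable:
            action = "virtual-patch with WAF rule, fix in next release"
        else:
            action = "other compensating control, scheduled fix"
        rows.append((score, f.app, f.title, action))
    return sorted(rows, reverse=True)


# Constructed sample inventory and scan results.
APPS = [
    App("web-store", "internet", "financial"),
    App("hr-portal", "internal", "pii"),
    App("marketing-site", "internet", "public"),
    App("lunch-menu", "internal", "public"),
]
FINDINGS = [
    Finding("web-store", "SQL injection in product search", 0.9, True),
    Finding("hr-portal", "IDOR on employee record endpoint", 0.8, False),
    Finding("marketing-site", "Reflected XSS in contact form", 0.7, True),
    Finding("lunch-menu", "Directory listing enabled", 0.5, True),
]

if __name__ == "__main__":
    for name, depth in scan_plan(APPS).items():
        print(f"{name:15} {depth}")
    for score, app, title, action in triage(APPS, FINDINGS):
        print(f"{score:5.2f}  {app:15} {title:35} {action}")
```

The score is deliberately simple (likelihood times impact on a 0-10 scale) so that the ranking can be explained to the people who own the budget; a CVSS base score or an exploit-prediction feed can replace the hand-set exploitability number without changing the triage logic.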

Raise Your Castle Walls to Thwart Attacks
Any breach can have a severely adverse impact on your bottom line. Cloud, mobile and web application vulnerabilities are low-hanging fruit for hackers – they would rather pick these than go after the hard stuff.

Hacking, unfortunately for the rest of us, has become a lucrative profession, and intruders will continue to attack to earn their living. Whether their motive is financial gain, espionage, hacktivism or perhaps something even more pernicious, hackers will continue to fire shots until they penetrate.

Although you can’t fire back at the enemy and can’t be 100% secure, you can certainly raise the walls of your castle. This puts you in a much better position to thwart their attempts.


Written by Michelle Drolet, CEO of Towerwall
Special to Sys-con Media

This article was recently published in Sys-con Media

Towerwall Security/Malware Alert Vol 13.72

When an international law enforcement action earlier this month knocked out the Gameover botnet, one happy consequence was the takedown of the servers that the CryptoLocker ransomware needed in order to do its dirty work.

Well, any celebration over CryptoLocker’s demise is certainly premature – encrypting ransomware is alive and well.

With many victims paying up, ransomware is a lucrative business for the crooks, and CryptoLocker has inspired copycats who want in on the loot.

Cryptowall and Cryptodefense

New variants of file-encrypting ransomware called Cryptowall and Cryptodefense have been popping up since at least April 2014.

SophosLabs threat researcher Anand Ajjan says Cryptowall has the same code as Cryptodefense, and only differs in the name.

If you see a message like the one below, you’re in trouble – many, if not most, of the data files on your hard drive or any connected drives will be scrambled, and it’s simply not practicable to crack the encryption used by the crooks.

(You don’t have to pay, of course. Despite losing data, police in the New Hampshire town of Durham showed a bit of public resistance to the crooks, announcing that they were “definitely not paying any ransom.”)

The message gives instructions on how to use the Tor anonymizing proxy to access a website where you can pay to unlock your files:

[Screenshot: CryptoDefense payment instructions]

If you do go to the payment website, you come to a screen that shows a clock counting down the time you have left to pay the ransom.

Leave it too long and the price to decrypt your files doubles:

[Screenshot: CryptoWall countdown clock and doubled price]

In broken but intelligible English, the website tells you:

We are present a special software – CryptoWall Decrypter – which is allow to decypt and return control to all your encrypted files.

This website (blocked by Towerwall) includes links to payment options, and offers you the chance to “Decrypt 1 file for FREE”:

[Screenshot: CryptoWall payment page]

Unlike the crooks SophosLabs found who are trying to copy CryptoLocker but without actually encrypting your files, Cryptowall’s encryption can’t be reversed without the key.

That means if your files get locked, you either have to pay up, or “do a Durham,” and kiss your files goodbye.
According to SophosLabs, a common way of spreading Cryptowall infections is through exploit kits called RIG (also known as “Goon”) and Angler.

Exploit kits are web pages that bundle pre-packaged exploits for browser and plugin vulnerabilities; whoever operates the kit chooses the malware it delivers to unsuspecting visitors running unpatched software.

Often, one group of cybercrooks will simply “rent” exploit kit services from other cybercrooks on a pay-per-install basis.

So, whereas some ransomware attacks use social engineering in spam to trick you into downloading the malware, Cryptowall can get onto your computer just by visiting a website that is rigged up with an exploit kit, which is one more reason to keep browsers and plugins patched.
Sophos Anti-Virus (in endpoint and gateway products) detects and blocks the various components of this threat with the following names:
  • HPmal/Ransom-I: the Cryptowall/Cryptodefense malware itself.
  • Troj/ExpJS-KX: web pages containing the RIG exploit kit.
  • Mal/Generic-S and Mal/ExpJava-AF: other exploit kit pages associated with this threat.

What’s next for ransomware?

Cybercrooks are trying out new variations on the ransomware theme, including moving from Windows to mobile devices.
File-encrypting Android malware called Simplelocker encrypts files and demands a ransom, while police locker malware called Koler threatens victims with arrest if they don’t pay up.

The trend has spread to Apple devices too.

Some hackers calling themselves Oleg Pliss used stolen Apple IDs to lock iPhones, iPads and Macs through Apple’s Find My iPhone and Find My Mac feature, with a lock screen message demanding payment to restore access to your device.

Russian police arrested a pair of hackers from Moscow who pulled this trick on Russian victims, but it’s worth assuming that others may try this scam again in the future.

There’s a loophole in this iDevice ransom attack to get around paying (if you lock your device with a passcode, you can just enter it to unlock it) – but it might not be too long before the crooks figure out other methods.


How to stay safe from ransomware

In the cat-and-mouse game between hacker gangs and law enforcement agencies, the crooks are often tricky to bring to justice.

As part of the recent CryptoLocker takedown, for example, US law enforcement formally charged a Russian man called Evgeniy Mikhailovich Bogachev with fraud and racketeering offences, but so far he remains at large.


[Image: FBI wanted poster for Evgeniy Mikhailovich Bogachev]

The FBI notes rather wryly in its Cyber’s Most Wanted pages “Bogachev was last known to reside in Anapa, Russia. He is known to enjoy boating and may travel to locations along the Black Sea in his boat. He also owns property in Krasnodar, Russia.”

Nevertheless, the security industry is doing its part, and you can too.

CryptoLocker ransomware – learn what it is and how to prevent it

A new ransomware program, known as Cryptolocker, was identified recently.

Ransomware can freeze your computer and ask you to pay a fee, but Cryptolocker does more than that. It lets your computer and software keep running while it encrypts your personal files, such as documents, spreadsheets, and images. (An anti-virus tool can remove the malware itself, but removal does not decrypt the files it has already scrambled.)

The only copy of the decryption key is then saved on the criminals’ server. Your files cannot be accessed without the key.

The criminals then give you 72 hours to pay a $300 fee for the key.

Each key is unique to every computer. You cannot take someone else’s key to unlock your files.
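Because the files cannot be recovered without the criminals’ key, the practical controls are offline backups and catching mass encryption early. The Python below is an added example (not Towerwall, Sophos or CryptoLocker code) of a host-side sweep that flags data files whose bytes look like ciphertext: typed files such as JPEGs and Office documents whose magic bytes have been overwritten, text files whose entropy is far above that of prose, and dropped ransom-note-style files. The extension lists, entropy threshold, note-name markers and the temporary sample tree it builds are all assumptions constructed for the example.

```python
"""Sweep a directory for files that look like ransomware output.
Added example; thresholds and the sample tree are constructed."""
import math
import os
import tempfile
from collections import Counter

# Typed files are checked by their magic bytes: encryption overwrites the
# header, so a .jpg that no longer starts with FF D8 FF has been scrambled.
MAGIC = {
    ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff", ".png": b"\x89PNG",
    ".pdf": b"%PDF", ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04",
}
# Text files have no header; judge them by entropy. Prose runs around
# 4-5 bits per byte, ciphertext close to 8. The 6.5 cut-off is an assumption.
TEXT_EXTS = {".txt", ".csv", ".md", ".log"}
TEXT_ENTROPY_LIMIT = 6.5
# Name fragments typical of dropped ransom notes (assumed pattern, not a signature).
NOTE_MARKERS = ("decrypt", "restore", "ransom")
NOTE_EXTS = {".txt", ".html", ".url"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path: str, sample_bytes: int = 65536) -> str:
    """Return 'note', 'scrambled', 'ok' or 'skip' (type not checked) for one file."""
    name = os.path.basename(path).lower()
    ext = os.path.splitext(name)[1]
    if ext in NOTE_EXTS and any(marker in name for marker in NOTE_MARKERS):
        return "note"
    with open(path, "rb") as f:
        head = f.read(sample_bytes)
    if ext in MAGIC:
        return "ok" if head.startswith(MAGIC[ext]) else "scrambled"
    if ext in TEXT_EXTS:
        if len(head) < 64:           # too short to judge by entropy
            return "ok"
        return "scrambled" if shannon_entropy(head) > TEXT_ENTROPY_LIMIT else "ok"
    return "skip"


def sweep(root: str) -> dict:
    """Walk root and tally verdicts. A high share of scrambled data files, or
    any ransom note, is the signal that encryption is under way or complete."""
    verdicts = {"ok": [], "scrambled": [], "note": [], "skip": []}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            verdicts[classify(path)].append(os.path.relpath(path, root))
    checked = len(verdicts["ok"]) + len(verdicts["scrambled"])
    ratio = len(verdicts["scrambled"]) / checked if checked else 0.0
    return {
        "scrambled": sorted(verdicts["scrambled"]),
        "notes": sorted(verdicts["note"]),
        "scrambled_ratio": ratio,
        "alert": ratio >= 0.5 or bool(verdicts["note"]),
    }


def build_demo_tree() -> str:
    """Constructed sample: intact files, scrambled copies and a ransom note."""
    root = tempfile.mkdtemp(prefix="ransom-demo-")

    def put(name, data):
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)

    put("holiday.jpg", b"\xff\xd8\xff\xe0" + bytes(range(256)) * 8)  # header intact
    put("notes.txt", b"quarterly figures, see attached spreadsheet\n" * 20)
    put("setup.exe", b"MZ" + bytes(64))                               # type not checked
    put("holiday-2.jpg", os.urandom(4096))     # header gone: ciphertext
    put("notes-2.txt", os.urandom(4096))       # random bytes, entropy near 8
    put("report.docx", os.urandom(4096))       # no PK zip header
    put("DECRYPT_INSTRUCTION.TXT", b"Your files are encrypted. Pay to get the key.\n")
    return root


if __name__ == "__main__":
    print(sweep(build_demo_tree()))
```

Magic-byte checks are used for the typed files on purpose: JPEGs, PDFs and Office documents are already compressed and score nearly as high on entropy as ciphertext, so entropy alone would flag every intact photo. Run on a file share or a user profile, the sweep is a cheap after-the-fact check; wiring it to a file-change monitor turns it into an early warning while the malware is still working through the drive.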


Contact Towerwall for more information on how to protect your data from Cryptolocker and other ransomware. 774-204-0700

Towerwall Security/Malware Alert Vol 13.71

GameOver Zeus P2P Malware

Original release date: June 02, 2014

Systems Affected

Microsoft Windows 95, 98, Me, 2000, XP, Vista, 7, and 8
Microsoft Server 2003, Server 2008, Server 2008 R2, and Server 2012

Overview

GameOver Zeus (GOZ), a peer-to-peer (P2P) variant of the Zeus family of bank credential-stealing malware identified in September 2011, [1] uses a decentralized network infrastructure of compromised personal computers and web servers to execute command-and-control. The United States Department of Homeland Security (DHS), in collaboration with the Federal Bureau of Investigation (FBI) and the Department of Justice (DOJ), is releasing this Technical Alert to provide further information about the GameOver Zeus botnet.

Description

GOZ, which is often propagated through spam and phishing messages, is primarily used by cybercriminals to harvest banking information, such as login credentials, from a victim’s computer. [2] Infected systems can also be used to engage in other malicious activities, such as sending spam or participating in distributed denial-of-service (DDoS) attacks.

Prior variants of the Zeus malware utilized a centralized command and control (C2) botnet infrastructure to execute commands. Centralized C2 servers are routinely tracked and blocked by the security community. [1] GOZ, however, utilizes a P2P network of infected hosts to communicate and distribute data, and employs encryption to evade detection. These peers act as a massive proxy network that is used to propagate binary updates, distribute configuration files, and to send stolen data. [3] Without a single point of failure, the resiliency of GOZ’s P2P infrastructure makes takedown efforts more difficult. [1]

Impact

A system infected with GOZ may be employed to send spam, participate in DDoS attacks, and harvest users’ credentials for online services, including banking services.

Solution

Users are recommended to take the following actions to remediate GOZ infections:

Use and maintain anti-virus software – Anti-virus software recognizes and protects your computer against most known viruses. It is important to keep your anti-virus software up-to-date (see Understanding Anti-Virus Software for more information).

Change your passwords – Your original passwords may have been compromised during the infection, so you should change them (see Choosing and Protecting Passwords for more information).

Keep your operating system and application software up-to-date – Install software patches so that attackers can’t take advantage of known problems or vulnerabilities. Many operating systems offer automatic updates. If this option is available, you should enable it (see Understanding Patches for more information).

Use anti-malware tools – Using a legitimate program that identifies and removes malware can help eliminate an infection. Users can consider employing a remediation tool (examples below) that will help with the removal of GOZ from your system.

Sophos

http://www.sophos.com/VirusRemoval (Windows XP (SP2) and above)

F-Secure

http://www.f-secure.com/en/web/home_global/online-scanner (Windows Vista, 7 and 8)

http://www.f-secure.com/en/web/labs_global/removal-tools/-/carousel/view/142 (Windows XP)

Heimdal

http://goz.heimdalsecurity.com/ (Microsoft Windows XP, Vista, 7, 8 and 8.1)

Microsoft

http://www.microsoft.com/security/scanner/en-us/default.aspx (Windows 8.1, Windows 8, Windows 7, Windows Vista, and Windows XP)

Symantec

http://www.symantec.com/connect/blogs/international-takedown-wounds-gameover-zeus-cybercrime-network (Windows XP, Windows Vista and Windows 7)

Trend Micro

http://www.trendmicro.com/threatdetector (Windows XP, Windows Vista, Windows 7, Windows 8/8.1, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2)

The above are examples only and do not constitute an exhaustive list. The U.S. Government does not endorse or support any particular product or vendor.

GOZ has been associated with the CryptoLocker malware. For more information on this malware, please visit the CryptoLocker Ransomware Infections page.

Watch Cryptolocker in action:

https://www.youtube.com/watch?v=Gz2kmmsMp