The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article.

In a world where you can scan the veins in your hand to unlock a smartphone, how do you maintain control over personal data? Biometric authentication, the use of distinctive human features like iris patterns, fingerprints and even gait in lieu of a password, is gaining ground in the tech world.

Proponents tout its inherent, hard-to-replicate qualities as a security benefit, while detractors see the same features as an invasion of privacy. Both sides may be right.

The problems with biometrics

Unlike a password, you can’t forget your face at home. But also, unlike a password, you can’t reset your face — meaning you’re out of luck if someone steals a photo of it.

In 2016, a biometrics researcher helped investigators hack into a murder victim’s phone with only a photo of the man’s fingerprint. While security systems are getting more advanced all the time, current technology also allows cybercriminals to run wild with a single piece of biometric data, accessing everything from laptop logins to bank accounts.

By its very nature, biometric authentication requires third parties to store biometric data. What happens if the information is exposed?

In addition to potential hacking, breaching people’s personal data might reveal something they’d rather keep private. Vein patterns could reveal that a person has a vascular disorder, raising their insurance premiums. Fingerprints could expose a chromosomal disease.

True, people give this same information to their doctors, and a medical data breach could have the same repercussions. But handing off biometric data to a commercial company — which isn’t bound by HIPAA or sworn to do no harm — is a much grayer area.

Other issues that occasionally plague biometric authentication are injuries and natural bodily changes. A single paper cut can derail a fingerprint scanner, and an aging eye throws iris scanners for a loop. People will have to update their photos every few years to remind the system what they look like.

Some facial recognition programs can even predict how long a person will live. Insurance companies have expressed interest in getting hold of this data, since the way a person ages says a lot about their health. If stolen biometric data fed into an algorithm predicts a person won’t make it past 50, will their employer pass them up for a promotion?

In the event of an accident, your family won’t easily be able to access your accounts if you use biometric authentication, since it’s not as simple as writing down a list of passwords. Maybe that’s a good thing — but maybe not.

Another ethical dilemma with biometric data use is identifying people without their consent. Most people are used to being on camera at the grocery store, but if that same camera snaps a photo without permission and stores it for later retrieval, they probably won’t be too happy.

Some people point out that you have no right to privacy in a public space, and that’s true — to an extent. But where do you draw the line between publicity and paparazzi? Is it OK to snap a stranger’s photo while you’re talking to them, or is that considered rude and intrusive?

The benefits of biometric data

Of course, no one would be handing off a photo of their face if the technology was good for nothing.

It’s quick, easy, and convenient to log into your phone by putting your thumb on the home button. Though it’s possible for a hacker to find a picture of your thumbprint, they’d also have to snag your phone along with it to log in, essentially having to bypass a two-factor authentication system. Who has time for that just to steal a reel of cat photos?

Hackers also can’t brute-force their way into guessing what your face looks like. Letter and number combinations are finite, but the subtle variations of the human body are limitless. Nobody can create a program to replicate your biometric data by chance. Consequently, biometric authentication is an extremely strong security measure.

Police can also use biometric analysis to get criminals off the streets. Unlike a human with questionable accuracy, a camera is a reliable witness. It’s not perfect, of course, but it’s much better than asking shaken crime victims for a description of who mugged them. Smart cameras equipped with facial recognition can prevent wrongful detainments and even acquit people who would otherwise languish in jail.

The flip side is that facial recognition does occasionally get it wrong — people have been arrested for crimes they didn’t commit thanks to camera footage of a lookalike. As camera technology improves, hopefully the incidence of people being wrongfully accused will lessen. But for the few outliers who still get misidentified, the consequences can be grave.

Facing the facts

Ultimately, people will have to decide for themselves if they’re comfortable using biometric technology. You probably won’t encounter any problems using biometric authentication to access your phone or laptop, and it can vastly improve your security. The bigger ethical debate is in how third parties can use publicly available data — whether legal or leaked — to further their own gains. In the meantime, just know that your face is probably already in a database, so keep an eye out for doppelgangers.

The post The ethics of biometric data use in security appeared first on Cybersecurity Insiders.

This blog was jointly written with David Maimon, Professor at Georgia State University.

Website defacement

Websites are central to business operations but are also the target of various cyber-attacks. Malicious hackers have found several ways to compromise websites, with the most common attack vector being SQL injection: the act of injecting malicious SQL code to gain unauthorized access to the server hosting the website. Once on the server, the hacker can compromise the target organization's website, and vandalize it by replacing the original content with content of their own choosing. This criminal act is referred to as website defacement. See Figure 1 for examples of past website defacements.

Figure 1. Examples of past website defacements.

While the act of vandalizing a website may seem trivial, it can be devastating for the victimized entities. If an e-commerce site is publicly compromised, for example, the business suffers direct and indirect financial loss. The direct losses can be measured by the amount of revenue that would have been generated had the website not been compromised, and by the time and money spent to repair the damaged site. Indirect losses occur because of reputational damage. Potential customers may be deterred from providing their banking information to an organization portrayed and perceived as incapable of protecting their assets.

Threat actors

Unlike most forms of hacking, website defacement has a public-facing component. Assailants are eager to get credit for their success in compromising websites and are notorious for bragging about their exploits across various platforms, including general social media (e.g., Facebook, Twitter, YouTube, etc.) and hacking-specific sites. The most popular platform on which hackers report successful defacements is Zone-H. Users of the platform upload evidence of their attack, and once the attack is verified by the site’s administrators, it is permanently housed in the archive and viewable on Zone-H’s webpage. Zone-H is the largest hacking archive in the world: over 15 million attacks have been verified by Zone-H thus far, with over 160,000 unique active users. The archive, as depicted in Figure 2, includes the hackers’ moniker, the attacked website's domain name, and an image of the defacement content (resembling the images depicted in Figure 1).

Figure 2. Zone-H: The largest hacking archive in the world.

Hackers tend to use the same moniker across platforms to bolster the reputation and status of their online identity, which allows for the gathering of digital artifacts and threat intelligence pertinent to the attack and attacker, respectively. Indeed, we have been systematically gathering data on active malicious hackers who report their successful defacements to Zone-H since 2017 and, in doing so, have uncovered several interesting findings that shed light on this underground community. For example, and in direct contrast to Hollywood’s stereotype of the lone actor, we observed an interconnected community of hackers who form teams and develop their skills through collaboration and camaraderie. We also found variation in hackers’ attack frequency: some hackers are extremely prolific and can be classified as persistent threats, while others only engage in a few attacks before disappearing. These findings served as motivation for this study.

Criminal trajectories

Recently, we built an analytic model capable of predicting which new hackers will become persistent threats at the onset of their criminal career. The study began by identifying 241 new hackers on the Zone-H archive. We then tracked each of these hackers for one year (52 weeks) following their first disclosed website defacement. We recorded their total number of attacks, extracted and analyzed content from their defacements, and gathered open-source intelligence from a litany of social media and hacking sites. In total, the 241 hackers in our study defaced 39,428 websites within the first year of their hacking career. We identified 73% of our sample on a social media site and found that 50% also report their defacements to other hacking archives. Finally, we extracted and analyzed the content of each new hacker's first defacement and found that 39% of hackers indicated involvement with a hacking team, 12% posted political content, and 34% left their contact information directly on the compromised site. 

To plot trajectories, we had to first disaggregate the dataset to determine whether each of the hackers in our sample defaced at least one website each week for the 52 weeks following their first defacement. Upon completion, we employed latent group-based trajectory modeling to determine if, and how many, unique criminal trajectories exist. Results are presented in Figure 3. We found that new hackers follow one of four patterns: low threat (28.8%), naturally desisting (23.9%), increasingly prolific (25.8%), and persistent threat (21.5%). Hackers classified as low threat (blue line) engage in very few defacements and do not increase their attack frequency within one year of their first attack. Those labeled as naturally desisting (red line) begin their careers with velocity, but this is short-lived. Conversely, those classified as increasingly prolific (green line) engage in more attacks as they advance in their criminal careers. Finally, those deemed as persistent threats (yellow line) begin their careers with velocity and remain prolific. To our knowledge, we are the first to plot the trajectories of new malicious hackers.

Figure 3. The one-year trajectory of new malicious hackers.
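The disaggregation step described above, as an added example that is not part of the original study's code: it turns a list of (moniker, date) defacement records into the 52-week presence vectors that group-based trajectory modeling takes as input, and computes the per-week share of the cohort that was active (the quantity a trajectory plot draws). The records and monikers are constructed placeholders, not Zone-H data.

```python
from datetime import date
from typing import Dict, List, Tuple

WEEKS = 52  # follow each hacker for 52 weeks after their first defacement

# Constructed sample records: (hacker moniker, date the defacement was reported).
# Placeholder monikers; no real Zone-H data is used.
SAMPLE_DEFACEMENTS: List[Tuple[str, date]] = [
    ("actor_a", date(2022, 1, 3)), ("actor_a", date(2022, 1, 5)),
    ("actor_a", date(2022, 1, 20)),
    ("actor_b", date(2022, 3, 1)), ("actor_b", date(2022, 3, 2)),
    ("actor_b", date(2022, 3, 9)), ("actor_b", date(2022, 6, 30)),
    ("actor_b", date(2023, 4, 1)),   # beyond the 52-week window: ignored
]


def _group_by_actor(records) -> Dict[str, List[date]]:
    by_actor: Dict[str, List[date]] = {}
    for moniker, day in records:
        by_actor.setdefault(moniker, []).append(day)
    return by_actor


def weekly_activity(records) -> Dict[str, List[int]]:
    """Return {moniker: 52-element list}; element w is 1 if the hacker defaced
    at least one site during week w after their first disclosed defacement."""
    out: Dict[str, List[int]] = {}
    for moniker, days in _group_by_actor(records).items():
        first = min(days)
        vec = [0] * WEEKS
        for day in days:
            w = (day - first).days // 7      # week index relative to career start
            if 0 <= w < WEEKS:
                vec[w] = 1
        out[moniker] = vec
    return out


def attacks_in_first_year(records) -> Dict[str, int]:
    """Total defacements per hacker within 52 weeks (364 days) of their first."""
    return {
        m: sum(1 for d in ds if (d - min(ds)).days < WEEKS * 7)
        for m, ds in _group_by_actor(records).items()
    }


def cohort_weekly_rate(records) -> List[float]:
    """Fraction of the cohort active in each career week (what Figure 3 plots
    per trajectory group; here for the whole sample, since the grouping step
    itself is the statistical model and is not reproduced)."""
    vectors = list(weekly_activity(records).values())
    if not vectors:
        return [0.0] * WEEKS
    return [sum(v[w] for v in vectors) / len(vectors) for w in range(WEEKS)]
```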

After plotting the trajectories, we employed a series of regression models to determine if open-source intelligence and digital artifacts can be used to predict the evolution of a new hacker's criminal career. Contrary to our expectation, we found that politically driven hackers have increased odds of naturally desisting. While these hackers may engage in a high number of attacks at the onset of their career, this is short-lived. We suspect eager new hacktivists simply lose sight of, or get bored with, their cause. Conversely, new hackers who post their contact information directly to the compromised site have decreased odds of naturally desisting. Tagging a virtual crime scene with contact information is a bold move. We suspect these hackers are rewarded for their boldness and initiated into the hacking community, where they continue defacing websites alongside their peers.

Different patterns emerged when predicting who will become a persistent threat. We found that social media engagement and reporting defacement activity to other platforms increase the odds of being a persistent threat. This may boil down to commitment: hackers committed to building their brand by posting on multiple platforms are also committed to building their brand through continual and frequent defacement activity. The most interesting, yet also intuitive, patterns emerge when predicting who will become increasingly prolific. We found that hackers who report to other platforms and indicate team involvement engage in more attacks as they progress in their career. Joining a hacking team is a valuable educational experience for a new hacker. As a novice hacker learns new skills, it is no surprise they demonstrate their capabilities by defacing more websites.

Taken together, these findings offer insight into the development of proactive cybersecurity solutions. We demonstrate that open-source intelligence can be used to predict which hackers will become persistent threats. Upon identifying high-risk hackers, we believe the next logical step is to launch early intervention programs aimed at redirecting their talent toward something more constructive. Recruiting young hackers for cybersecurity positions could create a safer cyberspace by filling the nation’s skills shortage while simultaneously removing persistent threat actors from the equation.

Acknowledgements

This work was conducted alongside several members of the Evidence-Based Cybersecurity Research Laboratory. We thank Cameron Hoffman and Robert Perkins for their continual involvement on the hacking project. For more information about our team of researchers and this project visit https://ebcs.gsu.edu/. Follow @Dr_Cybercrime on Twitter for more cutting-edge cybersecurity research.

The post Predicting which hackers will become persistent threats appeared first on Cybersecurity Insiders.


Amazon Web Services (AWS) is home to almost a third of the world’s cloud clients and boasts huge cyber security features; yet, even Amazon is not immune to attack. The provider has been beset with outages this year, with industry authority Network World highlighting the recent Ohio outage, which lasted 75 minutes, as being of particular interest. While the reasons behind these outages will remain a closely guarded secret, they nevertheless raise the discussion of cyber-attacks. Could malicious actors have been responsible? What level of protection is available behind the scenes, and how far ahead of the game is Amazon? Finally, is AWS up to scratch for the next generation of web users?

Making the balance

AWS is an affordable option, but it nevertheless comes with overhead. With belts being tightened all over the USA and the rest of the world, businesses will necessarily be looking towards their web usage to try and generate new savings. For most businesses, optimizing AWS expenses is an effective way to do this, but it’s crucial to find those efficiencies in the right areas.

One area not to cut back on is cybersecurity. AWS is famed for its built-in security, and, as the internet society W3 highlights, that security works at scale. Leaving that in place is crucial. Instead of looking to economize on security, businesses should seek efficiencies by changing their billing profile, for instance by choosing between quota-based demand systems and more flexible plans that better suit the business. Cutbacks should be driven by demand and business priorities, not by trimming security.

Extra layers of protection

There is a strong track record of data protection within AWS, but not necessarily within the wider Amazon setup. Indeed, as one Wired investigation showed, consumer data held in the same data centers as AWS assets has been compromised. However, this was not through attacks but through unauthorized internal access.

As such, adding extra layers of protection onto the business side, and making use of enhanced security packages offered by AWS can ensure that data has multiple key levels of protection. This helps ensure that attacks are minimized and any successful breaches are managed immediately.

Ask for the best

Cyberattacks have been ramping up across the world, according to CNBC. As a result, Amazon and Microsoft have been hoovering up cybersecurity solutions and contractors in order to shore up their own defenses for AWS and Azure respectively.

This may result in new solutions being integrated into the AWS system and made available to customers – and you should be proactive in asking for these protections. It’s important that products are well tested and deployed, of course, to ensure their quality, but being at the forefront of the cybersecurity vanguard within AWS will give your business an extra layer of quality and also help to build your reputation as a forward-thinking and well protected enterprise. This can be absolutely crucial in the world of business, especially with cyberattacks becoming ever more frequent.

Data is the lifeblood of the business – when you protect it you protect the sustainability of the business and your future success. AWS does a lot to help with security, but no solution is without its flaws. As such, take a proactive approach to security measures within AWS, and constantly seek to apply new standards to gain advantage against cyber criminals and help to build your reputation as a forward-thinking business. These approaches are crucial in the ongoing fight against cyber-crime.

The post Working with AWS to secure your data against attack appeared first on Cybersecurity Insiders.


Most, if not all, industries are evolving on a digital level heading into 2023 as we take the journey to edge computing. But the automotive industry is experiencing technological innovation on another level. A rise in the production of connected vehicles, new autonomous features, and software that enables cars to self-park and self-drive are great examples of the digital evolution taking the automotive industry by storm. 

According to the AT&T 2022 Cybersecurity Insights (CSI) Report, 75% of organizations plan to implement edge security changes to help mitigate the kind of risks that affect cars, trucks, fleets, and other connected vehicles and their makers. And for a good reason.

These automotive features and advancements have offered cybercriminals an array of new opportunities when it comes to cyberattacks. There are several ways that threat actors are targeting the automotive industry, including tried and true methods and new attack vectors. 

In this article, you’ll learn about the top 8 cybersecurity threats facing the automotive industry heading into 2023 and what the industry can do to prevent threats. 

Automotive Cybersecurity threats

As autos increasingly come with connectivity features, remote threats are more likely. A recent report revealed that 82% of attacks against the automotive industry (including consumer vehicles, manufacturers, and dealerships) were carried out remotely. Plus, half of all vehicle thefts involved keyless entry. 

Automakers, dealers, and consumers play a role in automotive cybersecurity. But as the industry continues to adopt connected technologies, it will become increasingly important that organizations take a proactive approach to cybersecurity. 

When it comes to automotive threats, there are countless methods that hackers use to steal vehicles and driver information and cause problems with the vehicle’s functioning. 

Let’s explore the top 8 cybersecurity threats facing the automotive industry this year.

Keyless car theft

As one of the most prominent threats, keyless car theft is a major concern for the automotive industry. Key fobs today give car owners the ability to lock and unlock their doors by standing near their vehicle and even start their car without the need for a physical key. 

Autos enabled with keyless start and keyless entry are prone to man-in-the-middle attacks that can intercept the data connection between the car and the key fob itself. Hackers take advantage of these systems to bypass authentication protocols by tricking the components into thinking they are in proximity. Then the attacker can open the door and start the vehicle without triggering any alarms. 

EV charging station exploitation

Electric vehicles are becoming more popular as the globe transitions to environmental technologies. Charging stations allow EV owners to charge their vehicles in convenient locations such as public parking lots, parks, and even their own garages. 

When you charge an EV at a charging station, data transfers between the car, the charging station, and the company that owns the device. This data chain presents many ways threat actors can exploit an EV charging station. Malware, fraud, remote manipulation, and even disabling charging stations are all examples of ways hackers take advantage of EV infrastructure. 

Infotainment system attacks

Modern cars require over 100 million lines of code to operate. Most of that code goes into the vehicle’s firmware and software that allows navigation, USB, CarPlay, SOS functions, and more. These infotainment systems also provide criminals an open door to an automobile’s ECU, endangering lives and compromising control of the vehicle. 

There are many code vulnerabilities that manufacturers need to look out for, and as infotainment systems continue to become more complex and sophisticated, there will be even more vulnerabilities to uncover. 

Brute force network attack

Another common attack type that affects the automotive industry is the good old-fashioned brute force network attack. Many of the threats that face connected and automated vehicles and businesses in the automotive industry are similar to common cloud security threats, but that doesn’t make them any less damaging.

Brute force attacks are tried and true cyberattacks that target a network with the goal of cracking credentials. In the automotive industry, the brute force attack can have far-reaching impacts. Manufacturers, dealers, and owners can all become victims of this type of attack. When credentials become compromised, entire systems can easily become the target of sophisticated attacks that can end in faulty firmware, large-scale data leaks, and vehicle theft. 

Phishing attacks

Another way that hackers can obtain the credentials to enter a target network is through social engineering attacks such as phishing. The attacker will send automotive company employees an email where they pose as a trusted sender, complete with official-looking HTML and signature. Sometimes the attacker will ask for the credentials outright, but usually, attackers will place a link with malicious code in the email. 

When the receiver clicks the link, the malicious code is executed, and the cybercriminal can roam freely in the target system, access sensitive data, and perform further attacks from the inside. 

Compromised aftermarket devices

Insurance dongles, smartphones, and other third-party connected devices also pose a cybersecurity threat to the automotive industry. These aftermarket devices are connected directly to vehicle systems, offering hackers another way to launch an attack. 

This threat also leaves much to consider for those that want to buy a used car. Many people choose to sell or trade used cars through car dealerships, where consumers can find a deal on a previously owned vehicle. Connected devices can leave malware and backdoors in the auto’s system, putting the next owner at risk, too. 

Ransomware

Ransomware is one of the most pervasive threats in tech today. Unfortunately, the automotive industry is no exception. Ransomware is a significant threat to the vehicle industry, including OEMs, consumers, and dealers. 

A threat actor can hold an organization’s data hostage in exchange for a significant ransom. Without the right credit protection services, automotive businesses can find themselves in financial trouble. These attacks affect IT systems and operations and can cause expensive shutdowns.

Automotive supply chain attacks

The auto industry utilizes a complex supply chain to source the components that are used to build new vehicles, perform repairs, and provide services. This supply chain presents a huge risk to the industry, as each connected endpoint is a vulnerability waiting to happen. 

But supply chain attacks can trickle down to consumers as well. Updates containing malicious code can be pushed to connected cars, bad actors can compromise firmware, and malware can put supplier operations to a complete halt. 

How the industry can keep automotives secure

Cybersecurity should be a central goal throughout the automotive lifecycle. But it’s also important that automakers improve their cybersecurity expertise to monitor connected and automated vehicles on the road. 

The National Highway Traffic Safety Administration (NHTSA) recently released its recommended cybersecurity best practices for modern vehicles to help strengthen the underlying data architecture of vehicles and protect against potential attacks.

They say that the automotive industry should follow the cybersecurity framework from the National Institute of Standards and Technology (NIST) that focuses on five key functions: identify, protect, detect, respond, and recover. The NHTSA recommendations for vehicles are based on the NIST framework but written specifically for the automotive industry. 

And finally, the Federal Trade Commission (FTC) has also established regulations for connected and automated vehicles. Under the new Safeguards Rule, dealers are expected to meet cybersecurity compliance for their organizations and vehicles by June 2023. 

Final thoughts

Automotive manufacturers, sellers, consumers, suppliers, repairers, and all others in the industry play a critical role in improving the security of connected vehicles in 2023 and beyond. Learn more about how to defend your network from critical incidents. 

The post The top 8 Cybersecurity threats facing the automotive industry heading into 2023 appeared first on Cybersecurity Insiders.

AT&T Cybersecurity received the Palo Alto Networks 2022 Partner of the Year Award for its managed security services at the annual Palo Alto Networks Ignite 2022 conference. The awards are presented to an elite group of Palo Alto Networks partners that have excelled in performance, enablement, and engagement over the past year.

In an era where security collaboration continues to grow in importance, AT&T Cybersecurity stressed the significance of its relationship with Palo Alto Networks. Danessa Lambdin, President of AT&T Cybersecurity explains:

As one of the largest MSSPs in the world, we are in a unique position to help secure innovation at scale and bring those lessons learned to our broader customer base. Our technology alliances are a fundamental part of evolving our cybersecurity services to meet our customer needs today and tomorrow. AT&T has long worked with Palo Alto Networks, building new services atop their technology platforms to meet tomorrow's security challenges, especially as customers move to the cloud and edge.

By maintaining a strong relationship with Palo Alto Networks, AT&T Cybersecurity is able to provide cutting-edge security products while leveraging its managed services to make security more accessible by offering trainings, consulting, and management. Don Jones, senior vice president of Ecosystems at Palo Alto Networks, states:

Palo Alto Networks partners share our vision of a world where each day is safer and more secure than the one before. Now more than ever, a trusted ecosystem of partners is essential to enabling organizations to easily, more confidently, and more securely transform. We’re proud to recognize AT&T Cybersecurity as Palo Alto Networks 2022 Partner of the Year and we look forward to our continued work together helping mutual customers achieve better security outcomes.

AT&T Cybersecurity combines cybersecurity with consulting services to help organizations meet their network transformation goals. With AT&T’s support, overcome resource obstacles and ease the burden on short-staffed, in-house teams by working with AT&T’s cyber experts to identify and understand cybersecurity risks and exposures, thereby making it safer for businesses to innovate through network resiliency.

For more information on AT&T Cybersecurity please visit this page. For more information on Palo Alto Networks, please visit this page.

The post AT&T Cybersecurity awarded the Palo Alto Networks 2022 Partner of the Year Award appeared first on Cybersecurity Insiders.

Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Extended Detection and Response customers. 

Executive summary

Since mid-June 2022, AT&T Managed Extended Detection and Response (MXDR) Security Operations Center (SOC) observed an enormous number of attacks from Mirai botnet-C2 attempting to gain access to SSH servers instead of Telnet.

Due to the various tactics, techniques, and procedures (TTPs) observed, this attack has been associated with the RapperBot botnet (a Mirai variant). RapperBot’s ultimate goal is still unknown.

According to the analysis that was published by FortiGuard Labs, while the majority of Mirai variants can naturally brute force Telnet servers that use default or weak passwords, RapperBot in particular scans and attempts to brute force SSH servers that are designed to require password authentication.

A large part of the malware implements an SSH 2.0 client that is able to connect to and brute force any SSH server using Diffie-Hellman key exchange with 768-bit or 2048-bit keys and data encryption using AES128-CTR. A unique characteristic of brute forcing in RapperBot is the use of SSH-2.0-HELLOWORLD to identify itself to the targeted SSH server during the SSH protocol exchange phase.
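The identification string quoted above is the first line a client sends in the SSH protocol exchange, so it is a cheap thing to watch for in packet captures or verbose sshd logs. The parser below is an added example, not code from the original post or from FortiGuard Labs: it splits a client identification line into its RFC 4253 parts (protocol version, software version, optional comment) and flags the watchlisted software version. The sample lines and the watchlist set are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# RFC 4253 section 4.2 identification line:
#   SSH-protoversion-softwareversion SP comments CR LF
# Assumption: the line is matched whole, as captured on the wire (CR LF optional
# so that lines copied from a log without line endings still parse).
_IDENT_RE = re.compile(
    r"^SSH-(?P<proto>[0-9.]+)-(?P<software>[^ \r\n]+)(?: (?P<comments>[^\r\n]*))?\r?\n?$"
)

# Constructed watchlist: the client banner the post attributes to RapperBot.
SUSPICIOUS_SOFTWARE = {"HELLOWORLD"}


def parse_ssh_ident(line: str) -> Optional[Dict[str, str]]:
    """Parse an SSH identification line; return None if it is not one
    (e.g. an HTTP request aimed at port 22 by a confused scanner)."""
    m = _IDENT_RE.match(line)
    if not m:
        return None
    return {
        "proto": m.group("proto"),
        "software": m.group("software"),
        "comments": m.group("comments") or "",
    }


def is_suspicious_client(line: str) -> bool:
    """True when the line is a valid SSH 2.0 banner whose software version is watchlisted."""
    ident = parse_ssh_ident(line)
    return ident is not None and ident["proto"] == "2.0" and ident["software"] in SUSPICIOUS_SOFTWARE


# Constructed client identification lines as a capture tool might show them.
SAMPLE_BANNERS: List[str] = [
    "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1\r\n",
    "SSH-2.0-HELLOWORLD\r\n",
    "SSH-2.0-PuTTY_Release_0.78\r\n",
    "GET / HTTP/1.1\r\n",
]


def triage_banners(lines: List[str]) -> List[str]:
    """Return the software versions of every watchlisted client banner in the input."""
    hits = []
    for line in lines:
        if is_suspicious_client(line):
            hits.append(parse_ssh_ident(line)["software"])
    return hits
```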

One of the malicious Mirai botnet IP addresses had allowed network traffic with an asset in an organization over SSH port 22. After some data transfer, the session closed with a client-reset. The MXDR SOC team quickly identified the activity and recommended mitigation steps to prevent lateral movement and any further progress by the attacker.

Investigation

RapperBot execution flow

Initial alarm review

Indicators of Compromise (IOC)

The alarm was initiated by multiple Open Threat Exchange (OTX) pulses (Miraibotnet-C2- CDIR Drop List) and an OTX indicator of a known malicious IP. There was network traffic between the known malicious IP and a public IP of an internal asset in an organization. The network traffic was over SSH port 22, and the security system (firewall) action was a deny. The firewall deny action was evidence of auto-mitigation. In this case, auto-mitigation means the attack is prevented by firewall rules and threat intelligence denying the connection from the malicious IP.

However, further analysis of the events showed that the traffic was allowed from the malicious IP to another internal asset. In addition, there were signs of data transfer from the source IP: “sentbyte=1560, rcvdbyte=2773, sentpkt=15, rcvdpkt=13”.

** Risk mitigation in cybersecurity is the reduction of the overall risk and impact of cyberattacks. Detection, prevention, and remediation are its three components.

Suspicious behavior

Expanded investigation

Events search

After reviewing the events associated with the alarm, the team always checks the wider environment to see whether the malware penetrated further or attempted any lateral movement.

The team searched events by pivoting on the indicator IP over the past 90 days, filtered to the security system (firewall) allowed action types. This showed a few connections from the malicious IP to different internal assets, ending with client-rst, server-rst, timeout, and closed events.

Client-rst – Session reset by client, Server-rst – Session reset by server

These are session-end reasons recorded in the traffic logs: they show which side sent the TCP (Transmission Control Protocol) reset that terminated the session. They do not mean the security system (firewall) blocked the traffic. A session was established between client and server and then torn down by whichever side sent the reset.

The team suspected that the system might be compromised because the session was reset from the client side (the adversary's side) and was closed only after a large number of packets had been transmitted.

Rapperbot events

Event deep dive

Further examination of the allowed connections showed traffic between the malicious IP and the customer security system (firewall) over SSH port 22. SSH runs over TCP, so before any data can be transferred the two ends must establish a reliable connection with the TCP three-way handshake.

The first two packets of the handshake (SYN and SYN-ACK) carry TCP options, so their headers are somewhat larger, roughly 24 bytes, than the 20-byte header of an ordinary segment. Establishing a connection takes just three packets, so a bare handshake amounts to only about 128-136 bytes in total.

The session's byte and packet counts (1560 bytes in 15 packets sent, 2773 bytes in 13 packets received) are far larger than a three-way handshake and teardown, so the session carried application data. The team read this as an indication of a payload or compromised credentials. One caveat: an SSH connection that completes its key exchange and makes a few password attempts also produces a few kilobytes in each direction, so byte counts alone do not distinguish a brute-force attempt from a payload download.
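The reasoning above can be turned into a triage routine. As an added example (not code from the original post), the Python below parses FortiGate-style key=value traffic log lines, constructed here to mirror the sentbyte/rcvdbyte/sentpkt/rcvdpkt fields quoted earlier, separates sessions from an indicator IP that the firewall denied from those it allowed, and flags allowed sessions whose packet and byte counts exceed what a bare TCP handshake and teardown could produce. The action values treated as "allowed" and the size thresholds are assumptions.

```python
"""Triage firewall traffic logs for sessions from indicator IPs.

Added example, not code from the original post. Log lines are constructed in
the FortiGate-style key=value format the post quotes; the action values and
the no-payload thresholds are assumptions."""
import shlex
from typing import Dict, Iterable, List

# Constructed sample log lines. 203.0.113.45 stands in for the OTX indicator IP.
SAMPLE_LOGS = [
    "date=2022-11-02 srcip=203.0.113.45 dstip=198.51.100.10 dstport=22 proto=6 "
    "action=deny sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0",
    "date=2022-11-02 srcip=203.0.113.45 dstip=198.51.100.11 dstport=22 proto=6 "
    "action=client-rst sentbyte=1560 rcvdbyte=2773 sentpkt=15 rcvdpkt=13",
    "date=2022-11-02 srcip=203.0.113.45 dstip=198.51.100.12 dstport=22 proto=6 "
    "action=timeout sentbyte=180 rcvdbyte=120 sentpkt=3 rcvdpkt=2",
    "date=2022-11-02 srcip=192.0.2.7 dstip=198.51.100.11 dstport=22 proto=6 "
    "action=close sentbyte=4200 rcvdbyte=9100 sentpkt=40 rcvdpkt=38",
]

IOC_IPS = {"203.0.113.45"}

# Assumed: these action values mean the firewall permitted the session and
# merely record how it ended; "deny" means it was blocked outright.
ALLOWED_ACTIONS = {"accept", "close", "client-rst", "server-rst", "timeout"}

# A TCP session with no payload needs the three handshake packets plus a short
# teardown, a few hundred bytes at most. Constructed thresholds.
MAX_NO_PAYLOAD_PKTS = 6
MAX_NO_PAYLOAD_BYTES = 600


def parse_kv(line: str) -> Dict[str, str]:
    """Split a key=value log line into a dict, honouring quoted values."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)


def triage(lines: Iterable[str], ioc_ips: set) -> List[Dict[str, object]]:
    """Return one finding per session from an indicator IP, most data first."""
    findings = []
    for line in lines:
        rec = parse_kv(line)
        if rec.get("srcip") not in ioc_ips:
            continue
        pkts = int(rec.get("sentpkt", 0)) + int(rec.get("rcvdpkt", 0))
        nbytes = int(rec.get("sentbyte", 0)) + int(rec.get("rcvdbyte", 0))
        action = rec.get("action", "")
        if action == "deny":
            verdict = "blocked"                      # auto-mitigation worked
        elif action in ALLOWED_ACTIONS and (
            pkts > MAX_NO_PAYLOAD_PKTS or nbytes > MAX_NO_PAYLOAD_BYTES
        ):
            verdict = "allowed-data-exchanged"       # more than a handshake
        elif action in ALLOWED_ACTIONS:
            verdict = "allowed-no-payload"
        else:
            verdict = "unknown-action"
        findings.append({
            "srcip": rec["srcip"], "dstip": rec.get("dstip"),
            "dstport": rec.get("dstport"), "action": action,
            "packets": pkts, "bytes": nbytes, "verdict": verdict,
        })
    findings.sort(key=lambda f: f["bytes"], reverse=True)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOGS, IOC_IPS):
        print(finding)
```

The "allowed-data-exchanged" verdict says only that the session carried more than connection setup; as noted above, a completed SSH key exchange plus a handful of login attempts already reaches that size, so the verdict is a reason to pull host-side evidence, not proof that a payload landed. The action value also tells you who hung up: client-rst means the adversary's side tore the session down.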

Rapperbot handshake

RapperBot operates as an SSH brute-forcing campaign. Once it has gained access to a device, it reports the victim's IP address, the credentials that worked, and the device's architecture to the C2 server. The adversary then attempts to load the main payload binary onto the compromised device, either with a binary downloader or with tools already installed on the device such as ftpget, wget, curl, or tftp.

Reviewing for additional indicators

At this point, the team mapped the activity to the Initial Access tactic and the Exploit Public Facing Application technique of the MITRE ATT&CK framework.

Exploit Public Facing Application covers adversaries taking advantage of vulnerabilities or weaknesses in a program or internet-facing system to gain initial access to a network. Credential guessing against an exposed SSH service is described more precisely by ATT&CK's Brute Force (T1110) and External Remote Services (T1133) techniques, since no software flaw is exploited. In this case, although there was evidence of data transfer, no evidence of a payload or lateral movement was seen.

Response

Building the investigation

An investigation was created following the incident response process: identifying the incident, finding its root cause and indicators of compromise, recommending mitigation and remediation steps to the customer, and communicating with the customer to ensure the necessary actions were carried out. The recommended mitigation steps were:

  • Blocking the malicious IP
  • Disabling SSH password authentication (if possible)
  • Replacing the device's passwords with strong, unique ones.

Incident response is an organized approach and process for managing cybersecurity breaches, incidents, and cyberattacks. It includes multiple steps:

  • Identifying an incident/attack
  • Minimizing damage
  • Eradicating the root cause
  • Minimizing recovery cost and time
  • Learning lessons from the incident
  • Taking preventative action

According to the analysis published by FortiGuard Labs, RapperBot's developers improved their code to maintain persistence, which differentiates it from other Mirai variants. Even after an infected asset is rebooted or the malware is removed, the intruders can keep accessing it via SSH. Rebooting the device or removing the malware is therefore not a permanent mitigation. Persistent SSH access after the malware is gone implies the attacker left behind a way to log in, so remediation should also review the device's accounts, passwords, and SSH authorized keys, not just its running processes.

RapperBot's primary threat is brute forcing SSH credentials. Disabling SSH password authentication in favour of key-based logins where possible, or at least replacing the device's passwords with strong, unique ones, removes the avenue it relies on.
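To check the first recommendation rather than take it on faith, the following added Python example (not code from the original post) audits an sshd_config the way an analyst would after this incident and writes out a hardened copy. The sample configuration is constructed. The parser follows sshd_config semantics for the global section: keywords are case-insensitive, the first value given for a keyword wins, and a commented-out line leaves OpenSSH's default in force (yes for PasswordAuthentication). Match blocks are left untouched.

```python
"""Audit an sshd_config for password-based login and emit a hardened copy.

Added example, not code from the original post. The sample configuration is
constructed. Global-section semantics: keywords are case-insensitive and the
first value given for a keyword wins; Match blocks are left alone."""
from typing import Dict, List

# Constructed sample. PasswordAuthentication is commented out, so OpenSSH's
# default of "yes" applies even though the file looks as if it disables it.
SAMPLE_CONFIG = """\
Port 22
PermitRootLogin yes
#PasswordAuthentication no
ChallengeResponseAuthentication yes
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication no
"""

# OpenSSH defaults for the keywords audited here.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}

# Values that close the brute-force avenue RapperBot relies on.
HARDENED = {
    "passwordauthentication": "no",
    "kbdinteractiveauthentication": "no",
    "permitrootlogin": "prohibit-password",
}

CANONICAL = {
    "passwordauthentication": "PasswordAuthentication",
    "kbdinteractiveauthentication": "KbdInteractiveAuthentication",
    "permitrootlogin": "PermitRootLogin",
}


def _keyword(raw: str):
    """Return (lowercase keyword, value) for a directive line, or (None, None)."""
    line = raw.strip()
    if not line or line.startswith("#"):
        return None, None
    parts = line.split(None, 1)
    key = parts[0].lower()
    # ChallengeResponseAuthentication is the pre-OpenSSH-8.7 name of the same option.
    if key == "challengeresponseauthentication":
        key = "kbdinteractiveauthentication"
    return key, (parts[1].strip() if len(parts) > 1 else "")


def effective_global(config: str) -> Dict[str, str]:
    """Effective values of the audited keywords before the first Match block."""
    effective = dict(DEFAULTS)
    seen = set()
    for raw in config.splitlines():
        key, value = _keyword(raw)
        if key is None:
            continue
        if key == "match":
            break
        if key in DEFAULTS and key not in seen:   # first occurrence wins
            seen.add(key)
            effective[key] = value.lower()
    return effective


def audit(config: str) -> List[str]:
    """List the ways this configuration still accepts password guessing."""
    eff = effective_global(config)
    issues = []
    if eff["passwordauthentication"] == "yes":
        issues.append("PasswordAuthentication is effectively yes")
    if eff["kbdinteractiveauthentication"] == "yes":
        issues.append("KbdInteractiveAuthentication is yes (PAM can still prompt for a password)")
    if eff["permitrootlogin"] == "yes":
        issues.append("PermitRootLogin is yes")
    return issues


def harden(config: str) -> str:
    """Rewrite the global section so the audited keywords take their hardened values."""
    out, written, in_match = [], set(), False
    for raw in config.splitlines():
        key, _ = _keyword(raw)
        if key == "match" and not in_match:
            in_match = True   # anything not yet set goes in before the first Match
            out.extend(f"{CANONICAL[k]} {HARDENED[k]}" for k in HARDENED if k not in written)
            written.update(HARDENED)
        if not in_match and key in HARDENED:
            if key not in written:
                out.append(f"{CANONICAL[key]} {HARDENED[key]}")
                written.add(key)
            else:
                out.append("# " + raw)   # sshd would ignore the duplicate anyway
            continue
        out.append(raw)
    out.extend(f"{CANONICAL[k]} {HARDENED[k]}" for k in HARDENED if k not in written)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("issues:", audit(SAMPLE_CONFIG))
    print(harden(SAMPLE_CONFIG))
```

The KbdInteractiveAuthentication check matters because with UsePAM enabled, keyboard-interactive logins can still prompt for a password even when PasswordAuthentication is off; turning off only the latter leaves the brute-force path open.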

Customer interaction

The customer wanted to be kept in the loop and informed if the attack continues.

Limitations and opportunities

Limitations

In this investigation, MXDR was unable to see inside the transmitted packets; without visibility into the network flows, MXDR's access to the customer environment was limited. MXDR suspected the data transfer could have included the main payload binary being loaded onto the compromised device, but this could not be confirmed.

The post Stories from the SOC – RapperBot, Mirai Botnet – C2, CDIR Drop over SSH appeared first on Cybersecurity Insiders.


A smart device is any device that connects to the internet and can be controlled from a computer or smartphone. This includes home appliances, security cameras, thermostats, doorbells, lighting systems, and other connected gadgets.

Smart devices are becoming increasingly popular due to the convenience they offer. However, with this convenience comes a greater risk to your privacy.

When people talk about smart devices, what they are referring to more broadly is the internet of things (IoT) and its ability to connect all your devices together. This means that all the data collected by each device can be accessed and shared with other connected devices, potentially exposing personal information about you and your home life.

Here are 9 ways in which smart devices can compromise your privacy.

1. Location tracking

Many smart devices track and store users’ locations, which can be used to build detailed profiles of their activities. This data can then be sold to third parties without the user’s knowledge or consent.

This has become a major problem with smart devices such as fitness trackers and smartphones. If you’re not careful, your device could be sharing more data than you think. You might be under the impression that you’re in control of the data it collects, but this is not always the case.

2. Insecure Wi-Fi connections

Many smart devices use Wi-Fi to connect to the internet, which means they can be vulnerable to hackers if proper security protocols are not in place. Hackers can access your device, view sensitive data such as passwords, and even take control of it.

There have been instances of hackers hijacking smart devices via Wi-Fi connections and using them to launch cyber-attacks. This is especially true if you travel with smart devices like phones or laptops, as they may be connecting to unsecured Wi-Fi networks.

3. Vulnerable webcams

Smart devices often come with built-in cameras and microphones, which can be hacked into to gain access to audio and video recordings of the user. This has been a major issue in recent years with reports of “webcam hacking” becoming increasingly common.

It is increasingly common for people to have cameras in their doorbells, in their baby monitors, and even in their TVs. All of these can be hacked into if the user doesn’t take proper security measures.

For example, there have been instances where hackers have hijacked security cameras and used them to spy on unsuspecting users in their homes. This is an extreme case of a privacy violation that can be prevented with proper security measures.

4. Poorly secured cloud databases

Many smart devices store data such as pictures and videos in the cloud, meaning they are accessible from any device. However, this also leaves them vulnerable to hacking.

If the cloud service that stores your data is not properly secured, hackers can gain access to it and view, copy, or delete sensitive information. This could be anything from your banking details to private photos of you and your family.

5. Third-party app permissions

Many smart devices have a range of third-party apps that users can download. However, these apps often require access to certain permissions to work.

For example, an app might need permission to access your contacts or your location data. This means it can collect and share this information with other companies without the user’s knowledge or consent.

It’s important to read through the terms and conditions carefully before downloading any app, as it may be collecting more data than you think.

6. Data breaches

Smart devices often store data on servers located off-site. This means that if those servers are hacked, your data could be exposed to malicious actors. It is important to make sure your device is regularly updated with the latest security patches and that you are aware of any data breaches that could affect it.

As more and more people adopt smart tech, there is an increased risk of data breaches. Both companies and individuals must take extra steps to ensure the security of their customers’ data, or else they face serious consequences.

7. Unsecured Bluetooth connections

Many smart devices make use of Bluetooth technology to connect to other devices wirelessly. While this is convenient, it also leaves the device vulnerable to hackers. If a hacker can access your Bluetooth connection, they can gain access to the data stored on the device.

Keep Bluetooth secure by turning it off or making the device non-discoverable when you are not using it, pairing only with devices you trust, and periodically reviewing the list of paired devices and removing any you don't recognize.

8. Data mining

Many smart devices collect data about users’ habits and activities, which can then be used for targeted advertising or other commercial purposes. This means your device might be collecting more information about you than you realize.

It’s important to be aware of what data your device is collecting and who it is being shared with. You can also adjust the settings on your device to limit the amount of data that is being collected. Even if it's just for commercial purposes, you should know and be able to control what data is being collected.

9. Voice commands

Smart devices often come with voice-activated assistants such as Alexa and Google Home. These are designed to make our lives easier, but they can also be used to gather sensitive information about your home life.

When you speak to a voice assistant, a recording of what you said is typically sent to and stored on the company's servers, where it could be accessed by other parties without your knowledge or consent. What's more, many people find it unsettling that these devices listen continuously for their wake word and can pick up speech that was never meant as a command, which is a real privacy concern.

Conclusion

Smart devices can be a great addition to any home, but it is important to keep in mind the potential risks associated with them. From unsecured cloud storage and third-party app permissions to data mining and voice commands, there are many ways that these devices could compromise your privacy. By being aware of these potential risks and taking the necessary steps to protect your data, you can help ensure that your privacy remains safe.

The post 9 Ways smart devices can compromise your privacy appeared first on Cybersecurity Insiders.


The world runs on data. That has always been true, but the power of data has perhaps never been greater than it is today. We live in the great age of information — where a seemingly infinite repository of knowledge lies at our fingertips.

But data is not, of course, only to be consumed for personal use. Indeed, the greatest impact of data is on the world of business. Data is the fuel that keeps the engines of enterprise humming.

The truth, though, is that businesses, on average, use less than half the data they accumulate. The rest is lost somewhere in the ether, where it becomes so-called “dark data” that puts your customers, your employees, and your company at risk.

What Is dark data?

One of the most significant challenges in dealing with dark data is that many business managers, even at the highest level, don’t know what it is or how to manage it. That’s a problem because all companies generate tremendous amounts of dark data simply while doing business each day.

Dark data refers to information collected through ordinary business transactions that does not serve a specific business function outside of the immediate transaction. It is information that is generated through ordinary business processes and remains even after its immediate purposes have been served.

This information might include customer email or mailing addresses, phone numbers, or purchase logs.

Because the data has no real business utility, it is often left forgotten, unorganized, and insecurely stored. And this is the true threat that dark data poses, because, even when it serves no legitimate function for your business, it can readily be exploited by bad actors for various cybercrimes, from identity theft to financial fraud.

Finding and identifying dark data 

Understanding that dark data exists and is a problem is a necessary but not sufficient step in mitigating the risk. It’s also imperative that business leaders understand where to find it, how to identify it, and what to do about it.

When it comes to finding, identifying, and managing dark data, your best strategy is going to be data mapping. With data mapping, you’ll be able to determine what data is being generated, when, how, and where. Tracing the sources of your data is often the first step in determining where it goes after it has been generated.

This, in turn, enables you to locate all the once-hidden information that has been lurking around your network, particularly in the cloud. And that means you will be better able to identify which data points have eluded your cloud data management processes and related controls.

Organizing and securing dark data in the cloud

After you've found and accurately identified the repository of dark data that is likely clogging your systems (and potentially costing your company a great deal in storage fees each year), it's time to get organized.

As we’ve seen, dark data can pose a significant risk to your network security and undermine your data security compliance. There is a great likelihood that much of this data is sensitive or private and should be secured but isn’t.

Organizing once “dark” data means subjecting it to rigorous analysis to understand exactly where the data should fall within the scope of your company’s system governance processes. The key is to ensure, for example, that you’re protecting your once hidden data from insider threats, such as access or exploitation by employees who do not possess the appropriate permissions.

Properly organizing your hidden data is also critical for installing an added layer of protection around your company’s sensitive information. For instance, cloud data storage, though providing significant security, is by no means invulnerable.

Cloud systems are at risk of data breaches unless proper procedures are instituted to limit access and amplify security. This might include measures to optimize cloud security such as the use of multifactor authentication processes or the encryption of the most sensitive of your now-organized dark data.

The takeaway

Dark data is an omnipresent but relatively little recognized threat to businesses, workers, and consumers today. It is the inevitable result of ordinary processes of doing business, and yet many business leaders, including highly trained tech specialists, do not know what it is or how to manage it.

Dark data is information generated through ordinary business transactions that has no practical business utility beyond the immediate transaction. That data does not disappear, however. It lingers, often forgotten, until it is found and exploited for nefarious purposes by bad actors. Learning to find, identify, and organize dark data, especially when it is stored in the cloud, is critical to protecting companies and consumers against a range of threats, including financial fraud and identity theft.

The post Identifying and securing your business’s dark data assets in the cloud appeared first on Cybersecurity Insiders.


Recent trends show that car dealerships are becoming a prime target for cyber-attacks, partly due to the rise in autonomous and connected vehicles. This is in addition to more traditional attacks such as phishing. Therefore, car dealerships are urged to take measures to improve their cybersecurity posture. 

Throughout this article, we will focus on how to protect your car dealership from cyber-attacks, from technological solutions to raising staff awareness, and more. 

Why are car dealerships being targeted by cybercriminals?

Car dealerships collect a significant amount of data which is often stored on-site. This data includes things like names, addresses, email addresses, phone numbers, and perhaps more importantly, financial information such as bank details and social security numbers. Gaining access to this database can be very lucrative for criminals. 

A cybercriminal’s life is also made much easier if a car dealership uses outdated IT infrastructure and lacks sufficient processes in terms of protecting employee login details. 

How are car dealerships vulnerable to cyber-attacks?

Before we discuss how to protect your car dealership from a cyber-attack, it is important to know what makes a car dealership vulnerable, and what sort of attacks it could be subjected to. 

  • Open Wi-Fi networks – Many car dealerships have open Wi-Fi networks for their customers to use freely. However, this provides an opportunity for hackers who can potentially access other areas of the network that store sensitive data.
     
  • Malware – Malware is possibly the most likely form of cyber-attack, typically delivered to individuals within your organization as malicious email attachments that install software on the victim's device. This software can then grant the attacker remote access to the system.
     
  • Phishing – Phishing emails are much more sophisticated than they used to be, appearing much more legitimate, and targeting individuals within the company. If an email seems suspicious or is from an unknown contact, then it is advised to avoid clicking any links.
     
  • User error – Unfortunately, anyone working for the car dealership, even the owner, can pose a risk to security, for example by using weak passwords or not storing log-in details securely. This is why cyber security training is now becoming mandatory at many businesses. 

The consequences of cyber-attacks on car dealerships

If a small-to-medium-sized car dealership is the victim of a cyber-attack, then it can have a much bigger impact than just a short-term financial loss. Many smaller businesses that suffer a data breach are said to go out of business within six months of such an event, losing the trust of their customer base, and failing to recover from the financial impact.

Research suggests that most consumers would not purchase a car from a dealership that has had a security breach in the past. Failing to prevent a cyber-attack and a criminal from gaining access to customer information is extremely detrimental to a business’s public image. 

How to protect your car dealership from cyber-attacks

Regardless of whether you already have security measures in place, it is always advised to assess how they can be improved and constantly be on the lookout for vulnerabilities within the organization.

In this section, we will discuss how to improve cyber security within a car dealership, breaking down the process into three key stages. 

Stage one – Implementing foundational security

Establishing strong foundational security is key to the long-term protection of your business. When creating your foundational security strategy you should focus on 7 main areas.

1. User permissions 

Ensure administrative access is only provided to users who need it, as granting unnecessary permissions to standard users creates numerous vulnerabilities. Only IT administrators should be able to install new software and access secure areas. 

2. Multi-factor authentication 

Multi-factor authentication (MFA) means more than a traditional username and password. Once the log-in details have been entered, users must also present a second factor, such as a one-time code generated by an authenticator app on their mobile phone or by a hardware token.

For added protection, you could also implement a zero-trust strategy.

3. Data backup recovery processes

The effects of ransomware attacks can sometimes be avoided if important files are backed up regularly, such as each morning. Backups should be kept offline or otherwise isolated from the network so that ransomware cannot encrypt them too, and there should be procedures in place to restore the data quickly to minimize downtime. 

4. Firewalls and other security software

Many car dealerships continue to use older firewall software and outdated security services. Newer, next-generation firewalls offer much more protection, securing even the deepest areas of the network while being more effective at identifying threats. 

5. Endpoint protection 

The endpoint refers to a user’s mobile device or computer that may be targeted by attacks such as phishing emails. Endpoint protection can help secure these devices, identifying malware and preventing it from spreading to other parts of the network.

Many businesses are also choosing to protect their phone systems by using a cloud solution.

6. Email gateways

Similar to the above, email and web scanning software is essential to protect data and business operations. This can identify threats and warn users to prevent them from clicking on links or opening suspicious attachments. 

7. Email Training

IT departments in many businesses regularly test their workforce by sending fake phishing emails to see how employees respond. If the correct actions are not taken, then the individual can be given cyber security training to raise their awareness so that they take appropriate action in the future. 

Stage two – Security processes

Once all of the above has been assessed and the necessary course of action has been taken, it is time to think about the critical security processes that need to be implemented. These are vulnerability management, incident response, and training. 

1. Vulnerability management 

Firstly, an inventory of your assets (software and devices) needs to take place so you know what needs to be protected. Once this has been done, all software should be checked to determine whether it has the latest practical patches applied.

Finally, vulnerability scans should be run on a monthly or quarterly basis using an internal network scanner, complemented by periodic penetration testing. 

2. Incident response

Policies should be drafted in the case of an incident or data breach. This can help ensure the correct course of action will be taken in terms of contacting necessary internal and external parties. Numerous people should also be trained to respond to an incident should a key individual (such as the IT manager) be unavailable. 

Network analysis needs to take place immediately after an incident, whether this is in-house or externally. This is necessary for insurance purposes.

3. Training

Cybersecurity and Acceptable Use policies need to be created so everyone knows what needs to be done in the event of a breach. This includes defining what everyone’s responsibilities are. This can be combined with thorough security training to increase awareness. 

Stage three – Ongoing security activities

To ensure your business is protected at all times, it is vital that your IT team stays on top of things and does not rely solely on automated tasks and policies. 

Key activities include:

  • Using an encrypted email solution
  • Employing a VPN for remote workers to encrypt the connection
  • Mobile device security, management, and protection 
  • On-going monitoring, risk assessments, and sticking to best practices. 

Protecting your car dealership from cyber-attacks – summary

Car dealerships are being targeted by cybercriminals who see them as an opportunity to steal sensitive information and financial details. This can be done in multiple ways including phishing scams and malware.

To tackle this, car dealerships must evaluate their cybersecurity, focusing on three key areas: the business's foundational security, implementing security processes, and performing key security activities on an ongoing basis. 

The post How to protect your car dealership from cyber-attacks appeared first on Cybersecurity Insiders.

Artificial intelligence (AI) may have a significant influence on cybersecurity, for better or worse. On the plus side, AI can automate and improve many parts of cybersecurity: it can find and stop threats, spot unusual behavior, and analyze network traffic, among other things. This might be a game-changer for the industry. On the other hand, AI also creates new security holes and problems that must be addressed.

Processing massive volumes of data and spotting patterns that people would overlook are two of the primary advantages AI brings to cybersecurity. This could be especially helpful for detecting attacks such as zero-day exploits and advanced persistent threats, which traditional security systems have a hard time spotting. AI-driven systems can monitor network traffic in real time and flag strange behavior, enabling enterprises to take prompt action to thwart attacks.

AI could also automate many of the day-to-day tasks of cybersecurity, freeing human analysts to work on more challenging and complex jobs and making security operations more effective and efficient. AI may be used, for instance, to monitor social media and other online sources for early warning signs, such as chatter about a newly disclosed vulnerability.

Still, bad things could happen when AI is used in cybersecurity. One cause for worry is the possibility that adversaries would use AI systems to carry out assaults that are both more complex and more precisely targeted. AI can, for example, make phishing emails that look real, find security holes automatically, and use them.

Another worry is that people with malicious intent might take over or otherwise control AI-driven systems. If an AI system is compromised, an attacker could use it to get around security measures and obtain private information. This could have terrible consequences, such as theft of confidential information or failure of critical systems.

Another worry is that AI-driven systems might come to the wrong conclusions or make mistakes when making decisions. For example, an AI system might mistakenly label a harmless file as malware, which could cause false positives and stop a business from running. On the other hand, an AI system can miss a real danger, resulting in a security breach.

To deal with these problems effectively, businesses must consider the risks and benefits of using AI in their cybersecurity efforts. This could mean putting in place extra security measures to protect AI systems and data and testing and updating these systems regularly to ensure they work as they should and are up to date.

Using AI raises several critical ethical questions and technological factors that need to be addressed regarding cybersecurity. For example, if artificial intelligence (AI) systems are trained on data that isn't representative of the whole population, they may have biases built in. This may result in some groups being unfairly treated. Organizations need to be aware of these problems and take steps to reduce the chances that they will have harmful effects.

The use of artificial intelligence (AI) in cybersecurity is expected to have a large and varied effect. AI has the potential to make security much better, but it also brings new problems and risks that need to be handled with great care. By taking a comprehensive and proactive approach to AI and cybersecurity, organizations can ensure they are ready to navigate the changing threat environment and protect themselves from a wide range of threats.

The post AI and Cybersecurity: Some observational implications of the intersection between the two appeared first on Cybersecurity Insiders.