ATM Jackpotting, finally hits the US

Posted in Computers and Internet, Security with tags , , , , , , , , on January 30, 2018 by Will

ATM jackpotting has been around for many years all over the world.  In the US, there were reports by Ars Technica, that during Blackhat ATM’s at the conference were 170-atm-image-courtesy-of-shutterstockcompromised in 2010.  In Europe, Bank Info Security reported on ATM attacks in 2016.  And we watched in 2013 as Mexico dealt with the attack, according to Symantec. These attacks have been known at least since 2009 when The Register reported on ATM trojans. So what did the US do to prepare for these attacks?

Apparently US ATM operators didn’t do much to prepare for these attacks.  According to the press releases from ATM manufacturers, Diebold Nixdorf and NCR, these US ATM attacks are focused on old ATM machines.  Machines that both companies recommend updates to.  According to the8054e8dac8afe00d183dea4af1163faf Secret Service memo, these machines are the ones that you generally see in secluded places, like a convenience store and pharmacies.  Keeping your software and hardware up to date is a common theme for the first step of any security operation.

According to Secret Service memo, these are the first known attacks to come over from Mexico to the US targeting ATM’s.  So this is the initial wave of attacks.  ATM operators, banks and others, should be on alert now and should follow all of their vendor recommendations.  One such recommendation has always been to added strong authentication for those administrative accounts, and replace those default passwords immediately.  default passwordsTaking the steps right now to catch up to the rest of the world with regards to ATM security should be on the minds of all of the ATM operators.

Advertisements

Everyone uses 2FA…right?

Posted in Computers and Internet, Security with tags , , , , , , , , , on January 23, 2018 by Will

Last week during the Usenix’s Enigma 2018 conference Google dropped a bomb on two-factor authentication.  For years companies like Google and other providers have encouraged users to use 2FA to protect their accounts.  Most of the security world thought people were listening since they were all telling us how important 2FA is to them and to keeping their accounts secure.  Now Google tells us that less than 10% of users use 2FA with their Google Accounts.  Bloggers and security experts are in disbelief, if everyone wants to secure their information, why aren’t they taking the first step?

Facts continue to pour in about the state of attacks on our users.  A report from Netwrix that came out today states that organizations believe that “employees were considered Netwix_Cloud_2018_5responsible for 58% of security breaches in 2017“.  These attacks should be stopped with users leveraging proper security measures.  Corporations have been using 2FA for years, it should be common practice to follow those users to the cloud with the same requirements and to follow up with those users.

As our platforms evolve, so does the perception of the platforms.  Users become numb to the constant news of the latest attack and latest threat.  Some of the biggest bugs in our time, the Spectre and Meltdown, hit the news and focus the attention on how insecure user data is.  These bugs effected almost every platform currently out there.  Still users haven’t patched and fail to see the major concern of the actual security risk.

As developers and security industry specialists, we need to ensure we are doing our part.  Making tools like 2FA available, is a great first step, but ensuring those same users use those tools and follows up with those users is also a requirement.  When developing mobile applications, taking the base security and applying Application Shielding and Hardening to an application should also be seen as a requirement.  When we rely on our users to properly understand and leverage security technology, we open the door for them to be attacked.

Mobile is not secure

Posted in Computers and Internet, Security with tags , , , , , on January 17, 2018 by Will

It seems strange to have to write it, but, the mobile platform is not a secure platform.  It has many holes both discovered and not-discovered.  Mobile Malware Graph 2015-2017Mobile malware saw the largest single quarter increase ever, over 60%, in the last quarter of 2017, according to McAfee Labs Threat Report, December 2017. Users are moving to the platform in droves.  And of course they are, because all of their apps are going there too.  In 2017, the Google Play Store added 9 million new apps, according to Statista’s reports.

When I talk to mobile users it’s amazing to me that most of them think their mobile devices are secured by their mobile operating system provider.  From a user’s perspective, they think that the operating system providers and the mobile app developers are making sure their experience is secure. When I ask them about the attacks they see on the news, they all seem to say the same thing, “we worry about it”, but it doesn’t stop them from downloading that strange new flashlight app.  With users hanging on to their smartphones for an average of 2.46 years, according to Statista, upgrading apps and patching operating systems should be top of mind for users.  Instead, I see users with a false sense of security and a “if it ain’t broke, why fix it” mentality.

Being in the mobile application security market, I speak with mobile developers fairly regularly, and I know there are a million things on their plates.  Most of us feel like we are being careful when we program and we are trying to be as secure as possible.  We reuse blocks that we know work and libraries that we have faith in and may have used for a number of years. We really do not have the cycles to focus on security unless our project managers focus us on it.

What troubles me is when I hear a developer tell me that they don’t need to focus on security because the operating system manufacturer has it covered.  In today’s mobile application development space, this is the last thing we should be relying on.  Looking back at the Microsoft Windows world, there was a time when developers said the same thing about that platform, but it was quickly wiped away.  Look at Apple’s Mac OS, how many of us still think that it has never been hacked (it has, a few times now too)?  Learn from our past experiences.

Securing a mobile application can be quick and easy.  Yes I work with a mobile application security company, but still, hardening and shielding an application is the least we should be doing.  Some companies, like VASCO, offer a low to no code option of introducing this security technology.  The process is straightforward and can be administered in a matter of minutes.

Sorry for the propaganda, but sometimes I think we all need a little push….

#Cryptocurrency under #attack

Posted in Computers and Internet, Security with tags , , , , , , , on January 16, 2018 by Will

With the rise of cryptocurrency, there have been quite a few bright lights on how big the bubble is.  With these lights, a number of dubious attacks are coming out of the shadows.

Attackers focus on gaining computing power.  The more computing power a cryptocurrency miner can get their hands on, the more cryptocurrency they can gather.  This means that most attacks are Advanced Persistent Threats, Exploits or Malware embedded into common applications (both mobile and traditional desktop applications).

Attackers need to run the cryptocurrency mining software on a CPU.  In one attack, explained in an article in Dark Reading, hackers have been able to create web processes that, when accessed through a web browser of someone simply browsing a hacked site downloads and runs the cryptocurrency miner on the unsuspecting users PC.  This type of attack on the right web properties can be downloaded and run by hundreds of PC’s.  Protecting a user from this style attack involves administrators to find these sites and to block access to these sites.

As the article points out, there is not much harm to come to companies that become wrapped up in this attack, other than users PC slowing down while they are view these infected sites.  However, this attack gains cryptocurrency for the attacker that can then be used to finance other more malicious style attacks.  It can also raise the helpdesk costs of companies as they work to identify why PC’s slow down and which sites need to be blocked.

Beyond these drive by attacks, hackers are also finding other ways into our systems.  A different story from Dark Reading describes a recent exploit made on Oracle Weblogic.  This exploit allowed cryptocurrency miners to load mining software on these high-powered servers that are highly sought after because of the raw power these platforms can offer.  What is most interesting here is that the attackers could have accessed sensitive data in these servers, but instead decided that it was more financially lucrative to install and run mining software on these platforms.  IT administrators had to deal with crashing and slow servers while they identified and applied the required patches to prevent these exploits.

Additionally last year, we saw that attackers were focusing on stealing mobile phones, not for the identities or data on the devices, but instead for access to users cryptocurrency wallets.  These low-tech SMS attacks focused on gaining access to user’s virtual wallets and then siphoning off the cryptocurrency within.  In these cases, it is not a case of being able to still use your device only in a slowed down way, instead, the hackers take the entire device and gain access to the wallet through SMS attacks.  This is a larger monetary attack towards the user, since the user is not only losing the cryptocurrency in their wallet, but also has to replace the phone and the data on that phone.

Users and IT Professionals need to maintain their security while the cryptocurrency is so highly sought after.  Applying patches and ensuring proper strong user authentication to a company’s server farms (virtual or in house) will help reduce the amount of money the hackers out there can generate.  Users need to pay attention to the sites they are visiting and how their PC’s and Phones are running and be aware of security bulletins and applying patches in a timely fashion.  Building trust in your secure platforms, devices, applications and users will help protect everyone from being attacked.

 

https://www.darkreading.com/endpoint/cybercriminals-employ-driveby-cryptocurrency-mining-/d/d-id/1330353

https://www.darkreading.com/vulnerabilities—threats/oracle-weblogic-exploit-used-in-cryptocurrency-mining-campaign/d/d-id/1330791

https://blog.vasco.com/authentication/sms-authentication/

#TrustInAI or maybe not yet

Posted in Security with tags , , , , , , , on January 15, 2018 by Will

Is #AI ready to be used alone?

While thinking about the huge benefits that Artificial Intelligence can add to online fraud, I came across a couple of anti-AI articles that had me rethinking AI.  Both articles center around the ability to fool or trick the AI into thinking one object/task is actually a completely different object/task.  This style attack is called “adversarial examples” and in the most basic form it an attacker simply labels the incorrect object/task with the object/task they want the AI to recognize it as.  The AI needs to read in a number of these adversarial examples before it believes what it reading, but given enough time, this should be trivial to a hacker.

The story on Wired talked about how researchers were able to trick the google AI into thinking a picture of a rifle was actually a picture of a helicopter.  This is scary if you think of the locations where AI is being implemented.  Imagine for a second that AI is being used in an airport scanner and a hacker has attacked that AI and fooled it into believing a rifle is actually just a sock or some other inconspicuous object. There are many other such examples, such as AI managing your bank account, AI driving your cars.  Now the benefits of these examples could be enormous, like if we used an AI to manage our bank accounts, maybe it could save us money or make us money by moving it at the right time, or the car can drive us to work while we focus on work or catching up with the family.  Now think of the dark scenarios where hackers have used “adversarial examples” to train that same AI that specific hacker bank accounts will make your account the most money, or that a red light is actually a green light.  The article concludes that AI’s are being given “a tremendous responsibility” and researchers still “don’t fully understand why adversarial examples cause deep learning algorithms to go haywire.”

Another recent story on TechCrunch showed a more dubious attack where the AI is tricked with a “targeted adversarial image patch.”  This attack is similar to the previous, but instead of changing one object/task into another, this attack simply causes the AI to lose focus and direct its focus on something more challenging.  As TechCrunch points out, this type of attack can lead to an AI not paying attention to things it should and allowing objects to pass its filters unabated.  If you think of how AI’s can be used in recognizing patterns with people movement, and now the AI stops watching the movements and focuses on a specific adversarial image patch instead, it could lead to the AI completely missing the event.

In a world where AI is coming at us from every direction, we are all lead to believe that AI will make things easier for everyone.  In some respects, people equate easier to safer as well.  This is a dangerous connection.  Current AI systems are missing common sense and in some cases are not fully understood.  Leaving an AI to handle all of your security risk is probably not advisable today, but knowing the challenges facing AI technology can also lead to stronger solutions.  AI makes our lives easier and in the future will make things more secure by automating a lot of the tedious human error prone tasks today.

Today’s AI should be used to help provide us with meaningful insights into large data pools.  Today’s AI is a great security tool to help protect against fraudulent transactions and to provide human operators a real-time analytics view of what is happening in their systems.  Data rules in fraud systems today will paint a broad picture, and when used with an AI, a complete detailed picture can be seen.  With human interaction, AI’s can be monitored and adjusted to quickly overcome adversarial attacks.  Simple common sense from a human operator is not factored into most AI, but it is the main solution to many of its flaws.

 

Read more about the Wired story here:

https://www.wired.com/story/researcher-fooled-a-google-ai-into-thinking-a-rifle-was-a-helicopter/

Read more about the TechCrunch store here:

https://techcrunch.com/2018/01/02/these-psychedelic-stickers-blow-ai-minds/

Everyday is a new opportunity

Posted in Uncategorized on January 15, 2018 by Will

Blogging has never been my thing.  I like to add posts to message boards and posts to internal forums to keep people informed as to what is happening in the world.  However, now things are changing.  I plan on blogging a bit more, both here and at the VASCO official blog (https://blog.vasco.com).  The topics I will post here will focus on current topics and I hope will shed light on some dark corners that aren’t getting enough attention.  I may not have solutions to those problems, but at least I want to get them out in the open.  I hope to post things that will encourage you to think and to react and comment on.  So if my view is not complete (which is typical), please feel free to tell me about your view.

In the past, I focused on Security in gaming, today I will graduate and move to security on the internet across many markets.  My background affords me insight into many markets and a number of interesting concepts.  My own enjoyment is that of technology and specifically embracing the latest technology.  I will try to bring a fresh view to the latest technologies and also explain what I would look out for and do to protect myself.  My family still games a lot, but security has grown up more than the gaming industry alone.

I hope everyone will enjoy the new posts and the new direction.  If you have any suggestions, please feel free to reach out!

%d bloggers like this: