
PwC Weekly Security Report

This is a weekly digest of security news and events from around the world. News items are summarised and web links are provided for further information.


Nasty Trojan spreads global ransomware via email

A fresh wave of infected emails is swirling around the globe, carrying a nasty ransomware payload.

ESET is warning of an increased number of infected emails containing a malicious attachment, which downloads and installs ransomware onto an infected device. ESET telemetry detects this malicious downloader as JS/TrojanDownloader.Nemucod and records its unusually high incidence in Europe, North America (especially Canada), Australia and Japan.

Japan is the hardest hit with a 75% prevalence level.

The widespread infected emails carry a zipped attachment containing a JavaScript file; when the user opens it, the script downloads and installs Nemucod on the victim's PC.

“Emails are written in a very trustworthy way, claiming to be invoices, notices of appearance in court or other official documents,” researchers noted in a blog. “Attackers are just trying to get users to open the malicious attachment.”

The final payload is file-encrypting ransomware such as TeslaCrypt or Locky: once executed, it encrypts the victim's files and demands a ransom for decryption. Both TeslaCrypt and Locky use encryption standards similar to those used by financial institutions when securing online payments.

“Ransomware is one of the most active trends in the cyber-criminal world, as it has a direct and profitable commercialization model—in some cases, without any significant costs, as most victims have a pretty insecure IT environment,” InfoArmor chief intelligence officer Andrew Komarov told Infosecurity.

He added that new movements in the ransomware area were identified at the beginning of 2016. For example, bad actors have started to use a ransomware-as-a-service (RaaS) approach, working with each other like affiliates: partners distribute the malware and receive 50% of the ransom payments.

“Such approach may restructure the current ransomware market and create a large, new number of underground affiliate programs, increasing the number of new infections,” he said.

Source: http://www.infosecurity-magazine.com/news/nasty-trojan-spreads-global/
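The lure described above (a zip attachment wrapping a JavaScript downloader, usually with an invoice-style name) is something a mail gateway can flag before a user ever sees it. The following Python script is an added example for this digest, not code from the article or from ESET: it walks the attachments of an RFC 822 message, opens zip attachments in memory, and reports members whose extension Windows would hand to the script host, including double extensions such as invoice.pdf.js and password-protected members it cannot inspect. The sample message, its addresses and the zip member are constructed inline; the member body is a placeholder comment, not a real downloader.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions Windows hands to the script host or loader on double-click.
SCRIPT_EXTS = {".js", ".jse", ".wsf", ".wsh", ".vbs", ".vbe", ".hta",
               ".cmd", ".bat", ".scr", ".exe"}
# "Document" extensions commonly used as the decoy half of a double extension.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}


def classify_name(name: str):
    """Return a finding for a file name that looks like a script lure, else None."""
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    if len(parts) < 2:
        return None
    if "." + parts[-1] not in SCRIPT_EXTS:
        return None
    if len(parts) >= 3 and "." + parts[-2] in DECOY_EXTS:
        return f"double extension masquerading as document: {name}"
    return f"executable script in attachment: {name}"


def scan_zip(data: bytes):
    """List suspicious members of a zip archive held in memory."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["attachment looks like a zip but does not parse"]
    with zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:
                # Password-protected member: content cannot be inspected, which
                # is itself a reason to hold the message for review.
                findings.append(f"encrypted member (not inspectable): {info.filename}")
                continue
            finding = classify_name(info.filename)
            if finding:
                findings.append(finding)
    return findings


def scan_message(raw: bytes):
    """Walk every attachment of an RFC 822 message and return the findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        # Trust the magic bytes, not only the declared name or MIME type.
        if payload[:4] == b"PK\x03\x04" or name.lower().endswith(".zip"):
            findings.extend(scan_zip(payload))
        else:
            finding = classify_name(name)
            if finding:
                findings.append(finding)
    return findings


def build_sample_message(member_name: str) -> bytes:
    """Constructed lure for testing: an 'invoice' zip holding one member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, "// placeholder body, not a real downloader\n")
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"      # constructed addresses
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Invoice 2016-0312"
    msg.set_content("Please find your invoice attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="invoice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for member in ("invoice.pdf.js", "invoice.js", "invoice.txt"):
        print(member, "->", scan_message(build_sample_message(member)))
```

The check deliberately looks at archive members rather than the outer attachment, since the outer file is an innocuous .zip; a production gateway would also recurse into nested archives and bound the decompressed size before opening anything.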


Google tracks use of HTTPS on top 100 websites

Google announced on Tuesday that its transparency report now includes a section dedicated to monitoring the use of HTTPS on the world’s top 100 websites.

Data protection and privacy have become increasingly important, and many organizations have started moving their websites and services to HTTPS. However, the migration process can prove challenging for large services.

Google has been working on implementing HTTPS by default across its services, but the search giant says it still has a long way to go until all its products are protected. In the meantime, the company launched a new transparency report that tracks the progress of encryption efforts for both its own products and the world’s most visited websites.

Google will be tracking the state of HTTPS on the world’s top 100 third-party websites, which, based on data from Alexa and Google, are believed to account for roughly a quarter of all global website traffic.

The list of websites that already run a modern TLS configuration (i.e. offer TLS v1.2 with a cipher suite that uses an AEAD mode of operation) and have HTTPS by default includes facebook.com, instagram.com, ask.fm, paypal.com, pinterest.com, reddit.com, twitter.com, tumblr.com, whatsapp.com, wikipedia.org, wordpress.com, yahoo.com, linkedin.com, mail.ru and netflix.com.

Google’s new tracking service shows that websites such as Amazon work on HTTPS and have a modern TLS configuration, but default HTTPS has yet to be implemented. There is also a long list of popular websites that still don’t work on HTTPS or don’t have a modern TLS configuration, including sites owned by Alibaba, Amazon, Apple, Baidu, Microsoft, eBay, and many news companies.

Google says it’s prepared to work with all these top websites to help them move to HTTPS by the end of 2016.

“Implementing encryption is not easy work. But, as more people spend more of their time on the web, it’s an increasingly essential element of online security. We hope this report will provide a snapshot of our own encryption efforts and will encourage everyone to make HTTPS the default on the web, even faster,” Rutledge Chin Feman and Tim Willis, HTTPS Evangelists at Google, wrote in a blog post.

The new service also includes a certificate transparency feature that allows users and admins to check the name of the certificate issuer for a specified website. The search can also be configured to include expired certificates and certificates issued for subdomains.

Source: http://www.securityweek.com/google-tracks-use-https-top-100-websites
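The two criteria the report applies to a site, “modern TLS” (TLS 1.2 with an AEAD cipher suite) and “HTTPS by default”, can be checked against your own hosts. The following Python code is an added example written for this digest, not Google's measurement code, and it interprets the article's parenthetical as follows: a cipher suite counts as AEAD when its OpenSSL name indicates GCM, CCM or ChaCha20-Poly1305; TLS 1.3, which postdates the article, is accepted alongside 1.2 (an assumption); and a site is treated as HTTPS-by-default when its plain-HTTP response is a 3xx redirect to an https:// URL on the same host or its www. variant. The classifiers run on constructed inputs; probe_tls() opens a real connection and is only for interactive use.

```python
import socket
import ssl
from urllib.parse import urlsplit

# Substrings in OpenSSL cipher names that denote an AEAD mode of operation.
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20")


def is_aead_suite(cipher_name: str) -> bool:
    """True if the negotiated suite (OpenSSL naming) uses an AEAD mode."""
    name = cipher_name.upper()
    return any(marker in name for marker in AEAD_MARKERS)


def is_modern_tls(version: str, cipher_name: str) -> bool:
    """The report's 'modern TLS configuration': TLS 1.2 or newer plus an AEAD suite.

    Accepting TLS 1.3 is an assumption of this example; the 2016 article names only 1.2.
    """
    return version in ("TLSv1.2", "TLSv1.3") and is_aead_suite(cipher_name)


def redirects_to_https(status: int, location, requested_host: str) -> bool:
    """'HTTPS by default' test on the response to a plain-HTTP request.

    Passes for a 3xx whose Location is https:// on the requested host (or its
    www. variant); a relative Location or a redirect to another host fails.
    """
    if not (300 <= status < 400) or not location:
        return False
    target = urlsplit(location)
    host = requested_host.lower()
    target_host = (target.hostname or "").lower()
    same_site = target_host in (host, "www." + host) or host == "www." + target_host
    return target.scheme == "https" and same_site


def probe_tls(host: str, timeout: float = 5.0):
    """Live check (needs network access): negotiate TLS and classify the result."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, 443), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cipher_name, version, _bits = tls.cipher()
            return {"version": version, "cipher": cipher_name,
                    "modern": is_modern_tls(version, cipher_name)}


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:
        print(host, probe_tls(host))
```

probe_tls() reports only the suite your client negotiated, which depends on the local OpenSSL build; a server that merely offers an AEAD suite alongside weak ones will look fine here, so a full audit should enumerate the server's offered suites rather than trusting one handshake.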


Amex investigates possible data breach

American Express is investigating a potential data breach in California.

Apparently, one of the third-party service providers used by the payment giant’s merchant partners was compromised, leading to the possible exposure of account numbers, names, expiration dates and other information.

In a notice [PDF] to customers filed with the Office of the Attorney General in California, Amex chief privacy officer Stefanie Ash said that the company was “vigilantly monitoring” accounts for fraudulent activity. The notice said that customers could receive more than one letter about the incident if more than one account was affected.

“It is important to note that American Express owned or controlled systems were not compromised by this incident, and we are providing this notice to you as a precautionary measure,” Ash wrote.

The incident is only the latest card breach involving the supply chain. The infamous Home Depot breach in 2014 was due to credentials stolen from a third-party vendor. Hackers were able to acquire elevated rights that allowed them to navigate to other portions of Home Depot's network and, eventually, to deploy the malware that stole card information from point-of-sale machines. Similarly, in the Target breach, hackers gained access via credentials used by its HVAC contractor.

The ongoing attacks through third parties show that institutions are facing sophisticated, well-organized adversaries engaged in what has become a lucrative crime, which underlines the importance of securing the data itself rather than only the network perimeter.

“This third-party incident highlights the need for organizations to take a data-centric approach to securing sensitive information at the source,” said Jason du Preez, CEO of data privacy company Privitar. “This process would ensure only essential data is visible, enabling organizations to confidently pass sensitive information to third parties without the risk of it being connected to an individual.”

He added that organizations that fail to act will not only find themselves on the receiving end of hefty fines, but could also suffer from customers voting with their feet. For instance, the fallout from a damaging data breach in October last year continues to affect UK ISP TalkTalk, with figures claiming that the firm lost 7% of its broadband customers in the fourth quarter.

“There is already evidence that the way companies manage and process data has a direct impact on brand and customer loyalty,” du Preez said. “Our own research found that a company’s record for protecting and respecting customer data is one of the main considerations for consumers when choosing a service. With stronger security and greater transparency, consumers will be in a far better position to pick those services that they not only need the most, but feel the most comfortable using.”

Source: http://www.infosecurity-magazine.com/news/amex-investigates-possible-data/
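The data-centric approach du Preez describes, handing a third party only the fields it needs and nothing that links back to the cardholder, is a transform applied before data leaves the data owner. The following Python code is an added example for this digest, not Privitar's product or anything American Express uses: it replaces the PAN with a keyed pseudonym (an HMAC, so a partner without the key can neither reverse it nor brute-force it over the card-number space, which a bare hash would allow), masks the PAN to the first six and last four digits only where a partner is explicitly allowed that field, and drops every other field not on the partner's allowlist. The key, the partner names and the records (standard test card numbers) are constructed for the example.

```python
import hashlib
import hmac
from typing import Dict, Iterable, List

# Constructed for this example; in practice the key lives in an HSM or KMS at
# the data owner and is never shared with the third party.
OWNER_KEY = bytes.fromhex("3f1b9a6c0d2e4f5a6b7c8d9e0f1a2b3c4d5e6f708192a3b4c5d6e7f8091a2b3c")


def pan_digits(pan: str) -> str:
    """Normalise a PAN to its digits so spacing differences do not change the pseudonym."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 13:
        raise ValueError("not a plausible PAN")
    return digits


def pseudonymise(value: str, key: bytes, purpose: str) -> str:
    """Keyed pseudonym: stable for joins, not reversible, and different per purpose.

    A plain SHA-256 of a 16-digit PAN is brute-forceable (the space is about
    10^15 and the Luhn check digit shrinks it further); the secret key removes
    that, and binding the purpose stops two partners joining their datasets.
    """
    mac = hmac.new(key, purpose.encode() + b"\x00" + value.encode(), hashlib.sha256)
    return mac.hexdigest()[:32]


def mask_pan(pan: str) -> str:
    """PCI DSS-style masking: at most the first six and last four digits in clear."""
    digits = pan_digits(pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def minimise_for_partner(record: Dict[str, str], allowed: Iterable[str],
                         partner: str, key: bytes = OWNER_KEY) -> Dict[str, str]:
    """Build the partner's view of a cardholder record.

    The PAN never leaves in clear: it becomes a pseudonym keyed per partner and,
    only if the partner is allowed 'pan_masked', a masked form. Every other field
    must be on the allowlist; anything else (name, expiry, ...) is dropped.
    """
    allowed = set(allowed)
    out = {"account_ref": pseudonymise(pan_digits(record["pan"]), key, partner)}
    if "pan_masked" in allowed:
        out["pan_masked"] = mask_pan(record["pan"])
    for field, value in record.items():
        if field != "pan" and field in allowed:
            out[field] = value
    return out


def reidentify(account_ref: str, records: List[Dict[str, str]], partner: str,
               key: bytes = OWNER_KEY):
    """Only the key holder can map a partner's account_ref back to a record."""
    for rec in records:
        candidate = pseudonymise(pan_digits(rec["pan"]), key, partner)
        if hmac.compare_digest(candidate, account_ref):
            return rec
    return None


# Constructed sample records; the PANs are well-known test numbers, not real accounts.
RECORDS = [
    {"pan": "4111 1111 1111 1111", "name": "A. Cardholder", "expiry": "12/18",
     "merchant_id": "M-1001", "amount": "42.10"},
    {"pan": "5500 0000 0000 0004", "name": "B. Cardholder", "expiry": "03/19",
     "merchant_id": "M-1001", "amount": "17.95"},
]

if __name__ == "__main__":
    view = [minimise_for_partner(r, {"merchant_id", "amount"}, "analytics-vendor")
            for r in RECORDS]
    print(view)
    print(reidentify(view[0]["account_ref"], RECORDS, "analytics-vendor")["name"])
```

Had the compromised provider in the story only ever held views like these, the attacker would have obtained merchant identifiers and pseudonyms rather than account numbers, names and expiry dates.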


UK boards fail to handle cyber-risk, especially at telecoms

UK boardrooms are struggling to cope with cybersecurity risk, especially in the telecoms and utilities sectors, where exposure is dramatic. Overall, a lack of expertise and awareness continues to plague businesses in key sectors.

A new study from CGI reveals that a full 38% of C-suite executives in UK telecoms, utilities, financial services and retail sectors believe a cybersecurity breach at their organization is likely over the next 12 months—at an average total cost over a one-year period of £1.2 million.

But too few of them have real cybersecurity expertise.

On average, almost 30% of UK boardrooms in key sectors of the economy (telecoms, utilities, finance and retail) still view cybersecurity as an IT issue. And only 35% of boardroom executives believe their board has a high level of personal expertise in cybersecurity. While boards in these key sectors rely on externally sourced cyber expertise for 15% of their requirements on average, 68% confirmed they plan to increase reliance on external consultants over the next few years.

The report also found that just 23% of non-executive directors (NEDs) say they have cybersecurity expertise, suggesting the traditional role played by NEDs to offer ‘constructive challenge’ isn’t effective when it comes to managing cybersecurity risk.

Meanwhile, cybersecurity governance is immature across UK boardrooms, to say the least.

Recent high-profile attacks have encouraged almost 80% of UK boardrooms across the UK economy’s key sectors to increase cybersecurity scrutiny. However, it appears on the agenda of only 48% of these boards ‘every few months,’ with many covering it less than twice a year.

Across the sectors surveyed, companies told the researchers they currently assign ultimate responsibility for cybersecurity to CEOs (38%) and CIOs (31%) in the vast majority of cases, with specialist CISOs being empowered at just a handful of firms (3%). Interestingly, CEOs are the preferred choice for B2B companies while CIOs are overwhelmingly responsible at B2C firms.

“UK boardrooms are struggling to get a handle on the cybersecurity issue,” said Andrew Rogoyski, head of cybersecurity for CGI in the UK. “Boards know it is a risk but are uncertain in their approach, often failing to prioritize spend[ing] on cybersecurity. Unless more is done to improve understanding and governance at the highest level we can expect to see more high profile breaches.”

In terms of who’s most at risk, econometric modeling of the anticipated severity of an attack and the likelihood of an attack revealed that the telecoms sector is most at risk, closely followed by utilities. The model uses a combination of perceptions of the nature of sensitive information stored, the value of such data, the expenditure on defending against attacks and the overall awareness of risk to the company and sector to derive an objective risk rating.

Source: http://www.infosecurity-magazine.com/news/uk-boards-fail-to-handle-cyberrisk/


SSL encryption: Keep your head in the game

Cryptography isn’t new. Humans have always liked to keep secrets. Or at least try.

More than 400 years ago, Mary, Queen of Scots, tried. Unfortunately, in the encryption-gone-wrong Babington plot, she didn’t fare so well. When one of Queen Elizabeth’s cunning advisors decrypted a coded correspondence about an assassination conspiracy, it was off with poor Mary’s head.

Decryption can be used to your advantage. It certainly was in Elizabeth’s case.

Encryption: The Double-Edged Sword

Today, more and more Internet traffic is encrypted. In fact, according to the Dell 2016 Annual Threat Report (PDF), nearly 65 percent of it is.

But encryption is a double-edged sword. It’s good when it protects you, your confidentiality, and your data. However, as with most things in life, there are two sides to every story. And encryption’s not so good when it protects the bad guys, too.

See, in addition to the growth of SSL traffic, studies also show that SSL is one of the fastest growing attack vectors. In fact, in its report “Security Leaders Must Address Threats from Rising SSL Traffic,” Gartner predicted that, by 2017, more than 50 percent of network attacks will use encrypted traffic to bypass controls.

Hackers are drawn to encryption because it makes it easier for them to move and hide malware, and, even, take from you the very data and privacy you aim to protect.

By all estimations, not only should a decryption and inspection strategy be viewed as a necessity for businesses, but as a top security priority in 2016.

What’s Fair to Decrypt?

If you’re using a company-issued laptop and company-hosted servers for email, should you be allowed to send work email to your personal Gmail account? Well, not really. Or at least not unless you’re cool with allowing your company to inspect those emails because, you got it, the situation does pose a legitimate security risk.

In the United States, it’s a touchy topic. Many privately held companies have begun to inspect this type of traffic, while many public companies are awaiting new legislation on the matter. In Europe, even where privacy reigns supreme, when and where to use decryption is coming up for debate more and more.

What’s important is to determine where there’s a clear security rationale for decrypting certain SSL-encrypted streams, and to get a better understanding of who’s doing the encryption that may be traversing your network. Because, oh yeah, another thing about today’s encryption: it’s stronger and more difficult to decrypt than ever before. In particular, cipher suites with ephemeral Diffie-Hellman key exchange provide forward secrecy, so an out-of-band tool holding a copy of the server’s private key cannot passively decrypt those streams; inspection has to happen inline, in a proxy that terminates the session. So even if organizations wanted to decrypt every bit of SSL traffic (which would most certainly make their users uncomfortable with regard to loss of privacy), their networks would take huge performance hits due to the computationally intensive nature of SSL decryption.

Finding a Balance

Most security architectures use multiple inline and out-of-band security and monitoring tools, each responsible for inspecting traffic and performing its own unique function. The problem is complexity and cost. Decrypting and routing SSL traffic to numerous security and analytics tools or enabling those tools with decryption capabilities isn’t simple and can be expensive.

Source: http://www.securityweek.com/ssl-encryption-keep-your-head-game
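Learning “who’s doing the encryption that may be traversing your network” and deciding which streams merit full decryption does not itself require decrypting anything: the Server Name Indication in the TLS ClientHello travels in clear, so a passive sensor or inline proxy can read it and apply policy before committing to the expensive terminate-and-reencrypt work. The following Python code is an added example written for this digest, not from the article or from any product: extract_sni() parses a ClientHello record without decrypting and returns None for anything malformed, decrypt_decision() applies a constructed per-category policy (the bank.example and webmail.example suffixes are hypothetical stand-ins for a URL-categorisation feed), and build_client_hello() assembles a minimal TLS 1.2 ClientHello as constructed test input.

```python
import struct

# Constructed policy for this example; real deployments feed these from a
# categorisation service. Privacy-sensitive categories are never decrypted,
# high-risk exfiltration channels always are, everything else gets DEFAULT.
BYPASS_SUFFIXES = ("bank.example", "health.example")
INSPECT_SUFFIXES = ("webmail.example", "filedrop.example")
DEFAULT = "decrypt"


def extract_sni(record: bytes):
    """Return the host_name from a TLS ClientHello record, or None.

    Only the cleartext handshake is parsed; nothing is decrypted. Malformed,
    truncated or non-ClientHello input yields None rather than an exception.
    """
    try:
        if record[0] != 0x16:                      # TLS record type: handshake
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        body = record[5:5 + rec_len]
        if body[0] != 0x01:                        # handshake type: ClientHello
            return None
        hs_len = int.from_bytes(body[1:4], "big")
        hs = body[4:4 + hs_len]
        if len(hs) != hs_len:
            return None                            # truncated record
        pos = 2 + 32                               # client_version + random
        pos += 1 + hs[pos]                         # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + hs[pos]                         # compression_methods
        if pos + 2 > len(hs):
            return None                            # no extensions block
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
            ext = hs[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type != 0x0000:                 # 0 = server_name extension
                continue
            lpos = 2                               # skip server_name_list length
            while lpos + 3 <= len(ext):
                name_type = ext[lpos]
                name_len = struct.unpack("!H", ext[lpos + 1:lpos + 3])[0]
                name = ext[lpos + 3:lpos + 3 + name_len]
                if name_type == 0 and len(name) == name_len:   # 0 = host_name
                    return name.decode("ascii", errors="replace")
                lpos += 3 + name_len
        return None
    except (IndexError, struct.error):
        return None


def decrypt_decision(sni):
    """Map a stream's SNI to ('bypass' | 'decrypt', reason)."""
    if sni is None:
        return (DEFAULT, "no SNI: cannot categorise, policy default applies")
    host = sni.lower().rstrip(".")

    def matches(suffixes):
        return any(host == s or host.endswith("." + s) for s in suffixes)

    if matches(BYPASS_SUFFIXES):
        return ("bypass", "privacy-sensitive category")
    if matches(INSPECT_SUFFIXES):
        return ("decrypt", "high-risk category")
    return (DEFAULT, "uncategorised, policy default applies")


def build_client_hello(hostname=None) -> bytes:
    """Assemble a minimal TLS 1.2 ClientHello record (constructed test input)."""
    exts = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(sni)) + sni
    hs_body = (
        b"\x03\x03" + b"\x11" * 32                  # client_version 1.2, random
        + b"\x00"                                   # empty session_id
        + struct.pack("!H", 4) + b"\xc0\x2f\x00\x9c"   # two cipher suites
        + b"\x01\x00"                               # one compression method: null
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(hs_body).to_bytes(3, "big") + hs_body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    for host in ("online.bank.example", "mail.webmail.example", "cdn.example.net", None):
        sni = extract_sni(build_client_hello(host))
        print(sni, "->", decrypt_decision(sni))
```

The SNI is client-supplied and unauthenticated, so a bypass decision should be confirmed against the certificate the server actually presents before the proxy steps out of the stream; otherwise a client can name a bank in its ClientHello to earn a bypass and then talk to something else.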


Multiple passcode bypass vulnerabilities discovered in iOS 9

Apple’s iOS 9.0, 9.1, and most recent 9.2.1 releases contain multiple connected passcode protection bypass vulnerabilities that affect both iPhone and iPad devices, researchers at Vulnerability Lab warn.

These vulnerabilities allow a local attacker who has physical access to the device to bypass the passcode protection mechanism of the Apple mobile iOS, the bug’s security advisory reveals.

Apple iPhone 5, 5s, 6 and 6s, as well as iPad mini and iPad 1 and 2 are affected by the bug.

The passcode bypass poses a high security risk according to the researchers, with a CVSS (Common Vulnerability Scoring System) score of 6.4.

By successfully exploiting the vulnerability, an attacker can gain device access and compromise sensitive user data, including address-books, photos, SMS, MMS, emails, phone app, mailbox, and phone settings, while also being able to access other default/installed mobile apps.

Vulnerability Lab researchers note that the issues are located in the “App Store,” “Buy more Tones” and “Weather Channel” links of the Clock, Event Calendar, and Siri User Interface. By exploiting the vulnerabilities, a local attacker could request an internal browser link request to the App Store that bypasses the user’s passcode or fingerprint protection mechanism.

According to researchers, an attacker can take advantage of these issues in several ways to gain unauthorized access to the affected Apple mobile iOS devices. Siri, the Events Calendar, and the Clock app of the control panel on default settings can be exploited in these scenarios, the advisory says.

Via Siri, an attacker could place a request for a non-existing app, after which Siri responds with an App Store link to search for it, and a restricted browser window is opened, listing some apps. The attacker can then switch back to the internal home screen by interacting with the home button or with Siri again.

The link to bypass the controls is visible in the Siri interface only and is called “open App Store.” Apple iPhone 5 and 6(s) running iOS v9.0, v9.1, or v9.2.1 are vulnerable to this exploit, the advisory said.

An attacker could also gain access to the non-restricted Clock app by opening it via Siri or via the Control Panel, which allows them to open the Timer’s end-of-timer sound setting (the Radar tone by default). The Clock app allows users to buy more sounds for alerts (via an included link) and the attacker can use it to open a restricted App Store browser window, after which they can switch back to the internal home screen as detailed above.

The link to bypass the controls is visible in the Alert - Tone (Wecker - Ton) and Timer (End/Radar), under the name of “Buy more Tones.” The vulnerability affects iPhone 5 and 6(s) with iOS v9.0, v9.1 & v9.2.1.

Source: http://www.securityweek.com/multiple-passcode-bypass-vulnerabilities-discovered-ios-9


About PwC

At PwC, our purpose is to build trust in society and solve important problems. We’re a network of firms in 157 countries with more than 208,000 people who are committed to delivering quality in assurance, advisory and tax services. Find out more and tell us what matters to you by visiting us at www.pwc.com.

In India, PwC has offices in these cities: Ahmedabad, Bengaluru, Chennai, Delhi NCR, Hyderabad, Kolkata, Mumbai and Pune. For more information about PwC India's service offerings, visit www.pwc.com/in

PwC refers to the PwC International network and/or one or more of its member firms, each of which is a separate, independent and distinct legal entity in separate lines of service. Please see www.pwc.com/structure for further details.

©2016 PwC. All rights reserved

pwc.in

Data Classification: DC0

This document does not constitute professional advice. The information in this document has been obtained or derived from sources believed by PricewaterhouseCoopers Private Limited (PwCPL) to be reliable but PwCPL does not represent that this information is accurate or complete. Any opinions or estimates contained in this document represent the judgment of PwCPL at this time and are subject to change without notice. Readers of this publication are advised to seek their own professional advice before taking any course of action or decision, for which they are entirely responsible, based on the contents of this publication. PwCPL neither accepts or assumes any responsibility or liability to any reader of this publication in respect of the information contained within it or for any decisions readers may take or decide not to or fail to take.

© 2015 PricewaterhouseCoopers Private Limited. All rights reserved. In this document, “PwC” refers to PricewaterhouseCoopers Private Limited (a limited liability company in India having Corporate Identity Number or CIN : U74140WB1983PTC036093), which is a member firm of PricewaterhouseCoopers International Limited (PwCIL), each member firm of which is a separate legal entity.

MP 436 - September 2015 PwC Weekly Security Report edition 5.indd Designed by Corporate Communications, India

For any queries, please contact:

Sivarama Krishnan
[email protected]

Amol Bhat
[email protected]
