Tag Archive for: weak

Your telephone system is your security weak spot


While your telephony solution may not immediately spring to mind when you think about security risks, you could inadvertently be giving hackers the keys to the kingdom.

Modern voice-over-IP (VoIP) telephony solutions run on the same kinds of networks that your computing systems do. Unfortunately, says Euphoria Telecom chief technology officer Nic Laschinger, they are seldom secured as tightly as your computer systems and this makes them vulnerable.

“It’s important to realise that if someone can get to your telephony system, they can get to your IT systems. A lot of people define their security at the perimeter. For example, they deploy a firewall to keep people out. Once someone is inside, however, it’s relatively easy for them to get anywhere else, including to your operational IT systems and data,” Laschinger says. “People tend to ignore security on telephony systems as they don’t recognise them as full-fledged computer systems. This can be a costly omission.”

Operational technology (OT), such as telephony systems and the systems that run factories, power plants and the like, is increasingly being recognised by attackers as a weak area.

According to the Fortinet 2022 State of Operational Technology and Cybersecurity Report, 93% of organisations surveyed had an intrusion in the past year, and 61% of those intrusions impacted OT systems. Worse, says Fortinet, it took hours to restore service in 90% of those cases.

Weaknesses in VoIP systems, together with network and device compromises, are increasingly resulting in losses for businesses globally. The 2021 CFCA Global Telecommunications Fraud Loss Survey found that IP PBX hacking accounted for US$1.82-billion of fraud that year. Spoofing, the most common telephony fraud method, cost businesses some $2.63-billion.

In addition to standard security measures like IPsec (which encrypts and authenticates traffic between network endpoints; for VoIP it is usually complemented by TLS for SIP signalling and SRTP for the media stream) and strong authentication, your cloud telephony provider should be implementing additional features and functions that help keep your telephone system secure. Below, Laschinger outlines some…


CIA’s ‘weak’ websites led to capture and execution of assets in Iran, China: Report


A flaw in the Central Intelligence Agency’s ‘covert’ websites compromised the US spy agency’s assets in countries including Iran and China, according to a report by security researchers. The researchers claimed that the internet security flaw led to the deaths of more than two dozen US assets in China in 2011 and 2012, while other assets in Iran were either executed or imprisoned by the regime. The research, carried out by security experts at the University of Toronto’s Citizen Lab, also said that the flaw could have been detected by an amateur sleuth, the British newspaper The Guardian reported. The security experts began their probe following a tip from a Reuters journalist.

Joel Schectman, the Reuters journalist, had reportedly tipped off the research group about a CIA asset in Iran who had been captured and later served seven years in prison after using the ‘fatally insecure network’. In 2018, two Yahoo News reporters first reported that a system used by the agency to communicate with its assets had been compromised by Iran and China.

However, the researchers said they were not publishing the full report, so as to avoid putting more CIA assets at risk. The revelations have nevertheless brought the agency’s handling of digital safety measures under scrutiny. According to the report, at least 885 websites were identified as having been used by the CIA. They purported to be websites about news, healthcare, weather and so on.

The research group said an amateur sleuth could have mapped the entire CIA network and attributed it to the US government. According to the report, these websites were active between 2004 and 2013. They have not been used by the agency recently, but a subset of them were still linked to active employees or assets.

Calling out the ‘reckless construction’ of the CIA’s infrastructure, Citizen Lab claimed that the loophole led to the identification and execution of agency assets, while risking the lives of countless other individuals linked to them.

A spokesperson for the CIA said the agency takes its obligations to protect the people who work with it extremely…


Mobile security specialist, Corrata, discovers weak encryption on major websites when accessed using iOS devices | News


DUBLIN, May 17, 2022 /PRNewswire/ — Mobile threat defense solution provider, Corrata, today announced the discovery of poor encryption practices on a number of major websites including Irish telecoms company Eir and German newspaper Bild.  In line with its responsible disclosure practice, Corrata contacted the owners of the websites concerned and the weaknesses have now been remedied.  However it is likely that other websites contain similar vulnerabilities and Corrata urges website owners to make sure that their encryption is in line with industry best practice.

Today the vast majority of websites use encryption to ensure that sensitive data exchanged between users and the website remains confidential. This confidentiality depends on the Transport Layer Security (TLS) protocol. HTTPS is HTTP carried over TLS, and it is what the browser uses when you visit a website securely; its use is usually signalled by a lock symbol at the left-hand end of the browser address bar.

However, not all HTTPS deployments are equally secure. Some websites still allow out-of-date protocol versions or cipher suites with known weaknesses. This is particularly risky on Wi-Fi networks, because traffic passing between a mobile phone and a Wi-Fi access point can easily be intercepted. Internet users rely on sensitive data being transmitted in encrypted form to defeat such eavesdropping, but where weak encryption is negotiated it will fail to protect passwords, financial information and other confidential data.

The specific weakness discovered by Corrata was a misconfiguration of the sites’ web servers that caused them to select an old, insecure cipher called RC4 when the client was an iOS device (iPhone or iPad). Known biases in RC4’s keystream let an attacker who observes enough traffic recover plaintext, and website owners have been strongly advised not to use it for at least ten years; RFC 7465 (2015) prohibits RC4 cipher suites in TLS altogether. Because the negotiated cipher depends on both the list the client offers and the server’s preference order, a server can appear fine when tested from a desktop browser yet still pick RC4 for a client that offers it. Devices with Corrata’s mobile threat defense solution installed automatically detect these flaws and prevent users’ data being stolen. It was these routine checks that brought the vulnerability to light.
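To show what a check of this kind actually looks at, here is an added example (not Corrata’s code and not from the original article) that parses a TLS ServerHello record and flags any RC4 cipher suite the server selected. The ServerHello bytes are constructed inside the script so it runs offline; in practice you would feed it the first server record from a packet capture of an iOS client connecting to the site under test. The cipher-suite values are the IANA TLS Cipher Suite Registry assignments; all function and variable names are the example’s own.

```python
import struct

# RC4 cipher suites (IANA TLS Cipher Suite Registry values). RFC 7465 prohibits
# all RC4 suites; the registry and that RFC are the authoritative complete list,
# this table holds the ones most commonly seen on web servers.
RC4_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0xC002: "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
    0xC007: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    0xC00C: "TLS_ECDH_RSA_WITH_RC4_128_SHA",
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
}

HANDSHAKE = 0x16       # TLS record content type
SERVER_HELLO = 0x02    # handshake message type


def parse_server_hello(record: bytes) -> dict:
    """Return the version and cipher suite from a TLS record carrying a ServerHello.

    Layout (RFC 5246 section 7.4.1.3): record header (type, version, length),
    handshake header (type, 3-byte length), then server_version, 32-byte random,
    length-prefixed session_id, cipher_suite, compression_method, extensions.
    Extensions are not parsed. Raises ValueError on anything malformed.
    """
    if len(record) < 5:
        raise ValueError("record too short for a TLS header")
    content_type, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != HANDSHAKE:
        raise ValueError("not a handshake record")
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4:
        raise ValueError("handshake message truncated")
    if hs[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len or len(body) < 35:
        raise ValueError("ServerHello body truncated")
    version = struct.unpack("!H", body[:2])[0]
    sid_len = body[34]                       # byte after the 32-byte random
    off = 35 + sid_len
    if len(body) < off + 3:                  # cipher_suite (2) + compression (1)
        raise ValueError("ServerHello truncated before cipher_suite")
    suite = struct.unpack("!H", body[off:off + 2])[0]
    return {"version": version, "cipher_suite": suite}


def is_rc4(suite: int) -> bool:
    return suite in RC4_SUITES


def audit_server_hello(record: bytes) -> str:
    """Human-readable verdict for one captured ServerHello."""
    suite = parse_server_hello(record)["cipher_suite"]
    if is_rc4(suite):
        return f"WEAK: server selected {RC4_SUITES[suite]} (0x{suite:04X})"
    return f"OK: server selected cipher suite 0x{suite:04X}"


def build_server_hello(suite: int, version: int = 0x0303) -> bytes:
    """Constructed TLS 1.2 ServerHello with no extensions and a fixed, fake random.

    Exists only to exercise the parser offline; a real reply should be taken
    from a packet capture of the client you care about (here, an iOS device).
    """
    body = (struct.pack("!H", version)
            + bytes(range(32))               # server random (placeholder, not random)
            + b"\x00"                        # empty session_id
            + struct.pack("!H", suite)
            + b"\x00")                       # compression_method: null
    hs = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, version, len(hs)) + hs


if __name__ == "__main__":
    # Two constructed replies: one negotiating RC4, one negotiating AES-GCM.
    print(audit_server_hello(build_server_hello(0x0005)))   # TLS_RSA_WITH_RC4_128_SHA
    print(audit_server_hello(build_server_hello(0xC02F)))   # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
```

Run the check against captures from each client type you support, not just one desktop browser: the suite in the ServerHello is the server’s choice for that particular client’s offered list. A TLS 1.3 ServerHello carries the same cipher_suite field (with legacy_version 0x0303), but TLS 1.3 defines no RC4 suites, so a WEAK verdict always means a downlevel negotiation.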

About Corrata

Corrata are global leaders…


Weak Security Controls and Practices Routinely Exploited for Initial Access


Best Practices to Protect Your Systems:
• Control access.
• Harden credentials.
• Establish centralized log management.
• Use antivirus solutions.
• Employ detection tools.
• Operate services exposed on internet-accessible hosts with secure configurations.
• Keep software updated.

Cyber actors routinely exploit poor security configurations (either misconfigured or left unsecured), weak controls, and other poor cyber hygiene practices to gain initial access or as part of other tactics to compromise a victim’s system. This joint Cybersecurity Advisory identifies commonly exploited controls and practices and includes best practices to mitigate the issues. This advisory was coauthored by the cybersecurity authorities of the United States,[1],[2],[3] Canada,[4] New Zealand,[5],[6] the Netherlands,[7] and the United Kingdom.[8]

Download the PDF version of this report (pdf, 430kb).

Malicious actors commonly use the following techniques to gain initial access to victim networks (MITRE ATT&CK tactic TA0001, Initial Access).

Malicious cyber actors often exploit the following common weak security controls, poor configurations, and poor security practices to employ the initial access techniques.

  • Multifactor authentication (MFA) is not enforced. MFA, particularly for remote desktop access, can help prevent account takeovers. With Remote Desktop Protocol (RDP) one of the most common infection vectors for ransomware, MFA is a critical tool in mitigating malicious cyber activity. Do not exclude any user, particularly administrators, from an MFA requirement. 
  • Incorrectly applied privileges or permissions and errors within access control lists. These mistakes can prevent the enforcement of access control rules and could allow unauthorized users or system processes to be granted access to objects. 
  • Software is not up to date. Unpatched software may allow an attacker to exploit publicly known vulnerabilities to gain access to sensitive information, launch a denial-of-service attack, or take control of a system. This is one of the most commonly found poor security practices.
  • Use of vendor-supplied default configurations or default login usernames and passwords. Many software and hardware products come “out of the box” with overly permissive factory-default configurations intended to make the products user-friendly and reduce the troubleshooting time for customer service. However, leaving these factory default configurations enabled after installation may provide avenues for an attacker to exploit. Network devices are also often pre-configured with default administrator usernames and passwords to simplify setup. These default credentials are not secure—they may be physically labeled on the device or even readily available on the internet. Leaving these credentials unchanged creates opportunities for malicious activity, including gaining unauthorized access to information and installing malicious software. Network defenders should also be aware that the same considerations apply for extra software options, which may come with preconfigured default settings.
  • Remote services, such as a virtual private network (VPN), lack sufficient controls to prevent unauthorized access. During recent years, malicious threat actors have been observed targeting remote services. Network defenders can reduce the risk of remote service compromise by adding access control mechanisms, such as enforcing MFA, implementing a boundary firewall in front of a VPN, and leveraging intrusion detection system/intrusion prevention system sensors to detect anomalous network activity.  
  • Strong password policies are not implemented. Malicious cyber actors can use a myriad of methods to exploit weak, leaked, or compromised passwords and gain unauthorized access to a victim system. Malicious cyber actors have used this technique in various nefarious acts and prominently in attacks targeting RDP. 
  • Cloud services are unprotected. Misconfigured cloud services are common targets for cyber actors. Poor configurations can allow for sensitive data theft and even cryptojacking.
  • Open ports and misconfigured services are exposed to the internet. This is one of the most common vulnerability findings. Cyber actors use scanning tools to detect open ports and often use them as an initial attack vector. Successful compromise of a service on a host could enable malicious cyber actors to gain initial access and use other tactics and procedures to compromise exposed and vulnerable entities. RDP, Server Message Block (SMB), Telnet, and NetBIOS are high-risk services. 
  • Failure to detect or block phishing attempts. Cyber actors send emails with malicious macros—primarily in Microsoft Word documents or Excel files—to infect computer systems. Initial infection can occur in a variety of ways, such as when a user opens or clicks a malicious download link, PDF, or macro-enabled Microsoft Word document included in phishing emails. 
  • Poor endpoint detection and response. Cyber actors use obfuscated malicious scripts and PowerShell attacks to bypass endpoint security controls and launch attacks on target devices. These techniques can be difficult to detect and protect against. 

Applying the following practices can help organizations strengthen their network defenses against the commonly exploited weak security controls and practices described above.

Control Access

  • Adopt a zero-trust security model that eliminates implicit trust in any one element, node, or service, and instead requires continuous verification of the operational picture via real-time information from multiple sources to determine access and other system responses.[9],[10] Zero-trust architecture enables granular privilege access management and can allow users to be assigned only the rights required to perform their assigned tasks.
  • Limit the ability of a local administrator account to log in from a remote session (e.g., deny access to this computer from the network) and prevent access via an RDP session. Additionally, use dedicated administrative workstations for privileged user sessions to help limit exposure to all the threats associated with device or user compromise. 
  • Control who has access to your data and services. Give personnel access only to the data, rights, and systems they need to perform their job. This role-based access control, applied according to the principle of least privilege, should cover both accounts and physical access. If a malicious cyber actor gains access, access control can limit the actions they can take and can reduce the impact of misconfigurations and user errors. Network defenders should also use role-based access control to limit the access of service, machine, and functional accounts, as well as the use of management privileges, to what is necessary. Consider the following when implementing access control models:
    • Ensure that access to data and services is specifically tailored to each user, with each employee having their own user account. 
    • Give employees access only to the resources needed to perform their tasks.
    • Change default passwords of equipment and systems upon installation or commissioning. 
    • Ensure there are processes in place for the entry, exit, and internal movement of employees. Delete unused accounts, and immediately remove access to data and systems from accounts of exiting employees who no longer require access. Deactivate service accounts, and activate them only when maintenance is performed.[11]
  • Harden conditional access policies. Review and optimize VPN and access control rules to manage how users connect to the network and cloud services.
  • Verify that no machines, including cloud-based virtual machine instances, have RDP ports open to the internet. Place any system with an open RDP port behind a firewall and require users to connect through a VPN to reach it.[12]
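As an added example that is not part of the advisory, the following script applies the check in the last item above, and the earlier “Open ports and misconfigured services” item, to cloud firewall rules: it flags any ingress rule that admits RDP, SMB, Telnet or NetBIOS from 0.0.0.0/0 or ::/0. The rule format and the sample rules are constructed for this example (loosely modelled on security-group ingress entries), not exported from any real account; the port-to-service table is the advisory’s own list of high-risk services. Function and field names are the example’s own.

```python
import ipaddress

# Services the advisory names as high-risk when exposed to the internet,
# keyed by (protocol, port). RDP is listed for both TCP and UDP transports.
HIGH_RISK = {
    ("tcp", 23): "Telnet",
    ("udp", 137): "NetBIOS name service",
    ("udp", 138): "NetBIOS datagram service",
    ("tcp", 139): "NetBIOS session service",
    ("tcp", 445): "SMB",
    ("tcp", 3389): "RDP",
    ("udp", 3389): "RDP",
}

# Constructed ingress rules for this example only (not from a real account).
# "proto" is "tcp", "udp" or "all"; ports are an inclusive range.
SAMPLE_RULES = [
    {"group": "sg-web", "proto": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
    {"group": "sg-web", "proto": "tcp", "from_port": 3389, "to_port": 3389, "cidr": "0.0.0.0/0"},
    {"group": "sg-files", "proto": "tcp", "from_port": 0, "to_port": 65535, "cidr": "::/0"},
    {"group": "sg-admin", "proto": "tcp", "from_port": 3389, "to_port": 3389, "cidr": "10.20.0.0/16"},
    {"group": "sg-legacy", "proto": "tcp", "from_port": 20, "to_port": 25, "cidr": "203.0.113.0/24"},
    {"group": "sg-legacy", "proto": "udp", "from_port": 137, "to_port": 138, "cidr": "0.0.0.0/0"},
    {"group": "sg-any", "proto": "all", "from_port": 0, "to_port": 65535, "cidr": "0.0.0.0/0"},
]


def is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 and ::/0, i.e. reachable from any internet address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_matches(rule: dict, proto: str, port: int) -> bool:
    """Does this rule admit the given protocol/port? 'all' and '-1' mean any protocol."""
    proto_ok = rule["proto"] in (proto, "all", "-1")
    return proto_ok and rule["from_port"] <= port <= rule["to_port"]


def audit_rules(rules: list) -> list:
    """One finding per high-risk (protocol, port) that a world-open rule admits.

    A wide range such as 0-65535 yields one finding per high-risk service it
    covers, so the report says exactly which services are reachable.
    """
    findings = []
    for rule in rules:
        if not is_world_open(rule["cidr"]):
            continue                         # internal or scoped source: not flagged here
        for (proto, port), service in HIGH_RISK.items():
            if rule_matches(rule, proto, port):
                findings.append({
                    "group": rule["group"], "proto": proto, "port": port,
                    "service": service, "cidr": rule["cidr"],
                })
    return findings


def exposed_groups(rules: list) -> set:
    """Names of the groups that have at least one finding."""
    return {f["group"] for f in audit_rules(rules)}


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f"{f['group']}: {f['service']} ({f['proto']}/{f['port']}) open to {f['cidr']}")
```

The check is deliberately strict about what counts as exposed: only “any address” sources are flagged, so the RDP rule scoped to 10.20.0.0/16 passes, which is the advisory’s recommended shape (RDP reachable only from inside, behind the firewall and VPN). If your policy also forbids RDP from arbitrary public ranges, widen `is_world_open` to return True for any source network that is not private; the rest of the logic is unchanged.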

Implement Credential Hardening

Establish Centralized Log Management

  • Ensure that each application and system generates sufficient log information. Log files play a key role in detecting attacks and dealing with incidents. By implementing robust log collection and retention, organizations are able to have sufficient information to investigate incidents and detect threat actor behavior. Consider the following when implementing log collection and retention: 
    • Determine which log files are required. These files can pertain to system logging, network logging, application logging, and cloud logging. 
    • Set up alerts where necessary. These should include notifications of suspicious login attempts based on an analysis of log files. 
    • Ensure that your systems store log files in a usable file format, and that the recorded timestamps are accurate and set to the correct time zone. 
    • Forward logs off local systems to a centralized repository or security information and event management (SIEM) tools. Robustly protect SIEM tools with strong account and architectural safeguards.
    • Make a decision regarding the retention period of log files. If you keep log files for a long time, you can refer to them to determine facts long after incidents occur. On the other hand, log files may contain privacy-sensitive information and take up storage space. Limit access to log files and store them in a separate network segment. An incident investigation will be nearly impossible if attackers have been able to modify or delete the log files.[13]
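As an added example that is not part of the advisory, the following script implements two of the points above: alerting on suspicious login attempts from collected logs, and getting timestamps and time zones right before correlating across hosts. It normalises ISO 8601 timestamps carrying different UTC offsets to UTC, then raises an alert when one source address accumulates five failed logins within sixty seconds across all hosts, and a second alert if that source subsequently logs in successfully. The log lines, the line format, the thresholds and all names are constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sshd-style lines (not from a real host). Timestamps are ISO 8601
# with explicit UTC offsets: host-a logs in UTC+2, host-b in UTC-4. The host-b
# line is part of the same burst once both are expressed in UTC.
SAMPLE_LOGS = """\
2022-05-17T09:00:01+02:00 host-a sshd: Failed password for admin from 203.0.113.5 port 51000
2022-05-17T09:00:03+02:00 host-a sshd: Failed password for admin from 203.0.113.5 port 51001
2022-05-17T03:00:05-04:00 host-b sshd: Failed password for root from 203.0.113.5 port 51002
2022-05-17T09:00:07+02:00 host-a sshd: Failed password for admin from 203.0.113.5 port 51003
2022-05-17T09:00:09+02:00 host-a sshd: Failed password for admin from 203.0.113.5 port 51004
2022-05-17T09:00:11+02:00 host-a sshd: Accepted password for admin from 203.0.113.5 port 51005
2022-05-17T09:10:00+02:00 host-a sshd: Failed password for alice from 198.51.100.7 port 40000
2022-05-17T09:30:00+02:00 host-a sshd: Failed password for alice from 198.51.100.7 port 40001
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<outcome>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+$"
)


def to_utc(ts: str) -> datetime:
    """Parse an ISO 8601 timestamp and normalise it to UTC.

    A timestamp without an offset is rejected rather than guessed: mixing
    naive and zone-aware times silently breaks any cross-host correlation.
    """
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        raise ValueError(f"timestamp lacks a UTC offset: {ts}")
    return dt.astimezone(timezone.utc)


def parse_line(line: str):
    """Return an event dict for a recognised line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = to_utc(ev["ts"])
    return ev


def detect_bruteforce(log_text: str, threshold: int = 5, window_s: int = 60) -> list:
    """Alert when one source produces `threshold` failures within `window_s`
    seconds (counted across all hosts), and again if that source then logs in."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])       # global UTC order, not per-host order
    recent = defaultdict(deque)              # src -> timestamps of failures in window
    flagged = set()
    alerts = []
    for ev in events:
        q = recent[ev["src"]]
        if ev["outcome"] == "Failed":
            q.append(ev["ts"])
            while (ev["ts"] - q[0]).total_seconds() > window_s:
                q.popleft()                  # drop failures older than the window
            if len(q) >= threshold and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append({"type": "bruteforce", "src": ev["src"],
                               "count": len(q), "first": q[0], "last": ev["ts"]})
        elif ev["src"] in flagged:           # a success after a flagged burst
            alerts.append({"type": "success_after_bruteforce", "src": ev["src"],
                           "user": ev["user"], "host": ev["host"], "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOGS):
        print(alert)
```

Without the UTC normalisation, the host-b failure at 03:00 local time would sit six hours away from the host-a burst at 09:00 local time, the window would never reach five, and the successful login that follows would raise nothing. That is the practical reason the advisory insists on accurate timestamps and correct time zones before logs are forwarded to the central repository.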

Employ Antivirus Programs

  • Deploy an anti-malware solution on workstations to prevent spyware, adware, and malware as part of the operating system security baseline.
  • Monitor antivirus scan results on a routine basis.

Employ Detection Tools and Search for Vulnerabilities

  • Implement endpoint detection and response (EDR) tools. These tools provide a high degree of visibility into the security status of endpoints and can help protect effectively against malicious cyber actors.
  • Employ an intrusion detection system or intrusion prevention system to protect network and on-premises devices from malicious activity. Use signatures to help detect malicious network activity associated with known threat activity.
  • Conduct penetration testing to identify misconfigurations. See the Additional Resources section below for more information about CISA’s free cyber hygiene services, including remote penetration testing.
  • Conduct vulnerability scanning to detect and address application vulnerabilities. 
  • Use cloud service provider tools to detect overshared cloud storage and monitor for abnormal accesses.

Maintain Rigorous Configuration Management Programs

  • Always operate services exposed on internet-accessible hosts with secure configurations. Never enable external access without compensating controls such as boundary firewalls and segmentation from other more secure and internal hosts like domain controllers. Continuously assess the business and mission need of internet-facing services. Follow best practices for security configurations, especially blocking macros in documents from the internet.[14]

Initiate a Software and Patch Management Program 

  • Implement asset and patch management processes to keep software up to date. Identify and mitigate unsupported, end-of-life, and unpatched software and firmware by performing vulnerability scanning and patching activities. Prioritize patching known exploited vulnerabilities.

Additional Resources 

References 

[1] United States Cybersecurity and Infrastructure Security Agency 
[2] United States Federal Bureau of Investigation
[3] United States National Security Agency
[4] Canadian Centre for Cyber Security 
[5] New Zealand National Cyber Security Centre 
[6] New Zealand CERT NZ
[7] Netherlands National Cyber Security Centre
[8] United Kingdom National Cyber Security Centre 
[9] White House Executive Order on Improving the Nation’s Cybersecurity
[10] NCSC-NL Factsheet: Prepare for Zero Trust
[11] NCSC-NL Guide to Cyber Security Measures
[12] N-able Blog: Intrusion Detection System (IDS): Signature vs. Anomaly-Based
[13] NCSC-NL Guide to Cyber Security Measures
[14] National Institute of Standards and Technology SP 800-123 – Keeping Servers Secured

Contact

U.S. organizations: To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at [email protected]. To report computer intrusion or cybercrime activity related to information found in this advisory, contact your local FBI field office at www.fbi.gov/contact-us/field, or the FBI’s 24/7 Cyber Watch at 855-292-3937 or by email at [email protected]. For NSA client requirements or general cybersecurity inquiries, contact [email protected]

Canadian organizations: report incidents by emailing CCCS at [email protected]

New Zealand organizations: report cyber security incidents to [email protected] or call 04 498 7654. 

The Netherlands organizations: report incidents to [email protected]

United Kingdom organizations: report a significant cyber security incident: ncsc.gov.uk/report-an-incident (monitored 24 hours) or, for urgent assistance, call 03000 200 973.

Caveats

The information you have accessed or received is being provided “as is” for informational purposes only. CISA, the FBI, NSA, CCCS, NCSC-NZ, CERT-NZ, NCSC-NL, and NCSC-UK do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring.

Purpose

This document was developed by CISA, the FBI, NSA, CCCS, NCSC-NZ, CERT-NZ, NCSC-NL, and NCSC-UK in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders. 
