RSA 2016 panel – Malware As A Service: Kill the Supply Chain

Our founder and CEO, Tom Byrnes, will lead a panel at the RSA Conference 2016 entitled “Malware as a Service: Kill the Supply Chain” on Wednesday, March 2, 2016, from 10:20 am to 11:10 am.

Panelists will begin with a discussion of the current state of criminal activity: how attackers are becoming more sophisticated and adopting the same logistics that mainstream businesses use to succeed. For example, the cloud is paving the way to cheaper, faster, broader-scale attacks that can be stood up, launched and torn down within hours, undetected. The discussion will move on to an analysis of attack vectors, why security strategies are failing, and how to disrupt the cycle of escalating attacks: hit them where it hurts, in the logistics.

This panel of security luminaries includes Lance James, Chief Scientist of Flashpoint Intelligence, former head of cyber intelligence for Deloitte and internationally renowned information security specialist; Marcus Sachs, CSO of the NERC and former VP for National Security Policy for Verizon; and Johannes Ullrich, Dean of Research for the SANS Technology Institute, responsible for the SANS Internet Storm Center (ISC). Moderator Tom Byrnes is a noted member of the international security community. He began his career with a 13-year stint in the US Army deploying cybersecurity systems, and later served in senior leadership roles at three successful security startups.

Attendees will have a seat at the table with security industry experts as they discuss the most critical security issues facing organizations today, and how to take down the malware business.

Surprise: attempted attack on Hillary’s email account

Big news this morning: according to the Associated Press, presidential candidate and former Secretary of State Hillary Clinton’s private email server was the target of an attempted hack.

The Associated Press obtained several emails showing how the attackers tried to get into her system. Apparently the attackers sent an email, with attachments, disguised as a request for payment of speeding tickets. Downloading the attachments would have given the attacker control of her machine. No news outlet has mentioned whether or not she clicked through.

I don’t think anyone is surprised by the attack. The question then becomes: this particular incident was discovered; how many others were not? And what secrets within the former Secretary of State’s email have been accessed by unauthorized third parties, and what is the potential fallout?

We need more facts ma’am.

Edward Snowden is now on Twitter — @Snowden

Mr. Snowden made his debut on Twitter today with the @Snowden handle (lucky it was still available). At press time he was following only a single account, the NSA, and had already attracted 227K followers.

He describes himself thusly: “I used to work for the government. Now I work for the public. Director at .”

According to Wired, he is using the photo shot for the magazine’s 2014 cover story on Snowden.

ThreatSTOP @ SANS Network Security — “Hackers are Equal Opportunity Businessmen: Everyone’s a Target”

At the recent SANS Network Security event in Las Vegas, John Thompson, ThreatSTOP’s Director of Systems Engineering, delivered a presentation titled “Hackers are Equal Opportunity Businessmen: Everyone’s a Target.” View the presentation here: ThreatSTOP Presentation – SANS LV_09 10 15

The presentation offers interesting insight into what John calls “malware as a service” and offers use cases for “business email compromise” and fast flux attack vectors.

No-one is immune: there may be worms in your Apple

An MS-ISAC Cyber Security Advisory issued yesterday states that multiple vulnerabilities in Apple products could allow remote code execution: “Multiple vulnerabilities have been discovered in Apple iOS and iTunes…These vulnerabilities can be exploited if a user visits or is redirected to a specially crafted webpage or opens a specially crafted file, including an email attachment.”

It further states, “Successful exploitation could result in an attacker gaining the same privileges as the logged on user, remote code execution within the context of the application, and the ability to bypass the security systems.”

While some of these have been known previously, seeing the entire list is sobering. There are over 100 of them, and many permit an attacker to run arbitrary code on the device. For example:

CoreText

Available for:  iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
Impact:  Processing a maliciously crafted font file may lead to arbitrary code execution
Description:  A memory corruption issue existed in the processing of font files. This issue was addressed through improved input validation.
CVE-2015-5874 : John Villamil (@day6reak), Yahoo Pentest Team

Data Detectors Engine

Available for:  iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
Impact:  Processing a maliciously crafted text file may lead to arbitrary code execution
Description:  Memory corruption issues existed in the processing of text files. These issues were addressed through improved bounds checking.
CVE-2015-5829 : M1x7e1 of Safeye Team (

Dev Tools

Available for:  iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
Impact:  A malicious application may be able to execute arbitrary code with system privileges
Description:  A memory corruption issue existed in dyld. This was addressed through improved memory handling.
CVE-2015-5876 : beist of grayhash

Of particular interest is that CoreText—the font one—sounds very similar to the recent font bugs found in Windows and Adobe Reader. It is yet further evidence that Apple devices share much the same vulnerabilities as Windows PCs and Android devices, and hence the confidence that Apple has enjoyed regarding security from malware no longer applies.

The good news is: no exploits in the wild have been reported. That said, the detailed list of vulnerabilities should attract some attention. Stay tuned.

MS-ISAC recommends the following actions be taken:

  • Apply appropriate updates provided by Apple to vulnerable systems immediately after appropriate testing.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to download, accept, or execute files from untrusted or unknown sources.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.

Try it Free: Three Easy Steps to Domain Name Fraud

Criminals are using fake domains and emails to pose as CEOs, and convince employees to send them money, in some cases millions of dollars. The FBI calls this scam business email compromise (BEC), or CEO fraud. In January 2015, the FBI warned that cyber thieves stole nearly $215 million from businesses in the previous 14 months through such scams, which start when crooks spoof or hijack the email accounts of business executives or employees.

It is easy and cheap. There is no barrier to entry for criminals setting up new domains. They can set them up using a completely anonymous throwaway email address, so it can’t be traced back. And it’s free, because domain issuers often run promotions for free 30-day trials. BEC has been reported in all 50 states and 80 countries.

How to get started:

  1. Pick an organization you want to defraud.
  2. Get any credit card number (stolen or fake) and a throwaway free email address.
  3. Use the credit card number and email account to sign up for a free new domain of your choice and an associated email address using any one of the myriad providers that give away services as a marketing promotion. Pick a domain name very similar to the target organization’s domain, with a slight misspelling. For example, if you are targeting, you could sign up for the domain (notice it is short an “n”) and then set up a fake email account for the CEO,

Case in point: Vistaprint offers a month’s free web hosting with the available domain of your choice, plus an email account that uses said domain. They do not verify the requestor’s identity, nor charge the card used to sign up. This offer has proven very attractive to fraudsters: they can instantly stand up a domain and email account and immediately begin perpetrating fraud. Our research shows that the average time from setting up the domain and email account to sending the first fraudulent email is minutes.

Here’s an example of how it works: criminals begin by sending a fake CEO email request to the accounting department for an immediate wire transfer payment for an urgent purchase. The request includes wire transfer details for a bank account controlled by the criminal. The accounts payable clerk receives the meticulously crafted CEO email request with only one error, which is easy to miss—the company email address is missing a letter. There is a high likelihood that accounting will ask for more information, but enough transactions of this type are completed without any questions from accounts payable to make this scam profitable.

And even if it is questioned initially, a confident fraudster can manage the follow-up email conversation well enough to get the money transferred. Whether the scam succeeds or fails, the stolen credit card and disposable email address make tracking down the perpetrator difficult.

A couple of successful scams include:

With all of the criminal activity perpetrated via domain names and email, one would think that certain safeguards would be put in place. Some thoughts:

  • Organizations should put in place a security policy that blocks sending and receiving of email from domains that are similar to the genuine domain but slightly different. There are also services that monitor for the registration of such domains – though they may be too slow to be effective.
  • The domain registration process could build in lag time, perhaps 24 hours, between the request and standing up the site so the registrar can complete some minimal verification of the domain chosen: perhaps confirm that the website is not too similar to an existing website and/or that the user and/or credit card are real.
  • Of course, the problem here is that having a human vet the registration, even by spending a single minute reading the form data, adds cost, and that cost threatens the viability of the intended business model. Though possibly not as much as the potential class action lawsuit from the fraud victims.
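One way to implement the first of these safeguards, a lookalike-domain check on inbound mail, as an added example that is not part of the original post or any ThreatSTOP product: each sender’s domain is compared against a constructed list of the organization’s genuine domains using edit distance, so a domain that is “short an n” or has a digit swapped for a letter is flagged while unrelated external senders pass. The legitimate domains, the sample From: headers and the distance threshold are assumptions made for the illustration.

```python
import re
from typing import List, Tuple

# Constructed list of the organization's genuine sending domains (assumption:
# a real deployment would load these from mail-gateway configuration).
LEGITIMATE_DOMAINS = frozenset({"example.com", "example-corp.com"})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the minimum number of single-character insertions,
    deletions or substitutions that turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute ca -> cb
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Pull the domain out of a From: header value such as 'CEO <ceo@example.com>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", address)
    return m.group(1).lower().rstrip(".") if m else ""


def classify_sender(address: str, legit=LEGITIMATE_DOMAINS,
                    max_distance: int = 2) -> str:
    """Return 'internal', 'lookalike', 'external' or 'invalid' for a sender.

    A domain is internal if it, or its registrable part (the last two labels,
    so mail.example.com counts), is in the legitimate set. It is a lookalike
    if it is within max_distance edits of a legitimate domain: a dropped
    letter (exmple.com), a digit for a letter (examp1e.com) or a swapped pair.
    """
    domain = sender_domain(address)
    if not domain:
        return "invalid"
    registrable = ".".join(domain.split(".")[-2:])
    if domain in legit or registrable in legit:
        return "internal"
    closest = min(edit_distance(registrable, d) for d in legit)
    return "lookalike" if closest <= max_distance else "external"


# Constructed sample of inbound From: headers a gateway rule would see.
SAMPLE_SENDERS = [
    "CEO <ceo@example.com>",
    "CEO <ceo@exmple.com>",          # short an "n"
    "CEO <ceo@examp1e.com>",         # digit one in place of the letter l
    "Finance <ap@mail.example.com>",
    "vendor@supplier.net",
    "no-address-here",
]


def scan(senders=SAMPLE_SENDERS) -> List[Tuple[str, str]]:
    """Classify every sender; a gateway would quarantine the 'lookalike' ones."""
    return [(s, classify_sender(s)) for s in senders]


if __name__ == "__main__":
    for sender, verdict in scan():
        print(f"{verdict:9} {sender}")
```

A distance threshold of 2 catches the single dropped letter the post describes and most one- or two-character substitutions; raising it increases false positives on short domains, so in practice the rule is best applied to a short list of high-value domains (the organization’s own, its bank’s, its key suppliers’) rather than every domain in the address book.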

Registration of fake domains by fraudsters and hackers is a real problem that is relatively easy to solve and even a very simplistic fix would prevent a great deal of crime. The BEC scam is just one example of how criminals use fake, free domains to perpetrate crimes. One would hope that domain vendors take notice of this issue, and begin to put policies and processes in place to help stamp out this type of criminal activity.

Ashley Madison is Telling the Truth

Ashley Madison’s CEO is quoted as saying that the recent incident which exposed very personal information about its 32 million users was an inside job. Your first reaction might have been: of course they are going to say it was an inside job, they don’t want to expose the fact that their security systems were not adequate to stave off an attack.

A review of the data set by ThreatSTOP Labs indicates they may be telling the truth. An external attack of this type typically results from SQL injection, which breaks down the data set’s table structures and returns lines of data. The tables in the Ashley Madison data set, widely available on the Internet, are nicely organized in their original form with the proper table names. This suggests that the person who grabbed the data files, which come to 9.9 gigabytes compressed, likely had legitimate network credentials and was able to dump the data intact, complete with indices and foreign keys. Very large data dumps of this kind are more typical of the activities of an Edward Snowden or Bradley Manning, who used locally attached hard drives to exfiltrate data.

Another data point supporting this claim is that the sheer size of the data dump would have set off myriad service-level alerts indicating that large amounts of data were gushing out the door. Not to mention that the outbound traffic would have slowed network operations to a crawl. BTW: Impact Crew claims to have the image files as well, and has yet to make those available on the Internet. Those files will make the data dump exponentially larger and harder to distribute.
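As an added example, not from the original post or any ThreatSTOP product, here is the kind of volume alert the paragraph above refers to, run over constructed flow records: outbound bytes per internal host are summed per hour and any host that pushes more than an assumed 1 GB out of the network in one hour is reported. The address plan (10.0.0.0/8 is internal), the flow records and the threshold are assumptions for the illustration.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, Iterator, List, Tuple

# Constructed flow records: flow end time, source IP, destination IP and
# bytes sent from source to destination. Not real traffic.
SAMPLE_FLOWS = """\
2015-07-12T01:05:00,10.0.5.23,203.0.113.10,512000
2015-07-12T01:20:00,10.0.5.23,203.0.113.10,980000000
2015-07-12T01:40:00,10.0.5.23,203.0.113.10,1200000000
2015-07-12T01:12:00,10.0.5.40,198.51.100.7,240000
2015-07-12T01:30:00,10.0.5.40,10.0.9.2,5000000000
2015-07-12T02:10:00,10.0.5.23,203.0.113.10,3000000000
"""

# Assumed address plan: anything in 10.0.0.0/8 is inside the network.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Assumed policy: more than 1 GB leaving a single host in one hour is worth a look.
THRESHOLD_BYTES = 1_000_000_000

Flow = Tuple[datetime, str, str, int]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text: str) -> Iterator[Flow]:
    """Parse the comma-separated records, skipping blank and comment lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, nbytes = line.split(",")
        yield datetime.fromisoformat(ts), src, dst, int(nbytes)


def outbound_bytes_per_hour(flows: Iterable[Flow]) -> Dict[Tuple[str, str], int]:
    """Sum bytes per (internal source, hour) for flows that leave the network.
    Internal-to-internal transfers are ignored: they are not exfiltration."""
    totals: Dict[Tuple[str, str], int] = defaultdict(int)
    for ts, src, dst, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            hour = ts.replace(minute=0, second=0, microsecond=0).isoformat()
            totals[(src, hour)] += nbytes
    return dict(totals)


def find_exfil_candidates(text: str = SAMPLE_FLOWS,
                          threshold: int = THRESHOLD_BYTES) -> List[Tuple[str, str, int]]:
    """Hosts and hours whose outbound volume meets the threshold, largest first."""
    totals = outbound_bytes_per_hour(parse_flows(text))
    hits = [(src, hour, b) for (src, hour), b in totals.items() if b >= threshold]
    return sorted(hits, key=lambda h: (-h[2], h[0], h[1]))


if __name__ == "__main__":
    for src, hour, b in find_exfil_candidates():
        print(f"{src} sent {b / 1e9:.2f} GB outbound in the hour starting {hour}")
```

The caveat is the one the post itself makes: an insider copying the database to a locally attached drive generates no outbound flow records at all, so this alert would stay silent. Network volume monitoring needs to be paired with endpoint controls (removable-media logging, database export auditing) to cover that path.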

While not a network-level hack, this does demonstrate that hacking the human (in this instance, the HR team) is still highly effective.
