phishing

Auto Added by WPeMatico

Enterprise security attackers are one password away from your worst day

If the definition of insanity is doing the same thing over and over and expecting a different outcome, then one might say the cybersecurity industry is insane.

Criminals continue to innovate with highly sophisticated attack methods, but many security organizations still use the same technological approaches they did 10 years ago. The world has changed, but cybersecurity hasn’t kept pace.

Distributed systems, with people and data everywhere, mean the perimeter has disappeared. And the hackers couldn’t be more excited. The same technology approaches, like correlation rules, manual processes and reviewing alerts in isolation, do little more than remedy symptoms while hardly addressing the underlying problem.

The current risks aren’t just technology problems; they’re also problems of people and processes.

Credentials are supposed to be the front gates of the castle, but as the SOC is failing to change, it is failing to detect. The cybersecurity industry must rethink its strategy to analyze how credentials are used and stop breaches before they become bigger problems.

It’s all about the credentials

Compromised credentials have long been a primary attack vector, but the problem has only grown worse in the midpandemic world. The acceleration of remote work has increased the attack footprint as organizations struggle to secure their network while employees work from unsecured connections. In April 2020, the FBI said that cybersecurity attacks reported to the organization grew by 400% compared to before the pandemic. Just imagine where that number is now in early 2021.

It only takes one compromised account for an attacker to enter the active directory and create their own credentials. In such an environment, all user accounts should be considered as potentially compromised.

Nearly all of the hundreds of breach reports I’ve read have involved compromised credentials. More than 80% of hacking breaches are now enabled by brute force or the use of lost or stolen credentials, according to the 2020 Data Breach Investigations Report. The most effective and commonly-used strategy is credential stuffing attacks, where digital adversaries break in, exploit the environment, then move laterally to gain higher-level access.

Powered by WPeMatico

Menlo Security announces $100M Series E on $800M valuation

Menlo Security, a malware and phishing prevention startup, announced a $100 million Series E today on an $800 million valuation. The round was led by Vista Equity Partners with help from Neuberger Berman, General Catalyst, JP Morgan and other unnamed existing investors. The company has now raised approximately $250 million.

CEO and co-founder Amir Ben-Efraim says that while the platform has expanded over the years, the company stays mostly focused on web and email as major attack vectors for customers. “We really focused on a better kind of security outcome relative to the major threat factors of web and email. So web and email is really how most of the world or the enterprise world at least does its work, and these channels remain forever vulnerable to the latest attack,” Ben-Efraim explained.

He says that to protect those attack surfaces, the company pioneered a technology called web isolation to disconnect the user from the content and send only safe visuals. “When they click a link or engage with a website, the safe visuals are guaranteed to be malware-free, no matter where you go or you end up,” Ben-Efraim said.

With a valuation of $800 million, he’s proud having built his company from the ground up to this point. He’s not quite ready to discuss an IPO yet, but he expects to take this large influx of cash and continue to grow an independent company with an IPO perhaps three years out.

With an increase in business and the new capital, the company, which has 270 employees of which around 70 came on board this year, hopes to continue to grow at that pace in 2021. He says that as that happens the security startup has been paying close attention to the social justice movements.

“As a management team and for myself as a CEO, it’s an important topic. So we were paying close attention to our own diversification goals. We want Menlo to become a more diversified company,” Ben-Efraim said. He believes the way to get there is to prioritize recruiting channels where they can tap into a wider variety of potential recruits for the company.

While he wouldn’t discuss revenue, he did say in spite of the pandemic, the business is growing rapidly and sales are up 155% in terms of net new sales over last year. “The momentum for that being customers specifically in critical infrastructure, financial services, government and the like are seeing an uptick in attacks associated with COVID, and are looking at security as essential in an area that they need to double down on. So despite the financial difficulties, that’s created a bit of a tailwind for us strangely in 2020, even though the world economy as a whole is clearly being challenged by this epidemic,” he said.

Powered by WPeMatico

Apple, Opera and Yandex fix browser address bar spoofing bugs, but millions more still left vulnerable

Year after year, phishing remains one of the most popular and effective ways for attackers to steal your passwords. As users, we’re mostly trained to spot the telltale signs of a phishing site, but most of us rely on carefully examining the web address in the browser’s address bar to make sure the site is legitimate.

But even the browser’s anti-phishing features — often the last line of defense for a would-be phishing victim — aren’t perfect.

Security researcher Rafay Baloch found several vulnerabilities in some of the most widely used mobile browsers — including Apple’s Safari, Opera and Yandex — which if exploited would allow an attacker to trick the browser into displaying a different web address than the actual website that the user is on. These address bar spoofing bugs make it far easier for attackers to make their phishing pages look like legitimate websites, creating the perfect conditions for someone trying to steal passwords.

The bugs worked by exploiting a weakness in the time it takes for a vulnerable browser to load a web page. Once a victim is tricked into opening a link from a phishing email or text message, the malicious web page uses code hidden on the page to effectively replace the malicious web address in the browser’s address bar to any other web address that the attacker chooses.

In at least one case, the vulnerable browser retained the green padlock icon, indicating that the malicious web page with a spoofed web address was legitimate — when it wasn’t.

An address bar spoofing bug in Opera Touch for iOS (left) and Bolt Browser (right). These spoofing bugs can make phishing emails look far more convincing. (Image: Rapid7/supplied)

Rapid7’s research director Tod Beardsley, who helped Baloch with disclosing the vulnerabilities to each browser maker, said address bar spoofing attacks put mobile users at particular risk.

“On mobile, space is at an absolute premium, so every fraction of an inch counts. As a result, there’s not a lot of space available for security signals and sigils,” Beardsley told TechCrunch. “While on a desktop browser, you can either look at the link you’re on, mouse over a link to see where you’re going or even click on the lock to get certificate details. These extra sources don’t really exist on mobile, so the location bar not only tells the user what site they’re on, it’s expected to tell the user this unambiguously and with certainty. If you’re on palpay.com instead of the expected paypal.com, you could notice this and know you’re on a fake site before you type in your password.”

“Spoofing attacks like this make the location bar ambiguous, and thus, allow an attacker to generate some credence and trustworthiness to their fake site,” he said.

Baloch and Beardsley said the browser makers responded with mixed results.

So far, only Apple and Yandex pushed out fixes in September and October. Opera spokesperson Julia Szyndzielorz said the fixes for its Opera Touch and Opera Mini browsers are “in gradual rollout.”

But the makers of UC Browser, Bolt Browser and RITS Browser — which collectively have more than 600 million device installs — did not respond to the researchers and left the vulnerabilities unpatched.

TechCrunch reached out to each browser maker but none provided a statement by the time of publication.

Powered by WPeMatico

StockX admits ‘suspicious activity’ led to resetting passwords without warning

StockX, a popular site for buying and selling sneakers and other apparel, has admitted it reset customer passwords after it was “alerted to suspicious activity” on its site, despite telling users it was a result of “system updates.”

“We recently completed system updates on the StockX platform,” said the email to customers sent to TechCrunch on Thursday. The email provided a link to a password reset page but said nothing more.

The company was only last month valued at over $1 billion after a $110 million fundraise.

Companies reset passwords all the time for various reasons. Some security teams obtain lists of previously breached passwords that make their way online, scramble them in the same format that the company stores passwords, and find matches. By triggering the reset, it prevents passwords stolen from other sites from being used against one of a company’s own customers. In less than desirable circumstances, passwords are reset following a data breach.

But the company admitted it was not “system updates” as it had told its customers.

“StockX was recently alerted to suspicious activity potentially involving our platform,” said StockX spokesperson Katy Cockrel. “Out of an abundance of caution, we implemented a security update and proactively asked our community to update their account passwords.”

“We are continuing to investigate,” said the spokesperson.

egOZmJK 1

The password reset email sent by StockX on Thursday (Image: supplied)

We asked several follow-up questions — including who alerted StockX to the suspicious activity, if any customer data was compromised and why it misrepresented the reason for the password reset — but the spokesperson declined to comment further.

Throughout the day customers were tweeting screenshots of the email, worried that their accounts had been compromised. Others questioned whether the email was genuine or if it was part of a phishing attack.

“Did they get hacked, find out somehow, and then to cover it up send out that email and ask for a password change?,” one of the affected customers told TechCrunch.

Customers were given no prior warning of the password reset.

StockX founder Josh Luber kept with the company’s line, telling a customer in a tweet that the password reset was “legit” but did not respond to users asking why.

StockX tweeted back to several customers with a boilerplate response: “The password reset email you received is legitimate and came from our team,” and to contact the support email with any questions. We did just that — from our TechCrunch email address — and heard nothing back hours later.

Security experts expressed doubt that a company would reset passwords over a “systems update” as StockX had claimed.

Security researcher John Wethington said it is “rare” to see security overhauls that require password resets. “You wouldn’t just send out a random email about it,” he said. Jake Williams, founder of Rendition Infosec, said it was “bad communication” in any case.

Several took to Twitter to criticize StockX for its handling of the password reset.

One customer called the email “fishy,” another called it “suspicious” and another called on the company to explain why they had to reset passwords in this unorthodox way. Another said in a tweet that he asked StockX twice but they “refused to provide an answer.”

“Guess I’m closing my account,” he said.

Read more:
Slack resets user passwords after 2015 data breach
Capital One breach also hit other major companies, say researchers
An exposed password let a hacker access internal Comodo files
Security lapse exposed weak points on Honda’s internal network
Cryptocurrency loan site YouHodler exposed unencrypted user credit cards and transactions

Powered by WPeMatico

AI security startup Darktrace’s CEO defeats buzzword bingo with trust and transparency

It takes a lot of trust to allow a company to come in and install a mystery box on their network to monitor for threats. It’s like inviting in a security guard to sit in your living room to make sure nobody breaks in.

Yet that’s exactly what Darktrace does. (The box, not the security guard.)

The Cambridge U.K.-founded company, now with a second headquarters in San Francisco, assumes that any network can be breached. Instead of looking at the perimeter of a network, Darktrace uses artificial intelligence (AI) and machine learning to scan and identify security weaknesses and malicious traffic inside a company’s network.

Traditional network monitoring typically uses signature-based threat detection of matching against known malicious files, but can be easily modified to evade detection. Instead, Darktrace builds up a profile of the network to understand what the baseline “normal” looks like so it can spot and identify potential issues, like large amounts of data exfiltration or suspect devices.

But how do you win over those who see a sea of meaningless buzzwords? How can you differentiate between the smoke and mirrors and the real deal?

“No one wants the black box making decisions without them knowing what it’s doing,” said Nicole Eagan, Darktrace’s co-founder and chief executive, in a call with TechCrunch.

“So, let them have visibility,” she said.

Darktrace’s founders have roots in the U.K. and U.S. intelligence, where they took what they knew of the cybersecurity threats to the private sector to where the new battleground opened up. In the past half-decade of its existence, the company has gained major clients on its roster — from telcos to banks, tech giants and car makers — supported by 900 staff in over 40 offices around the world.

About a quarter of its customers are in financial services, said Eagan. But it takes a lot for the heavily regulated companies to trust a mystery device on a company’s network where the data and security, like financial services, is highly regulated.

Powered by WPeMatico

Menlo Security secures $40 million Series C to keep malware at bay

 Menlo Security, a startup with a unique approach to protecting your company from malware and phishing attacks, announced a $40 million Series C round today. Menlo protects customers by never letting employees access an actual website or email containing malware. Instead, they isolate the original in a container, then display a clean mirror image in the browser, which has been stripped of any… Read More

Powered by WPeMatico

Google adds phishing protection to Gmail on Android

 Following the widespread phishing scam that affected Google Docs and Gmail users this week, Google says it’s now rolling out a new security feature in its Gmail application on Android that will help warn users about suspicious links. This feature may not have prevented this week’s attack, however, as that attack involved a malicious and fake “Google Docs” app that… Read More

Powered by WPeMatico

Researchers simulate a ransomware attack on industrial controls

Aerial shot of wastewater treatment facility in Houston, Texas (Photo: Getty Images/Jupiterimages/Photolibrary) Researchers at the Georgia Institute of Technology have created a form of ransomware that can hit us where it really counts: the water supply. Their program installed itself in a model water plant and allowed the researchers to change chlorine levels, shut down water valves, and send false readings to monitoring systems.
“We are expecting ransomware to go one step farther, beyond the… Read More

Powered by WPeMatico