Free GoCrack Password Cracking Tool Helps Admins Test Password Security*:
- A new managed password cracking tool helps security professionals test password effectiveness, securely store passwords and audit password requirements.
- Although password policies at enterprises may not allow common or weak passwords, not all enterprises have the same password policy and weak or reused passwords can still be problematic.
- The tool was designed to help red teams manage password cracking tasks across multiple GPU machines via an easy-to-use web interface.
- According to the company that released the tool, “Some use cases for a password cracking tool can include cracking passwords on exfil archives, auditing password requirements in internal tools, and offensive/defensive operations.”
- The admin portion of GoCrack is meant to be deployed on a Linux server running Docker, or on MacOS, with a “worker” on every GPU/CPU machine.
- GoCrack has an entitlement-based access system – task data is hidden from other users unless they are the task’s original creator, or the creator has granted them access to the task.
- No external database server is required; GoCrack uses hashcat v3.6 or higher as its cracking engine.
- FireEye plans to add support for MySQL and Postgres data engines in the future, as well as the ability to edit files in the UI.
- The password cracking tool GoCrack is like a gift for red teams to add to their arsenal for managing password cracking and recovery tasks; that’s not to say malicious actors won’t want this free gift as well to help crack passwords.
*Source: CSO Online, October 31, 2017
Indian Government Mandates Cyber Security Standards for Phone Makers*:
- Every time a smartphone user downloads and uses an application, they release their information to third parties such as Facebook and Google.
- A study showed that about 70% of all apps that run on smartphones report their users’ information to third party services.
- The data that phone makers release to these companies goes beyond simple usage habits; it can include everything from financial information and personal details to biometrics and location data.
- The information smartphone users shared also made them vulnerable to hacking by security agencies such as the U.S. Central Intelligence Agency.
- Increasing cyber security risks in India have led the government to demand that all phone makers report their hardware, software and network security measures to the Ministry of Electronics and IT.
- The mandate is expected to encourage cyber security standardization across the entire Indian digital platform, which is valued at over $500 million.
- As the mandate takes effect, smartphone companies operating in India will have to report and, if necessary, improve their cyber security standards.
- It is not clear what the penalties for defying the mandate will be.
- As technology becomes more sophisticated and hackers gain more skills, security measures like these might just be the only way to keep consumers safe from privacy violations and illicit data use.
*Source: CPO Magazine, September 04, 2017
NotPetya Ransomware Outbreak Cost Merck More Than $300M Per Quarter*:
- The full financial impact of the NotPetya ransomware campaign is still being tallied, and it doesn’t look good for pharmaceutical giant Merck.
- The attack cost the company more than $300 million in Q3 alone, and is on track to hit that amount again in Q4 as well.
- NotPetya “negatively impacted third-quarter results, including an unfavorable revenue impact of approximately $135 million from lost sales and approximately $175 million in costs.”
- Due to a production shutdown caused by the attack, Merck saw sales reductions of around $240 million.
- The initial attack wreaked so much havoc that employees weren’t even allowed to work; it took down the firm’s email system and disrupted sales.
- As big an impact as $310 million is for Merck, it seems to be par for the course for major enterprises dealing with the aftermath of such attacks – Maersk and FedEx both faced substantial losses in the hundreds of millions.
- It wasn’t just enterprises that were hit hard by ransomware: small and medium-sized businesses were a big target too, due to their limited resources.
- If Merck’s story is any indication, CISOs around the world should be putting money aside to mitigate the impact of such attacks, and do all they can to prevent such an attack from happening in the first place.
*Source: TechRepublic, October 30, 2017
A Flaw in Google's Bug Database Exposed Private Security Vulnerability Reports*:
- A series of flaws in Google's internal bug tracker let a security researcher gain access to some of the company's most critical and dangerous vulnerabilities.
- The company’s internal bug reporting system, known as the Issue Tracker, is used by security researchers and bug finders to submit issues, problems, and security vulnerabilities with Google's software, services and products.
- Most ordinary users have very little access to the bug tracker, but a security researcher found that by spoofing a Google corporate email address, he was able to gain access to the back-end of the system.
- An attacker could have discovered and exploited submitted vulnerabilities to target and potentially compromise Google accounts.
- The researcher created a Gmail account, which, prior to the new account being verified by email, would let a user change their email address to any address, including Google corporate accounts.
- The newly-created fake Google account wouldn’t give him direct access to the company’s network, but it was enough to trick the Issue Tracker into thinking he was an employee – giving him elevated privileges to view and interact with bug reports.
- From there, he was able to send altered requests to the Issue Tracker server, letting him read any bug he wanted including the most sensitive vulnerabilities.
- After he reported the bugs, his access was revoked and the vulnerability fixed within the hour.
- These bug databases are ripe targets for nation-state attackers, who want to target major technology companies.
- The researcher was awarded a little over $15,600 in bug bounties from Google for three bugs, and was also given $3,133 as an additional grant to continue research on vulnerabilities with the Issue Tracker.
*Source: ZDNet, October 30, 2017
USB Stick Found in West London Contained Heathrow Security Data*:
- Detailed security arrangements for London Heathrow airport, including the Queen’s precise route every time she passes through, were found on a USB stick left in a West London street.
- The unencrypted USB stick was found lying under leaves on Ilbert Street – reportedly by an unemployed jobseeker on his way to a library.
- Having plugged the stick into a computer, the man found a treasure trove of what appeared to be security-related documents, including routes and timings of security patrols, types of ID needed to access restricted areas, and maps of CCTV cameras.
- No passwords had been applied to the stick or any of its contents.
- The offending files were passed on to Heathrow security.
- An airport spokeswoman said an internal investigation had been launched, adding “we have reviewed all of our security plans and are confident that Heathrow remains secure.”
*Source: The Register, October 30, 2017
For Cybersecurity, AI Helps Alleviate Shortage of Human Experts*:
- Qualified employees in cybersecurity are in such short supply and the surging need in this field is so great that consulting firms, security companies and businesses are turning to artificial intelligence to help plug the gaps.
- An expected one million cybersecurity jobs will go unfilled worldwide this year, according to the Information Systems Audit and Control Association.
- Many companies that do fill open roles use employees from other departments or recent graduates who are untested in corporate cybersecurity.
- It is this discrepancy that is pushing innovation in the use of AI for cybersecurity forward.
- Another company uses AI tools to identify critical threats and highlight them for experts on staff who try to defuse them.
- As the technology advances, it will become more predictive; the goal will be to use machines as sort of a first ring of defense, allowing people to focus on the toughest of cyberchallenges.
- About 60% of companies surveyed by a Chicago-based cybersecurity firm recently indicated that “half or fewer of their security staff have the specialized skills and training to address more complex security issues.”
- Where outsourcing is not an option, the answer for many companies will be to give their staff better tools.
- A president of global enterprise risk and security at Mastercard says AI software helps the company comb more quickly through its global data sets, stop fraudulent payments, and even notify banks or card issuers before they notice there may be a problem.
- No matter how sophisticated AI cybersecurity products get, some experts see a need for humans to remain at the controls and actively involved.
- The future of AI in the cybersecurity field will depend on determining what humans can do best and what can really be left to computers.
*Source: The Wall Street Journal, October 29, 2017