Don’t trust OAuth: Why the “Google Docs” worm was so convincing


An evil phishing worm masquerading as "Google Docs" took the Internet by storm today. It sent an e-mail claiming to be from a friend or relative who wanted to share a document with you. Clicking on the "Open in Docs" button asked you to log in to Google, then it popped up a familiar OAuth request asking for some permissions. If you clicked "Allow," the permissions granted it full control over your e-mail and access to all your contacts. The worm then e-mailed everyone in your contacts list before doing god-only-knows what else to the victim's e-mail.

The interesting thing about this worm was just how convincing it was. The e-mail was great—it used the exact same language as a Google Docs sharing e-mail and the exact same "Open" button. Clicking on the link brought up an authentic Google log-in page, served up from Google's servers. Then you were presented a real Google OAuth permissions page, also from Google's servers. The trick was that the app claiming to be "Google Docs" wasn't really Google Docs. The screen showed a third-party app with the name "Google Docs" and a profile picture that matched the Google Docs logo.
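The name and logo on the consent screen are supplied by whoever registered the app; the only authoritative fields are the client_id, redirect_uri and scope parameters in the authorization URL itself. The Python below is an added example, not code from the Ars Technica article, showing the kind of check a mail gateway or browser policy could apply to an OAuth link before a user reaches the consent screen: compare the client_id with an organizational allowlist, check the redirect host against trusted domains, and flag scopes that grant broad mailbox or contacts access. The two Google scope strings are published scope names; treating exactly those as high risk, the client ids, the redirect host and the allowlist are all this example's assumptions or constructed placeholders, not the worm's real values.

```python
from urllib.parse import urlparse, parse_qs

# Scopes treated as high risk because they grant broad mailbox or contact
# access. The two strings are Google-published scope names; treating exactly
# these as "high risk" is this example's assumption, not a rule from the article.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/": "full read, write and send access to the mailbox",
    "https://www.google.com/m8/feeds/": "read and write access to all contacts",
}


def parse_consent_url(url):
    """Extract the authoritative fields of an OAuth authorization request.

    Returns None when the URL carries no client_id, i.e. it is not an
    authorization request at all.
    """
    parts = urlparse(url)
    qs = parse_qs(parts.query)
    if "client_id" not in qs:
        return None
    # parse_qs decodes '+' and %20 to spaces; scopes are space-separated.
    scopes = set(" ".join(qs.get("scope", [])).split())
    return {
        "authz_host": parts.hostname or "",
        "client_id": qs["client_id"][0],
        "redirect_uri": qs.get("redirect_uri", [""])[0],
        "scopes": scopes,
    }


def _host_trusted(hostname, trusted_domains):
    """True if hostname equals or is a subdomain of a trusted domain."""
    return any(hostname == d or hostname.endswith("." + d) for d in trusted_domains)


def assess_consent_request(url, allowlisted_client_ids, trusted_redirect_domains):
    """Return a list of findings for an authorization URL; empty means nothing flagged.

    The display name and logo on the consent screen are chosen by whoever
    registered the app, so they are deliberately not inputs here.
    """
    req = parse_consent_url(url)
    if req is None:
        return ["not an OAuth authorization request (no client_id)"]
    findings = []
    if req["client_id"] not in allowlisted_client_ids:
        findings.append(
            f"client_id {req['client_id']} is not an approved app; "
            "the name and logo shown on the consent screen prove nothing"
        )
    redirect_host = urlparse(req["redirect_uri"]).hostname or ""
    if not _host_trusted(redirect_host, trusted_redirect_domains):
        findings.append(
            f"authorization code would be delivered to untrusted host "
            f"{redirect_host or '<none>'}"
        )
    for scope in sorted(req["scopes"] & set(HIGH_RISK_SCOPES)):
        findings.append(f"requests {scope}: {HIGH_RISK_SCOPES[scope]}")
    return findings


# Constructed sample: the shape of a link like the one in the worm's e-mail,
# with a placeholder client id and redirect host (not the real worm's values).
SAMPLE_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=000000000000-constructed.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fdocs.example.net%2Fcallback"
    "&response_type=code"
    "&scope=https%3A%2F%2Fmail.google.com%2F+https%3A%2F%2Fwww.google.com%2Fm8%2Ffeeds%2F"
)

# Constructed allowlist: the client ids an organization has actually vetted.
APPROVED_CLIENT_IDS = {"111111111111-approved.apps.googleusercontent.com"}
TRUSTED_REDIRECT_DOMAINS = {"example.com"}

if __name__ == "__main__":
    for finding in assess_consent_request(SAMPLE_URL, APPROVED_CLIENT_IDS, TRUSTED_REDIRECT_DOMAINS):
        print("FLAG:", finding)
```

Run against the constructed sample this produces four findings: an unknown client_id, an untrusted redirect host, and the two broad scopes. A request from an allowlisted client asking only for `openid email` and redirecting to a trusted domain produces none, which is the point: the decision rests on fields the app owner cannot dress up, not on how the consent page looks.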


Automated mitigation on endpoint devices and networks can be tricky

Many companies have automated systems in place for preventing, detecting, and investigating security incidents, but automating the incident response and mitigation process for networks and endpoint devices has been a tougher nut to crack.

That includes actions such as automatically re-imaging endpoint devices, isolating devices from corporate networks, or shutting down particular network processes in order to quickly and efficiently respond to attacks.

“I think there’s a lot of potential,” said Joseph Blankenship, analyst at Forrester Research. “We’re definitely in a period of discovery, though, and that has to take place before we’re going to see widespread, mainstream adoption.”

Enterprises first need to get more experience with security automation tools, he said, and see what impact they have.

But full incident response automation is probably three to five years from becoming reality, he said.

“I think we’re seeing some early attempts,” he said. “Say, if every time you see the same threat indicator, the analyst gets action recommendations from an automated tool or machine learning algorithm and makes the same choice, to click yes, let’s go ahead and take the next step. Then if we do that 500 or 1,000 times we can agree that this is a process that we can fully automate and take the analyst fully out of the loop.”

At that point, the analysts can focus on their more difficult, complex situations.

But companies can also approach automation without a machine learning system, if they already have incident response playbooks in use at their company, said Ariel Tseitlin, partner at Foster City, Calif.-based investment firm Scale Venture Partners.

“Take one of those playbooks, and take security automation tools, and test how much of that playbook can be automated,” he said. “That’s a very practical and real way of going and determining if a tool is applicable for an individual environment and how much benefit you can get from it.”

Even partial automation can be very effective, he said.

“Say you have malware on an endpoint, and your playbook for that has 50 steps in it,” he said. “If you can, say, automate 80 percent of it, you can see how many hours of savings you’ll get for your security team, and you can quickly get proof of value.”

Tseitlin said that he talks with customers when deciding whether to invest in any particular security startup, and he’s finding that there’s already real value that’s being realized.

One key factor that determines whether a particular incident response technology works is whether the enterprise itself is ready for automation.

“Different companies are at different stages of security maturity,” he said. “If you haven’t thought about the process, then thinking about automation is really premature. The first thing you have to do is map out the risks, threats and controls, and then you think about how you go through implementing each of those controls. But then when you’ve gone through that, automation is a great way to accelerate and improve the efficiency of the organization.”

Cleaning up the end points

One of the earliest uses of automation on endpoint devices has been to quarantine or remove malware files before they do any damage.

Almost every PC now has some form of anti-virus, and many companies are also using behavior-based malware detection to spot new threats.

A manual response would be too slow, since malware can act quickly to damage a device, or even to start spreading to other machines on the same network.

“So it’s not a new concept,” said Rob Clyde, security consultant and member of the ISACA board of directors.

But what happens if a user clicks on a malicious link or attachment, and installs malware that is able to evade all the defenses, install itself on the machine, and begin to do damage?

A typical response would be to store a copy of the device image for later forensic analysis, wipe the machine, restore it from a clean image, and restore the user’s files from the latest backup. While this is all happening, the user might be sent to anti-phishing training so as to be more careful next time.

Automating this process is easier for some companies than others, said Clyde.

“Some have gone to complete virtual desktops,” he said. “In essence, their desktop is always available to be re-imaged, because the physical machine is just a host for the virtual desktop.”

Similarly, if a company has its employees use a cloud-based platform like Office 365 and saves all work documents either on its own servers or in the cloud, then reimaging can also be relatively quick and easy.

In both cases, there’s less risk of losing valuable files in the process, which limits the harm done if a machine is wiped when there was no actual infection.

“At the very same time, we have heavy knowledge workers, say, someone in a marketing organization, who is constantly working on new ad copy and PowerPoint presentations,” he said. “These are still often stored, at many companies, locally on the individual machine. The idea of wiping that machine and losing a day’s work unnecessarily is putting some companies off of trying to adopt this.”

Isolating the threat

Another common technique for automated mitigation is to quarantine infected machines.

“You might not wipe it, but it won’t spread the infection any further,” he said.

But doing this requires more than just having endpoint protection in place, he said.

“It does require network access controls,” he said. “If you have a link between the detection of the infected endpoint, and the network access control system, that can automatically link back with network security products and actually keep that device from connecting to the network.”

But too often, when products that have those capabilities are deployed, they aren’t implemented.

“In some cases, there’s a bit of a check-the-box mentality,” he said. “And nobody is asking whether I’ve implemented the network access controls. They should add that to the check list.”

In a large organization, there could be an additional barrier to setting up these kinds of systems in that the people responsible for the networks and the people responsible for endpoints are two different groups.

“It requires cooperation,” he said, “and sometimes the cooperation is just too hard to get.”

In addition, there’s the question of how many devices have to be isolated, said Jon Oltsik, senior principal analyst at Enterprise Strategy Group.

“If I quarantine one system, that’s fine,” he said. “But if I’m quarantining more systems, it gets more complex.”

The more extensive the required response, the more complicated it gets, he said. “And the more confidence you have to have that you’re doing the right thing.”

Smart networks

There are many tools available today that can detect suspicious activity on the network.

“You see a person in marketing has launched a network scan – that shouldn’t happen, so you can quarantine that system,” said Oltsik. “Or you see systems beaconing out to known command and control servers, so you can stop them at the system level or the network level. That’s pretty routine, and there are lots of companies that do that.”

But the more sophisticated the attack, the harder it is to automate a response, he said.

That doesn’t mean network vendors aren’t trying.

Network security has been a hotbed of activity recently when it comes to automation, said ISACA’s Clyde.

“If you were to walk around the last RSA show, you would see network security company after network security company touting how they automate detection of attacks and in some cases automatically take action,” he said.

But opinion is divided as to whether this is a good idea.

“Some voice concerns about taking action without human involvement, especially if a system was not 100 percent deterministic,” he said. “They might get it wrong, and take some action that might block legitimate activity. But others are like, ‘The attackers move too quickly and we need automation.’”

If false positives are too high, companies prefer to send the alerts to analysts for manual response.

“We are making progress,” he said. “But the state of the art tends to be about detecting, and not taking action, except for cases where it’s 99.9 percent certain that it’s real.”
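The decision rules the analysts describe across this article fit together as one small response engine: a playbook mapping an indicator to a mitigation (quarantine through network access control, snapshot-then-reimage), automatic action only above a very high confidence threshold, recommendations to an analyst otherwise, promotion of a rule to fully automated after the analyst has approved the same recommendation hundreds of times, and a cap on how many machines get isolated without a person deciding. The Python below is an added illustration of those rules, not code from any product or from the people quoted; the indicator names, the threshold values other than the quoted 99.9 percent and 500 approvals, and the blast-radius cap are this example's assumptions.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Alert:
    indicator: str     # what the detector saw, e.g. "beacon_to_known_c2"
    host: str          # affected endpoint
    confidence: float  # detector's confidence that the alert is real, 0.0-1.0


# Playbook: indicator -> the mitigation step the article describes for it.
# The indicator names are this example's own labels, not a product's.
PLAYBOOK = {
    "beacon_to_known_c2": "quarantine_host_via_nac",
    "internal_network_scan": "quarantine_host_via_nac",
    "malware_on_endpoint": "snapshot_then_reimage",
}

AUTO_ACT_CONFIDENCE = 0.999   # act without an analyst only when "99.9 percent certain"
PROMOTION_THRESHOLD = 500     # identical analyst approvals before a rule is automated
MAX_AUTO_QUARANTINES = 5      # blast-radius cap (assumed value): beyond it a human decides


@dataclass
class ResponseEngine:
    approvals: Counter = field(default_factory=Counter)  # consecutive approvals per indicator
    automated: set = field(default_factory=set)          # indicators promoted to auto-action
    auto_quarantined: set = field(default_factory=set)   # hosts isolated without a human
    actions_taken: list = field(default_factory=list)    # (host, action) audit trail
    analyst_queue: list = field(default_factory=list)    # (alert, recommended action)

    def handle(self, alert):
        """Route one alert: act automatically, recommend to an analyst, or escalate."""
        action = PLAYBOOK.get(alert.indicator)
        if action is None:
            self.analyst_queue.append((alert, None))
            return "escalate:no_playbook"
        certain = alert.confidence >= AUTO_ACT_CONFIDENCE
        learned = alert.indicator in self.automated
        # Isolating one box is routine; isolating many needs more confidence than
        # a detector can give, so the cap hands the decision back to a person.
        within_blast_radius = (
            action != "quarantine_host_via_nac"
            or len(self.auto_quarantined) < MAX_AUTO_QUARANTINES
        )
        if (certain or learned) and within_blast_radius:
            self.actions_taken.append((alert.host, action))
            if action == "quarantine_host_via_nac":
                self.auto_quarantined.add(alert.host)
            return f"auto:{action}"
        self.analyst_queue.append((alert, action))
        return f"recommend:{action}"

    def analyst_decision(self, alert, approved):
        """Record an analyst's yes/no on a recommendation and learn from it.

        Enough consecutive approvals promote the indicator to fully automated;
        a single rejection resets the count, because the rule is evidently not
        deterministic enough to run unattended.
        """
        action = PLAYBOOK.get(alert.indicator)
        if action is None:
            return None
        self.analyst_queue = [(a, act) for (a, act) in self.analyst_queue if a is not alert]
        if not approved:
            self.approvals[alert.indicator] = 0
            return None
        self.actions_taken.append((alert.host, action))
        self.approvals[alert.indicator] += 1
        if self.approvals[alert.indicator] >= PROMOTION_THRESHOLD:
            self.automated.add(alert.indicator)
        return action


if __name__ == "__main__":
    engine = ResponseEngine()
    # Constructed alerts mirroring the article's examples.
    print(engine.handle(Alert("beacon_to_known_c2", "host-01", 0.9995)))   # auto
    print(engine.handle(Alert("internal_network_scan", "host-02", 0.80)))  # recommend
    print(engine.handle(Alert("unknown_indicator", "host-03", 1.0)))       # escalate
```

The `actions_taken` list is the audit trail a team needs before trusting the promotion logic: when an indicator crosses the approval threshold, the record shows exactly which decisions earned it, and a single analyst rejection sends it back to recommendation mode.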

Fortunately, because of improving technology, human analysts are able to handle and monitor a lot more than they could even a couple of years ago, he said.

“That’s the good news,” he said. “The bad news is, I’m not sure that we’re keeping up with the innovation on the attacker side.”


This article was written by Maria Korolov from CSO Magazine and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to [email protected].

The post Automated mitigation on endpoint devices and networks can be tricky appeared first on McAfee Blogs.

Intel Finally Patches Critical AMT Bug (Kinda)

Intel has finally patched the critical AMT bug discovered in March by security researcher Maksim Malyutin at Embedi. I say ‘kinda’ because it’s not really up to Intel to deploy the fix to the problem. They can’t really push out updates to CPUs, but at least they have fixed it in the firmware and now the […] The post Intel Finally Patches...

Read the full post at darknet.org.uk

FBI Warns Cyber Criminals Are Targeting Unsecured FTP Servers In The Healthcare Industry

On March 22, 2017, the FBI issued a Private Industry Notification warning that criminal actors are actively targeting File Transfer Protocol (FTP) servers operating in “anonymous” mode and associated with medical and dental facilities to “access protected health information (PHI) and personally identifiable information (PII) in order to intimidate, harass, and blackmail business owners.” FTP servers are used to transfer files between parties. When an FTP server is placed in anonymous mode, it allows a user to authenticate to the server with a common username such as “anonymous” or “ftp” without submitting a password, or by submitting a generic password or e-mail address.

The FBI warns that cyber criminals could use an FTP server in anonymous mode to store malicious tools or launch targeted cyber attacks. Therefore, “any misconfigured or unsecured server operating on a business network on which sensitive data is stored or processed exposes the business to data theft and compromise by cyber criminals who can use the data for criminal purposes such as blackmail, identity theft, or financial fraud.”

The FBI recommends that medical and dental healthcare entities ask their IT services personnel to check their networks for FTP servers running in anonymous mode. If a business has a legitimate need to operate an FTP server in anonymous mode, administrators should ensure that no sensitive PHI or PII is stored on the server.

The FBI encourages businesses to report information concerning suspicious or criminal activity to their local FBI office or the FBI’s 24/7 Cyber Watch.

A copy of the notification can be found here.
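The check the FBI recommends, having IT staff find FTP servers on the organization's own network that accept anonymous logins, comes down to attempting the anonymous login and reading the server's reply code: a 230 means the server let the anonymous user in, a 530 means it refused. The Python below is an added example, not part of the FBI notification or this post. It uses the standard library `ftplib` for the check and includes a constructed loopback FTP server so the code runs offline; in practice the checker is pointed at the hosts an administrator is responsible for, and a True result means the server either needs anonymous mode disabled or needs confirming that nothing sensitive sits on it.

```python
import socket
import threading
from ftplib import FTP, error_perm


def anonymous_login_allowed(host, port=21, timeout=5.0):
    """Check whether an FTP server accepts an anonymous login.

    Returns True if "anonymous" with a generic e-mail address as the password
    is accepted (2xx reply to PASS), False if the server rejects it (5xx), and
    None if no control connection could be established.
    """
    ftp = FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
    except OSError:
        return None
    try:
        ftp.login("anonymous", "anonymous@example.com")
        return True
    except error_perm:  # 5xx reply to USER/PASS: login refused
        return False
    finally:
        try:
            ftp.quit()
        except Exception:
            ftp.close()


# ---- constructed fake FTP server so the check can be exercised offline ----

def _serve_one_control_session(conn, allow_anonymous):
    """Answer just enough of the FTP control protocol for one login attempt."""
    reader = conn.makefile("rb")
    conn.sendall(b"220 constructed test server ready\r\n")
    for line in reader:
        verb = line.split(b" ", 1)[0].strip().upper()
        if verb == b"USER":
            conn.sendall(b"331 Please specify the password.\r\n")
        elif verb == b"PASS":
            conn.sendall(b"230 Login successful.\r\n" if allow_anonymous
                         else b"530 Login incorrect.\r\n")
        elif verb == b"QUIT":
            conn.sendall(b"221 Goodbye.\r\n")
            break
        else:
            conn.sendall(b"502 Command not implemented.\r\n")
    reader.close()
    conn.close()


def start_fake_ftp_server(allow_anonymous):
    """Listen on an ephemeral loopback port, serve one session, return the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        try:
            _serve_one_control_session(conn, allow_anonymous)
        finally:
            srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


if __name__ == "__main__":
    for allow in (True, False):
        port = start_fake_ftp_server(allow)
        result = anonymous_login_allowed("127.0.0.1", port)
        print(f"server configured allow_anonymous={allow}: anonymous login allowed -> {result}")
```

Because the check returns None rather than False when nothing answers on the port, a sweep of an inventory can distinguish "no FTP service here" from "FTP service that correctly refuses anonymous users", which matters when the result is fed into a compliance report.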