Security week-in-review: President introduces schema for rating cyber incidents


It’s hard to keep up with the hundreds of security-specific headlines published every week.

So, we’re rounding up the top news that affect you, your business, and the security and technology industry overall. This week we explore a new cybersecurity incident response plan from the U.S. government, the FBI most wanted list for cyber criminals, and more. Check back every Friday to learn about the latest in security news.

White House issues Presidential Policy Directive on U.S. Cyber Incident Coordination

This week, the White House introduced a plan for how to handle a cyberattack, building out a scale on which to rate the severity of, and the response to, such an attack. The directive’s introduction explains that the government has taken its lessons from its own experience with “increasingly significant cyber incidents affecting both the private sector and Federal government” as well as from counterterrorism and disaster response. The hope is that this directive will help the government determine how important a cyberattack is, using its new “cyber incident severity schema.”

Get information from the White House here.

FBI created Most Wanted list for cybercriminals

The FBI released a list of its most wanted criminals. For cybercrime, that is. The U.S. government agency has compiled a list of 26 individuals it accuses of a number of cybercrimes. The list includes several people believed to have been involved in a distributed-denial-of-service attack against U.S. companies, and others accused of bank fraud, as noted by SC Magazine. One of the individuals on the list has a reward of up to $3 million for his arrest.

Read more about the list here.

Vulnerability found in password manager LastPass  

Researchers at Google’s Project Zero found a critical vulnerability in LastPass, an online password manager. If exploited, the vulnerability would have allowed attackers to completely compromise a user’s account and access the stored information. The attacker would only need to direct victims to a malicious webpage to execute the attack. LastPass has since fixed the vulnerability and released a notice about its changes.

Learn more about the vulnerability here.

FBI says BEC-scam wire-transfers most often go to Chinese and Hong Kong banks

The FBI, which previously issued a warning and an update on the issue of business email compromise (BEC) scams, now says that the majority of fraudulent wire transfers are pointed toward Chinese and Hong Kong banks. BEC scams have become a significant issue for American enterprises in recent months. Attackers social-engineer employees, often people with access to the company’s financial information, by pretending to be a person of power in the organization, such as the CEO or CFO. The attacker then asks the victim to wire a sum of money to a specific routing number. Further investigation suggests that the majority of transfers head into China and Hong Kong, though the attackers themselves can be located anywhere in the world.

Read more about the findings here.

White House image via Eric Salard/Flickr

TiaraCon to bring more women into critical, lucrative cybersecurity jobs that are going unfilled


Image: TiaraCon

Next week’s DEF CON 24 will have a royal flavor with the addition of TiaraCon, a 2-day mini-conference created to advance the careers of women in the cybersecurity profession—an important mission, as 209,000 US cybersecurity jobs were left unfilled in 2015, and very few women enter the field.


TiaraCon is free to attend, and will take place August 4-5 at Bally’s in Las Vegas. It will include a workshop, a panel discussion, a networking meet-and-greet, and a resume bar where attendees can have their CVs reviewed by experts in the cybersecurity staffing field.

“I want to create more inclusive workplaces that are welcoming to women, transgender folks, and gender non-binary folks, so those voices are all accounted for and you get more diverse thinking,” said Sarah Clarke, a security advisor and TiaraCon organizer. “TiaraCon puts people together who want inclusive workplace environments, and gives people a chance to hire them, support them, and create mentoring and friendship networks so no one is ever alone.”


The idea came from a group of women, including Clarke, over lunch at DEF CON last year. The group initially wanted to plan a party, but high interest levels and community support turned it into a two-day mini-conference. As of Friday, TiaraCon had 250 RSVPs. Organizers expect a crowd of 300-400 at the event.

“Most cybersecurity events are boys’ clubs, so we wanted a place that was feminine and inclusive of everyone, and just completely different,” Clarke said. The name TiaraCon represents that “everyone is special and deserves a seat at the table,” Clarke said.

Exploring the stats

Women held 25% of professional computing occupations in 2015, according to the National Center for Women & Information Technology—down from an all-time high of 36% in 1991. Only 17% of Fortune 500 Chief Information Officer positions were held by women in 2015.

The cybersecurity employment stats are even more sobering: Women make up only 11% of the world’s information security workforce, according to the Women’s Society of Cyberjutsu, and just 1% of its leadership. Meanwhile, the field itself is experiencing a huge shortage, and job postings in the profession have gone up 74% over the past five years.

Many women don’t know that the job is an excellent option for working mothers, Clarke said, with its high pay and often remote, flexible hours. “It’s a great career for women, and we want them to know that,” she added.

US News and World Report ranked a career in information security analysis fifth on its list of best technology jobs. Average salaries nationally are $88,890, and significantly higher in cities such as San Francisco and New York.

Keeping women in cybersecurity

A 2008 Harvard Business Review study found that as many as 50 percent of women working in science, engineering, and technology will leave over time because of hostile work environments. These included a “hostile” male culture, a sense of isolation, and a lack of a clear career path. An updated study in 2014 found the reasons had not changed significantly.

“Tech environments have massive turnover and are often emotionally volatile,” said Deirdre Diamond, CEO of CyberSN. “Women are not only not joining cyber—they are leaving cyber because of the culture.”

On Friday at TiaraCon, a workshop led by Diamond will examine how women can communicate more powerfully and the art of conflict resolution. “The women who are coming to my workshop want to get into leadership—the soft skills matter, and no one is training them,” Diamond said. “I want other women and minorities to have what I have—a career of serious fun, travel, and a big income, in an industry that is the heart of the economy.”

Later on Friday, a panel featuring Cheryl Biswas, Tracy Z. Maleeff, Kat Sweet and Cherise Esparza Gutierrez will discuss how and why women’s differences make them stronger.

TiaraCon organizers will also release a spreadsheet listing people looking for work and companies looking to hire soon.

“It’s not some girly thing, but a serious game changing, hiring changing, corporate culture changing event,” Clarke said. “We would love for tech leaders to come. The more supportive as a culture we can be of women, transgendered people and non-gender binary folks, the better off we’re going to be.”

The community has responded enthusiastically, and is funding most of the event. TiaraCon is sponsored by #brainbabe, CyberSN, InGuardians, and ZZ Servers.


Encouraging young women in tech

Women earned 57% of all bachelor’s degrees granted in 2014, but only 17% of those in computer and information sciences.

Part of the problem in cybersecurity is that it is a relatively new field compared to other computer sciences, and women are less aware of it, said Lauren Heyndrickx, security director for JCPenney and a member of Women in Technology’s Cybersecurity Special Interest Group. Many more colleges and universities offer courses in cybersecurity today than a decade ago, so the numbers will likely pick up eventually, she added.

“People need to understand that it’s more than just patching hackers or running into obscure dark nets,” Heyndrickx said. Successful security teams include aspects of business, law, compliance, and other areas.

Heyndrickx recommends women interested in the field connect with community groups such as Women in Technology. Many online trainings and certifications are available for low or no cost, “which allows people to dig in without having to break the bank,” she added. “Don’t be scared away by security geeks that talk a language you don’t understand—just go for it.”

The 3 big takeaways for TechRepublic readers

  1. TiaraCon, a 2-day mini-conference at DEF CON 24, was created to advance the careers of women in the cybersecurity profession. It will take place August 4-5 at Bally’s in Las Vegas, and is free, with limited space.
  2. Women make up only 11% of the world’s information security workforce, according to the Women’s Society of Cyberjutsu, and just 1% of its leadership. Meanwhile, the field is experiencing a huge shortage, as 209,000 US cybersecurity jobs were left unfilled in 2015.
  3. Women interested in cybersecurity should connect with community groups that offer online trainings and certifications for low or no cost.


PUP Friday: Cleaning up with 5 star awards

Systweak’s RegClean Pro is quite a popular piece of software. Top Ten Reviews, a consumer review portal based in Utah, has ranked it number one in its “Registry Repair Software” category. It also boasts of having won more than a hundred 5-star awards. Yet in spite of all this, something is amiss. Along with the praise come criticisms, and we’ve seen a lot of them.

What is RegClean Pro?

It is a piece of software that markets itself as a registry cleaner and optimizer in order to improve the performance of the PC. It does this by removing redundant keys and/or entries from the Windows registry.

RegClean Pro arrives on user systems either as a downloaded file from www[DOT]systweak[DOT]com/registry-cleaner/, or as a program bundled with other free third-party software. The sample we’re using for this post has an MD5 hash value of 5b8e73834ad13039e7f9bc0338b4a946.

Although Systweak caters to various operating systems, RegClean Pro in particular can only be downloaded and used by Windows users.


What happens when you install RegClean Pro?

Upon execution, RegClean Pro attempts to fingerprint the machine it is being installed on by looking up the user’s Windows account name and the computer name. It does this behind the scenes while showing the usual software GUI that users expect to see. Below is a slideshow of these interfaces in succession:

[Slideshow: the installer’s interfaces, shown in succession]

It then opens the default browser to display the following “Thank you” message:

[Screenshot: RegClean Pro “Thank you” page]

It finally creates the following scheduled tasks, which enable it to run again at certain times of the day:

[Screenshot: scheduled tasks created by RegClean Pro]

Below is RegClean Pro’s shortcut after it finished installing:

[Screenshot: RegClean Pro shortcut]

Below is a slideshow (also in succession) of how this software behaves after it has launched itself while opening the “Thank you” page above:

[Slideshow: RegClean Pro scan in progress]

As it runs, RegClean Pro falsely shows users that it has found multiple errors in the registry—in this case, 127 errors. Then, it offers to fix these provided that users purchase and download the software’s full version.

Notable files and/or folders added:

  • C:\Program Files (x86)\RegClean Pro\Cloud_Backup_Setup.exe
    • detected as PUP.Optional.MyPCBackup
  • C:\Program Files (x86)\RegClean Pro\Cloud_Backup_Setup_Intl.exe
    • detected as PUP.Optional.MyPCBackup
  • C:\Program Files (x86)\RegClean Pro\unins000.exe
    • detected as PUP.Optional.SysTweak
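A host triage check for the artifacts described above, added here as an example (it is not Malwarebytes’ code). The three file paths and the installer MD5 are the ones this post lists; matching scheduled tasks on an action path containing “RegClean Pro”, and looking for the installer under the user’s Downloads folder by name, are assumptions, since the post names neither the tasks nor the downloaded file.

```powershell
# Added example: triage a Windows host for the RegClean Pro artifacts described in this post.
# Indicators taken from the post: the sample's MD5 and the three files flagged as PUPs.
$KnownInstallerMd5 = '5b8e73834ad13039e7f9bc0338b4a946'
$FlaggedFiles = @(
    'C:\Program Files (x86)\RegClean Pro\Cloud_Backup_Setup.exe',
    'C:\Program Files (x86)\RegClean Pro\Cloud_Backup_Setup_Intl.exe',
    'C:\Program Files (x86)\RegClean Pro\unins000.exe'
)
$findings = @()

# 1. Files the post identifies as PUP components.
foreach ($path in $FlaggedFiles) {
    if (Test-Path -LiteralPath $path) {
        $findings += [pscustomobject]@{ Type = 'File'; Detail = $path }
    }
}

# 2. Scheduled tasks whose action launches anything from the RegClean Pro folder.
#    Assumption: the post does not name the tasks, so match on the action's executable path.
foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
    foreach ($action in $task.Actions) {
        if ($action.Execute -like '*RegClean Pro*') {
            $findings += [pscustomobject]@{
                Type   = 'ScheduledTask'
                Detail = "$($task.TaskPath)$($task.TaskName) -> $($action.Execute)"
            }
        }
    }
}

# 3. Any downloaded installer, hashed against the sample analysed in the post.
#    Assumption: file-name pattern and location; the post only gives the download site and the MD5.
$downloads = Join-Path $env:USERPROFILE 'Downloads'
foreach ($file in (Get-ChildItem -Path $downloads -Filter '*regclean*' -File -ErrorAction SilentlyContinue)) {
    $md5 = (Get-FileHash -LiteralPath $file.FullName -Algorithm MD5).Hash.ToLower()
    $note = if ($md5 -eq $KnownInstallerMd5) { 'matches the sample MD5' } else { "MD5 $md5 (differs from the sample)" }
    $findings += [pscustomobject]@{ Type = 'Installer'; Detail = "$($file.FullName): $note" }
}

if ($findings.Count -eq 0) {
    Write-Output 'No RegClean Pro artifacts found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it in an elevated PowerShell session so that Get-ScheduledTask can enumerate every task, not just the current user’s.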

Anything off with RegClean Pro’s End-User License Agreement?

For software that claims to clean the registry in order to improve PC performance, we find it quite odd to see the following passage in its EULA (emphasis ours):

NO PERFORMANCE WARRANTY. SYSTWEAK specifically disclaims any warranty for the amount of performance increase or utility provided by the SOFTWARE PRODUCT. By purchasing this software and accepting this EULA you specifically agree that you understand that no representation or warranty is made by SYSTWEAK that the SOFTWARE PRODUCT will necessarily increase performance or provide a utility benefit on your computer, and that no claim of specific deficiency, defect, or underperformance has been made with respect to your computer. Any claims of performance increases or utility made for the software are those of possible or potential improvement or utility, and no warranty is offered that a specific utility or amount of performance increase, if any, will be realized on any particular computer. Each computer is different and the scenarios under which they are used are different, and no claim is made that any one computer or usage scenario shall see a performance increase or utility benefit from the SOFTWARE PRODUCT. Your sole remedy for any dissatisfaction with the presence of or the degree or amount of performance improvement or utility shall be limited to the customer remedies described above.

Here’s another bit that we want to highlight in case you have used RegClean Pro and wish to hold Systweak responsible for the uncorrectable changes the software made to your system (emphasis ours):

BACKUP RESPONSIBILITY. The SOFTWARE PRODUCT is a system utility, and as such can make irreversible changes to the state of computer on which it is run and that SYSTWEAK cannot accurately predict or ensure the outcome in all possible scenarios, and therefore purchaser agrees to make and test a complete system backup and backup of all personal information before operating the SOFTWARE PRODUCT. You agree that you accept all responsibility for reversing or correcting any changes made by the SOFTWARE PRODUCT.

Does Malwarebytes Anti-Malware (MBAM) detect RegClean Pro?

We detect the RegClean Pro installer as PUP.Optional.RegCleanerPro. Its other component files we detect as PUP.Optional.RegCleanPro. You may refer to our forum page if you’re interested in knowing what these component files are, along with other technical details.

Conclusion

Systweak, the India-based developer of RegClean Pro, boasts of being a Microsoft Gold Partner. Some dodgy companies claim this too, but in Systweak’s case, they indeed are an MS Gold Partner. For some users, a partnership with a tech giant is enough to convince them to try out third-party software, and they expect quality products and services because of it. In the end, however, many are let down, realizing that what they got is a PUP.

We have reported this company to Microsoft so they can open an investigation and hopefully consider revoking Systweak’s Gold partnership status.

As for registry cleaners in general, we consider them digital snake oil, so I wouldn’t touch them with a barge pole if I were you.


Jovi Umawing (Thanks to Pieter for the assist)

Kevin Mitnick: User training could have prevented DNC email hacks

Image: iStock

Better computer training for members of the Democratic National Committee (DNC) could have prevented the phishing attacks that led to stolen emails, famed hacker turned security consultant Kevin Mitnick said.

Image: Kevin Mitnick (Jari Tomminen)

Phishing attacks, in which users are baited into clicking on malicious links or providing personal data to fake websites, are a common method used by black-hat hackers to infiltrate a network or commit financial crimes. White-hat researchers, working everywhere from companies like Mitnick’s firm to major corporations, are emphasizing user training methods to prevent such incidents.

“It sounds like people at the DNC would be easy to phish and very easy to exploit,” Mitnick speculated in an interview with TechRepublic. “There’s no such thing as 100 percent security. Even people that take training can be exploited,” he said. (Almost anyone, but what about the man himself? “Me? No,” he joked.) “You could have had training, and you’re stressed for the day… you’re thinking about your kids or your school. You could still fall for stuff.”


Phishing stories

Macros hidden inside seemingly legitimate messages are an old-school yet still very popular way of committing a phishing attack, Mitnick explained. In one scenario, a user might receive an email that appears to be from a trusted peer at another company. The peer asks for the user’s signature on an attached non-disclosure agreement. Upon clicking the link or attachment, the user is brought to a page explaining that a username and password need to be configured in order to decrypt the document. Thus the user is trapped.

“That works really well because it’s actually so legitimate. Even in my business, I get clients all the time asking for NDAs,” Mitnick explained. Fake versions of enterprise-focused social media such as HipChat and Slack also work very well, as do attacks on unsanctioned home computers innocently connected to company networks, he said.


A possible solution

Mitnick started working with KnowBe4, in Tampa Bay, Florida, a year ago to offer user training to corporations. Customers use the software to send customizable fake phishing attacks to their own users and then analyze the results for who clicked on the links and in what contexts they did so.


KnowBe4’s Vice President Greg Kras said recently added user tests include Java applets that pretend to install software, tracking of USB drives that IT staff can leave around an office, “vishing,” which is phishing applied to voicemail, and analysis of vulnerable plug-ins such as obsolete versions of Flash, Java, and Shockwave. Also recently added is a mark-as-phishing button for Microsoft Outlook, which works similarly to spam buttons—a user can click it when a message seems suspicious. A congratulatory message is displayed if they’re correct.

Kras said more features will be added throughout 2016, such as Gmail and Lotus versions of the mark-as-phishing button, versions of the software in many languages, Microsoft Active Directory integration, and the ability for managed service providers to customize the program.

“We actually demo the kinds of exploits being used. It becomes a very teachable moment,” Mitnick added. “The same type of attack—the type of phish—is likely not going to work on that person in the future.”


KnowBe4 isn’t the only organization working on training products for end users. SANS Institute’s Securing the Human group this month updated their five-stage training roadmap. Updates include new definitions of impacts to organizational culture and new ways to measure compliance, program director Lance Spitzner said. The update coincides with the SANS Security Awareness Summit, held Aug. 3-4, 2016 in San Francisco, he said. Elsewhere, the IEEE Computer Society is planning a user-focused training initiative later this year, spokeswoman Katherine Mansfield stated.


I wouldn’t do that, Dave…

Jane Wright, analyst with Technology Business Research, said user training along with security applications that perform automated response are known collectively as user behavior analytics (UBA). IBM, Hewlett-Packard Enterprise, Splunk, LogRhythm, and EMC’s RSA division are among the leaders in that field, she said.

IBM’s recent QRadar update stands out for having better communication links to other enterprise systems, she added. (IBM is already using the product internally, although details aren’t being disclosed, officials said.) Within a year the industry will see more combinations of UBA software with artificial intelligence and machine learning, Wright said.


Second Democratic Party Website Hacked

In a DNC-like attack, pro-Russian hackers broke into a website belonging to the Democratic Congressional Campaign Committee, FireEye says.

First the Democratic National Committee (DNC), and now this: A cyber espionage group apparently affiliated with pro-Russian causes earlier this year hacked into a donor website of the Democratic Congressional Campaign Committee (DCCC), the campaign arm of House Democrats.

The website was altered so visitors attempting to donate at the site were redirected instead to another domain controlled by the attackers, security vendor FireEye said in a report released yesterday. By the time FireEye discovered the intrusion earlier this week, the link to the malicious website had been disabled.

It’s unclear whether those who were redirected to the attacker-controlled site had their personal and financial data stolen or had malware dropped on their systems. It is also unclear how long visitors to the site were redirected, but the period included June 19 through June 27. “The site may have also been compromised for periods before and after those dates,” FireEye said.

News of the DCCC website intrusions follows the recent disclosure of an intrusion into a Democratic National Committee (DNC) system that resulted in thousands of internal emails being leaked and published on WikiLeaks. Controversial content in some of the purloined emails later forced the chairman of the DNC Debbie Wasserman Schultz to resign from her post and fueled angry accusations from the Democratic party about Russian interference in the US election process.

In comments to various media outlets, a spokesman for the Russian embassy in Washington denied any involvement in the DNC intrusion. But speculation about the source and motive for the attack continues to rage, especially after the FBI said this week that its analysis shows a potential Russian connection.

John Hultquist, manager of cyber espionage intelligence at FireEye, says his firm discovered the intrusion at the DCCC website through its tracking of a cyber espionage group called Tsar Team, aka APT28. The group has been actively involved for the past three or four years in a wide range of spying activities directed largely against Chechen rebels, Russian dissidents, and individuals with ties to the defense industry in multiple countries.


“There is all kinds of evidence that indicate they have a strong interest in Russian geopolitical and Russian security issues,” Hultquist says. “That is why we have been so focused on them.”

Interestingly, the Tsar Team’s activities have not been restricted solely to espionage. The group has also engaged in quite a bit of hacktivism, and recently it has resorted to fabricating personas with interests in different causes. For instance, the hacking team created a group called the Cyber Caliphate and has been using it to post pro-ISIS propaganda in an apparent bid to gain access to ISIS sympathizers, Hultquist says.

It was while looking for activity and traces of the unique malware associated with APT28 on the Web that FireEye discovered the intrusion at the DCCC website, he says. The company informed the DCCC about its discovery on Thursday.

In comments to Bloomberg, Meredith Kelly, press secretary for the DCCC, confirmed that the organization had been the victim of a cyber intrusion and was currently cooperating with law enforcement to investigate the issue. Kelly did not offer any other details of the breach.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …
