PwC Weekly Security Report

This is a weekly digest of security news and events from around the world. News items are summarised and web links are provided for further information.

Cyber-execs: Expect a cataclysmic cyber-terror event within 2 years

When it comes to the growing threats of global cyber-terrorism, the current state of security within the US and the ability of organizations to prevent such attacks, information security executives feel deeply at risk. In fact, many expect a catastrophic incident to occur within the next 24 months.

A survey from Thycotic, a provider of privileged account management (PAM) solutions, found that 63% of respondents feel that terrorists are capable of launching a catastrophic cyber-attack on the US, and could do so within the upcoming year.

“Over two-thirds of respondents stated they did feel that terrorists were this close, and over 80 percent agreed they could strike within two years,” said Nathan Wenzler, executive director of security at Thycotic. “A consensus like this is not unusual these days, as more and more terrorist organizations have demonstrated increasing sophistication in their use of technology to communicate, social media to recruit new members, and of course, technical exploits and direct attacks against websites, corporate networks and government entities.”

Even so, 92% of respondents believe that a majority of US companies either need more security or are way behind the security curve to defend against cyber-terrorism attacks.

“Most companies and government organizations aren’t moving fast enough to protect themselves from what seems to be an inevitable terrorist cyberattack,” Wenzler said. “And nearly 90% of our respondents agree, stating that they believe the military and private sectors absolutely must focus more on developing and implementing defense strategies against this sort of terrorist-backed cyber-attack.”

The findings accordingly show that 72% actually feel that the topic isn’t hyped enough, and that education and awareness are critical to foment a re-examination of the type of security technology used to protect both the US government and private sectors. The majority of those surveyed (89%) believe that both military and businesses need to focus more on developing capabilities to defend against terrorist-inspired cyber-attacks.

Source: http://www.infosecurity-magazine.com/news/cyberexecs-expect-a-cataclysmic/

BadLock opens door for Samba-based MiTM, DDoS attacks

Details of a new, high-impact vulnerability known as BadLock have been revealed, affecting Samba, the standard Windows interoperability suite of programs for Linux and Unix. As the researchers who discovered it noted, “we are pretty sure that there will be exploits soon after we publish all relevant information.”

Fortunately, patches have been released today, and it would behoove admins to update their systems immediately.

The vulnerability was discovered by Stefan Metzmacher, a member of the international Samba Core Team, working at SerNet on Samba. He reported the bug to Microsoft and has been working closely with the computing giant to fix the problem.

The research team said that the security vulnerabilities can be mostly categorized as man-in-the-middle or denial of service attacks. The several MITM attacks that the flaw enables would permit execution of arbitrary Samba network calls using the context of the intercepted user. So, for instance, by intercepting administrator network traffic for the Samba AD server, attackers could view or modify secrets within an AD database, including user password hashes, or shut down critical services. On a standard Samba server, attackers could modify user permissions on files or directories. As for DDoS, Samba services are vulnerable to a denial of service from an attacker with remote network connectivity to the Samba service.

While there are several proof-of-concept (PoC) exploits that researchers have developed, they’re not releasing them to the public, nor are they going into detail on what the vulnerability entails or arises from. Red Hat researchers offered a bit more on the flaw:

It is “a protocol flaw in the DCE/RPC-based SAMR and LSA protocols used in the Microsoft Windows Active Directory infrastructure. DCE/RPC is the specification for a remote-procedure call mechanism that defines both APIs and an over-the-network protocol. The Security Account Manager (SAM) Remote Protocol (Client-to-Server) provides management functionality for an account store or directory containing users and groups. The protocol exposes the "account database" for both local and remote Microsoft Active Directory domains. The Local Security Authority (Domain Policy) Remote Protocol is used to manage various machine and domain security policies. This protocol, with minor exceptions, enables remote policy-management scenarios. Both SAMR and LSA protocols are based on the DCE 1.1 RPC protocol.”

Source: http://www.infosecurity-magazine.com/news/badlock-opens-door-for-sambabased/

Decryption tool stifles Jigsaw ransomware

Menacing ransomware called Jigsaw threatened to delete thousands of files an hour if victims didn’t pay 0.4 Bitcoins or $150. Worse, restarting your PC, according to the attackers, would also cost victims 1,000 deleted files. The icing on the cake was a menacing image of “Billy the Puppet” from the horror movie franchise Saw and an ominous warning message.

“I want to play a game with you. Let me explain the rules: All your files are being deleted,” the ransomware note begins.

But the Jigsaw horror show appears to be coming to an end—for now.

Researchers analyzing the ransomware, who include security researchers at MalwareHunterTeam and individual computer forensics experts Michael Gillespie and Lawrence Abrams, have been able to develop a decryption tool that allows victims to recover their files for free. The trio posted instructions for anyone hit with the Jigsaw ransomware on Abrams’ BleepingComputer.com security blog that include the tool needed to decrypt files. According to Abrams, Jigsaw ransomware used AES encryption, which supports a block length of 128 bits and key lengths of 128, 192 and 256 bits.

“The criminals behind this ransomware are taking just as much pleasure in toying with victims as they are taking their money,” Abrams told Threatpost in an interview. But, he said, attackers are living up to their promise and are actually destroying the files if people don’t pay up. According to researchers, Jigsaw targets 240 different file extensions on infected systems and locks up documents with the .FUN, .KKK, .GWS or .BTC extensions. Once encrypted, criminals start a countdown clock at 60 minutes. Fail to cough up payment in an hour and Jigsaw deletes one file. Wait another hour and two files get zapped. With each hour that passes, the number of files deleted grows exponentially.

But just because researchers have figured out a way to outsmart the ransomware authors doesn’t mean that Jigsaw has lost its bite. “Your average Jigsaw victim is not going to know where to buy a Bitcoin. The process is cumbersome and could take someone days to figure out. And by that time tens of thousands of files are going to be deleted,” Abrams said.

Jigsaw victims can stop any files from being deleted by going into their Windows Task Manager and terminating the firefox.exe process along with the drpbx.exe processes.

According to researchers, it’s unknown how many systems have been impacted by this ransomware or the means of infection. One clue, according to Abrams, is the fact that some people have been lured into downloading Jigsaw via a fake Firefox browser installation file.

Source: https://threatpost.com/decryption-tool-stifles-jigsaw-ransomware/117387/

Millions of people are still running Windows XP

It’s been two years since Microsoft ended support for Windows XP, the popular operating system that’s been around since 2001 and which many people just don’t seem willing to let go.

Microsoft did about all it could to drag XP-ers into the present with pop-up warnings urging them to upgrade, and a free migration tool to help people transfer their files and settings to Windows 7 or Windows 8.

It’s not merely that Microsoft wants to get everybody onto the latest version of Windows, although it has certainly gone to great lengths recently to get people to upgrade to Windows 10, whether they want to or not.

But as we at Naked Security repeatedly warned XP users, the end of support means “zero-days forever,” because those vulnerabilities will never be patched – and XP computers are sitting ducks for cybercriminals to attack.

And yet there are still millions of XP computers connecting to the internet, where all manner of malware is waiting to pounce.

Windows XP was still running on 10.9% of all desktops as of March 2016, according to stats compiled by Net Applications. To put that in perspective, according to Net Applications’ figures, Windows XP is still the third-most popular desktop OS, trailing only Windows 7 (51.9%) and Windows 10 (14.2%). And there are more PCs running XP than Windows 8.1 (9.6%), and all versions of Mac OS X combined (7.8%).

Desktop OS market share, March 2016 (source: Netmarketshare.com).

By the way, there are some Mac OS X users who are using out-of-support versions, too, meaning they are also vulnerable to never-going-to-be-fixed security holes. Net Applications’ stats show that just under 1% of all desktops are running OS X 10.6 (Snow Leopard), 10.7 (Lion) or 10.8 (Mountain Lion), which are no longer receiving security updates from Apple.

Source: https://nakedsecurity.sophos.com/2016/04/11/millions-of-people-are-still-running-windows-xp/

HTTPS for everyone: WordPress adds encryption for all customer sites

WordPress is, by many accounts, by far the most widely used content management system (CMS) on the internet, with a market share, free and paid, of 60% or more.

A CMS, as the name suggests, is more than just a web hosting platform that lets other people access what you publish.

It organises what you publish, so you can not only add, edit and delete material, but also keep track of who changed what and when, as well as roll back changes that you don’t like.

The security of your CMS therefore affects both you and your readers, so HTTPS (secure HTTP – the padlock in the browser’s address bar) is more than just a nice to have.

Ideally, you’d set things up so that your blog, and the interface through which you edit it, used HTTPS and only HTTPS, so encrypted connections were always used.

After all, encrypting everything, as we’ve argued before, is the easiest way to ensure that there’s nothing important you forgot to encrypt.

In fact, the most valuable part of HTTPS often isn’t the encryption, it’s the authentication: making sure not only that you are communicating privately, but also that you are talking to the right website.

That, in turn, relies on a chain of HTTPS certificates, verified by cryptographic digital signatures provided by one or more CAs, or certificate authorities.

And even though negotiating the “digital paperwork” of acquiring a web site certificate is straightforward once you know how, doing it the first time is a bit like taking the bus in a city you’ve never visited before.

You can easily end up in the wrong place, with no clear idea of what to do next.

WordPress brings HTTPS for free.

Source: https://nakedsecurity.sophos.com/2016/04/12/https-for-everyone-wordpress-adds-encryption-for-all-customer-sites/

Understanding HTTPS and the “chain of trust”

About PwC

At PwC, our purpose is to build trust in society and solve important problems. We’re a network of firms in 157 countries with more than 2,08,000 people who are committed to delivering quality in assurance, advisory and tax services. Find out more and tell us what matters to you by visiting us at www.pwc.com

In India, PwC has offices in these cities: Ahmedabad, Bengaluru, Chennai, Delhi NCR, Hyderabad, Kolkata, Mumbai and Pune. For more information about PwC India's service offerings, visit www.pwc.com/in

PwC refers to the PwC International network and/or one or more of its member firms, each of which is a separate, independent and distinct legal entity in separate lines of service. Please see www.pwc.com/structure for further details.

©2016 PwC. All rights reserved

For any queries, please contact:

Sivarama Krishnan [email protected]

Amol Bhat [email protected]

pwc.in

Data Classification: DC0

This document does not constitute professional advice. The information in this document has been obtained or derived from sources believed by PricewaterhouseCoopers Private Limited (PwCPL) to be reliable but PwCPL does not represent that this information is accurate or complete. Any opinions or estimates contained in this document represent the judgment of PwCPL at this time and are subject to change without notice. Readers of this publication are advised to seek their own professional advice before taking any course of action or decision, for which they are entirely responsible, based on the contents of this publication. PwCPL neither accepts nor assumes any responsibility or liability to any reader of this publication in respect of the information contained within it or for any decisions readers may take or decide not to or fail to take.

© 2016 PricewaterhouseCoopers Private Limited. All rights reserved. In this document, “PwC” refers to PricewaterhouseCoopers Private Limited (a limited liability company in India having Corporate Identity Number or CIN : U74140WB1983PTC036093), which is a member firm of PricewaterhouseCoopers International Limited (PwCIL), each member firm of which is a separate legal entity.

April 2016 PwC Weekly Security Report edition