Network Security

FEATURES

…compromise. Jacob Gajek of eSentire takes a close look at a real example of a malicious Word document and exposes its inner workings in a sandbox environment.

It’s common for attackers to use social engineering techniques to get victims to run scripts embedded in the documents, either by directly carrying out malicious actions or by downloading malware. Jacob Gajek of eSentire takes a close look at a real example of a malicious Word document and exposes its inner workings in a sandbox environment, as well as offering some advice on how to avoid the problem. Full story on page 8…

Threat hunting: assuming the worst to strengthen resilience 13

Threat hunting: assuming the worst to strengthen resilience
There’s a popular truism in the information security world – that it’s not a matter of if your organisation will be breached but when. As Peter Cohen, strategic director for Countercept at MWR InfoSecurity, explains in this interview, there are good reasons for…

…none other than Google and Facebook.
It’s alleged that Evaldas Rimasauskas, …
…invoices and emails purporting to come
Continued on page 2…

Come and visit us at www.networksecuritynewsletter.com
ISSN 1353-4858/17 © 2017 Elsevier Ltd. All rights reserved
This journal and the individual contributions contained in it are protected under copyright by Elsevier Ltd, and the following terms and conditions apply to their use:
Photocopying
Single photocopies of single articles may be made for personal use as allowed by national copyright laws. Permission of the publisher and payment of a fee is required for all other photocopying, including multiple
or systematic copying, copying for advertising or promotional purposes, resale, and all forms of document delivery. Special rates are available for educational institutions that wish to make photocopies for non-profit
educational classroom use.
Editorial Office:
Elsevier Ltd
The Boulevard, Langford Lane, Kidlington, Oxford, OX5 1GB, United Kingdom
Fax: +44 (0)1865 843973
Tel: +44 (0)1865 843239
Web: www.networksecuritynewsletter.com

Publisher: Greg Valero
Publishing Director: Bethan Keall
E-mail: g.valero@elsevier.com
Editor: Steve Mansfield-Devine
E-mail: smd@contrarisk.com
Senior Editor: Sarah Gordon
Columnists: Tim Erridge, Karen Renaud, Colin Tankard

International Editorial Advisory Board: Dario Forte, Edward Amoroso, AT&T Bell Laboratories; Fred Cohen, Fred Cohen & Associates; Jon David, The Fortress; Bill Hancock, Exodus Communications; Ken Lindup, Consultant at Cylink; Dennis Longley, Queensland University of Technology; Tim Myers, Novell; Tom Mulhall; Padget Petterson, Martin Marietta; Eugene Schultz, Hightower; Eugene Spafford, Purdue University; Winn Schwartau, Inter.Pact

Production Support Manager: Lin Lucas
E-mail: l.lucas@elsevier.com

Subscription Information
An annual subscription to Network Security includes 12 issues and online access for up to 5 users.
Prices:
€1112 for all European countries & Iran
US$1244 for all countries except Europe and Japan
¥147 525 for Japan
(Prices valid until 31 May 2017)
More information: www.elsevier.com/journals/institutional/network-security/1353-4858
To subscribe send payment to the address above. Tel: +44 (0)1865 843687/Fax: +44 (0)1865 834971
Email: commsales@elsevier.com, or via www.networksecuritynewsletter.com
Subscriptions run for 12 months, from the date payment is received. Periodicals postage is paid at Rahway, NJ 07065, USA. Postmaster send all USA address corrections to: Network Security, 365 Blair Road, Avenel, NJ 07001, USA

Permissions may be sought directly from Elsevier Global Rights Department, PO Box 800, Oxford OX5 1DX, UK; phone: +44 1865 843830, fax: +44 1865 853333, email: permissions@elsevier.com. You may also contact Global Rights directly through Elsevier’s home page (www.elsevier.com), selecting first ‘Support & contact’, then ‘Copyright & permission’. In the USA, users may clear permissions and make payments through the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, USA; phone: +1 978 750 8400, fax: +1 978 750 4744, and in the UK through the Copyright Licensing Agency Rapid Clearance Service (CLARCS), 90 Tottenham Court Road, London W1P 0LP, UK; tel: +44 (0)20 7631 5555; fax: +44 (0)20 7631 5500. Other countries may have a local reprographic rights agency for payments.

Derivative Works
Subscribers may reproduce tables of contents or prepare lists of articles including abstracts for internal circulation within their institutions. Permission of the Publisher is required for resale or distribution outside the institution. Permission of the Publisher is required for all other derivative works, including compilations and translations.

Electronic Storage or Usage
Permission of the Publisher is required to store or use electronically any material contained in this journal, including any article or part of an article. Except as outlined above, no part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without prior written permission of the Publisher. Address permissions requests to: Elsevier Science Global Rights Department, at the mail, fax and email addresses noted above.

Notice
No responsibility is assumed by the Publisher for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions or ideas contained in the material herein. Because of rapid advances in the medical sciences, in particular, independent verification of diagnoses and drug dosages should be made. Although all advertising material is expected to conform to ethical (medical) standards, inclusion in this publication does not constitute a guarantee or endorsement of the quality or value of such product or of the claims made of it by its manufacturer.

Pre-press/Printed by Mayfield Press (Oxford) Limited

NEWS

…Continued from front page

from Quanta, a leading supplier of parts to US tech firms. The money from the scams, which took place over the course of two years, was deposited in a number of banks spread across Eastern Europe. Rimasauskas denies the allegations. Both Facebook and Google have issued statements claiming to have recovered most of the money.

Google has also been involved in a very different form of social engineering attack and one that has security specialists divided on its purpose and significance.

The attack targeted Google Docs users. Emails were sent out that purported to be a notification alerting users that someone had shared a new document with them. The email included a legitimate-looking ‘Open in Docs’ button. However, on clicking the button, victims would be faced with a screen asking them to give permission for Google Docs to manage their contacts and read, send, delete and manage emails.

The problem was, the ‘Google Docs’ in question was not the real thing – it was an app created on Google’s platform that used that name. It’s not clear why Google would allow someone to create an app with that name when it would so obviously lead to confusion.

At one point, someone calling himself Eugene Pupov claimed on Twitter that the whole thing was just an academic exercise, carried out as a degree project for his studies at Coventry University. However, the university itself later claimed that no-one of that name has ever studied there.

The exploit was effective because the app was running on Google servers and therefore had a legitimate URL and used Google’s name. As the attack was able to gain access to users’ address books, it could then send out further messages which, as far as the recipients were concerned, would be coming from people they knew. The attack therefore combined phishing with the mechanisms of an Internet worm.

This is a technique suggested five years ago by developer André DeMarre who suggested how it could be done on the IETF mailing list. The following year he reported it to Google and received a bug bounty. At the time, Google responded: “We’re deploying some abuse detection and reactive measures to deal with impostors that might try to abuse this sort of attack. Given this, we do not intend to perform validation that the URL matches the branding information.”

It seems the firm did not implement the defences, although it seems to have done so now. Google says it has deactivated all accounts associated with the attack. What’s not clear is the purpose of the attack.

Firms struggle to manage networks

The complexity of today’s networks and the security solutions needed to keep them safe is causing problems for organisations, according to new research by Firemon.

The firm’s ‘3rd Annual State of the Firewall’ report includes a look at the impact of emerging technologies such as software defined networking (SDN), cloud, microsegmentation and the Internet of Things (IoT).

Complexity is a top concern when it comes to firewalls, with rule optimisation; management for multiple types of firewalls; and compliance and audit readiness as the next biggest concerns. Some 70% of organisations reported they have 10 or more firewalls and two-thirds have multiple firewall vendors.

While 90% have adopted cloud solutions, for more than a third of organisations the responsibility for cloud security falls outside of security operations, which adds an extra layer of complexity to security management. Around two-thirds have adopted or plan to adopt some kind of SDN solution.

“Corporate network infrastructures not only consist of multiple vendor firewalls, they’re also leveraging cloud, SDN, microsegmentation and IoT to keep up with an increasingly on-demand world,” said Jody Brazil, co-founder and chief product strategist at FireMon. “This compounds the complexity that organisations already face. If the way we’re looking at networking is changing, the way we look at managing security must change as well. Otherwise, security is at risk of being left behind.”

The report is available here: http://bit.ly/2prnAXn.
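The ‘Google Docs’ item above turns on two things a defender can check at consent time: a third-party app borrowing the provider’s own product name while redirecting to a non-provider URL (the URL-versus-branding validation Google said it would not perform), and an app asking for the contact-list plus mail-sending scopes that let one victim’s grant seed the next wave of messages. The Python below is an added example, not code from the newsletter or from Google; the consent-event fields, the reserved-name list and the first-party domain list are assumptions, and the events are constructed.

```python
from urllib.parse import urlsplit

# Domains a first-party Google app would redirect back to (assumption for this example).
FIRST_PARTY_DOMAINS = ("google.com", "googleusercontent.com")
# Product names a provider should reserve for its own apps (assumption).
RESERVED_NAMES = frozenset({"google docs", "google drive", "gmail"})
# Real Google OAuth scopes; an app granted both can read the address book and send as the user.
CONTACTS_SCOPE = "https://www.googleapis.com/auth/contacts.readonly"
MAIL_SCOPES = ("https://www.googleapis.com/auth/gmail.send", "https://mail.google.com/")


def _under_domain(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def assess_consent(app_name, redirect_uri, scopes):
    """Risk findings for one third-party consent request (empty list = nothing flagged)."""
    findings = []
    host = (urlsplit(redirect_uri).hostname or "").lower()
    name = " ".join(app_name.split()).lower()  # collapse padding such as "Google  Docs"
    if name in RESERVED_NAMES and not _under_domain(host, FIRST_PARTY_DOMAINS):
        findings.append("brand-impersonation")  # provider name, non-provider callback URL
    if CONTACTS_SCOPE in scopes and any(s in scopes for s in MAIL_SCOPES):
        findings.append("worm-capable-scopes")  # harvest contacts + send mail as the victim
    return findings


def triage(events):
    """Map each event id to its findings, keeping only events that were flagged."""
    return {e["id"]: f for e in events
            if (f := assess_consent(e["app_name"], e["redirect_uri"], e["scopes"]))}


# Constructed sample consent events (not real logs).
SAMPLE_EVENTS = [
    {"id": "ev-1", "app_name": "Google Docs",
     "redirect_uri": "https://docs.example-host.net/oauth/callback",
     "scopes": [CONTACTS_SCOPE, "https://www.googleapis.com/auth/gmail.send"]},
    {"id": "ev-2", "app_name": "Acme Notes",
     "redirect_uri": "https://notes.acme.example/cb",
     "scopes": ["https://www.googleapis.com/auth/drive.file"]},
    {"id": "ev-3", "app_name": "Google Drive",
     "redirect_uri": "https://docs.google.com/oauth2callback",
     "scopes": [CONTACTS_SCOPE]},
]

if __name__ == "__main__":
    for event_id, findings in triage(SAMPLE_EVENTS).items():
        print(event_id, ", ".join(findings))
```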
2
Network Security May 2017