Shadow IT Feeds ‘Man in the Cloud’ Attacks

Shadow IT — the use of unauthorized online services by company employees — is a concern of cyberwarriors charged with defending business systems against network attacks. There’s new evidence that those concerns are justified.

A new attack vector on business systems leverages the synchronization features of services like Dropbox and Google Drive to perform malicious mischief, according to a report Imperva released earlier this month at the Black Hat Conference in Las Vegas.

The “Man in the Cloud” attack, as it’s called, involves making a simple change in configuration settings to turn services into a devastating criminal tool not detected easily using common security measures, the report explains.

The key to the attack is in the way the services synchronize files among devices linked to an account. Each device has software provided by the service to ensure all the information on the devices and in the cloud is the same.

When a change is made in a local Dropbox folder, for example, the software ensures that the change is made in the cloud and to all other devices linked to that Dropbox account.

Blind Defenders

When those changes are made, all the devices must be authenticated. Since it would be very inconvenient to authenticate all the devices by requiring the use of a user name and password every time a change is made to a file, the services use an alternative authentication method that involves the use of tokens.

However, it’s possible to steal a token for an account and use it to add a device to it without the account owner’s knowledge, Imperva discovered. Then, every time the owner would change the information in the account, those changes would appear on the unauthorized device, too.

The user does not know what’s going on, and it’s also hard for network defenders to detect.
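Because the sync client authenticates with a long-lived token rather than a password, a stolen token shows up on the account as an extra linked device, not as a suspicious login. That is the detail a defender can work with. The following is an added example, not Imperva's tooling or any vendor's real API: it reconciles device-link events from a cloud-storage service's audit export against an IT-maintained device inventory, flags links from outside corporate address ranges, and counts how many files each unenrolled device has since received. The log format, field names, sample records, inventory and network ranges are all constructed for the example.

```python
"""
Defender-side check for the Man-in-the-Cloud pattern: an attacker who
holds a sync token appears to the service as a newly linked device, so
the audit trail of device-link events is the place to look.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SyncEvent:
    ts: str          # ISO-8601 timestamp
    account: str     # account the device is linked to
    action: str      # "device_linked" or "file_synced" (constructed vocabulary)
    device_id: str   # identifier the service assigns the client install
    src_ip: str      # address the client connected from


# Constructed sample audit export (CSV: ts,account,action,device_id,src_ip).
# The third line is the kind of record a token-theft linkage would leave.
SAMPLE_LOG = """\
2015-08-17T09:01:12Z,alice@example.com,device_linked,dev-laptop-01,10.1.4.22
2015-08-17T09:05:40Z,alice@example.com,file_synced,dev-laptop-01,10.1.4.22
2015-08-17T13:22:05Z,alice@example.com,device_linked,dev-unknown-9f3,203.0.113.77
2015-08-17T13:22:09Z,alice@example.com,file_synced,dev-unknown-9f3,203.0.113.77
2015-08-17T13:22:11Z,alice@example.com,file_synced,dev-unknown-9f3,203.0.113.77
2015-08-17T14:00:00Z,bob@example.com,file_synced,dev-laptop-02,198.51.100.9
"""

# Constructed inventory: devices IT actually enrolled, per account.
APPROVED_DEVICES = {
    "alice@example.com": {"dev-laptop-01"},
    "bob@example.com": {"dev-laptop-02"},
}

# Constructed corporate address ranges (RFC 1918 space used as a stand-in).
CORP_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def parse_log(text: str) -> list[SyncEvent]:
    """Parse the CSV export, skipping blank, commented or malformed lines."""
    events: list[SyncEvent] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(",")
        if len(fields) != 5:
            continue  # a malformed record should not abort the whole job
        events.append(SyncEvent(*fields))
    return events


def is_corporate(ip: str) -> bool:
    """True when the address falls inside a known corporate range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORP_NETWORKS)


def find_unapproved_links(events: list[SyncEvent], approved) -> list[SyncEvent]:
    """Device-link events whose device id the inventory never enrolled."""
    return [
        e for e in events
        if e.action == "device_linked"
        and e.device_id not in approved.get(e.account, set())
    ]


def analyse(text: str, approved) -> dict:
    """Return the three indicators an analyst would triage first."""
    events = parse_log(text)
    unapproved = find_unapproved_links(events, approved)
    suspect_ids = {e.device_id for e in unapproved}

    # Impact estimate: how much content already reached each suspect device.
    files_synced: dict[str, int] = {}
    for e in events:
        if e.action == "file_synced" and e.device_id in suspect_ids:
            files_synced[e.device_id] = files_synced.get(e.device_id, 0) + 1

    offsite_links = [
        e for e in events
        if e.action == "device_linked" and not is_corporate(e.src_ip)
    ]
    return {
        "unapproved_links": unapproved,
        "offsite_links": offsite_links,
        "files_synced_to_suspect": files_synced,
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG, APPROVED_DEVICES)
    for e in report["unapproved_links"]:
        print(f"UNENROLLED DEVICE {e.device_id} linked to {e.account} "
              f"from {e.src_ip} at {e.ts}; files since synced: "
              f"{report['files_synced_to_suspect'].get(e.device_id, 0)}")
```

The inventory comparison is the strong signal here: a device-link event the help desk cannot account for is exactly what token misuse looks like from the service's side, and it is visible without any out-of-band traffic for a firewall or IDS to catch. The off-network check is a weaker corroborating indicator, since legitimate BYOD enrolment also happens away from the office; the point of the example is that the evidence lives in the cloud service's own audit trail, so that export has to be collected and reviewed.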

“Communication using the cloud server doesn’t raise any alarms,” explained Morgan Gerhart, VP of product marketing for Imperva.

“If a separate communication channel were set up from a user’s device to a command-and-control server somewhere, an out-of-band communication channel would be needed,” he told TechNewsWorld. “That could potentially be tracked by a firewall or [intrusion detection] system.”

As the number of devices connected to company networks increases, the ability of traditional security solutions to counter threats will decrease, he maintained.

“Consumerization of IT and BYOD are accelerating the rate at which traditional endpoint and network solutions are becoming blind to the kinds of threats that are out there,” Gerhart said. “Our Man-in-the-Cloud analysis is a perfect example of that.”

Bulletproof Servers

Bulletproof servers are an important part of how the online criminal underground does business, but their operations remain shadowy.

The servers provide many of the same functions as legitimate hosting services, such as being repositories for any kind of content or executable code, but they cater to malicious content — phishing sites, pornography, fake shopping and carding sites, and hacker command-and-control infrastructure.

In short, it’s the foundation major cybercriminal operations are built upon, according to a recent Trend Micro report.

“Bulletproof hosting services very consciously make a business out of providing services for illegal or unethical online behavior,” said Christopher Budd, threat communications manager at Trend Micro.

Rules of the Game

Why are the servers called “bulletproof”?

It’s all in their operator’s sales pitch, which goes something like this: “If you do business with us and follow our rules, we will guarantee that we will keep your online activity up despite attempts by organizations or law enforcement to take them down,” Budd told TechNewsWorld.

“They can make that guarantee by being located in countries that are unresponsive or are otherwise uninterested in enforcing takedown requests,” he said.

What about those rules?

Usually they include leaving alone the citizens in the country where the bulletproof server is located. Pornography is OK, but child pornography is usually forbidden.

“That’s where following the rules is really important,” Budd noted, “because even though bulletproof hosters are providing the material and logistical support for illegal activities, it’s not anything goes.”

Supply Chain Vulnerabilities

Trading on press announcements before they’re released is a new twist on insider trading. Three of the biggest PR outlets on the Web earlier this month were sucked into just such a scheme involving overseas hackers and U.S. traders.

The caper may be a sign that companies are thinking too small when it comes to protecting their supply chains.

“The modern information supply chain goes far and beyond hardware, software and logistics of an organization,” said Tom Kellermann, chief cybersecurity officer at Trend Micro.

“It should include not only your outside general counsel, but your PR and market intelligence firms with whom you decide to relay embargoed information,” he told TechNewsWorld.

Of course, organizations need to do more than just create an extensive map of their supply chain if they want to reduce the risks connected to it.

“As the business environment becomes more and more interconnected,” BitSight VP of Business Development Jake Olcott told TechNewsWorld, “businesses will need visibility into their supply chains to make sure their vendors are doing well with cybersecurity.”

Breach Diary

  • Aug. 17. IRS announces it will be notifying an additional 390,000 taxpayers that their personal information was compromised in a data breach revealed in May. Total number of taxpayers affected by the breach now stands at 600,000.
  • Aug. 17. Colorado Office of Information Technology begins notifying some 3,000 people that some of their personal healthcare information was placed at risk when it was mailed to wrong addresses due to a technical error.
  • Aug. 17. Tripwire releases results of survey taken at Black Hat conference revealing 64 percent of respondents said targeted attacks against their networks have increased over the last year by 20 percent or more.
  • Aug. 18. Target announces deal to pay Visa card issuers up to US$67 million to settle lawsuit resulting from a massive 2013 data breach.
  • Aug. 18. In a filing with the U.S. Securities and Exchange Commission, reports data breach has compromised credit card information of 93,000 users.
  • Aug. 18. Microsoft releases out-of-band patch for Internet Explorer to address zero-day flaw that allows an attacker to gain the same user rights as the operator of a computer.
  • Aug. 20. University of Rhode Island reveals data breach has placed at risk some 3,000 of the school’s email accounts.

Upcoming Security Events

  • Sept. 12. B-Sides Augusta. GRU Harrison Education Commons Building, 1301 R.A. Dent Blvd., Augusta, Georgia. Free.
  • Sept. 12-21. SANS Network Security 2015. Caesars Palace, Las Vegas, Nevada. Long Courses: $3,145 – $6,295. Short Courses: $1,150 – $2,100.
  • Sept. 16. ISMG Data Breach Prevention and Response Summit. The Westin San Francisco Airport, 1 Old Bayshore Highway, Millbrae, California. Registration: $695.
  • Sept. 16-17. SecureWorld Detroit. Ford Motor Conference & Event Center, Detroit. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • Sept. 18. B-Sides Cape Breton. The Verschuren Centre, Cape Breton University, Sydney, Nova Scotia, Canada. Free.
  • Sept. 22-23. SecureWorld St. Louis. America’s Center Convention Complex, St. Louis. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • Sept. 28-Oct. 1. ASIS 2015. Anaheim Convention Center, Anaheim, California. Through May 31: member, $895; nonmember, $1,150; government, $945; student, $300. From June 1 through Aug. 31: member, $995; nonmember, $1,250; government, $1,045; student, $350. From Sept. 1 through Oct. 1: member, $1,095; nonmember, $1,350; government, $1,145; student, $400.
  • Sept. 30-Oct. 1. Privacy. Security. Risk. 2015. Conference sponsored by IAPP Privacy Academy and CSA Congress. Bellagio hotel, Las Vegas. Registration: Before Aug. 29, $1,195 (member), $1,395 (nonmember), $1,045 (government), $495 (academic); after Aug. 28, $1,395, $1,595, $1,145 and $495.
  • Oct. 2-3. B-Sides Ottawa. RA Centre, 2451 Riverside Dr., Ottawa, Canada. Free with registration.
  • Oct. 6. SecureWorld Cincinnati. Sharonville Convention Center, 11355 Chester Rd., Sharonville, Ohio. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • Oct. 6. UK Cyber View Summit 2015. 6 a.m. ET. Warwick Business School, 17th Floor, The Shard, 32 London Bridge, London, UK. Registration: 550 euros plus VAT.
  • Oct. 9-11. B-Sides Warsaw. Pastwomiasto, Anders 29, Warsaw, Poland. Free with registration.
  • Oct. 12-14. FireEye Cyber Defense Summit. Washington Hilton, 1919 Connecticut Ave. NW, Washington, D.C. Registration: before Sept. 19, $1,125; after Sept. 18, $1,500.
  • Oct. 15. SecureWorld Denver. The Cable Center, 2000 Buchtel Blvd., Denver, Colorado. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • Oct. 19-21. CSX Cybersecurity Nexus Conference. Marriott Wardman Park, 2660 Woodley Rd. NW, Washington, D.C. Registration: before Aug. 26, $1,395 (member), $1,595 (nonmember); before Oct. 14, $1,595 (member), $1,795 (nonmember); after Oct. 14, $1,795 (member), $1,995 (nonmember).
  • Oct. 28-29. SecureWorld Dallas. Plano Centre, 2000 East Spring Creek Parkway, Plano, Texas. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • Oct. 28-29. Securing New Ground. Conference sponsored by Security Industry Association. Millennium Broadway Hotel, New York City. Registration: Before Sept. 8, $895 (members), $1,395 (nonmembers), $300 (CISO, CSO, CIO); after Sept. 7, $1,095, $1,495 and $300.
  • Nov. 4. Bay Area SecureWorld. San Jose Marriott, 301 South Market St., San Jose, California. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • Nov. 11-12. Seattle SecureWorld. Meydenbauer Center, 11100 NE 6th St., Bellevue, Washington. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.
