1©2014. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.©2015. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.©2015. CYREN Ltd. All Rights Reserved. Proprietary and Confidential. This document and the contents therein are the sole property of CYREN and may not be transmitted or reproduced without CYREN’s express written permission.

CYREN CyberThreat ReportApril 2015

Avi Turiel

2©2014. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.©2015. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.©2015. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.

• Forbes.com compromise highlights web malware threat

• SEOHide - Advanced blackhat search engine optimization

• The continuing rise of macro malware

• Lessons learned from the Slack and HipChat breaches

• How secure are hashed passwords?

• Q1 stats

Agenda

3©2014. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.©2015. CYREN Ltd. All Rights Reserved. Proprietary and Confidential. 3©2015. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.

About CYREN

THE BEST KEPT SECRET IN INFORMATION SECURITY FOR MORE THAN A DECADE

Founded in 1991, CYREN (NASDAQ and TASE: CYRN) is a long-time innovator in cybersecurity. With full-function Security as a Service (SecaaS) solutions and security technology components for embedded deployments, CYREN provides web, email, endpoint and mobile security solutions that the world’s largest IT companies trust for protection against today’s advanced threats. CYREN collects threat data and delivers cyber intelligence through a unique global network of over 500,000 points of presence that processes 17 billion daily transactions and protects 600 million users.

3©2015. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.

4©2014. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.©2015. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.©2015. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.

CYREN Powers the World’s Security

Our Cyber Intelligence is the security backbone of many of the world’s largest and most influential information technology and Internet security brands.

5©2014. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.©2015. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.©2015. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.

6©2014. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.©2015. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.©2015. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.

• Revealed in February

• Exploits embedded in the “thought for the day” widget

• Target was defense contractors

• But any visitor would have been infected

• Source: espionage group known as the “Sunshop Group”

Forbes.com watering hole attack

7©2014. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.©2015. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.©2015. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.

How a watering hole attack works

8©2014. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.©2015. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.©2015. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.

Poll Question #1

9©2014. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.©2015. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.©2015. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.

• Cloud-based secure web gateway

• Innovative detection technologies

• Custom sandbox arrays on a global basis

• Automatically investigates IPs, domains, hosts, and files associated with suspicious behavior and maintains risk scores

• Inline antimalware and URL filtering

• Comprehensive protection for business users – whether office-based, remote, or roaming

• Also protects users of Guest WiFi or Public WiFi services

CYREN WebSecurity

10©2014. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.©2015. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.©2015. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.

• JavaScript Trojans

• Injected into compromised websites

• Boost the page ranking for specific websites

• Hide hyperlinks to them within the infected sites

• Cybercriminals receive commission for pushing site

• Or use target site to push “spammy” products

Pay day loans

Pharmaceuticals

SEOHide - Advanced blackhat SEO

11©2014. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.©2015. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.©2015. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.

How SEOHide works

12©2014. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.©2015. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.©2015. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.

13©2014. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.©2015. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.©2015. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.

• Microsoft’s popular Office applications include macro functionality based on VBA (Visual Basic for Applications)

• March 1999: Melissa macro virus infected an estimated 20% of computers worldwide

• Microsoft patched Office to force users to actively decide whether to run any macro or not by showing a warning pane and requiring them to click on “enable” or “allow” before processing the macro.

Macro-malware 101

14©2014. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.©2015. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.©2015. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.

• November 2014 - outbreak of over 3.02 billion emails with new macro-malware

• Uses clever social engineering

Macro-malware reappears in 2014

15©2014. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.©2015. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.©2015. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.

“Instructions” to enable macros

16©2014. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.©2015. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.©2015. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.

Email is an effective attack vector

This .doc example was detected by only 4 of 56 Antimalware engines.

17©2014. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.©2015. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.©2015. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.

Poll Question #2

19©2014. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.©2015. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.©2015. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.

20©2014. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.©2015. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.©2015. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.

Poll Question #3

21©2014. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.©2015. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.©2015. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.

• Slack = team communication tool

• Breach announced in March

• “there was unauthorized access to a Slack database storing user profile information”

Slack Breach

• User names, email addresses, and one-way encrypted (“hashed”) passwords

• One month after a similar breach at HipChat

22©2014. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.©2015. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.©2015. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.

• Online (cloud) business tools are now targets for cybercriminals

• A treasure trove of business credentials

• Internal business data that can potentially be used for espionage.

Employees often treat the collaboration tools as if they are internal systems and may be less cautious

• User passwords must be managed carefully

• Hackers obtain encrypted passwords

• The possibility to decrypt them exists

Lessons learned

23©2014. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.©2015. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.©2015. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.

• hash("hello") = 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824

• Dictionary attack: words, phrases, common passwords

• Brute Force Attack: every possible combination of characters up to a given length

• Lookup Tables: precomputed hashes of the above

Reverse Lookup Tables: compares within compromised list – assumes many users have same passwords

• hash("hello" + "QxLUF1bgIAdeQX") = 9e209040c863f84a31e719795b2577523954739fe5ed3b58a75cff2127075ed1

• Some passwords are salted and some are not

• If all are salted then this adds no protection!

Or if salt is too short, or username is used as salt

How secure are hashed/salted passwords?

24©2014. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.©2015. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.©2015. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.

• Therefore we are dependent on the site/service that we have signed up for

• Need to trust that their password mechanisms are secure

• The part that is under control of IT and the organization is the user password

• At least 8 characters (preferably more)

• Combinations of chars

• Don’t reuse passwords!

• Use password managers (with long and complex access passwords)

How secure are hashed/salted passwords?

“Slack’s hashing function is bcrypt with a randomly generated salt per-password which makes it computationally infeasible that your password could be recreated from the hashed form”

25©2014. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.©2015. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.©2015. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.

26©2014. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.©2015. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.©2015. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.

Applied cyber intelligence

27©2014. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.©2015. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.©2015. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.

Q1 Android Threats

28©2014. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.©2015. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.©2015. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.

Q1 Phishing

29©2014. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.©2015. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.©2015. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.

Q1 Spam

30©2014. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.©2015. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.

You can also find us here:

www.CYREN.com

twitter.com/cyreninc

linkedin.com/company/cyren

©2015. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.

Thank You. Any Questions or Thoughts?