STE WILLIAMS

Massive high school texting scandal results in… sanity!

This wasn’t just a massive sexting scandal involving high school kids: this was a veritable collectibles franchise.

With 351 sexually explicit images getting passed around Canon City High School in southern Colorado, US, the kids were trading them like baseball cards, Fremont County District Attorney Thom LeDoux said last week.

The sexting apocalypse exploded last month, when Superintendent George Welsh initially estimated that half the school was involved – that’s about 500 students, including some eighth graders.

Police said students used a mobile phone app that hid the photos.

The New York Times described the app as a type of “vault app”.

Those apps look innocent enough. Some disguise themselves as calculators.

But after a user enters a password, the apps reveal themselves to be secret keepers of troves of photographs.

(Naked Security actually took a look at a number of these apps the same year that Snapchat reared its marketed-at-kids sexting head.)

When the sexts were discovered by adults – I haven’t gleaned how that happened – the high school equivalent of Pandora’s Box flew open.

Parents were outraged, administrators scampered to find missed clues, and the police and the District Attorney’s office considered whether to file child pornography charges against some of the participants.

An unknown number of students were suspended. The football team forfeited its last game of the season because so many players were involved.

It wasn’t just jocks, though. As the investigation wound on, it turned out that there were actually a total of 106 children involved in some way with the images, be they swapping the photos or actually portrayed in them.

Though that’s only a fifth of the initial estimate, that’s still a hell of a lot of teenage felons to wrangle.

Because yes, possession of explicit photos of minors is a felony in Colorado, as it is in many states where laws designed to protect children from predatory adults turn into head-scratchers when you get masses of kids doing what kids do.

Specifically, what kids do is act stupid, as LeDoux said during the press conference on Wednesday:

The investigation suggests these were kids doing stupid kid things.

When the scandal first broke, LeDoux said that he wasn’t keen on arresting hundreds of children and that he’d “use discretion” if he did decide to file charges.

Because here’s the sticking point: most of the distributors of this child pornography are themselves minors. In some cases, they took photos of themselves and sent them to others.

The fact that sexting is consensual on all sides hasn’t kept kids from facing child porn charges in the past.

In fact, a few months ago, a 17-year-old boy from North Carolina was facing charges for sexting his girlfriend.

Under North Carolina law, being 17 makes him an adult, which thereby made him eligible to face felony charges of sexually exploiting a minor by sexting.

As if that wasn’t head-bangy enough, because he sexted selfies when he was 16, he also stood accused of exploiting himself.

He was facing four felony charges for sexually exploiting himself and one for having a sexually explicit picture of his girlfriend (that she sent him).

Fortunately, sanity also broke out here: he agreed to a plea bargain and was given a year of probation, during which time both he and his girlfriend were forbidden to own the devil’s gadget – a mobile phone – that got them into trouble.

That same strain of sanity has evidently gripped Colorado.

LeDoux pointed out that none of what the kids did at Canon City High would have been illegal if they were adults:

Consenting adults can do this to their hearts’ content… [But] if the subject is under the age of 18, that’s a problem.

The lack of interest in prosecuting these kids might give you pause if you’ve been paying attention to the horrors that all too often accompany sexually explicit images, such as cyberbullying, the tragedies of suicides that have resulted, revenge porn or other crimes.

But here’s the thing: in Colorado, prosecutors have so far found absolutely no evidence of aggravating circumstances.

That means there was no coercion, no bullying, no unlawful sexual contact, and no posting of explicit photos online, LeDoux said.

In the vast majority of photos, the faces of students weren’t visible.

There was, mind you, enough evidence to prosecute a “handful” of students, he said.

But rather than pressing criminal charges, prosecutors have left this matter in the hands of parents and educators.

The Fremont County School District will offer education about sexting to both students and their parents. The suspended students will also get education and counseling.

LeDoux said the decision not to prosecute doesn’t condone what the students did and that his office is sending warning letters to all 106 students involved.

The DA said he suspects that the kids have deleted all the photos. If not, additional charges could be in the offing.

Zero criminal charges are cause for celebration, given that there was apparently no harm, no foul in this case, but this could have turned out far differently: all too often, young people send naked pics to their boyfriends or girlfriends, only to find out the next morning that everyone in school has seen them.

We’ve seen far too many children hounded to the point of suicide over sexually explicit photos.

Research has shown that putting mobile phones together with teen hormones produces sexting.

It’s not going anywhere. It’s the new normal. It’s the modern-day version of flirting.

We better figure out how to deal with it on a legal, educational and cultural level.

After all, let’s face it – Colorado got lucky.

There were no casualties, no revenge-porn victims, no cyberbullies.

Let’s hope that that luck is as contagious as the prosecutorial sanity that’s broken out.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/sck73VxvNdI/

Cisco starts spewing vuln info everywhere, in a good way

Security folk will be able to suck down Cisco vulnerabilities notices in more ways than ever thanks to a new application programming interface launched today.

The Cisco security team’s (PSIRT) openvuln plug is a RESTful API supporting standards like Common Vulnerability Reporting Framework (CVRF), Open Vulnerability and Assessment Language (OVAL), Common Vulnerability and Exposure (CVE) identifiers, and the Common Vulnerability Scoring System (CVSS).

Borg bod Omar Santos says the new API will help admins build more effective tools.

“In this case, it enables them to easily keep up with security vulnerability information specific to their network.

“That frees up more time for them to manage their network and deploy new capabilities in their infrastructure.”

The API lets Borg assimilates use OVAL definitions and CVRF data to create rules for internal automated network assessment.

Santos says it means the vulnerability evaluation process will be simpler and patch times reduced.
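What "rules for internal automated assessment" look like in practice is a join between advisory data and an inventory of what is actually running. The script below is an added example, not Cisco's code: it assumes advisory records in a constructed JSON shape that carries the fields the piece names (CVE ids, a CVSS base score, the affected product and first fixed release); the real openVuln API's field names and endpoints are not assumed, and the inventory, advisory ids and CVE numbers are placeholders.

```python
"""Triage vendor advisories against a device inventory.

Added example (not Cisco's code). The advisory records below are
constructed in an assumed JSON shape carrying the fields the article
names (CVE ids, CVSS scores, affected product/version); the real
openVuln API's field names and endpoints are not assumed.
"""
import json
from typing import Dict, List, Tuple

# Constructed sample advisories; advisory ids and CVE numbers are placeholders.
SAMPLE_ADVISORIES = json.dumps([
    {"advisoryId": "EXAMPLE-ADV-001", "cves": ["CVE-0000-00001"],
     "cvssBaseScore": 9.8, "product": "example-ios", "firstFixed": "15.3"},
    {"advisoryId": "EXAMPLE-ADV-002", "cves": ["CVE-0000-00002"],
     "cvssBaseScore": 5.3, "product": "example-ios", "firstFixed": "15.2"},
    {"advisoryId": "EXAMPLE-ADV-003", "cves": ["CVE-0000-00003"],
     "cvssBaseScore": 7.5, "product": "example-asa", "firstFixed": "9.4"},
])

# Constructed inventory: what each device actually runs.
SAMPLE_INVENTORY = [
    {"host": "core-rtr-1", "product": "example-ios", "version": "15.1"},
    {"host": "edge-rtr-2", "product": "example-ios", "version": "15.2"},
    {"host": "fw-1", "product": "example-asa", "version": "9.4"},
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Dotted numeric version -> tuple, so that 15.2 < 15.10 compares correctly."""
    return tuple(int(part) for part in text.split("."))


def severity(cvss: float) -> str:
    """CVSS v3 qualitative rating bands."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def triage(advisories_json: str, inventory: List[Dict]) -> List[Dict]:
    """Pair every device with every advisory for its product and report the
    ones where the running release is older than the first fixed release.
    Findings come back sorted by CVSS, highest first."""
    advisories = json.loads(advisories_json)
    findings = []
    for device in inventory:
        running = parse_version(device["version"])
        for adv in advisories:
            if adv["product"] != device["product"]:
                continue
            if running < parse_version(adv["firstFixed"]):
                findings.append({
                    "host": device["host"],
                    "advisory": adv["advisoryId"],
                    "cves": adv["cves"],
                    "cvss": adv["cvssBaseScore"],
                    "severity": severity(adv["cvssBaseScore"]),
                    "upgrade_to": adv["firstFixed"],
                })
    findings.sort(key=lambda f: f["cvss"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_ADVISORIES, SAMPLE_INVENTORY):
        print(f"{f['severity']:8} {f['host']:12} {f['advisory']} -> upgrade to {f['upgrade_to']}")
```

The version comparison is the part that tends to go wrong in home-grown scripts: comparing release strings lexically puts 15.10 before 15.2, which silently hides a vulnerable box. Swapping the constructed `SAMPLE_ADVISORIES` string for a fetched CVRF or JSON document is the only change needed to run this against real feeds.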

Excited security wonks can check out the respective Cisco API developer site. ®

Sponsored:
Building secure multi-factor authentication

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/15/borg_security_boffins_open_tweakable_vuln_plug/

Janet pulls open network info for good after DDoSers exploit it

Exclusive: Jisc is permanently removing open public access to Janet (the UK government-funded educational network) information, The Register can reveal, after concluding that such access has been exploited to hobble the service.

The move, alongside several other large infrastructural changes – which the administrators have asked The Register not to publish for security and insurance reasons – followed a sustained reflective DDoS attack, causing Janet significant problems between 1 December and 8 December.

Tim Kidd, executive director at Jisc – formerly the Joint Information Systems Committee, the non-departmental public body in the UK which administrates Janet – explained the decision to block diagnostic facilities (such as traceroute) to The Register.

Kidd told us that the attacks were typical of reflective DDoS, and said the network’s engineers began to suspect “that the visible aspects of Janet alongside public updates via Twitter and other channels were being used to inform the attacks”.

Following this, Kidd told us, Jisc began to institute changes affecting customers’ access to such information.

“While it is unfortunate – and certainly we’re well aware of how valuable our customers found some of our network information being openly available for diagnostics – it was a necessary step to protect the network,” Kidd said of the move, before adding:

I would also stress that work is already under way to offer an alternative solution, which would still allow customers to easily view end-to-end availability and ensure excellent performance.

Details of the attack show it did not utilise the same methods as those targeting Protonmail earlier this year, although at times the nuisance resource requests did crash in at a similar 100Gbps.
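The signature of a reflective attack of this kind, as seen from the victim's side, is many distinct hosts all answering from a well-known UDP service port towards one target with large packets. The script below is an added example, not Jisc's or Janet's code: it runs that check over flow records in a constructed NetFlow-like CSV layout, and the thresholds (three or more reflectors, an average packet of 400 bytes or more) are assumed starting points rather than figures from the article.

```python
"""Flag reflection/amplification DDoS patterns in flow records.

Added example (not Jisc's or Janet's code). The flow lines below are
constructed in a NetFlow-like CSV layout; the thresholds are assumed
starting points, not values from the article.
"""
from collections import defaultdict
from typing import Dict, List

# UDP services commonly abused as reflectors, keyed by their server port.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP", 1900: "SSDP"}

# Constructed flow export: src_ip,src_port,dst_ip,dst_port,proto,packets,bytes
# Five hosts answering from port 123 towards one target, one normal DNS
# reply and one unrelated TCP flow.
SAMPLE_FLOWS = """\
198.51.100.11,123,192.0.2.10,40112,udp,2000,936000
198.51.100.12,123,192.0.2.10,40112,udp,2100,982800
198.51.100.13,123,192.0.2.10,40112,udp,1900,889200
203.0.113.7,123,192.0.2.10,40112,udp,2200,1029600
203.0.113.8,123,192.0.2.10,40112,udp,1800,842400
198.51.100.53,53,192.0.2.20,51234,udp,1,120
192.0.2.30,443,203.0.113.50,55000,tcp,40,18000
"""


def parse_flows(text: str) -> List[Dict]:
    """Parse the CSV layout above into dicts with numeric fields."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src_ip, src_port, dst_ip, dst_port, proto, packets, nbytes = line.split(",")
        flows.append({"src_ip": src_ip, "src_port": int(src_port),
                      "dst_ip": dst_ip, "dst_port": int(dst_port),
                      "proto": proto, "packets": int(packets), "bytes": int(nbytes)})
    return flows


def detect_reflection(flows: List[Dict], min_sources: int = 3,
                      min_avg_packet: int = 400) -> List[Dict]:
    """Group inbound UDP flows whose *source* port is a reflector service by
    destination. Many distinct reflectors sending large packets to one
    target is the pattern; a single small DNS reply is ordinary traffic."""
    per_target = defaultdict(lambda: {"sources": set(), "packets": 0,
                                      "bytes": 0, "services": set()})
    for f in flows:
        if f["proto"] != "udp" or f["src_port"] not in REFLECTOR_PORTS:
            continue
        agg = per_target[f["dst_ip"]]
        agg["sources"].add(f["src_ip"])
        agg["packets"] += f["packets"]
        agg["bytes"] += f["bytes"]
        agg["services"].add(REFLECTOR_PORTS[f["src_port"]])

    alerts = []
    for target, agg in per_target.items():
        avg = agg["bytes"] / agg["packets"]
        if len(agg["sources"]) >= min_sources and avg >= min_avg_packet:
            alerts.append({"target": target,
                           "reflectors": len(agg["sources"]),
                           "services": sorted(agg["services"]),
                           "avg_packet_bytes": round(avg),
                           "total_mbytes": round(agg["bytes"] / 1e6, 2)})
    return alerts


if __name__ == "__main__":
    for alert in detect_reflection(parse_flows(SAMPLE_FLOWS)):
        print(alert)
```

Keying on the source port rather than the destination port is the point: the victim never sent the requests, so the only consistent field on its side is the service port the reflectors answer from. The constructed data produces one alert for 192.0.2.10 with five NTP reflectors and an average packet of 468 bytes; the lone DNS reply to 192.0.2.20 stays below both thresholds.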

Asked if disabling such access would be certain to prevent future attacks, Kidd was hesitant: “Of course in any security incident you can never offer absolute certainty.”

“What we can say – at what is still a very early stage – is that the measures we have put in place are working effectively and customers do not appear to have received any further disruption,” offered Kidd. “Our efforts also continue to further secure the network and reduce the impact of future attacks. We remain, as I say, vigilant but cautiously optimistic.”

Kidd acknowledged that “the Janet network is used for a wide range of teaching, learning and research activities. Many of these are very specialised with extremely high data flows. We have worked hard to ensure that the measures we put in place will not adversely affect the pursuit of research and education in the UK”.

“Our security team and engineers are working closely on future enhancements to the processes we have developed during these attacks,” Kidd concluded. “These will make our network stronger. We will also be sharing this information with our network contacts to help them improve the resilience of their connection, such as helping them to move off any less appropriately configured services.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/15/janet_no_longer_shares_network_information_after_ddos/

Who needs CCTV? Get a terrifying slowpoke hoverdrone cam

A slow- and low-flying drone has been developed for security guard personnel that will follow visitors and snap their pictures.

Japan’s largest security outfit Secom says the drone will attempt to identify and photograph any potential intruder’s face as well as the licence plate of their car, Kyodo News reports.

The 10kmph drone, which will fly at a height of five metres, is surely hopeless at chasing anyone with initiative or a shotgun (the hoverthing has LEDs attached that would arguably help thugs aim in the dark), but it is being billed as a superior alternative to fixed CCTV.

Captured images are sent to the company for processing, where it will be determined if a car or individual is a threat.

It will cost ¥800,000 (around A$9,000, $6,600, £4,400) to buy the drone station and a monthly rental fee of ¥5,000 (around A$57, $41, £27).

The drone’s production was delayed thanks to a revision of Japan’s aviation laws back in April after a small drone with radioactive material landed on the house of Japan’s prime minister, Shinzō Abe. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/15/japan_lowflying_drone_security_camera/

Sophos grabs ATP-thwarter tech firm SurfRight for $32m

Sophos has paid $31.8m in cash to snap up advanced threat prevention firm SurfRight, with the deal allowing traditionally conservative Sophos to integrate SurfRight’s signature-less endpoint threat detection and response tech into its line of endpoint security products and services.

The UK-based company claims the two sets of technologies are complementary and fit in with its synchronised security strategy.

“This acquisition will further strengthen [our] leading endpoint protection technology, by adding complementary new defense tactics, delivered either on premises or in the cloud,” according to the firm.

Synchronised security involves multiple components of security protection, including network and endpoint security, actively and continuously communicating with each other.

This approach is touted as a means to offer faster threat detection and a dramatic reduction in the time and resources required to investigate and address security incidents.

Sophos said its 15,000 channel partners will help push the combined offering.

Netherlands-based SurfRight has technologies designed to prevent, detect and remediate zero-day and sophisticated attacks by interrupting malware, focusing on detecting and preventing the memory manipulations and abuses that allow malicious code to run in the first place.

Sophos spent years saying mobile malware really wasn’t a problem back in the days where everyone had a Symbian handset rather than a smartphone, before offering antivirus technology for mobiles.

That scepticism was well-founded at the time. However, its reluctance to embrace the cloud and software-as-a-service were much more difficult to understand and probably cost it in the end.

But then again, Sophos was also a pioneer in offering free-of-charge antivirus scanners to Mac users, and its execs have been canny in the acquisition space as well as in floating the firm earlier this year.

Sophos’ technologies already offer behaviour-based analytics, malicious traffic detection that monitors attempted outbound connections to known bad URLs, and application reputation, which uses a “crowd-sourced” big data warehouse, the firm boasts.

Sophos pledged to continue development and support for SurfRight’s existing product line, including its HitmanPro malware scanning and removal tools, which are used by more than 20 million people worldwide. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/15/sophos_surfright_purchase_endpoint_protection/

‘Re-innovating’ Static Analysis: 4 Steps

Before we pronounce the death of static analysis, let’s raise the bar with a modern framework that keeps pace with the complexity and size found in today’s software.

Static analysis isn’t dead like some have suggested. Has static analysis lost some of its luster? Absolutely! Many of the studies would suggest that static analysis tools (commercial and open-source) are underperforming on certain types of bugs or weakness classes. But one of the reasons why I like tool studies is because they help you understand what a tool can and cannot do — provided that you have developed the test cases to measure whether or not the tool actually detected the coding issue or violation.

Tool studies also help you better understand the behavior and characteristics of static analysis tools for a given code construct or different styles of coding.  Static analysis tools perform differently on different program structures, and understanding why tools fail on certain types of code is important to know (with confidence) if we are going to raise the bar in static analysis capabilities and innovate. 

The results of many of these tool studies haven’t been favorable. In fact, one could argue that given the simplicity of the test cases used, static analysis tools should be performing much better. For instance, the Juliet Test Case suite that was funded by the NSA Center for Assured Software is a collection of synthetic Java and C/C++ test cases, meaning they are created as examples with well-characterized weaknesses.

A criticism of Juliet is that the test cases don’t represent “real” world software. Given that the test cases are less complex than real-world programs, and are synthetic, you might expect that tools would perform much stronger, but that hasn’t been the case. I’m aware of at least four tool studies where the test results have been mediocre across the board — OWASP Benchmark, NIST Static Analysis Tool Exposition (SATE), NSA Center for Assured Software, and a project funded at IUPUI, led by Dr. James Hill. 

One revelation from the tool studies is that each tool does something really well; a “sweet spot.” Most of the tools have several sweet spots, but outside of them, the tools tremendously underperform. It should be noted that overall, the commercial static analysis tools fare better than the open-source tools, but some studies suggest that open-source tools may be better at finding a particular weakness.

Improving static analysis

Static analysis tools are not dead; they just need to be updated to keep pace with modern-day software. There needs to be more emphasis and investment in research and development by the software assurance community to find new breakthroughs and advancements in techniques to improve static analysis capabilities.  

Organizations who buy static analysis tools have to put more pressure on commercial tool vendors to invest more in R&D so that tools can be modernized and improved. Adding rules and heuristics is not fixing the problem long-term, nor does it provide the innovation to keep pace with the evolution in software. We’ve seen with the Heartbleed vulnerability in OpenSSL that vendors can add rules and heuristics to identify the weakness that exposed the Heartbleed vulnerability (after the fact). The fact that none of the tools were able to detect the weakness that exposed the vulnerability can be summarized as the crux of the problem with static analysis tools and capabilities.

I want to share with you a research project that I’m funding to push forward the state-of-the-art in static analysis capabilities. The Static Analysis Tool Modernization Project (STAMP) research is an attempt to address the lack of innovation around static analysis tools. The goal of STAMP is to modernize static analysis tools, creating better techniques that can scale the complexity and size of today’s software. The inspiration for STAMP came from the HGTV show, Property Brothers, where brothers find neglected homes and infuse money into the homes to renovate them. STAMP has the potential to renovate (re-innovate) static analysis capabilities. STAMP will focus on four key areas:

1. Develop improved code constructs and test cases that represent “real” world programs (modern software). This will address some of the shortcomings of Juliet, and to a certain extent some of the new test case suites such as the OWASP Benchmark project. The next generation of test cases developed in STAMP will help baseline existing state-of-the-art static analysis tools. 

2. Conduct an in-depth tool study to understand what tools can and cannot do in terms of tool coverage across the various weakness classes. By identifying the gaps and strengths in static analysis tools, this will help identify the areas where static analysis capabilities need to be “modernized”.

3. Develop a modernization framework to improve the capabilities in static analysis tools. Engaging in R&D to develop a framework to explore new techniques, methods, and services will help make static analysis tools more precise and sound and achieve what many call “security at-speed.”

4. Score and label static analysis tools and capabilities based on areas where tools perform well, and areas where tools struggle in regards to tool coverage. A consumer report will be developed to better educate and guide the software assurance community in purchasing and procuring static analysis capabilities. Oftentimes when you purchase or procure a static analysis tool, you don’t really know what the tools missed. The scoring and labeling will help organizations mix and match features in static analysis to leverage the strength of each tool(s) to cover a wider attack surface.  
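Steps 2 and 4 both come down to the same measurement: run each tool over a labelled suite and count, per weakness class, what it caught and what it cried wolf about. The harness below is an added example, not STAMP's or any vendor's code. It assumes a Juliet-style layout in which every numbered test case has a "bad" variant containing the weakness and a matching "good" variant without it, each tagged with a CWE; the suite, the single tool's findings and the label thresholds are all constructed for the illustration.

```python
"""Score static analysis tool results against a labelled test suite.

Added example (not STAMP's or any vendor's code). It assumes a
Juliet-style layout: each numbered case pairs a "bad" variant that
contains the weakness with a "good" variant that does not, labelled with
a CWE class. The suite, findings and label thresholds are constructed.
"""
from collections import defaultdict
from typing import Dict, Set, Tuple

# Constructed suite: (case_id, cwe, variant). Pair n = bad-n / good-n.
SUITE = [
    (f"{cwe}-{variant}-{n}", cwe, variant)
    for cwe in ("CWE-79", "CWE-89", "CWE-121")
    for n in (1, 2)
    for variant in ("bad", "good")
]

# Constructed findings: which case files each tool raised a warning on.
FINDINGS: Dict[str, Set[str]] = {
    "tool-a": {"CWE-89-bad-1", "CWE-89-bad-2", "CWE-79-bad-1",
               "CWE-79-good-1", "CWE-121-good-2"},
}


def label(recall: float, precision: float) -> str:
    """Coverage label per weakness class; thresholds are assumed."""
    if recall >= 0.8 and precision >= 0.8:
        return "sweet spot"
    if recall < 0.3:
        return "blind spot"
    return "partial"


def score(suite, findings: Set[str]) -> Dict[str, Dict]:
    """Per-CWE recall, precision and discrimination rate for one tool.
    A pair counts as discriminated only when the bad variant is flagged
    AND the matching good variant is not, so a tool that flags every file
    gets perfect recall but zero discrimination."""
    per_cwe = defaultdict(lambda: {"tp": 0, "fn": 0, "fp": 0, "tn": 0})
    pairs: Dict[Tuple[str, str], Dict[str, bool]] = defaultdict(dict)
    for case_id, cwe, variant in suite:
        flagged = case_id in findings
        counts = per_cwe[cwe]
        if variant == "bad":
            counts["tp" if flagged else "fn"] += 1
        else:
            counts["fp" if flagged else "tn"] += 1
        pair_no = case_id.rsplit("-", 1)[1]
        pairs[(cwe, pair_no)][variant] = flagged

    report = {}
    for cwe, c in per_cwe.items():
        recall = c["tp"] / (c["tp"] + c["fn"]) if c["tp"] + c["fn"] else 0.0
        precision = c["tp"] / (c["tp"] + c["fp"]) if c["tp"] + c["fp"] else 0.0
        cwe_pairs = [p for (k, _), p in pairs.items() if k == cwe]
        discriminated = sum(1 for p in cwe_pairs if p.get("bad") and not p.get("good"))
        report[cwe] = {"recall": recall, "precision": precision,
                       "discrimination": discriminated / len(cwe_pairs),
                       "label": label(recall, precision)}
    return report


if __name__ == "__main__":
    for tool, found in FINDINGS.items():
        for cwe, row in score(SUITE, found).items():
            print(f"{tool} {cwe}: recall={row['recall']:.2f} "
                  f"precision={row['precision']:.2f} "
                  f"discrimination={row['discrimination']:.2f} -> {row['label']}")
```

On the constructed data tool-a lands in the sweet spot for CWE-89, is partial on CWE-79 (one hit, one miss, one false alarm) and is blind on CWE-121. The discrimination column is what separates a tool that understands a construct from one that warns on every file containing a suspicious call: flagging both halves of a pair scores a true positive and a false positive, but no discrimination.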

One of the interesting and unique aspects in working with researchers and computer scientists who study the area of static analysis, users of commercial static analysis tools, and the commercial tool vendors, is that I get so much useful information about problem areas. One common theme that I hear is that no one tool can give you the coverage you need. Organizations should be able to read a label on a given static analysis tool (the same way nutrition labels are on foods) to understand the strengths, the “sweet spots” of static analysis tools.

Before we pronounce the end or death of static analysis, let’s see what innovation and improvements STAMP will provide to help raise the bar in static analysis tools and capabilities. Static analysis is just one context —  like DAST and IAST — that can be leveraged to help reduce false positives, but also provide more visibility into “real” bugs and potential vulnerabilities that exist in software. 

All application security testing approaches have their limitations; to think that one is superior to the other is a bit naive. I’ve funded research that’s shown how Hybrid Analysis Security Testing (HAST) can really improve software analysis capabilities, by infusing the context of SAST and DAST together for better application security situational awareness. There is no uber approach or tool! We are seeing in other technology areas where vendors are opening up their platforms with APIs because customers are wanting better situational awareness across their technology investments to improve overall threat management. I see the same happening with the resurrection of static analysis and a shift from relying on a “black box” technology solution.

With more than 17 years of information assurance and security experience in security program management, assessment, auditing, and testing, Kevin Greene brings valuable skills and capabilities to the federal government. Kevin works in the area of research and development, …

Article source: http://www.darkreading.com/vulnerabilities---threats/re-innovating-static-analysis-4-steps/a/d-id/1323486?_mc=RSS_DR_EDT

How ‘Digital Forensic Readiness’ Reduces Business Risk

These six real-world scenarios show how to turn reactive investigative capabilities into proactive, problem-solving successes.

Digital forensic investigations are, for the most part, still predominantly conducted in response to an incident. With this reactive approach, extreme pressure is put on the investigation team to gather and process digital evidence before it is no longer available or has been modified. Being reactive to incidents also shows a sign of weakness: it suggests that organizations are not acting on their own initiative to identify problem areas and develop strategies for their suppression.

For investigations to truly become proactive, organizations must closely examine the time, money, and resources invested into their overall investigative capabilities. Digital forensic readiness is a process used by organizations to make the most of their electronically stored information (ESI) in order to reduce the cost of digital forensic investigations. At the starting point, there needs to be a breakdown of risks including both internal events — those that can be controlled and take place within the boundaries of control (e.g. outages, human error) — and external events — those that cannot be controlled and take place outside the boundaries of control (e.g. floods, regulations).

Here are six practical and realistic scenarios that can be used to demonstrate a pro-active initiative to manage business risk.

Scenario #1: Reducing the impact of cybercrime

With Information Technology (IT) playing an integral part of practically every business operation, the evolving threat landscape continues to increase risks associated with organizational assets. Using a threat modeling methodology, organizations can create a structured representation of the different ways a threat actor can go about executing attacks and how their tactics, techniques, and procedures can be used to create an impact. The output of this exercise can be put to practical use by implementing appropriate countermeasures that create potential digital evidence.

Scenario #2: Validating the impact of cybercrime or disputes

When a security incident occurs, organizations must be prepared to quantify impact. To obtain a complete and accurate view of the entire cost of an incident, both direct and indirect contributors must be included in the impact assessment. This means incorporating logs generated from different types of controls (e.g. preventive, detective, corrective) as well as the overhead cost of managing the incident (e.g. people and technology expenses).

Scenario #3: Producing evidence to support organizational disciplinary issues

A Business Code of Conduct document promotes a positive work environment that, when signed, strengthens the confidence of employees and stakeholders by establishing an accepted level of professional and ethical workplace behavior. When the guidelines set out in this document have been violated, employees can be subject to disciplinary actions. Where disciplinary actions escalate into a legal problem, organizations must approach the situation fairly and reasonably by gathering and processing credible digital evidence.

Scenario #4: Demonstrating compliance with regulatory or legal requirements

Compliance is not a one-size-fits-all process. It is driven by factors such as an organization’s industry (e.g. financial services) or the countries where business is conducted (e.g. Canada). Evidence documenting that compliance standards are met must be specific to the requirements of both the regulation or law, and the jurisdiction.

Scenario #5: Effectively managing the release of court-ordered data

Regardless of how diligent an organization is, there will always be a time when a dispute ends up before a court of law. With adequate preparation, routine follow-ups, and a thorough understanding of what is considered reasonable in a court of law, organizations can effectively manage this risk by maintaining the admissibility of electronically stored information (ESI) according to requirements such as those described within the U.S. Federal Rules of Evidence. Meeting these requirements demands that organizations implement safeguards, precautions, and controls to ensure their ESI is admissible in court and that it is authenticated to its original source.
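"Authenticated to its original source" is, in engineering terms, a question of whether you can show that what is produced later is bit-for-bit what was collected, and who has handled it in between. The script below is an added example, not from the article or Sachowski's book: it assumes a simple preservation design of one SHA-256 per collected file plus a hash-chained custody log, so that a later change to a file, or to the log itself, is detectable. The evidence files are constructed in a temporary directory; `analyst-1` and `analyst-2` are placeholder names.

```python
"""Preserve and later re-verify collected evidence files.

Added example, not from the article or Sachowski's book. It assumes a
simple manifest design: one SHA-256 per file plus a hash-chained custody
log, so that any later modification of a file or of the log itself is
detectable. The evidence files are constructed in a temporary directory.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone
from typing import Dict, List


def sha256_file(path: str) -> str:
    """Stream the file so large images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def add_custody_event(manifest: Dict, actor: str, action: str) -> None:
    """Append a custody entry whose hash covers the previous entry's hash,
    so removing or rewriting an earlier entry breaks the chain."""
    prev = manifest["custody"][-1]["entry_hash"] if manifest["custody"] else "0" * 64
    event = {"actor": actor, "action": action,
             "at": datetime.now(timezone.utc).isoformat(), "prev_hash": prev}
    payload = json.dumps(event, sort_keys=True).encode()
    event["entry_hash"] = hashlib.sha256(payload).hexdigest()
    manifest["custody"].append(event)


def build_manifest(paths: List[str], collector: str) -> Dict:
    """Record hash, size and collection time for each file and open the log."""
    entries = [{"path": p, "sha256": sha256_file(p), "size": os.path.getsize(p),
                "collected_at": datetime.now(timezone.utc).isoformat(),
                "collector": collector} for p in paths]
    manifest = {"entries": entries, "custody": []}
    add_custody_event(manifest, collector, "collected")
    return manifest


def verify_files(manifest: Dict) -> Dict[str, str]:
    """Status per recorded file: ok, modified or missing."""
    status = {}
    for e in manifest["entries"]:
        if not os.path.exists(e["path"]):
            status[e["path"]] = "missing"
        elif sha256_file(e["path"]) != e["sha256"]:
            status[e["path"]] = "modified"
        else:
            status[e["path"]] = "ok"
    return status


def verify_custody_chain(manifest: Dict) -> bool:
    """Recompute every entry hash and check each link to its predecessor."""
    prev = "0" * 64
    for event in manifest["custody"]:
        body = {k: v for k, v in event.items() if k != "entry_hash"}
        if body["prev_hash"] != prev:
            return False
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if digest != event["entry_hash"]:
            return False
        prev = event["entry_hash"]
    return True


def demo() -> Dict:
    """Construct two evidence files, preserve them, tamper with one file and
    with the log, and return what verification reports at each step."""
    workdir = tempfile.mkdtemp(prefix="evidence-")
    paths = []
    for name, body in (("access.log", b"constructed log line 1\n"),
                       ("export.csv", b"id,amount\n1,100\n")):
        p = os.path.join(workdir, name)
        with open(p, "wb") as fh:
            fh.write(body)
        paths.append(p)
    manifest = build_manifest(paths, collector="analyst-1")
    add_custody_event(manifest, "analyst-2", "reviewed")
    with open(paths[1], "ab") as fh:          # simulate a later modification
        fh.write(b"2,999\n")
    files = {os.path.basename(p): s for p, s in verify_files(manifest).items()}
    chain_before = verify_custody_chain(manifest)
    manifest["custody"][0]["action"] = "seized"   # rewrite history in the log
    return {"files": files, "chain_ok_before": chain_before,
            "chain_ok_after_tamper": verify_custody_chain(manifest)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In a real deployment the manifest would be signed or written to storage the collecting team cannot alter; the chain on its own proves internal consistency, not who wrote it. The useful property for the scenario above is that both failure modes the court will ask about, a changed exhibit and a changed record of handling, produce a definite negative answer rather than silence.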

Scenario #6: Supporting contractual and/or commercial agreements

From time to time, organizations are faced with disagreements that extend beyond disputes that involve employees. With the majority of today’s business interactions conducted electronically, organizations must ensure they capture and electronically preserve critical metadata about their third-party agreements. This would include details about the terms and conditions or the date the agreement was co-signed. A contract management system can be used to standardize and preserve the metadata needed to provide sufficient grounds for supporting a dispute.

By following a reactive approach to digital forensic investigations, organizations foster a perception that they lack initiative for managing risk. Conversely, when organizations implement strategies to proactively gather potential sources of digital evidence in support of the business risk scenarios, they showcase their ability to effectively manage risk.

This article was sourced from the forthcoming book by Jason Sachowski, “Implementing Digital Forensic Readiness: From Reactive To Proactive Process,” available now at the Elsevier Store and other online retailers.

Jason is an Information Security professional with over 10 years of experience. He is currently the Director of Security Forensics Civil Investigations within the Scotiabank group. Throughout his career at Scotiabank, he has been responsible for digital investigations, …

Article source: http://www.darkreading.com/attacks-breaches/how-digital-forensic-readiness-reduces-business-risk/a/d-id/1323508?_mc=RSS_DR_EDT

Making Security Everyone’s Job, One Carrot At A Time

These five user education strategies will turn employee bad behavior into bulletproof policies that protect data and systems.

Most computer security folks have probably experienced the feeling that their primary jobs are finger-wagging and dispensing punishments. It can be disheartening to feel like you’re perceived as the wet blanket that’s slowing down the advance of innovation, and knowing people dread interacting with your department.

Are there ways to change the prevailing mindset so that security isn’t viewed as a stick to beat people into compliance, but rather as a carrot to entice people into habits of safer behavior? It’s often said that the best way to train desired behavior is to reward people for doing things they’re already inclined to do. With this in mind, you can use people’s existing behaviors to make your systems and data more secure.

Here are five ways to redirect user behavior toward the common security good:

Reward timely maintenance
In the days when users had to initiate regular AV scans on their own machines, one company I’d heard from used to pick a user’s machine each week on which to hide a test file. Any users who performed a scan and detected the test file by the end of the week would be entered into a drawing for a prize. While this specific scenario would be a bit outdated today, there are plenty of other opportunities to reward users for performing timely, routine security maintenance on their machines or accounts: This would include almost any action that would otherwise require nagging emails or locking people out of their accounts, or any security technology that is currently considered optional.

Drill for mastery
Many companies do a periodic security test, the most common of which is to send a fairly obvious phishing email to see how many users bite. In most companies, about a third of users fail the test, and a handful of that portion inevitably sends furious emails about how unprofessional and unfair these tests are. But these same people would never complain about a fire drill; this is because they fully understand that those drills are meant to protect their own safety as well as that of coworkers, and they know what skillful behavior entails.

In reality, fires and phishing are much more unpredictable and complicated than we can simulate. The idea is still the same: Give people regular exercises that allow them to perform a given set of steps even when a stressful event occurs, so that they won’t do something in an emergency that could cause more harm. It may feel like “teaching to the test,” but having ubiquitous posters and reminders about proper email hygiene may give users a sense of mastery over phishing drills, rather than feeling duped. You can also “gamify” these activities so that individuals or departments who perform well consistently get a small gift.

Enlist employees to help in intelligence gathering
Have you ever wondered what attack attempts made it past your technological defenses and into your employees’ inboxes? One security practitioner I spoke with asked her users to submit any emails they received that they suspected were phishes, spam, scams or malware. This allowed her to see how attackers were probing their defenses, to improve education and to enhance network filters. This could also include incentives for users who are most prolific and accurate in their submissions.

Hunt for security fails
Even with the most thorough of searches, it can be exceptionally difficult to root out all the assets that need protecting, and discover how people use them. Most security groups don’t have the personnel power to sit with every single employee to see if the existing products and procedures are the best way to secure their workflow. But most employees are happy to identify ways in which security fails, if they’re not penalized for it. Indeed, if you reward that sort of behavior, you’ll have those corner cases and security end-runs identified in no time, so that you can work together to fix them.

It’s ok to break things
As anyone who’s done technical support can tell you, users are exceptionally skilled at breaking things in unexpected (and often perplexing) ways. While this could be considered problematic, it can also be a great way to root out software and system vulnerabilities. If you offer people incentives to report those vulnerabilities, you can then correct configuration errors and disclose product problems to the appropriate vendor.

While there is a time and a place for applying negative consequences for security lapses, there are plenty of ways to increase positivity, and to share a feeling of mutual assistance. If there is too much blame and shame associated with security, you may miss major areas of weakness that are common knowledge to your users.

Lysa Myers began her tenure in malware research labs in the weeks before the Melissa virus outbreak in 1999. She has watched both the malware landscape and the security technologies used to prevent threats from growing and changing dramatically. Because keeping up with all …

Article source: http://www.darkreading.com/vulnerabilities---threats/making-security-everyones-job-one-carrot-at-a-time/a/d-id/1323533?_mc=RSS_DR_EDT

‘Devastating’ flaw found in Windows’ authentication system

Security researcher @dfirblog has discovered what he calls a devastating flaw in Windows’ Kerberos authentication system.

The flaw cannot be patched away. According to his extensive blog post, the only real mitigations are Microsoft’s Protected Users group and Credential Guard, which keep password hashes and Kerberos tickets out of the memory that ordinary (and therefore compromised) code on a machine can read.

The flaw results from how the key distribution centre (the trusted third party in Kerberos, which in a Windows domain is the domain controller) protects the tickets it issues: ticket-granting tickets are encrypted with a key derived from the password of the built-in, disabled krbtgt account. That password is rarely changed, so anyone who obtains its hash (which itself takes domain-admin-level access to a domain controller or a copy of its database) can forge tickets that the authentication system accepts outright: granting themselves admin privileges, minting tickets for existing users without knowing their passwords, and even for users that don’t exist.

Some of this is time-limited: once a ticket is more than 20 minutes old, a domain controller checks that the account named in it actually exists. But since a fresh ticket for a fresh fake user can be forged at will, the attacker’s access is effectively unlimited.
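The fake-user trick leaves traces a defender can hunt for. What follows is an added example, not code from dfirblog’s post or from The Register, in Python: it runs three checks over a constructed sample of Windows Security events 4769 (service ticket requested) and 4624 (logon) and a constructed directory snapshot. It flags a ticket or logon for a name the directory has never had; a Kerberos logon whose SID belongs to a different account (a forged ticket for a non-existent user still has to carry some real SID, typically that of a privileged account); and a service ticket using RC4-HMAC in a domain assumed to have moved to AES (tickets forged from an NT hash, as described here, use that encryption type). Field names follow the Windows event schema; the key=value rendering, account names, SIDs and addresses are made up.

```python
import re

# Constructed sample events (not real captures): the relevant fields of Windows
# Security events 4769 (Kerberos service ticket requested) and 4624 (logon),
# flattened to key=value pairs the way a SIEM export might render them.
SAMPLE_EVENTS = [
    "EventID=4769 TargetUserName=alice@CORP.EXAMPLE ServiceName=cifs/fs01 TicketEncryptionType=0x12 IpAddress=10.0.0.5",
    "EventID=4624 TargetUserName=alice TargetUserSid=S-1-5-21-1-2-3-1104 AuthenticationPackageName=Kerberos",
    "EventID=4769 TargetUserName=bob@CORP.EXAMPLE ServiceName=MSSQLSvc/db01 TicketEncryptionType=0x17 IpAddress=10.0.0.9",
    "EventID=4769 TargetUserName=ghost@CORP.EXAMPLE ServiceName=cifs/fs01 TicketEncryptionType=0x17 IpAddress=10.0.0.77",
    "EventID=4624 TargetUserName=ghost TargetUserSid=S-1-5-21-1-2-3-500 AuthenticationPackageName=Kerberos",
    "EventID=4624 TargetUserName=bob TargetUserSid=S-1-5-21-1-2-3-1105 AuthenticationPackageName=NTLM",
]

# Constructed directory snapshot (sAMAccountName -> objectSid), as you would
# export from AD immediately before the hunt.
DIRECTORY = {
    "administrator": "S-1-5-21-1-2-3-500",
    "alice": "S-1-5-21-1-2-3-1104",
    "bob": "S-1-5-21-1-2-3-1105",
}

RC4_HMAC = "0x17"   # etype 23; AES128/AES256 tickets show 0x11/0x12


def parse_event(line):
    """Turn one key=value line into a dict of its fields."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def hunt(events, directory, aes_expected=True):
    """Return (event index, rule, detail) for every event that looks like a forged ticket.

    unknown_account: a ticket or logon for a name the directory has never heard of
    sid_mismatch:    a Kerberos logon whose SID belongs to a different account
    rc4_ticket:      a service ticket using RC4-HMAC in a domain that should be on AES
    """
    sid_owner = {sid: name for name, sid in directory.items()}
    findings = []
    for idx, line in enumerate(events):
        ev = parse_event(line)
        event_id = ev.get("EventID")
        # 4769 carries user@REALM, 4624 carries the bare name; normalise both.
        name = ev.get("TargetUserName", "").split("@")[0].lower()
        if name not in directory:
            findings.append((idx, "unknown_account", name))
        if event_id == "4624" and ev.get("AuthenticationPackageName") == "Kerberos":
            owner = sid_owner.get(ev.get("TargetUserSid"))
            if owner is not None and owner != name:
                findings.append((idx, "sid_mismatch", f"{name} logged on with the SID of {owner}"))
        if event_id == "4769" and aes_expected and ev.get("TicketEncryptionType") == RC4_HMAC:
            findings.append((idx, "rc4_ticket", f"{name} -> {ev.get('ServiceName')}"))
    return findings


if __name__ == "__main__":
    for idx, rule, detail in hunt(SAMPLE_EVENTS, DIRECTORY):
        print(f"event {idx}: {rule}: {detail}")
```

The first two rules need a directory export taken at hunt time, since a ticket older than 20 minutes for a name that has since been deleted is exactly what the KDC would also reject; the RC4 rule is only meaningful once the domain and its service accounts actually have AES keys, otherwise RC4 tickets are normal and the rule should be switched off with `aes_expected=False`.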

Kerberos is the default authentication protocol in Windows domains, used between clients, servers and domain controllers. A flaw noticed last year (MS14-068, a bug in how domain controllers validated the privilege information inside a ticket), for example, would enable an attacker to compromise an entire network, including installing programs and deleting data. This flaw has similar consequences, but is not a bug that a patch can close: it follows from how Windows Kerberos keys are derived and where they are kept.

Kerberos is the Greek form of Cerberus, the mythical three-headed dog that guarded the underworld. He was outfoxed a few times, sometimes through brute strength, but Orpheus managed to lull the fearsome dog to sleep by playing his lyre before sneaking past.

Access all areas

Dfirblog notes that the secret keys exist so that passwords never have to cross the network to authenticate users: they are derived from user passwords, and are kept in memory on the machines where those users have logged on.

But with the RC4-HMAC encryption type the secret key is simply the user’s NT LAN Manager (NTLM) hash, an unsalted MD4 of the password, so whoever can read that hash from memory or from the domain database holds the key outright. The krbtgt account is created when the domain is set up and is disabled, so its password can remain untouched for years, and a stolen krbtgt hash stays usable just as long. Resetting the krbtgt password twice (with time for replication between the two resets, as Microsoft’s guidance describes) invalidates any tickets forged with the old hash; it is the one step that actually evicts an attacker who already has it.

The post then goes into some detail about what can be done once inside, including adding new users, producing a secret second password that works for existing users, and downloading files from systems to review later.

Dfirblog notes: “Mitigation of most of these attacks is not possible, as this is simply how Kerberos works in the Windows environment … For the most part, you need to focus on protecting privileged accounts at all costs, because this is what attackers are after and protecting everyone is not possible. The most effective mitigation at the moment seems to be Protected Users group and Credential Guard.”

We have asked Microsoft for comment on the post. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/15/devastating_flaw_in_windows_authentication/

Ashley Madison blackmailers try again with snail mail

Five months after the adulterer-friendly dating website Ashley Madison was spectacularly hacked, it seems blackmailers are still trying to dig their claws into people who signed up to the site.

Blackmail by post? How 20th century

According to security blogger Graham Cluley, some former members of the site are now receiving blackmail demands through the post. The letters ask for thousands of dollars and threaten to out former members if the lucre is not forthcoming.

Ever since the Ashley Madison user database was dumped online, blackmailers have been quick to try to extort money from members. The swift exposure of high-profile casualties, such as Josh Duggar, formerly executive director of the Family Research Council’s lobbying arm, who admitted to having had accounts on the site, showed there was money to be made.

After the database went online, at least one suicide was linked to the leak.

It later emerged that the whole website was something of a busted flush, with around one per cent of the people on there being women looking for affairs.

A new round of blackmailers is now having a go using snail mail, but Cluley said there was nothing to worry about.

“I can understand how it would be distressing for Ashley Madison members to receive a letter like that through the post, but I’m strongly of the opinion that – in the majority of cases – blackmailers are trying their luck, hoping that a small percentage of those targeted will pay up,” he said.

“I understand that it must be very unsettling and worrying, but paying the blackmailers any money is only likely to make them focus on you more. Ignoring them is probably a better plan in my humble opinion.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/15/ashely_madison_post_blackmail/