STE WILLIAMS

Who’s right on crypto: An American prosecutor or a Lebanese coder?

Special report The debate over encryption has become particularly intense following the deadly attacks in Paris.

Politicians, police, and government agents insist the encryption in our software and gadgets be limited. Tech companies and programmers insist the encryption be implemented fully securely.

This past week, there have been two posts from opposite ends of this debate, both argued passionately and eloquently, that highlight the complexities around the issue.

One comes from Manhattan’s District Attorney and is a 42-page report [PDF] making the case for law enforcement access to smartphones; the second is a blog post from a 25-year-old Lebanese security researcher living in Paris whose secure chat app has become the focus of media interest after the recent attacks.

The question is: who’s right? The American prosecutor or the Lebanese coder?

The two questions

The debate boils down to two basic questions. One: should investigators be able to get hold of communication data if they strongly feel it will solve a crime? And two: how would that system actually work?

With few exceptions, almost everyone agrees that, yes, the police and Feds should be able to access information that will assist in sending down criminals, so long as there are adequate measures to prevent the system from being abused.

The problem comes with the second question: how is it actually done? And here lies the problem, because the answer to that question in many respects overrides the first.

Encryption is about mathematics, not policy. If you create a system that makes data accessible only to Alice and Bob, and inaccessible to Eve, and you then try to ensure the data is somehow accessible to people indistinguishable from Eve, you have to purposefully break the system. And that break, no matter how eloquently implemented, is still a break. Once it is there, it cannot go away.

Technologists and coders have become increasingly outspoken about the fundamentally flawed logic of creating an encryption system with a hole in it, in significant part because Edward Snowden revealed the lengths to which the US government was prepared to go to access all data.

Previously, tech companies had reached an uneasy agreement that they would include carefully designed holes in their systems so information could be provided to a third party in extreme circumstances – typically the production of a search warrant.

And while local law enforcement – like our prosecutor from New York – largely stuck to that agreement, it was clear that the security and intelligence services did not. Once the hole exists, if you know its full details, you are free to access information on anyone using that system.

With smartphones in particular becoming increasingly important to everyone’s privacy, ready access has become far more than logging suspicious activity. Your phone now contains your interactions with friends and family; personal pictures; your locations now and over time. With apps, your phone contains your financial information, your searches for information, access to secure work networks, your personal life.

In his report, Cyrus Vance Jr, the Manhattan District Attorney, argues: “What makes full-disk encryption schemes remarkable is that they provide greater protection to one’s phone than one has in one’s home, which, of course, has always been afforded the highest level of privacy protection by courts. Every home can be entered with a search warrant. The same should be true of devices.”

Except in many respects, smartphones contain more personal information than your own home – and all in one tiny portable device. While you may be able to find details on people’s personal finances in a filing cabinet in a house, there won’t be a drawer – even a locked one – that contains the details of every location you visited in the past few weeks, complete with timestamps.

In your house, you may have left some letters, or even printed out an email. You may have photo albums. But the interactions we have these days with our phones are more akin to recording our voices. Law enforcement needs more than a search warrant to install a bug in your home. And while people still keep photo albums, they don’t come with GPS coordinates and instant links to the identities of the other people pictured.

In short, while entering your home is a significant invasion of privacy, the physical interference is actually likely to reveal less about yourself than the ability to go through your phone.

The law enforcement case

That said, Vance does make a persuasive case.

His report [PDF] includes real-world examples of where access to people’s phones has led to real evidence that has led to real convictions. And the examples are harrowing:

  • A man accidentally filmed his own murder. The recovered video supported eyewitness accounts and the shooter was found guilty and given 35 years.
  • Text messages sent between two accused rapists concerned the use of mace spray which is being used as a piece of evidence in their trial.
  • Child abuse images were taken off a phone after the owner showed one to a taxi driver.
  • A sex trafficker’s phone contained photos of him posing with women who appeared in online prostitution ads. They were used in his trial and helped lead to his conviction.
  • A credit card swiping ring that fleeced restaurant customers of over $1m was taken down thanks to the details on a phone from one of the waiters involved.
  • A murder suspect was actually cleared when his phone’s details made it clear he was not involved; a second phone found at the scene of the crime led to the person responsible.

The prosecutor makes the argument that if tech companies do not include some method for accessing information then “we risk losing crucial evidence in serious cases if the contents of passcode-protected smartphones remain immune to a warrant.”

Unlocking ‘droids

There’s an interesting factoid in the report – Google can remotely unlock up to 77 per cent of Android devices today:

“Forensic examiners are able to bypass passcodes on some [Android] devices using a variety of forensic techniques. For some other types of Android devices, Google can reset the passcodes when served with a search warrant and an order instructing them to assist law enforcement to extract data from the device. This process can be done by Google remotely and allows forensic examiners to view the contents of a device.

“For Android devices running operating systems Lollipop 5.0 and above, however, Google plans to use default full-disk encryption … that will make it impossible for Google to comply with search warrants and orders instructing them to assist with device data extraction. As of October 5, 2015, approximately 23 per cent of Android users were running Lollipop 5.0 or higher.”

And the paper cites a conversation from jail in which an inmate asks a friend to check what operating system his iPhone is using. They upgraded their phones at the same time and the fact that the friend’s phone was running iOS 8 meant that the cops would not be able to access his phone data. “That means God might be in my favor. I don’t think they can open it,” the inmate said over the recorded phone line. “I mean, you know how much shit is on that phone.”

If the only way to access a phone’s data is for the user to type in their personal passcode, then the police will be missing out on hugely valuable information. “It is the rare case in which information from a smartphone is not useful; rather, it is often crucial,” he argues, citing 111 search warrants between September 17, 2014 and October 1, 2015 where his office was not able to get at phone data because of new encryption standards.

And it wasn’t just suspects refusing to hand over the code: in some cases, the phone belonged to a dead victim. It is not hard to imagine the enormous frustration that must exist in a detective at a crime scene if she is simply not able to get at what may be critical evidence because she doesn’t know what the correct four numbers are.

In short, the district attorney argues that the previous system – where the authorities would get a search warrant after they had persuaded a judge of “probable cause” and then send it with the phone to the manufacturer’s headquarters in California and get a hard drive back in return with all its contents – was a good balance between security and privacy.

It gave law enforcement what it needed; it meant that the average Joe was not impacted. Getting access to details through cloud-storage rather than directly from a phone was also not equivalent, Vance argues, even producing a table that highlights the sort of information that can be acquired from phones themselves, cloud storage, and network operators.

A table from the Manhattan District Attorney pointing out what data can be accessed by different means

The district attorney rails against the default encryption that Apple and Google have introduced that means they don’t have ready access to a phone’s data, and argues for a new law to pass through US Congress that would make it a requirement for “any designer of an operating system for a smartphone or tablet manufactured, leased, or sold in the US to ensure that data on its devices is accessible pursuant to a search warrant.”


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/24/perspectives_on_encryption/

North Korea is capable of pwning Sony. Whether it did is another matter

Sysadmin Blog Researchers think they have figured out how Sony was hacked. Long story short: the hackers knew what they were doing and covered their tracks with some clever, but really basic, tricks. I’m not particularly surprised by this, but I am surprised that others are surprised by it.

The Register commenter Yet Another Anonymous Coward had a topical comment titled “Let me get this straight”, saying that “The world’s most backward country executed the world’s most advanced cyber attack and chose as its target the American subsidiary of a Japanese entertainment company?”

“Or, perhaps it has secretly infiltrated every other military and government computer system in the west and are actually running everything?”

Neither possibility should be particularly surprising.

Hacking isn’t hard

First off, let’s start with the statement that I don’t have any idea if North Korea did, in fact, hack Sony. It may have. It may not have. You can’t trust anything North Korea has to say on the matter. Sadly, we also can’t trust anything any of our governments say.

That all said, I absolutely believe North Korea has the capability to do this. Yes, North Korea is backwards. It doesn’t have enough bombs and missiles and guns to really make anyone except South Korea really sit up and take notice.

Even South Korea isn’t really all that worried, because if you tried to get those bombs and missiles and guns from A to B then everyone on earth would see it happening and a cloud of cruise missiles would rain down on the North Korean military movement, making for a short but exciting news cycle.

North Korea’s leadership know this. So what’s a megalomaniacal false demigod of a leader to do in order to strike at the hearts of his perceived enemies? Develop “cyber” capabilities. Being a good hacker doesn’t take some mystical skill. It doesn’t take a super computer and it doesn’t take a country full of cloud providers.

A half decent hacker can penetrate almost any system with nothing more than a netbook and good operational security. You can use any operating system or device if you know your tools well enough, or you write good enough tools. For the difficult hacks you’re realistically going to have to do both.

Hacking isn’t about technology. It’s about process. It’s about procedure. It’s about discipline, knowledge, study and caution.

We portray hackers as people who have a stroke of genius and then mash the keyboard really hard and poof! They’ve reversed the polarity on the tachyon inverter and suddenly used the thermostat to overwrite the hidden sectors on the tablet that controls the nuclear reactor. Oh noes!

State-level hacking

Anyone who has the resources to hire a full-time research team and a pair of decent developers can build credible offensive hacking capabilities. This means that most 50-individual companies on the planet theoretically have the resources to build both malware and network-based deployment capabilities.

Not only does this make every government on earth a threat, but by dint of the low cost of developing this capability, industrial espionage hacking teams are guaranteed to be practically everywhere. Organised crime will, without question, have extensive capabilities as well.

The idea of “state-level” capabilities moves the needle a bit, but in all honesty not by much. The primary advantage that state sponsorship brings to a hacking team is not additional nerds or computer infrastructure. It is spies and saboteurs.

Governments have people around the world, or they can hire mercenaries and consultants to get the job done. People cost money and this means that only a handful of organisations can manage the global reach of even a small government.

Any large enterprise has the financial resources to develop this capability. The large organised religious groups would as well. The larger organised crime groups have global reach, but many are loose collections of small families or clans and may not have the cohesion for unified long-term investments on this level.

Network activist and hacktivist body Anonymous and other loose – but large – populist collectives or organisations could theoretically bring state-level resources to bear. In the case of Anonymous it would be easier to herd cats than to develop any true state-level offensive capabilities, but there are plenty of non-commercial, non-governmental, non-religious organisations with global presences to be considered, and state-level hacking capabilities are more about the ability to physically access networks, people and research resources than the software cooked up by the nerds.

I don’t doubt that North Korea could have cut through Sony’s defences like they weren’t even there. Every state-level actor out there could probably go through most corporate or personal networks with similar ease. This doesn’t, however, mean that these state-level actors could get into an actively well defended network.

Beyond state-level

Defending a network properly costs a lot of money. If you want to do it, you cannot simply rely on off-the-shelf software and tools. You need to hire hackers to defend against hackers. People who are trained in operational security and who look as much for what isn’t there as what is.

Shelfware isn’t going to catch gaps in logs or other fairly simple tricks to cover one’s tracks. Someone who has actually spent time penetrating other systems and had to think about these things just might. These people are not cheap, and there aren’t many of them.

Those networks which are defended by teams of the best will not fall to your average state-level, organised crime or industrial espionage hacking crew. They will understand, amongst other things, that eggshell security doesn’t cut it. That breaches will occur will have been foreseen, and they will have built traps, isolation procedures and much, much more to counter attacks.

To get into these networks you need more than a state-level hacking apparatus. You need a hacking industry. You need to have billions of dollars being spent every year to identify new zero-day exploits, employ professional spies to gather data and be able to perform physical attacks against networks (such as compromising data centres or backhaul data links).

No one nation – not even the US – can pull this off. Developing this level of capability takes international cooperation. It takes the cooperation of nations with private industry. It requires tens – if not hundreds – of thousands of people working together to industrialise network compromise.

It really could have been North Korea

So, yes, Sony’s breach absolutely could have been the work of the North Koreans. It is even a logical target if their goal is to train their hacking team against a live target. North Korea has no love for Japan or the US, so taking on what was once an iconic corporation in those countries might have some symbolism.

More to the point, Sony was soft. It wasn’t expecting an attack, it wasn’t particularly well defended, and it didn’t have the resources (that larger, more profitable corporations have or are developing) to react in real time.

I don’t buy the proposed political motivations of North Korea hacking Sony one bit. Sony is a stupid target if you want to make an actual statement. But it is exactly the right target to train against.

We are all viable targets. Even if we are not a tempting target because what we have squirreled away on our networks, we might just be useful to train against. It could be that the only purpose the compromise of our network serves is target practice for someone going after meatier game.

Given the above, it’s time for us to stop thinking that quality attackers are few and far between, or that our networks will only be attacked for good reason. It’s time to make network security something we constantly evolve and refine and hire full-time professionals to oversee. ®



Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/24/north_korea_could_have_pwned_sony/

Dell: Yes, we shipped laptops, PCs with a nasty web security hole

Dell says it will publish a guide to remove the web security backdoor it installed in its Windows laptops and desktop PCs.

This confirms what we all know by now – that Dell was selling computers with a rather embarrassing hole in their defenses.

New models from the XPS, Precision and Inspiron families include a powerful root CA certificate called eDellRoot, which puts the machines’ owners at risk of identity theft and banking fraud.

The certificate is bundled with its private key, which is a boon for man-in-the-middle attackers: for example, if an affected Dell connects to a malicious Wi-Fi hotspot, whoever runs that hotspot can use Dell’s cert and key to silently decrypt the victims’ web traffic. This would reveal their usernames, passwords, session cookies and other sensitive details, when shopping or banking online, or connecting to any other HTTPS-protected website.

Stunningly, the certificate cannot be simply removed: a .DLL plugin included with the root certificate reinstalls the file if it is deleted. One has to delete the .DLL – Dell.Foundation.Agent.Plugins.eDell.dll – as well as the eDellRoot certificate.

Dell said it will post information on how to do this properly on its support website, and future machines will not include the dangerous root CA cert.

In a statement to the media, the Texas-based IT titan said:

The recent situation raised is related to an on-the-box support certificate intended to provide a better, faster and easier customer support experience. Unfortunately, the certificate introduced an unintended security vulnerability.

Dell’s statement added that it started including the root CA certificate with machines in August, although an Inspiron 15 series laptop we bought in July has the certificate on it.

If you’ve got a new Dell, you can check here to see if you have the dodgy root CA cert installed. And if you can’t wait for the official advice, you can try deleting the .DLL from the filesystem, and the cert from the Windows certificate manager – or use Mozilla’s Firefox because that web browser has its own set of trusted certificates, and ignores the rogue eDellRoot. ®
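The check-and-remove procedure above, as an added PowerShell example that is not Dell’s own guidance or tooling: it looks for the eDellRoot certificate in the Windows root stores, reports whether the private key is present (the part that enables interception), locates the reinstalling plugin DLL, and only deletes anything when explicitly asked. The search paths under Program Files and the store locations are assumptions; the DLL name and the order of removal (DLL first, then certificate) come from the article.

```powershell
# Added example, not Dell's code. Detect and optionally remove the eDellRoot root CA
# and the plugin DLL that reinstalls it. Run from an elevated PowerShell prompt.
$CertMatch = '*eDellRoot*'
$DllName   = 'Dell.Foundation.Agent.Plugins.eDell.dll'
# Assumption: the plugin lives somewhere under Program Files; adjust if your install differs.
$SearchRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

function Find-EDellRootCert {
    # Both machine-wide and per-user root stores are checked; a match in either is a problem.
    Get-ChildItem -Path Cert:\LocalMachine\Root, Cert:\CurrentUser\Root -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -like $CertMatch } |
        ForEach-Object {
            [pscustomobject]@{
                Store         = $_.PSParentPath -replace '^.*::', ''
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                HasPrivateKey = $_.HasPrivateKey   # key shipped with the cert = MITM risk
                NotAfter      = $_.NotAfter
                PSPath        = $_.PSPath
            }
        }
}

function Find-EDellPluginDll {
    # The DLL reinstalls the certificate if it is deleted, so it must be found and removed first.
    Get-ChildItem -Path $SearchRoots -Recurse -Filter $DllName -File -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty FullName
}

function Remove-EDellRoot {
    param([switch]$Confirm)   # without -Confirm this only reports what it would do

    $dlls  = @(Find-EDellPluginDll)
    $certs = @(Find-EDellRootCert)

    if (-not $dlls -and -not $certs) {
        Write-Host 'No eDellRoot certificate or plugin DLL found.'
        return
    }

    foreach ($dll in $dlls) {
        if ($Confirm) {
            # If the file is locked, stop the Dell support service that loaded it and retry.
            Remove-Item -LiteralPath $dll -Force
            Write-Host "Removed plugin DLL: $dll"
        } else {
            Write-Host "Would remove plugin DLL: $dll"
        }
    }

    foreach ($cert in $certs) {
        $desc = "$($cert.Store) $($cert.Subject) [$($cert.Thumbprint)] private key: $($cert.HasPrivateKey)"
        if ($Confirm) {
            Remove-Item -LiteralPath $cert.PSPath -Force
            Write-Host "Removed certificate: $desc"
        } else {
            Write-Host "Would remove certificate: $desc"
        }
    }

    if ($Confirm) {
        # Re-check: if the cert comes back, the DLL (or another copy of it) is still present.
        Start-Sleep -Seconds 5
        if (@(Find-EDellRootCert).Count -gt 0) {
            Write-Warning 'eDellRoot reappeared; the reinstalling plugin is still active.'
        }
    }
}

# Report only. Re-run as `Remove-EDellRoot -Confirm` to actually delete the DLL and certificate.
Find-EDellRootCert | Format-List
Remove-EDellRoot
```

Firefox users are unaffected by the Windows store entry, as the article notes, but the DLL and certificate should still be removed because other browsers and system components trust the Windows root store.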


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/24/dell_superfish_2/

Black Friday Security: Brick-and-Mortar Retailers Have Cyber Threats, Too

PoS malware, ways to trick new payment technology, and zero tolerance for down-time or slow-time make for a stressful combination.

Cyber Monday sports a techie handle, but good ol’ Black Friday is fraught with plenty of cybersecurity challenges as well. When shoppers hit the mall worrying about long lines and hot deals, security pros need to worry about point-of-sale (PoS) malware, fraud, new mobile payment technology, and the recent EMV liability shift.


PoS Threats On the Rise

Although PoS malware got the most attention in the summer of 2014, Trend Micro found that PoS malware increased by 66% in the third quarter of 2015 and that attackers were quite indiscriminate about their targets. Forty-five percent of it was hitting small- to medium-sized businesses.

Larger franchises are not out of the woods though. Just last week, hospitality brand Starwood Hotels was breached by PoS malware, exposing payment card data of customers at 54 of its hotel properties. The precise culprit has not been revealed, but the FIN5 gang has been using RawPOS to hit hotels all year.

Plus, there’s new PoS malware on the scene:

  • Cherry Picker, discovered by Trustwave this month, has been around since 2011, but has remained nearly undetected in all that time because of its sophisticated encryption and obfuscation techniques.
  • AbaddonPOS: discovered by ProofPoint, also has elite obfuscation techniques, including tricks to wipe evidence of itself away. It also includes anti-analysis capabilities to frustrate researchers. Abaddon has spread through the Vawtrak malware.

The immediate concern with PoS threats is that they scrape payment data stored on the devices. However, researchers are also finding that attackers are using PoS systems as an entry point into the rest of the network.

“One of the reasons that PoS devices have been such an effective attack surface is that many are left unprotected without any resident anti-malware security,” says Mark Parker, senior product manager at iSheriff. “These devices were long considered ‘dumb terminals’ and that reputation has been slow to change while the devices themselves have become more capable and in fact are often scaled down Windows machines.”

“The key to protecting cardholder data is to practice security beyond compliance by not leaving anything behind for hackers to steal,” says J.D. Oder, CTO and senior vice president of research and development, Shift4 Corp. “When EMV, point-to-point encryption, and tokenization are properly implemented in a merchant environment, sensitive payment card data doesn’t enter their systems and a ‘cardholder data environment’ ceases to exist outside of a secured payment device.”

Oder says payment card data is safest when it’s hosted offsite, rather than at the retail location. “This leaves no payment data in the merchant environment to be stolen and used by hackers, even if malware were to enter the POS or PMS,” he says. “After all, they can’t steal what you don’t have.”

He also recommends encrypting data in-memory as well as full point-to-point encryption to protect the data in transit.


More EMV Adoption Not An Immediate Cure

Expanded adoption of EMV technology should theoretically be a positive change for brick-and-mortar security this season.

EMV, or chip-and-PIN, is a replacement for the old magnetic stripe cards. Stolen magstripe data can be turned into counterfeit credit cards, and skimmers make it very easy to steal. Yet, in the US, EMV adoption was very sluggish because both merchants and card issuers were holding out for the other to make the first move.

But last month the EMV “liability shift” took effect. So in the event of payment card fraud, whichever party — merchant or card issuer — that has the lesser security is the one to be stuck with liability. So if the card issuer has put an EMV chip in the card, but the merchant has not updated their PoS terminals to accept EMV, then the merchant eats the cost; and vice versa.

More chip-and-PIN cards will be in use at stores this holiday season, which could be a good thing. However, experts say not to expect an improvement overnight.

“I would tell retailers EMV is going to complicate their life” this Black Friday, says Rajesh Sharma, vice president of banking and payment applications at INSIDE Secure. As customers and customer service reps alike become familiar with the technology, lines at the register may move slowly. A slow line isn’t going to be tolerated for long. So if an EMV purchase fails on the first attempt, the salespeople may quickly resort to swiping the magstripes just to keep the line moving.

“From the retailer’s point-of-view, it’s all about risk-reward,” says Suni Munshani, CEO of Protegrity. “If security gets in the way, if some infrastructure gets in the way, they’ll rip it out.”

Criminals know that all too well, he says, and they’ll manipulate that fact with social engineering, which untrained workers rarely recognize. “It’s frightfully expensive to train temporary staff,” he says.


Mobile Payment Schemes Can Be Manipulated

On top of EMV, retail sales reps have to learn all about payments made with mobile devices through systems like Apple Pay, Android Pay, and Samsung Pay.

Thirty-nine percent of respondents to a survey conducted by INSIDE Secure plan to make in-store purchases with a mobile device this holiday season. Plus, 17% of those who did not make mobile payments last year are planning to use the technology this year.

The hold-outs, according to the survey, cite security and privacy as their key reasons for declining to use it: 70% were concerned about fraud, and 70% about the privacy of their transaction data.

However, these technologies are actually doing quite a lot right when it comes to security. Payment technology experts praised Apple Pay when it was released for tokenizing payments, never communicating credit card data to the merchant, and adding biometrics to the process.

That doesn’t mean it’s fraud-proof. Mobile payment technology is “definitely something we’ve seen criminals more interested in in the last year,” says John Miller, director of ThreatScape Cyber Crime at iSIGHT Partners.

Cybercriminals are not exploiting vulnerabilities in the mobile payment technology per se, says Miller, but they’re compromising weaknesses in the enrollment process. They simply load stolen payment account data into one of those mobile payment systems — which they can do, because the banks don’t always do a very good job of making sure that the device to which the account is provisioned is actually a device owned by the accountholder. Thus, an attacker can walk into a store and use their Droid or iPhone to make a purchase with someone else’s money.

Apple Pay was only released in September 2014, and by March of 2015, millions of dollars of fraudulent purchases had already been made in this way with Apple Pay. 

“[Attackers are] doing in-store fraud despite EMV,” says Miller, “despite all those protections.”


No tolerance for down-time

“The recovery time for retail is very, very small,” says Munshani. “This is when they make the most revenue.”

So obviously, any denial of service — via an attack, a system failure, or a bad patch — is unacceptable. The concern is if a zero-day PoS vulnerability hits — one that threatens a data theft, not a denial of service — will retailers simply ignore it, and say ‘remind me in January’?

“I don’t think that would be the response anymore,” says Miller. He says that retailers’ awareness of security and its importance has improved enough that they would not simply ignore a critical threat. “They would want to clean it up, but they might not know how.”

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad …

Article source: http://www.darkreading.com/vulnerabilities---threats/black-friday-security-brick-and-mortar-retailers-have-cyber-threats-too/d/d-id/1323235?_mc=RSS_DR_EDT

Yahoo blocks the ad blockers, while EE gives smartphone users control

Yahoo is reportedly discouraging users of its webmail service from using ad blocking software, by refusing access to emails.

As reported by Mashable, Yahoo is conducting a test run of a feature which locks out any user who has an ad blocker installed. Users who were running ad blocking software were greeted with a screen which instructed them to disable their ad blocking software in order to continue using Yahoo Mail.


On an ad blocking discussion forum, users reported seeing the error message at the end of last week, with one user saying that it pops up even after disabling Adblock Plus.

Yahoo is far from the first to take this action – London free paper City AM, the Washington Post and others have also begun detecting ad blocking software and preventing users from seeing content.

A Yahoo spokesperson said in a statement provided to Mashable that the blocking is only being tested on a portion of Yahoo email users. “At Yahoo, we are continually developing and testing new product experiences,” Yahoo said. “This is a test we’re running for a small number of Yahoo Mail users in the US.”

Ad blockers are big business – according to statistics from PageFair and Adobe, 198 million users are actively using ad blocking software globally, and it’s estimated that their use will cost publishers nearly $22 billion during 2015.

As an alternative to all-out blocking, the Telegraph reports that telco EE is considering introducing technology that will allow smartphone users to control the advertising they see, by creating new tools that would allow them to block some forms of advertising on the mobile web and potentially within apps.

EE chief executive Olaf Swantee said he believes that not all ads are bad, but when they’re intrusive or crass they tend to drive people crazy.

This is not about ad blocking, but about starting an important debate around customer choice, controls and the level of ads customers receive.

Free tools exist which may suit businesses and consumers better, such as Ghostery or the EFF’s Privacy Badger, which block spying ads and invisible trackers.

The move by Yahoo is apparently only impacting a percentage of users but among those users some have either found workarounds to the preventative wall, or are switching to use other webmail services.

If Yahoo determines this exercise to be a success, it will be interesting to see if others adopt a similar model.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/oYzxasoqnpE/

Data breach at biz that manages Cisco, F5 certs plus many others

Technology certification management provider, Pearson VUE, has copped to a computer security breach after malware compromised its Credential Manager System.

The Pearson Credential Manager (PCM) system supports a number of companies’ certification tracking programmes, including network hardware outfits Cisco and F5. Pearson VUE stated that an “unauthorised third party improperly accessed certain information related to a limited set of our users.”

El Reg reader Oliver Jones, who tipped us off about the breach, had been trying to follow a certification with Cisco’s tracking system, which is supported by Pearson VUE, and then found it had been down for more than a week.

Since at least 14 November, Cisco’s tracking system had claimed it was down for “site maintenance”. On Saturday, however, Cisco copped to the Pearson VUE incident and stated its tracking system “will remain down until further notice”.

Cisco added that “at this time, we believe that the compromised information, as it relates to individuals who have taken exams for and hold Cisco certifications, is limited to: name, mailing address, email address and phone number”.

The Borg suggested it wasn’t the worst hit, however, “so, while you may see reports of additional types of personal information being potentially compromised on the PCM platform, we have been informed that this is not the case with respect to the Cisco certification user profiles”.

Pearson VUE has stated there was “no indication that any other systems [than the PCM system] have been affected” and suggested other customers need not worry.

While the company doesn’t believe US Social Security numbers were spaffed – nor “full” payment card information – it acknowledged that the PCM system is “custom designed to fit specific customer requirements,” and so attempts to “understand how this issue may have affected each of our customers” are continuing.

“It is important to note that not all system users provided all of the affected data elements,” according to Pearson.

The Register has attempted to contact Pearson VUE for comment, and was forwarded through to the press office by reception in its London office. There has been no answer so far. ®

Editor’s note: This story was revised after publication to clarify the companies involved. Microsoft, although a partner of Pearson, says it is not affected by the security breach. “Microsoft does not utilize Pearson VUE’s PCM system. We manage our own certification program and candidate data. This data breach does not affect any Microsoft Certified Professional,” a Redmond exec told us.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/23/pearson_vue_data_breach_pcm/

Superfish 2.0: Dell ships laptops, PCs with gaping internet security hole

Dell ships computers with all the tools necessary for crooks to spy on the owners’ online banking, shopping, webmail, and more.

The US IT titan installs a powerful root CA certificate, including its private key, on its Windows notebooks and desktops. These can be abused by eavesdropping miscreants to silently decrypt encrypted web browser traffic without victims noticing.

If you try to remove the dodgy certificate, the file is automatically reinstalled during or after the next boot up. The root CA cert appears to have been created in early April this year, and expires in the year 2039.

How can this certificate be abused? Well, an attacker could, for example, set up a malicious Wi-Fi hotspot in a cafe or hospital, intercept connections from Dell machines, and then automatically strip away the encryption – a classic man-in-the-middle attack, all enabled by Dell’s security blunder.

The decrypted traffic will include usernames, passwords, session cookies, and other sensitive information. The root CA certificate – eDellRoot – can even be used to sign programs, allowing scumbags to dress up malware as legit apps.

Web browsers, and other software, running on the affected Dell hardware will trust any certificates issued by eDellRoot. When the browser tries to connect to, say, your bank’s HTTPS-protected website, it could in fact be connecting to a malicious system on your network, such as the aforementioned evil wireless hotspot. This system can pretend to be your bank’s website, using an eDellRoot-signed SSL certificate, and you would be none the wiser as you type in your username and password. The intercepting system can even log into the bank on your behalf and pass the webpages back to your browser so you’re none the wiser of what’s going on.

Dell customers reported over the weekend finding the root CA certificate on newer Dell XPS, Precision and Inspiron desktops and notebooks.

So far, we’ve seen reports on Twitter and Reddit of the following affected gear: the XPS 15, Latitude E7450, Inspiron 5548, Inspiron 5000, Inspiron 3647, and the Precision M4800.

Our San Francisco office’s Inspiron 15 series laptop is also affected.

Screenshot: caught red-handed … the eDellRoot CA cert installed in Windows on a Dell machine

Information security expert Kenn White has created a webpage that demonstrates how vulnerable Dell computers will happily accept HTTPS connections signed with the eDellRoot key.

Crucially, White also said Firefox is not affected by the rogue certificate because it uses its own set of trusted certs.

Another site to test whether your Dell is vulnerable to man-in-the-middle attacks can be found here.

Dell computer owner Joe Nord, who blogged details of the certificate installed in his Inspiron machine, noted the obvious security flaw with eDellRoot.

“Root certificates are always self-signed, so all I really know is that eDellRoot says eDellRoot is legit,” he explained. “Where it breaks down is that the private key IS PRESENT on my computer and that means … bad.”

Dell has yet to respond to a request for comment on the matter, although the Dell Cares support account on Twitter is downplaying the risk of attack for users:

The issue is just like Lenovo’s February Superfish scandal in which the PC-slinger was caught loading its machines with a tool capable of intercepting SSL traffic and injecting adverts into pages. In fact, the Dell certificate was created months after the Superfish blowup – was no one at the Texas goliath paying attention? ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/23/dude_youre_getting_pwned/

Superfish 2.0 worsens: Dell’s dodgy security certificate is an unkillable zombie

The rogue root certificate in new Dell computers – a certificate that allows people to be spied on when banking and shopping online – will magically reinstall itself even when deleted.

El Reg can confirm that the eDellRoot root CA cert, discovered over the weekend, automatically reappears when removed from the Windows operating system. We tried this on a Windows 8 Inspiron 15 series laptop that was bought in July this year for our San Francisco office.

You can find the dangerous certificate by opening the Start menu, selecting “Run”, typing “certmgr.msc” into the box and hitting Enter. Then open the “Trusted Root Certification Authorities” folder on the left, then “Certificates”, and “eDellRoot” should appear in the window. That’s the SOB you’re looking for. Right-click it, hit “Remove”, and click through the warning box. And it’s gone.

Then reboot, reopen certmgr.msc – the Windows certificate manager – and search for the certificate “eDellRoot”. Bingo, it’s back. Visiting one of the websites that test whether you have a vulnerable certificate installed reveals that, yes, the removed root CA cert was put back during or after the reboot.
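The same check, scripted so it can be re-run after each reboot, as an added example that is not Dell’s or The Register’s code. It audits the Windows trusted root stores for eDellRoot and, more generally, for any trusted root CA whose private key is present on the machine, since that is the condition that lets an intercepting host mint certificates the box will accept; the `-Remove` switch and the store paths are assumptions of this example, and removal from the machine store needs an elevated session.

```powershell
# Added example (not Dell's or The Register's code): audit trusted root stores.
# Run from an elevated PowerShell session; re-run after reboot to see whether
# a removed certificate has been put back.
param(
    [switch]$Remove   # also delete eDellRoot entries (and their private keys)
)

# Machine-wide and per-user trusted root stores (assumed to be the relevant ones).
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
$findings = @()

foreach ($store in $stores) {
    foreach ($cert in Get-ChildItem -Path $store -ErrorAction SilentlyContinue) {
        $isDell = $cert.Subject -like '*eDellRoot*'
        # A root CA with its private key on an endpoint can sign leaf certificates
        # that every application trusting this store will accept without complaint.
        if ($isDell -or $cert.HasPrivateKey) {
            $findings += [pscustomobject]@{
                Store      = $store
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                PrivateKey = $cert.HasPrivateKey
                SelfSigned = ($cert.Subject -eq $cert.Issuer)
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'No eDellRoot certificate and no trusted root CA with a local private key found.'
} else {
    $findings | Format-Table -AutoSize
    if ($Remove) {
        foreach ($f in $findings | Where-Object { $_.Subject -like '*eDellRoot*' }) {
            # -DeleteKey removes the associated private key container as well as the cert.
            Remove-Item -Path "$($f.Store)\$($f.Thumbprint)" -DeleteKey -Confirm:$false
            Write-Host "Removed $($f.Thumbprint) from $($f.Store); reboot and re-run to confirm it stays gone."
        }
    }
}
```

Any root CA flagged with PrivateKey = True on an ordinary workstation deserves investigation, whatever its name; on a dedicated certificate authority server that result is expected.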

Lenovo had a similar party trick with its bloatware earlier this year, using Microsoft’s Windows Platform Binary Table. How Dell reinstates the missing certificate is not clear at this stage. We’re also chasing up claims that its Ubuntu Linux laptops ship with the same dodgy root cert installed.

But the cat came back the very next day, er, reboot … the Dell eDellRoot cert that just won’t die

This means that the recommended procedure to get rid of the vulnerable root CA file on Windows will not work, as the component reappears upon restart. The certificate, issued by Dell in April and expiring in 2039, contains a private key that can be extracted and used to pull off man-in-the-middle attacks on Dell owners – like Lenovo’s Superfish cluster-fsck.

For example, usernames, passwords, session cookies and other sensitive information can be silently siphoned from affected Dell machines when they connect to the web through malicious Wi-Fi hotspots in cafes, hospitals, airports, and so on.

People with recent XPS, Precision and Inspiron models should use Mozilla’s Firefox to browse the web as this software has its own set of trusted certification authorities, and ignores the dangerous eDellRoot cert.

Dell’s support line tells people the certificate “doesn’t cause any threat to the system.” On Twitter, the IT giant said: “Customer security and privacy is a top concern for Dell. We are investigating the issue and will have further updates soon.”

El Reg is still waiting to hear back from Dell for an explanation. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/23/dell_security_nightmare_gets_worse/

Where Is Ransomware Going?


As PCs and servers get better protected and employees more knowledgeable about the ransomware threat, criminals will go after less secure systems such as smart TVs, conferencing equipment, or other unsecured devices.

Ransomware, the malicious software that encrypts your files until you pay to get the encryption key to unlock them, is having quite a successful run. Having initially targeted consumers, criminals are now turning toward businesses and government organizations, demanding higher ransoms for more valuable data. An FBI agent has even commented that ransomware is so good the bureau often recommends that people just pay the ransom.

That is obviously not an acceptable long-term solution to the problem, especially as it appears the criminal technique continues to evolve.

We typically see malware threats go through several phases, starting off with attacks in small volumes, as the authors evaluate target systems’ defenses until they identify approaches that achieve reasonable success rates. Then the attacks increase in volume, going after consumers, then businesses, as the technique matures and gets monetized through massive campaigns. The next phase is a shift from volume to highly targeted attacks, as defenses adapt to the generic approach, criminals identify higher value targets, and special interest groups adopt the technique for their own specific purposes.

Ransomware is currently moving from the volume to targeted phase, increasing in sophistication of the delivery mechanism and looking for more valuable ways to get money from its victims.

Ransomware is nasty because, unlike other malware infections, you cannot run a cleaning or removal tool to get rid of it, so defenses have to catch it before it can act. However, an offline backup is a reasonable and effective precaution that disarms most of the power of the ransomware. We (law enforcement and the security industry) have also had a fair amount of recent success finding and taking down ransomware servers such as CryptoLocker’s.

As a result, we are seeing changes to the ransom model, where encryption of your data is just one step. Using targeted attacks such as emails that look like they originate from within your company, attackers are getting their malicious encryption tools into vulnerable systems. Then, after encrypting the files or data stream, they threaten to publish something that you will pay to keep secret, whether it is valuable financial information or embarrassing emails. A recent ransomware campaign in Germany called “Chimera” threatens to publish your files if you do not pay the ransom of more than 600 euros, according to the Anti-Botnet Advisory Centre. It is not clear if Chimera actually exports your files and can carry out the threat, but if it cannot, the next one will. 

Ransomware’s Next Target

Where will ransomware go next? As we adopt more and more technology in our lives, we are also fueling the creativity of our attackers. As PCs and servers get better protected and employees more knowledgeable about the ransomware threat, criminals will change and multiply their attack vectors, going after less secure systems such as smart TVs, conferencing equipment, or other unsecured devices.

Think about the risk to your organization of criminals threatening to release audio captured from an executive’s television, video from a board meeting, or embarrassing details from your personnel files. This could result in new opportunities for them to make more money than they do today, charging a ransom to decrypt your data and a premium to not publicly release it. 

When threats go from volume to targeted mode, you need a shared intelligence strategy that can detect threats at multiple points, across both your network and the cloud. You need to be aware of the potential motivations, whether that is organized crime looking for payment or hacktivists looking to expose corporate secrets. Understanding the attacker profiles helps you identify what material is valuable and vulnerable, and helps you prioritize your security efforts.

Ransomware is just one threat that is evolving with our technology usage. Whether it is cloud computing, IoT devices, or virtualization, security needs are changing to require greater integration between defenses; broader collaboration with law enforcement, industry organizations, and supply chain partners; and increased automation that can react at digital speeds. 

Michael Sentonas is the VP and Chief Technology Officer of Security Connected for Intel Security. Michael has been with the company for fifteen years, previously holding leadership roles such as VP and CTO for Asia Pacific and, prior to this, head of Sales Engineering and …

Article source: http://www.darkreading.com/partner-perspectives/intel/where-is-ransomware-going/a/d-id/1323280?_mc=RSS_DR_EDT

A Comprehensive Look At China’s Cybercrime Culture

Trend Micro report offers a full view of espionage and theft perpetrated by Chinese hackers.

By pairing an apathy toward the law and a lot of well-executed ingenuity, Chinese cybercriminals have built a business empire as robust as any enterprise in the legal world. According to a new report out today by Trend Micro’s Forward-Looking Threat Research Team, the illegal products and services bubbling up out of the cauldron that is China’s cybercrime black market are as robust and mature as they are plentiful and cheap. The result is powering the entire cybercrime economy in China and beyond.

“New hardware and channels have gone beyond being mere proofs of concept (PoCs) to become the working models driving the cybercrime trends in China today,” writes report author Lion Gu.

On the channels side, a big example of that is the rise of search engines designed to sift through a mountain of already stolen data stores and offer up criminals specific information for sale. It’s essentially online shopping for stolen data — and it is fueling a powerful cycle of future cybercrime by providing cheap and easy access to information about prospective targets.

“The data leaked underground allows attackers to commit crimes like financial fraud, identity and intellectual property theft, espionage, and even extortion,” writes Gu. “Armed with sensitive or potentially damaging information on a politician, for instance, like leaked personal details on an extramarital affair website, a cybercriminal can discredit the target who may be lobbying for the approval of, say, the national cybercrime bill.”

Meanwhile, on the hardware front, Chinese advancements in criminal hardware are bringing forward a range of new skimming devices meant to simplify the process of retail theft of card data. This includes POS skimmers, ATM skimmers and pocket skimmers with a raft of conveniently devious features.

“Some of the PoS skimmers sold underground even have an SMS-notification feature. This allows cybercriminals to instantly get their hands on stolen data via SMS every time the tampered devices are used,” writes Gu. “Cybercriminals do not even have to physically collect stolen information from installed devices.”

The previous examples are just the highlights of a host of dozens of products and services that make up the Chinese black market, which is “as robust as they are unique,” the report says. In addition to standards like botnet rental, toolkit access, and bulletproof hosting, the market also offers other remarkable ways the crooks have monetized creative lawlessness. For example, for a little over $7,000, a buyer can get an app into the Apple App Store’s 25 free apps list. And for as little as $80, a criminal can pick up a fake banking site to perpetrate more convincing scams.

“These offerings are available to any enterprising criminal from anywhere in the world,” the report says.


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Article source: http://www.darkreading.com/attacks-breaches/a-comprehensive-look-at-chinas-cybercrime-culture/d/d-id/1323281?_mc=RSS_DR_EDT