STE WILLIAMS

ARM reveals the Internet of Things security defenses hackers will inevitably learn to evade

ARM hopes to make chips in the Internet of Things a little more secure – by adding its TrustZone defenses to its microcontroller blueprints. In effect, ARM is adding some extra hurdles for hackers to leap in order to exploit programming bugs in gadgets’ firmware.

What the heck is TrustZone?

TrustZone is usually found in ARM’s application processor designs – your smartphone’s system-on-chip, for example. It’s been around since the early 2000s, though, first appearing in the ARMv6 ARM11 family well before the smartmobe boom.

It works by splitting the device into two domains: a secure domain and a non-secure domain. Typically, your bells-and-whistles operating system with its huge attack surface and vulnerabilities (cough, Android) runs in the non-secure domain, and the secure domain runs stuff that needs safeguarding: code-signing cryptography and fingerprint sensor drivers, say.

TrustZone acts as a barrier between the two worlds, allowing the non-secure and secure realms to talk to each other, but never allowing the non-secure side to tamper with the secure half – allowing the non-secure zone to trust that the secure zone hasn’t been infiltrated to do anything malicious to the system.

This technology isn’t hacker-proof, not by a long shot: the sort of bugs that turn into security holes in operating systems can crop up in the code running in the secure domains. If there is a buffer overflow or an integer overflow vulnerability in the secure zone’s code, it can be exploited from the non-secure side to infiltrate the protected realm.

ARM’s TrustZone is only as secure as the software running in the safeguarded world – and smartphone firmware developers have managed to turn out some pretty insecure code.

For its microcontroller implementation of the technology, ARM has added some hardware-level defenses against any crap code that ends up in devices. ARM hopes its microcontroller designs end up in plenty of Internet of Things gadgets, so hardwiring extra protections into the mechanism is welcome.

Welcome to ARMv8-M

ARM’s new microcontroller architecture is called ARMv8-M, which is not to be confused with ARMv8-A. ARMv8-M is a 32-bit design with TrustZone features and a few other bits and pieces. ARMv8-A is the 64-bit architecture used in high-end handhelds and server chips.

ARMv8-M is optimized for high-speed switching between the secure and non-secure states, with banked stack pointers and interrupt control registers, and a new instruction marking out the functions the non-secure side is allowed to call in secured space. Devices start in secure mode, allowing the secure side to initialize the hardware and check the integrity of the code running in non-secure mode. The processor then switches to the non-secure zone, and away it goes, handling function calls from the insecure world as required.

Here’s a summary of how ARM explained ARMv8-M to us.

Don’t confuse ARMv8-M with ARMv8-A: the former is a 32-bit architecture for microcontrollers – chips that run software for a very specific purpose

Here’s the minimum you can do with a top-end microcontroller that uses an ARMv8-M core – this is the baseline specification

This is the mainline specification, which builds on the baseline spec to build a fully featured microcontroller core

The architecture doesn’t have a standard memory management unit (MMU) that provides virtual memory via paging. Instead it has a memory protection unit (MPU) which can mark regions of RAM as accessible and non-accessible. ARMv8-M is more flexible with the size of its regions – which look like x86-style segments. The previous architecture only allowed regions to be built out of fixed blocks.

ARMv8-M looks pretty standard to ARM-savvy programmers. It also provides separate stacks and stack limit pointers for the secure and non-secure worlds, and automatically switches between the two, minimizing bugs in code by moving this job into the hardware. Interrupt control registers are also banked between the secure and non-secure worlds so the protected zones can guarantee they’ll always receive interrupts they rely on.

Memory addresses can be marked as accessible to the secure or non-secure zones, preventing non-secure code from accessing secure areas. This protection extends beyond RAM to flash storage and memory-mapped peripherals.

Now here’s an interesting part: the SG instruction. Entry points into the secure zone from the insecure realm must start with this particular machine code instruction. That tells the processor this is a legit function call. If non-secure code tries to call a function in the secure area that isn’t marked with an SG instruction, an exception is raised.
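To make the call-gate rule concrete, here is a small host-side model of it in C, added for this page and not ARM’s code or a faithful model of the silicon: it assumes a constructed attribution map with Secure, Non-secure and Non-secure-callable (NSC) regions, a constructed 32-byte flash image, and the Thumb-2 encoding 0xE97FE97F for SG, and it reports what a non-secure branch to each target would do.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Host-side model of the ARMv8-M call gate (constructed example, not ARM's
 * code and not a cycle-accurate model of the hardware). Memory is attributed
 * as Secure, Non-secure, or Non-secure-callable (NSC), the region type where
 * secure entry points live. A branch from the non-secure world may only land
 * in an NSC region, and the first instruction there must be SG (Thumb-2
 * encoding 0xE97FE97F); anything else raises a SecureFault-style exception. */

#define SG_OPCODE  0xE97FE97Fu
#define FLASH_BASE 0x10000000u

typedef enum { ATTR_SECURE, ATTR_NONSECURE, ATTR_NSC } mem_attr_t;
typedef struct { uint32_t base, limit; mem_attr_t attr; } region_t;

/* Outcome of one simulated non-secure branch; the order matches names[] in main(). */
typedef enum { CALL_OK, FAULT_SECURE_TARGET, FAULT_NO_SG, FAULT_UNMAPPED } call_result_t;

/* Constructed attribution map: 16 bytes of NSC entry code, 16 bytes of Secure
 * code, and a Non-secure RAM region. */
static const region_t k_map[] = {
    { 0x10000000u, 0x10000010u, ATTR_NSC },
    { 0x10000010u, 0x10000020u, ATTR_SECURE },
    { 0x20000000u, 0x20001000u, ATTR_NONSECURE },
};
#define K_MAP_LEN (sizeof k_map / sizeof k_map[0])

/* Constructed 32-byte flash image at FLASH_BASE (little-endian halfwords):
 * +0x00: SG (7F E9 7F E9), a valid entry point
 * +0x04: NOP NOP
 * +0x08: NOP NOP, inside the NSC region but not marked with SG
 * +0x0C: NOP NOP
 * +0x10..+0x1F: Secure-only code (NOPs) */
static const uint8_t k_flash[32] = {
    0x7F, 0xE9, 0x7F, 0xE9,  0x00, 0xBF, 0x00, 0xBF,
    0x00, 0xBF, 0x00, 0xBF,  0x00, 0xBF, 0x00, 0xBF,
    0x00, 0xBF, 0x00, 0xBF,  0x00, 0xBF, 0x00, 0xBF,
    0x00, 0xBF, 0x00, 0xBF,  0x00, 0xBF, 0x00, 0xBF,
};

static bool lookup_attr(const region_t *map, size_t n, uint32_t addr, mem_attr_t *out) {
    for (size_t i = 0; i < n; i++)
        if (addr >= map[i].base && addr < map[i].limit) { *out = map[i].attr; return true; }
    return false;
}

/* Fetch the 32-bit word at addr from the flash image (little-endian). */
static bool read_word(const uint8_t *flash, size_t len, uint32_t addr, uint32_t *word) {
    if (addr < FLASH_BASE || addr - FLASH_BASE + 4 > len) return false;
    size_t off = addr - FLASH_BASE;
    *word = (uint32_t)flash[off] | ((uint32_t)flash[off + 1] << 8) |
            ((uint32_t)flash[off + 2] << 16) | ((uint32_t)flash[off + 3] << 24);
    return true;
}

/* Simulate a branch from non-secure code to target (bit 0 is the Thumb bit). */
call_result_t ns_branch(uint32_t target) {
    uint32_t pc = target & ~1u;
    mem_attr_t attr;
    uint32_t word;
    if (!lookup_attr(k_map, K_MAP_LEN, pc, &attr)) return FAULT_UNMAPPED;
    if (attr == ATTR_NONSECURE) return CALL_OK;          /* plain NS-to-NS branch */
    if (attr == ATTR_SECURE) return FAULT_SECURE_TARGET;  /* NS code may not jump into Secure memory */
    if (!read_word(k_flash, sizeof k_flash, pc, &word)) return FAULT_UNMAPPED;
    return word == SG_OPCODE ? CALL_OK : FAULT_NO_SG;     /* NSC: only an SG-prefixed entry is legit */
}

int main(void) {
    static const uint32_t targets[] = { 0x10000001u, 0x10000009u, 0x10000011u, 0x20000101u, 0x30000001u };
    static const char *names[] = { "CALL_OK", "FAULT_SECURE_TARGET", "FAULT_NO_SG", "FAULT_UNMAPPED" };
    for (size_t i = 0; i < sizeof targets / sizeof targets[0]; i++)
        printf("branch to 0x%08x -> %s\n", (unsigned)targets[i], names[ns_branch(targets[i])]);
    return 0;
}
```

On real silicon the SAU and IDAU together decide the attribution and the fault is a SecureFault; the model only reproduces the decision logic.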

Finally, a technology preview of mbed – ARM’s operating system for the Internet of Things that is still in development – is now available. Work on the software was announced this time last year, and released as a beta in September. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/10/arm_trustzone_armv8m_mbed_os/

Adobe Flash Bug Discovery Leads To New Attack Mitigation Method

Prototype aims to prevent exploits that employ ‘use after free’ bugs in Windows, Linux, OS X software.

Another day, another Adobe Flash vulnerability: but this time, the researchers who found the bug are also building an attack-mitigation method that would eliminate attacks exploiting bugs like this one.

Among the 17 vulnerability patches included today in the update to Adobe Flash Player (APSB15-28) were multiple “use-after-free bugs” that could be exploited remotely by an attacker, including CVE-2015-7663. Endgame Security researchers, who found and reported that vulnerability to Adobe, are also working on a proof-of-concept technique to prevent the exploitation of any use-after-free flaws in Windows, Linux, and OS X.

Attack mitigation methods are nothing new, but to date they have mostly been isolated to a specific class of bugs or platform, mainly Windows. Microsoft has led this trend with its DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization) mitigations, built into its software and adopted by many of its third-party application vendors. DEP prevents an exploit from executing code it has injected into sections of memory meant for data, and ASLR blunts buffer overflow attacks by placing a process’s code, stack and heap at randomized addresses, so an attacker cannot reliably predict where to redirect execution and run malware on a machine.

Adobe, too, has been cracking down on exploits with some mitigations for Flash, employing so-called Heap Isolation that improves the memory layout to deter some attacks.

Even so, Endgame researchers were able to use a so-called “vector corruption” method to exploit the new Flash bug, which gives an attacker read and write rights to virtual memory. Endgame says it’s seen an increase in Flash exploits over the past year using this technique, which led to its study of ways to mitigate similar attacks.

Enter “control flow integrity.”

“This is a strong technique that prevents exploiting a whole class of vulnerabilities — use after free,” says Cody Pierce, senior director of vulnerability research and prevention at Endgame, which boasts the US intelligence agencies and the Department of Defense as its main customers. “Right now, we’re in the prototype phase and doing testing. It will be a little time before the release in a product or publicly … the first step is to get the community engaged.”

Pierce says prior to mitigation methods like DEP and ASLR, patching was a losing battle. “Before those mitigations, attackers could reverse a patch, and have an exploit within a week,” he says. “Mitigations increase that cost for attackers. We’re hoping to do that as well.”

Software security experts generally prefer security being built into software from the get-go. But attack mitigation tools have been relatively effective, they say, and can raise the bar for attackers.

That mantra has been Adobe’s strategy for some time. Brad Arkin, chief security officer of Adobe, three years ago urged security researchers to dig deep and come up with new attack-mitigation methods. At the time, Adobe had recently added sandboxing to help protect its applications.

“I am a big fan of engineering solutions like DEP and ASLR that you can build directly into your software. In fact, I find it distressing when these kinds of approaches are not used when they should be,” says Gary McGraw, CTO of Cigital. “Any engineering technique that raises the bar for attack and exploit is good in my book.”

But mitigation techniques work best when they’re built into the software from the ground up, he says. “You can’t patch your way into this,” he says.

The danger is that they could introduce performance problems or new risks, he says. “One tradeoff is sometimes efficiency, especially in a constrained embedded system,” McGraw says. “All engineering solutions like this should be carefully constructed and vetted so as not to introduce new risks accidentally. Publishing PoC code can help boot a thorough review process. But be very wary of any new magic stuff: recall that way back when the first implementation of Microsoft’s GS compiler flag was fundamentally broken.”

The new mitigation method Pierce and his team created works something like this: an algorithm stops attackers from inserting their code into certain locations in memory, using Heap Isolation. “It almost forces isolation,” Pierce says. Add control flow integrity or CFI, which detects active exploitation attempts.

“The moment when an attacker has corrupted something in memory that a program is about to execute … when they are about to [go to] the second phase where they download a payload or persistence, the CFI prototype picks up that change,” Pierce says.

In a technical blog post today, Pierce describes CFI this way: “To accomplish this, Endgame has adapted and expanded on the idea of utilizing processor functionality to determine the exact moment when this happens. Inspired by a novel approach published by researchers at Fudan University[11, 12], we leverage CPU branch misprediction[13], allowing us to introduce control flow integrity policies without expensive binary modifications to a target application such as hooking or dynamic instrumentation.” 
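As an added illustration of the decision point Pierce describes, and not Endgame’s code (their prototype uses CPU branch-misprediction data rather than this software check), here is a forward-edge control-flow-integrity policy for one indirect call site in C. It assumes a constructed heap object with a function pointer, an allowlist of the two handlers the call site may legitimately reach, and a direct overwrite standing in for the corruption a use-after-free exploit would perform.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed example of a forward-edge CFI policy at one indirect call site.
 * Endgame's prototype watches CPU branch-misprediction data; this is a plain
 * software allowlist check written for illustration, not their code. */

typedef int (*op_fn)(int);

/* The two handlers this call site is legitimately allowed to reach. */
static int op_double(int x) { return 2 * x; }
static int op_negate(int x) { return -x; }

/* Code that is never a valid target for this call site; stands in for whatever
 * an attacker steers a corrupted pointer toward. */
static int op_unexpected(int x) { return x + 1000; }

/* Heap object holding a function pointer: the kind of field a use-after-free
 * lets an attacker overwrite once the object has been freed and reallocated. */
typedef struct { op_fn handler; int value; } handler_obj_t;

/* CFI policy for the call site: the set of permitted targets. */
static const op_fn k_allowed[] = { op_double, op_negate };

bool cfi_target_allowed(op_fn target) {
    for (size_t i = 0; i < sizeof k_allowed / sizeof k_allowed[0]; i++)
        if (k_allowed[i] == target) return true;
    return false;
}

/* Guarded indirect call. Returns false, without transferring control, when the
 * pointer no longer points at a permitted target: the moment the program is
 * "about to execute" corrupted memory, which is where the article says the
 * CFI prototype raises its alarm. */
bool cfi_dispatch(const handler_obj_t *obj, int *result) {
    if (!cfi_target_allowed(obj->handler)) return false;
    *result = obj->handler(obj->value);
    return true;
}

/* Stand-in for the memory corruption a UAF exploit achieves: the pointer is
 * overwritten directly here rather than through an actual dangling reference. */
void simulate_corruption(handler_obj_t *obj) { obj->handler = op_unexpected; }

/* Clean-then-corrupted scenario; returns 0 on success, else the failing step. */
int run_scenario(void) {
    handler_obj_t obj = { op_double, 21 };
    int result = 0;
    if (!cfi_dispatch(&obj, &result) || result != 42) return 1;  /* legit call runs */
    simulate_corruption(&obj);
    if (cfi_dispatch(&obj, &result)) return 2;                   /* must be blocked */
    if (result != 42) return 3;                                  /* nothing executed */
    return 0;
}

int main(void) {
    handler_obj_t obj = { op_double, 21 };
    int result = 0;
    printf("clean object:     %s (result %d)\n", cfi_dispatch(&obj, &result) ? "allowed" : "blocked", result);
    simulate_corruption(&obj);
    printf("corrupted object: %s (result %d)\n", cfi_dispatch(&obj, &result) ? "allowed" : "blocked", result);
    printf("scenario status: %d\n", run_scenario());
    return 0;
}
```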

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: http://www.darkreading.com/vulnerabilities---threats/adobe-flash-bug-discovery-leads-to-new-attack-mitigation-method/d/d-id/1323092?_mc=RSS_DR_EDT

Fugitive nabbed after posting selfies from Mexico


A fugitive is back in custody having spent a year posting selfies onto Facebook showing his tanned mug and his beachside hideaway.

Nick Grove’s 2014 escape from jail, by scaling a barbed-wire fence, would have been worthy of being the next Jason Bourne movie if only he’d been followed around by a Hollywood production staff filming it all.

Failing a camera crew, the escapee instead self-chronicled, posting taunting selfies of his tanned face on Facebook from poolside in Tulum – a sandy resort town in Mexico about 80 miles south of Cancun.

The New York Daily News found a Facebook page with the alias of “Nico Kai” that looks like it belonged to Grove and which listed his residency as Cancun.

Grove’s photos documented quite the pleasant life, with one selfie showing him lounging shirtless by the pool and another of him hoisting a beer.

He was arrested by Mexican police on Thursday.

The US Marshals Service gave a media briefing on Friday, saying they’d tracked down the fugitive, who started his new, social media-detailed life in Mexico after escaping the Payette County jail in Idaho 14 months ago.

US Marshal Brian Underwood declined to give specifics about how police tracked Grove down, but I’m thinking that listing Cancun as a residency for an account featuring selfies might have been a bit of a clue.

Bragging online about his escape was also helpful.

KTVB quotes Underwood:

Social media certainly played a role originally, because this particular individual bragged about his escape on Facebook.

Grove had been in jail for only 11 days, for unlawful possession of a firearm by a felon, carrying a concealed weapon without a permit, possession of burglary tools and an invalid license.

Within days of his escape, which was on the morning of 26 August 2014, he started posting details.

Police had mounted an intense, but fruitless, manhunt.

They must have been relieved to find that Grove occupied himself by posting photos, music videos and statuses about his escape to Facebook.

When contacted online by a KTVB reporter before his apprehension, Grove declined to give his location, but he did boast about his clean getaway.

The station quotes one of his messages:

They’re chasing a ghost. Nick Grove exists only on paper now.

KTVB reported that shortly after his escape, Grove wrote this on Facebook:

I’ve had more help from total strangers than any of my ‘friends’ or family.

Grove also told the station that he’d gotten himself a new job, a new ID and a new life, all within days of his escape.

He also said that breaking out of the Payette County Jail had been easy:

That place has more security flaws than any facility I’ve ever seen.

Payette County Sheriff Chad Huff said on Friday that the jail has added another fence and multiple cameras, and changed some of its policies.

As of Friday, Grove was awaiting extradition to Payette.

Truly, Grove has earned his place in the Facebook Hall of Stupid Posts.

He joins his likewise profuse social media posting peers:

It’s all fun and games until the selfies start flying and the cops come knocking!

Image of chihuahua taking a selfie courtesy of Shutterstock.com

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/xB0JiHBpINA/

Boy arrested over TalkTalk attack sues newspapers, claiming privacy breach


A 15-year-old schoolboy arrested and questioned over the TalkTalk cyberattack is suing three UK newspapers over alleged breach of privacy.

Lawyers for the teenager, who’s from Northern Ireland, told the court that the boy was recognizable in the newspapers’ coverage, even though the publications altered his image.

According to the Irish Independent, his lawyers said that the boy’s privacy was breached following articles that appeared in the Daily Mail, The Sun and the Daily Telegraph.

The lawyers are claiming negligence, misuse of private information, defamation, and breach of confidence and data protection.

The lawyers also took action against Twitter and Google, which were consequently ordered to remove references to the teenager’s name, address, images or information about his physical appearance.

Fears that reporting on the application for an injunction would trigger even more internet searches on the boy’s identity led to a temporary ban on press coverage of the court action, but it was lifted after Google and Twitter took steps to remove information that could be used to identify him.

Even though the newspapers digitally altered the color of the boy’s hair and partially blacked out photographs that ran with articles about his arrest, his lawyers said that his community could still recognize him, and he’s been “stigmatized” as a result.

His family has had to move home to avoid all the publicity surrounding the case, the court heard.

There have been numerous hearings in the case. In one, a lawyer for the Daily Mail rejected claims that the newspaper had revealed his identity.

Olivia O’Kane said that the boy’s appearance and hair color were altered, neither his name nor his address had been published, and in the Daily Mail’s view, it never identified the teen.

The 15-year-old is one of four people who’ve been arrested so far in the wake of the TalkTalk breach last month: a breach that was initially thought to potentially involve the personal data of up to 4 million customers.

TalkTalk dialed that number down, on 6 November, to a total of 156,959 customers – 4% of its customers – whose unique bank account numbers and sort codes and obscured credit and debit card numbers were affected.

Besides the Northern Irish teen, police have also arrested three other suspects in the UK: a 16-year-old London boy, a 20-year-old man at an address in Staffordshire, and a 16-year-old boy in Norwich.

An order prohibiting the publication of any material that could lead to the boy being identified remains in place.

The case is due to be heard again next month.

Image of hooded computer hacker courtesy of Shutterstock.com

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/I123f0lPwOQ/

GCHQ director blasts free market, says UK must be ‘sovereign cryptographic nation’

IA15 Speaking this morning to CESG’s Information Assurance conference, Robert Hannigan, director of GCHQ, declared that Britain was a “sovereign cryptographic nation” and reproached the free market’s ability to provide adequate cybersecurity.

The claim was delivered to a cybersecurity shindig attended by government employees and private professionals, arranged by GCHQ’s infosec arm CESG, as GCHQ’s head honcho pontificated upon the relationship between the market, regulation, and threats affecting the cyber domain.

“At this event last year, we set out a raft of measures in response to the demands of commercial partners for greater clarity about what they could do to protect themselves and where they could go for help,” said Hannigan, who added that “there has been some very good progress.”

“Over 1,200 companies are now registered as meeting the requirements of Cyber Essentials. Information sharing partnerships are flourishing in some sectors. Cyber risk reviews are helping transform others,” Hannigan claimed, days after CESG was accused of leaving a gaping hole in the government security advisor profession by axing its accreditation scheme.

The global cyber security market is not developing as it needs to: demand is patchy and it is not yet generating supply. That much is clear.

The normal drivers of change, from regulation and incentivisation through to insurance cover and legal liability, are still immature.

And what’s also clear is that we cannot as a country allow this situation to continue.

Speaking on the government’s most recent attempt to regulate in this area – the controversial Investigatory Powers Bill – Hannigan declared his intention to “confront head on some of the myths about these matters, some of which have surfaced again as the government consults on proposals for new national security and law enforcement legislation.”


“First is the myth that the government wants to ban encryption,” said the head of GCHQ. “We don’t. We advocate encryption. People and business in the UK should use encryption to protect themselves. If you don’t believe me, look at the website we launched today which is full of advice to use good encryption. All the government is saying is information needed for national security and serious crime purposes should not be beyond the lawful, warranted reach of the state when the need arises.”

Nor does GCHQ want security products to be weakened by forcing products in the UK to have “so-called backdoors,” Hannigan claimed.

“We have never said this and we do not want this,” he added. “Products should be secure. We work with companies to help make them secure.”

He continued:

The third myth is that we encourage vulnerabilities and leave them there. The truth is the opposite. In the last two years, GCHQ has disclosed vulnerabilities in every major mobile and desktop platform, including the big names that underpin British business. Vendors sometimes publicly credit us with finding those weaknesses. In September, Apple publicly credited us with the detection in the operating system for iPhones.

“No organisation does more to protect the UK in cyberspace,” said Hannigan, “from active defence, through advice, to working with companies to improve the security of products.”

Earlier this year, the Electronic Frontier Foundation filed a lawsuit against GCHQ’s partner organisation in the US, the NSA, over its Vulnerabilities Equity Process, which it uses to hoard 0-day exploits.

Dr. Richard Tynan, a technologist from Privacy International, told The Register: “Mr Hannigan is extremely nuanced with his words when he asserts that GCHQ does not encourage system weaknesses and regularly reports found vulnerabilities. While we may never know the full extent of coercion used by GCHQ, we do know that its big brother, the NSA, paid $10m to RSA, a company that provides encryption products.”

We also know from the Edward Snowden revelations that GCHQ does not disclose all the vulnerabilities it finds and instead uses them for offensive hacking purposes. We have seen GCHQ target a variety of providers, from anti-virus vendors to software commonly used for online blogs and forums around the world.

There is no basis in law at present, or in the proposed Investigatory Powers Bill, authorising GCHQ to fail in its duty to protect the privacy and security of the public. Furthermore, this conduct undermines trust in devices, networks and services as users can be betrayed at any moment by anyone aware of the flaw, including cyber criminals and governments.

GCHQ declined to comment when questioned by The Register about the existence of a Vulnerabilities Equity Policy.

Elaborating on GCHQ’s information assurance successes, Hannigan stated the Sigint agency has “pioneered a world leading approach to declassifying threat data and sharing it at scale with commercial partners.”

We have developed a strong partnership with law enforcement here and in the US, and I pay tribute to our colleagues in the National Crime Agency and the FBI. Together we have disrupted the operations of some of the most dangerous global cyber criminal networks operating today.

“At the high end, we are working closely with the Ministry of Defence to secure the UK’s long term future as one of the world’s few truly sovereign cryptographic nations, something, as many of you will know, the Prime Minister attaches great importance to.”

Asked about “cryptographic sovereignty” GCHQ explained to The Register that “in the context of the speech, [the] Director was referring to the UK being a world leader in [cryptography] in its own right, in that we do not need to depend on other countries, whether state or industry, to have this capability.”

“I am all too aware that we can only achieve anything in partnership. Each and every day I am reminded of the importance of our partnerships – our contractors, who make up a third of our workforce, our suppliers, our commercial partners, those who work with us lawfully on both intelligence and cyber security, and the experts with whom we develop our knowledge and expertise,” said Hannigan.

We have an excellent, proud and long record of working with industry – back through the Second World War – to promote the highest standards of information security in the UK.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/10/gchq_director_speech/

Tim Cook: UK crypto backdoors would lead to ‘dire consequences’

IPB Apple boss Tim Cook has once again warned of what he says would be the “dire consequences” of opening up backdoors to allow spies to access our data.

He said it would be wrong for the UK government’s latest super-spy bid – the draft Investigatory Powers Bill, which landed in Parliament last week – to weaken cryptography.

Cook was speaking to the Daily Telegraph during a visit to London on Monday.

“It’s not the case that encryption is a rare thing that only two or three rich companies own and you can regulate them in some way. Encryption is widely available,” he told the newspaper.

“It may make someone feel good for a moment but it’s not really of benefit. If you halt or weaken encryption, the people you hurt are not the folks that want to do bad things. It’s the good people. The other people know where to go,” Cook added.

The Apple boss reiterated previous comments he has made about end-to-end encryption, by saying that his company was opposed to backdoors.

He said: “We don’t think people want us to read their messages. We don’t feel we have the right to read their emails.”

This isn’t the first time Cook has expressed concerns about the idea of allowing g-men to access Apple servers. In a minor tweak to Apple’s privacy policy back in September 2014, for example, Cook told its customers:

We have never worked with any government agency from any country to create a backdoor in any of our products or services. We have also never allowed access to our servers. And we never will.

On Monday, Cook pointed out that data breaches were “becoming more frequent”, while failing to note that Apple’s own iCloud servers had been ransacked late last year.

What does the proposed snooping law say about encryption?

The Tory government’s draft IPB (PDF) only mentions the word “encryption” four times. Its first airing comes on page 16 under the heading “Equipment Interference” by stating:

Equipment interference plays an important role in mitigating the loss of intelligence that may no longer be obtained through other techniques, such as interception, as a result of sophisticated encryption.

It can sometimes be the only method by which to acquire the data. The armed forces use this technique in some situations to gather data in support of military operations.

Reading between the lines, one could easily argue that “sophisticated encryption” means encryption that actually works.

The next mention comes under the section entitled “obligations on communications service providers” (page 29), in which it is noted that the Regulation of Investigatory Powers Act 2000 (RIPA) requires comms service providers to “maintain permanent interception capabilities, including maintaining the ability to remove any encryption applied by the CSP to whom the notice relates”.

It goes on to state:

The draft Bill will not impose any additional requirements in relation to encryption over and above the existing obligations in RIPA.

The final use of the word “encryption” comes on page 167 under the “oversight arrangements” section of the draft bill. It says the investigatory powers commissioner would, among other things, be required to keep the following under review:

The exercise of functions by virtue of Part 2 or 3 of the RIPA (surveillance, covert human intelligence sources and investigation of electronic data protected by encryption, etc.)

Later today, MPs on the science and technology committee will explore the tech issues arising from the draft Investigatory Powers Bill during a one-off evidence session. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/10/tim_cook_reaffirms_no_spook_backdoors_over_latest_uk_super_snoop_bid/

ProtonMail ‘mitigates’ DDoS attacks, says security not breached

ProtonMail has announced that it has successfully mitigated the DDoS attacks which had hobbled it since last week, while also confirming security systems had not been breached.

The encrypted email service was still being hit as of yesterday, after paying a Bitcoin ransom to one of the two DDoS attackers (the smaller, seemingly less powerful one), known as the Armada Collective, largely due to pressure from other affected companies.

The Swiss Government’s CERT (Computer Emergency Response Team) has today published a notice discouraging the payment of ransoms to DDoS attackers.

ProtonMail stated that it is “happy to announce … that after several days of intense work, we have largely mitigated the DDoS attacks against us.”

“These attacks took ProtonMail offline making it impossible to access emails, but did not breach our security,” according to a statement sent to The Register.

The attacks against the company have continued, but due to “the valiant efforts” of ProtonMail partners, IP-Max and Radware, they “are no longer capable of knocking ProtonMail offline for extended periods of time.”

As our infrastructure recovers over the next several days, there may still be intermittent service interruptions, but we have now largely restored all services.

The DDoS targeting ProtonMail was extremely sophisticated, according to the company, which prides itself on offering a means of secure communication to “activists, dissidents, and journalists”.

It was “the largest and most extensive cyberattack in Switzerland,” according to ProtonMail, “with hundreds of other companies also hit as collateral damage”. The attack also completely took down the data centre housing ProtonMail’s servers and even affected “several upstream ISPs, causing serious damage”.

The Register wishes to note it has been unable to corroborate these claims.

ProtonMail thanked the network experts from Geneva-based IP-Max “who volunteered their time and expertise. Without their heroic 18-hour effort, it would not have been possible for ProtonMail to come back up so quickly in the face of such a massive attack”.

During the rescue operation, the IP-Max team accomplished the impossible, and managed to connect a brand new direct line from our data centre to the main PoP in Zurich, 114 kilometers away, on a Saturday, in less than 18 hours!

ProtonMail also partnered with Radware, which came in to help the crypto company at a reduced price. Radware’s Carl Herberger told The Register that the attack was still ongoing and as such the responders were limited as to what information they might be able to share.

Referencing the 300Gbps DDoS attack against Spamhaus in 2013, Herberger stated “basically, we have the attackers trying all possibilities to get to a DDoS situation”.

Asked about attribution, Herberger suggested the resources necessary for such a sizeable, varied, and persistent attack could indicate a nation state.

“It’s interesting,” he told The Register. “The conjecture around here is that a ‘truly’ secure email service is more likely to receive these kind of attacks” as it is the only way of preventing these “dark” communications, he added.

ProtonMail has stated that the attack set back its development timeline, and announced that it would no longer be releasing ProtonMail 3.0 at the end of November.

The Register understands that the attack was exceptionally aggressive, with ProtonMail previously stating that there were two stages (and two attackers) that had provoked the company’s woes.

The first stage is the volumetric attack which was targeting just our IP addresses. The second stage is the more complex attack which targeted weak points in the infrastructure of our ISPs.

This second phase has not been observed in any other recent attacks on Swiss companies and was technically much more sophisticated.

ProtonMail has promised to reveal the full story behind the attack at some point. It also encouraged DDoS experts “interested in reviewing the attack data” to contact them at [email protected]. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/10/protonmail_mitigates_ddos_security_breach/

Three men indicted over JPMorgan Chase megahack

Three men have been indicted over the megahack of US bank JPMorgan Chase, which involved the compromise of 83 million customer and small business accounts.

A cyberheist at JPMorgan Chase in 2014 led to the compromise of the sensitive personal details of 76 million households and seven million small businesses.

The three men, Israeli nationals Gery Shalon and Ziv Orenstein, and US national Joshua Samuel Aaron, who split his time between Florida, Tel Aviv, and Moscow, were initially named in an indictment in July.

They have now been charged in a 23-count indictment over crimes including computer hacking, securities fraud, wire fraud, identity theft, illegal Internet gambling and conspiring to commit money laundering.

A previous charge accused the men of “orchestrating a scheme to manipulate the price and volume of traded shares in numerous publicly traded stocks by means of deceptive and misleading email campaigns, and manipulative, prearranged stock trading.”

Two criminal complaints from July named Anthony R. Murgio and Yuri Lebedev, both of whom resided in Florida, where they attended Florida State University.

Reuters reported that another indictment has alleged “various fraud and conspiracy charges against Anthony Murgio” who has been linked with the megahack of JPMorgan in an FBI memo. Lebedev is on bail in Florida.

An article published in the Harvard Business Review earlier this year claimed that data breaches “don’t hurt stock prices” due to shareholders lacking “good metrics, tools, and approaches to measure the impact of cyber attacks on businesses and translate that into a dollar value.”

The HBR noted how, despite the enormous scale of the JPMorgan Chase hack, the company’s stock prices had remained stable – indeed, had actually begun to rise by the beginning of the following month. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/10/three_indicted_over_jpmorgan_chase_megahack/

Why Threat Intelligence Feels Like A Game Of Connect Four

In real life, solving the cybersecurity puzzle has many challenges. But shared wisdom and community defense models are making it easier to connect the dots.

You know Connect Four — that plastic game with the vertical grid where you drop checker pieces until you get four in a row? With two good players it’s deceptively simple. You have to keep your eye on all possible permutations while plotting several moves ahead.

That game reminds me of the challenges that today’s threat intelligence professionals face. Except it’s a three-dimensional version of that game, connecting many disparate pieces while keeping an eye on adversaries making several moves ahead. And in real life, the stakes are much higher.

As a lifelong security practitioner, I have worked everywhere from highly classified environments to critical infrastructure entities. Even in the most sophisticated, well-defended environments such as financial services, there are still many information silos. It’s hard to find the threat needles in the data haystack. It’s not just disparate security technologies. I am also talking about organizational, process, and data silos.

In the financial sector, three key domains come to mind: 1) information security, 2) physical security and personnel, and 3) anti-fraud and anti-money-laundering. Typically these are managed and executed separately.

If we could truly connect the dots between even two of these domains, we would make significant strides in better understanding the threat landscape, reducing the risk of blended threats, improving incident response, and reducing theft and losses.

Everyone is impacted
All these functional areas impact one another. Physical security impacts confidentiality and data integrity. A data security lapse can impact physical security. And when there is an enterprise security incident, many teams are impacted: the fraud team, the desktop team, the network team, the website team, the cloud security team, the physical security team, the email team, and the list goes on.

Business email compromise (BEC) is a great example of a trending blended threat where nearly all functional areas are impacted. As analysts dig into the indicators of a BEC, they need to ask: “What social engineering techniques were used; Which personnel were targeted or impersonated; What email header and payload information is available; What payment or procurement processes were perverted; What business partners or accounts were compromised; How were funds stolen or data exfiltrated?” Each new question may cross organizational, political, and technical precincts.

There are many other examples of natural silos in big organizations. What happens when new infrastructure is rolled out or when a new office is commissioned? Is the information security team part of the plan? Are vulnerabilities addressed? Is the site monitored? Is system usage authenticated and verified?

Disconnects can also happen for network security. Disparate groups monitor network performance and uptime and DDoS attacks, but may not be monitoring for a user accessing an unusual volume of customer records or systems accessed at the wrong time. Maybe ports 80 and 443 are monitored, but the firewall rules for other ports are not up to date. Maybe a system has been offline for an unusual amount of time and no one notices.

We tend to think that the more people engaged in information security, the more tools, the more budget, the more process, the better. But complexity can be detrimental to security. For example, a user opens her email and gets an alert that an infected file was found and cleaned. If the desktop team is notified, it means that everything is ok, right? But what if only part of the infection was identified and malware is still persistent, waiting to access sensitive systems? The AV team sees one puzzle piece. The network team sees one puzzle piece. But the fraud team didn’t see any of this. Where’s the correlation? Where’s the connection?

Not just a data or policy issue
Different teams, competing priorities, varied approaches, various critical watch lists… Many organizations are making good strides in aligning and clarifying corporate priorities to recognize that physical and cyber teams need to work together. Some companies have set up internal fusion centers. Public and private sector relationships are in place. Information sharing organizations like ISACs and ISAOs are helping facilitate the flow of real-time threat information. Standards like STIX and TAXII are helping to normalize threat data and make it more actionable. Shared wisdom and community defense models are quickly becoming the new norm.

In that spirit, I want to share four tips to help organizations get and stay connected.

  1. Understand the business: What is the business context you work in as a security team and what are its priorities? What is the worst that can happen and how do you spot it before it happens?
  2. Know thyself: No one else can know what you do, how you do it, what systems you have, or what they are supposed to do. No one else can spot what isn’t supposed to be there the way you can. Like bank tellers trained on real currency so they know a fake when they see it, organizations that “know themselves” have reduced the attack surface.
  3. Look for ways to connect: Seek out ways to share information internally and externally. Sponsor regular cybersecurity simulations that involve multiple functional areas. Advocate for updates to crisis playbooks. Communicate the security roadmap broadly and especially at the executive level.
  4. Stick to the plan: Too often, security is compromised to meet the competitive and agility demands of the business, or even simply to react to the present threat landscape. Money is spent without the full context of how security fits into a strategic business plan. And, when a new threat comes along, organizations are tempted to divert from the plan and buy an expensive new tool or appliance that may not be the best fit. Don’t react and don’t over-react. Have a solid plan and map actions and investments to that plan.

Kristi Horton is the lead intelligence officer of the Financial Services Information Sharing and Analysis Center (FS-ISAC). The FS-ISAC is a non-profit corporation formed in 1999 and is funded by its 6,500 member organizations. The FS-ISAC’s mission is to help assure the …

Article source: http://www.darkreading.com/analytics/why-threat-intelligence-feels-like-a-game-of-connect-four/a/d-id/1323072?_mc=RSS_DR_EDT

All cooped up and nowhere to go, US and German spooks spied on each other

Allied US and German spooks cooped up in a windowless structure dubbed the Tin Can have been found secretly spying on each other.

The revelations expose the absurdity of a secret agreement between the two spy agencies, the NSA and the BND, to operate from a former US base in Bad Aibling, Germany, which was handed over to German control in 2004.

There the spy agencies could ostensibly monitor communications from governments and organisations throughout Western Europe, with an agreement to not spy on each other, and established the Joint Sigint Activity and Joint Analysis Center for data acquisition and analysis.

In October national news digger Der Spiegel reported the NSA broke that agreement and spied on the German Government, and may have conducted economic espionage right under the nose of the BND.

Now, Spiegel says the BND spied back on US Government diplomatic outposts and agencies, along with a host of other countries and non-governmental institutions.

Also on the BND menu were Britain, EU member states, the Vatican, the Red Cross and Oxfam.

Targets are determined through the agencies’ use of email keyword selector searches.

The BND is also reported to have intercepted communications from the United States’ Department of the Interior and its diplomatic stations in Brussels, along with the United Nations office in New York.

Its selector searches include telephone and fax numbers along with email addresses belonging to diplomatic officials from the US, France, Britain and the Vatican, as well as Sweden, Switzerland, Portugal, Greece, Spain, Italy, and Austria.

It also targeted interior ministers of Poland, Austria, Denmark and Croatia in the email search.

The news follows revelations the office serving German Chancellor Angela Merkel was infected with dangerous malware based on Regin and thought linked to the NSA. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/10/nsa_german_spooks_spy_on_each_other_within_windowless_tin_can/