STE WILLIAMS

Cryptomining Malware Continues Rapid Growth: Report

Cryptomining malware is the fastest-growing category of malicious software, according to a new report.

Ransomware is the biggest trend in malware and it shows little sign of slowing down. After new cryptomining malware samples grew 629% to more than 2.9 million samples in the first quarter of 2018, their growth continued; in the second quarter total samples grew by 86% with more than 2.5 million new samples.

The news about cryptomining malware is at the center of the McAfee Labs Threats Report: September 2018, released today. The company notes that cryptomining has become such a popular malware approach that older malware families are being re-tooled to carry cryptominers, rather than ransomware or botnet recruiters, as their payload.

In addition to the cryptominers, both ransomware and mobile malware continue to grow, with new ransomware samples increasing 57% in the last year. This represents a slower growth rate than that previously seen, but it remains significant growth. Mobile malware grew 27% in the second quarter, with South America seeing the highest rate of new variants.

For more, read here and here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/threat-intelligence/cryptomining-malware-continues-rapid-growth-report/d/d-id/1332890?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Wendy’s faces class action over collecting staff fingerprints

The US fast-food chain Wendy’s is facing a proposed class action lawsuit in Illinois over its use of biometric clocks that scan employees’ fingerprints to track them at work, according to a complaint obtained by ZDNet.

The complaint was filed on 11 September in a Cook County court. According to Law 360, a second class action accuses a plastics company, Amcor Ltd., of similar missteps.

The class action was filed by former Wendy’s employees Martinique Owens and Amelia Garcia and argues that Wendy’s use of Discovery NCR Corporation fingerprint scanners to track employee hours and access to cash registers and point-of-sale (PoS) systems is in violation of Illinois’s 2008 Biometric Information Privacy Act (BIPA).

Specifically, the suit charges Wendy’s with failing to make employees aware of why it’s collecting their biometrics or how long it will collect, store and use their fingerprints, as required by BIPA. Wendy’s doesn’t even obtain written releases from employees with their explicit consent to take their fingerprints in the first place, the suit claims.

From the complaint:

While there are tremendous benefits to using biometric time clocks in the workplace, there are also serious risks. Unlike key fobs or identification cards – which can be changed or replaced if stolen or compromised – fingerprints are unique, permanent biometric identifiers associated with the employee. This exposes employees to serious and irreversible privacy risks.

ZDNet notes that it’s no accident that Discovery NCR, the software maker behind the biometric clocks, is named in the class action. The plaintiffs say that they suspect NCR may be in possession of fingerprint data on Wendy’s employees.

It was a privacy scandal over finger biometrics that led to the enactment of BIPA in 2008. In the earlier case, a private company called Pay By Touch provided consumers with just that: the ability to pay for things with the swipe of their finger on a biometric sensor.

Its technology enabled access to checking, credit card, loyalty, healthcare, and other personal information. Pay By Touch filed for bankruptcy in 2007. When it went under in 2008, it left the biometric data of nearly three million customers in limbo, as people realized that their fingerprints, which were being collected in stores, were being sent off to Pay By Touch.

Would the data be sold in the bankruptcy proceedings, like in the case of NCIX’s customer data finding its way onto Craigslist?

That was of particular concern to Illinois, the home state of the defunct company. Its response: BIPA.

The legislation requires entities that use biometric technology to inform users in writing about how the data will be stored, how it will be used, and for how long. It also states that no biometric data can be disclosed, sold, leased, traded or otherwise used for monetary gain.

The plaintiffs are seeking class-action classification and a jury trial. They’re requesting equitable relief, litigation expenses, attorneys’ fees, and disclosure of whether Wendy’s “sold, leased, traded, or otherwise profited from Plaintiffs’ and the Class’s biometric identifiers or biometric information.” They also want to know whether Wendy’s or NCR have ever used plaintiffs’ and any of the subsequent class filers’ fingerprints to track them, according to the complaint.

The fast-food chain hadn’t responded to ZDNet’s request for a comment as of Monday afternoon.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/OFab4Ddde54/

Woman hijacked CCTV cameras days before Trump inauguration

Just a few days before the January 2017 inauguration of President Trump, the Metropolitan Police Department (MPD) in Washington, DC noticed that several surveillance cameras weren’t working.

It would transpire that they were being held hostage in a ransomware attack, with some of the systems being used to spread the attack further. In fact, when investigators disrupted the attack on 12 January 2017, they found that some of the computers had been turned into proxies to spread the malware and were in the process of targeting 179,616 other systems.

The cameras were yanked back into working mode within a few days, and the ensuing investigation set off an international hunt for the culprits. The trail led to Romania, and eventually to Eveline Cismaru: a 28-year-old woman who on Thursday pleaded guilty to federal charges stemming from the attack.

Fellow Romanian, Mihai Alexandru Isvanca, was arrested in December in Bucharest, Romania, and remains held there pending extradition to the US. Three other Romanian hackers are facing prosecution in Europe.

Cismaru had initially skipped town, fleeing Romania weeks after her arrest. She was tracked down and apprehended in the UK in March 2018, and extradited to the US on 26 July 2018.

As the Washington Post reported last February, two people were arrested in London as part of the same investigation: a 50-year-old British man and a 50-year-old Swedish woman.

They would turn out to be innocent.

Investigators had found a tracking number for a package that was displayed on one of the hacked police computers that led them to a London address, but a forensic analysis of the London couple’s devices revealed no connection to the crime. Rather, it would turn out that a British healthcare company’s IP address was used to create an online order… a company that had earlier reported being hacked.

According to court filings, the Secret Service found that the closed-circuit cameras had been hijacked by “non-police” users: users who were sending spam messages laced with ransomware to a long list of email addresses. According to court papers, the computers accessing those targeted email addresses led authorities to Isvanca and Cismaru.

Secret Service agent Brian Kaiser found that 126 of the MPD’s 187 outdoor surveillance cameras were locked by an unspecified ransomware variant. A few of those had been converted into proxies and used to spread additional ransomware and malware attacks.

As the Washington Post reported at the time, investigators managed to wrestle the cameras free over the course of two days by taking the devices offline, removing all software, and restarting the system at each site – all without paying a dime of ransom. The total cost demanded by the attackers was estimated to be $60,800.

Nobody’s physical security was threatened or harmed due to the disruption of the MPD surveillance cameras, the DOJ says.

Cismaru is due to be sentenced on 3 December.

At the time of the Romanian hackers’ arrests, it wasn’t known whether the defendants knew exactly which cameras they were targeting. Bill Miller, a spokesman for US Attorney Jessie K. Liu, said at the time that given the nature of the surveillance, this case was a top priority:

This case was of the highest priority due to its impact on the Secret Service’s protective mission and its potential effect on the security plan for the 2017 Presidential Inauguration.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/-dI7L4txhBw/

AdGuard adblocker resets passwords after credential-stuffing attack

Popular adblocker AdGuard has taken the decision to reset all user accounts after being on the receiving end of a credential-stuffing and brute-force password attack last Thursday.

Said the company’s security notice:

Today we detected continuous attempts to login to AdGuard accounts from suspicious IP addresses which belong to various servers across the globe.

AdGuard said it had detected the unusual login attempts and blocked them but decided to issue a full password reset because it couldn’t be certain which of the credential-stuffing attempts had been successful.

Account resets normally happen after data breaches, so was the password reset necessary? Absolutely – despite the hassle for users, AdGuard has done the right thing.

Could it have better protected itself against this kind of attack? Interestingly, yes, but to understand why, we need to examine what happened more closely.

Credential menace

Credential stuffing is a type of attack where cybercriminals get hold of passwords and usernames from one data breach and then use them on lots of other websites to see if any work there too.

Because a lot of users have got into the bad habit of reusing the same passwords across several websites, the tactic is successful at least some of the time.

All attackers need is a credential-stuffing tool and a botnet made up of compromised hosts that can be used to spread the attack traffic across different IP addresses to make detection and blocking harder.

While credential-stuffing attacks are not new, figures from the content delivery network and cloud services provider Akamai show its customers saw 30 billion malicious login attempts in the eight months to June 2018, a big rise compared to last year.

The AdGuard attack

Judging from its description, AdGuard experienced two types of attack – a credential stuffing attack and a generic brute-force attack where the perpetrators simply try lots of common weak passwords to break into accounts.

Brute-force attacks should be easy to spot because lots of incorrect passwords fired at the same account will stand out as unusual. Credential-stuffing attacks can be even noisier because the spike in activity affects large numbers of accounts at the same time.

One defence is rate limiting – locking accounts after a specified number of incorrect passwords – but as AdGuard admits, this is powerless to stop an attacker who already knows the correct password stolen during a third-party data breach.

That login would have appeared indistinguishable from the real user performing the same action which is why AdGuard was wise to issue a general password reset for everyone.
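The two attack signatures described above, plus the blind spot the article points out (a stuffed login with the right password looks like the real user), as an added example that is not the article's or AdGuard's own code. The log lines are constructed, and the thresholds are illustrative assumptions.

```python
"""Added example, not from the article or AdGuard: the two login-attack
signatures the text describes, run over a constructed authentication log."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log: timestamp, source IP, account, outcome.
# 203.0.113.5 hammers one account (brute force); 198.51.100.x each try a
# few different accounts once (credential stuffing), and one pair works.
SAMPLE_LOG = """\
2018-09-20T10:00:01 203.0.113.5 alice FAIL
2018-09-20T10:00:02 203.0.113.5 alice FAIL
2018-09-20T10:00:03 203.0.113.5 alice FAIL
2018-09-20T10:00:04 203.0.113.5 alice FAIL
2018-09-20T10:00:05 203.0.113.5 alice FAIL
2018-09-20T10:00:06 203.0.113.5 alice FAIL
2018-09-20T10:01:00 198.51.100.1 bob FAIL
2018-09-20T10:01:01 198.51.100.1 carol FAIL
2018-09-20T10:01:02 198.51.100.1 dave FAIL
2018-09-20T10:01:03 198.51.100.2 erin FAIL
2018-09-20T10:01:04 198.51.100.2 frank FAIL
2018-09-20T10:01:05 198.51.100.2 grace FAIL
2018-09-20T10:01:06 198.51.100.3 heidi FAIL
2018-09-20T10:01:07 198.51.100.3 ivan FAIL
2018-09-20T10:01:08 198.51.100.3 judy SUCCESS
2018-09-20T10:01:09 198.51.100.3 mallory FAIL
2018-09-20T10:02:00 192.0.2.10 carol SUCCESS
"""


@dataclass(frozen=True)
class Attempt:
    ts: str
    ip: str
    account: str
    ok: bool


def parse_log(text):
    """One Attempt per line; the outcome field is SUCCESS or FAIL."""
    attempts = []
    for line in text.strip().splitlines():
        ts, ip, account, outcome = line.split()
        attempts.append(Attempt(ts, ip, account, outcome == "SUCCESS"))
    return attempts


def detect_brute_force(attempts, max_failures=5):
    """Brute force: many wrong passwords fired at the same account.
    Returns the accounts that reach the failure threshold (the pattern a
    per-account lockout catches)."""
    failures = defaultdict(int)
    for a in attempts:
        if not a.ok:
            failures[a.account] += 1
    return {acct for acct, n in failures.items() if n >= max_failures}


def detect_credential_stuffing(attempts, min_accounts=3, max_per_account=2):
    """Credential stuffing: one source tries stolen pairs against many
    different accounts, usually once or twice each, so per-account lockout
    never fires. Returns the source IPs showing that spread."""
    per_ip = defaultdict(lambda: defaultdict(int))
    for a in attempts:
        if not a.ok:
            per_ip[a.ip][a.account] += 1
    return {ip for ip, accts in per_ip.items()
            if len(accts) >= min_accounts and max(accts.values()) <= max_per_account}


def suspicious_successes(attempts, stuffing_ips):
    """A stuffed login with the right (reused) password succeeds exactly as
    the real user would; the only tell is that its source sits in the
    stuffing cluster. These are the accounts a reset must cover first."""
    return {a.account for a in attempts if a.ok and a.ip in stuffing_ips}


def analyze(text):
    attempts = parse_log(text)
    stuffing_ips = detect_credential_stuffing(attempts)
    return {
        "brute_forced_accounts": detect_brute_force(attempts),
        "stuffing_sources": stuffing_ips,
        "accounts_to_reset": suspicious_successes(attempts, stuffing_ips),
    }


if __name__ == "__main__":
    for name, value in analyze(SAMPLE_LOG).items():
        print(f"{name}: {sorted(value)}")
```

Because the successful login from 198.51.100.3 is only suspicious by association with its source, a site that cannot attribute sources reliably is left with exactly AdGuard's choice: reset everyone.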

However, if AdGuard and its users had implemented even quite basic two-factor authentication (2FA) then the credential-stuffing attack would have quickly floundered (the attackers would have had the correct password but not the additional factor). AdGuard has admitted this and says it plans to introduce 2FA in future:

We physically can’t implement it in one day, but this will be our next step and we will let you know about it as soon as it’s done.

Commendably, AdGuard does prevent people from using passwords that are part of the Have I Been Pwned? (HIBP) database, although it’s still possible to change a password to anything else after sign-up.

Who is affected?

Anyone running an AdGuard paid version should have an account that requires a password reset, including the Windows and Mac desktop applications as well as paid mobile accounts for Android or iOS.

AdGuard browser extensions for Chrome, Firefox, Safari, Edge, Opera, and Yandex seem to be free to use and aren’t connected to accounts that require a reset.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/PFIlZ2dGSAA/

Users fret over Chrome auto-login change

Users were complaining this week after discovering they’d been logged in to Google’s Chrome browser automatically, after logging into a Google website.

Chrome has long included a feature that lets you log in, connecting the browser directly to your Google account. This lets the browser, via its sync feature, store information about your web usage on Google’s servers, including your browsing history, bookmarks, tabs, autofill information, and a list of your installed extensions. Google provides it as a convenience for users because it enables them to synchronise the browser environment across their devices.

As you’d expect, not everyone likes the idea of sending their data to Google’s servers. Chrome users have traditionally been able to surf the web, including Google’s own websites, without signing into the browser.

Recently, though, Matthew Green, assistant professor at Johns Hopkins University and a cryptography expert, discovered that an update to Chrome has been signing users into their Chrome browsers whenever they logged in to a Google website. He blogged about it in full here.

From now on, every time you log into a Google property (for example, Gmail), Chrome will automatically sign the browser into your Google account for you. It’ll do this without asking, or even explicitly notifying you.

This angered the privacy-conscious Green, who doesn’t want Google seeing his web usage data. He has deliberately avoided signing Chrome into his Google account ever since he began using it.

According to Google executives, the rationale for the change stems from the fact that you can sign into Google in two ways when using Chrome. In addition to the browser’s own login feature, you can also sign in via the Google web page, as you would in any browser.

Adrienne Porter Felt, an engineering manager on the Google Chrome team, explained in a Twitter conversation with Green that the company made the change to avoid a common privacy problem, particularly on shared computers where one user may have logged into Chrome, unaware that someone else has signed into a different Google account on the web.

She defended the company’s position by pointing out that the automatic sign-in feature does not automatically cause the browser to synchronise your web usage data to Google. Users have to turn that on separately.

She also went into more depth in another Twitter thread designed to update users:

Google changed its privacy policy over the weekend to reflect the fact that synchronization is only enabled if you explicitly choose it. Before the update, the policy listed two modes: Basic mode, and Signed-in Chrome mode. The update over the weekend changed the latter to ‘Signed-in, Synced Chrome mode’, and added this text:

On desktop versions of Chrome, signing into or out of any Google web service (e.g. google.com) signs you into or out of Chrome. Sync is only enabled if you choose.

The clarification hasn’t made Green much happier. He argues that the account-muddling problem Google is trying to solve shouldn’t affect users who don’t want to sign into the browser. On his blog, he writes:

In order for this problem to apply to you, you already have to be signed into Chrome. There is absolutely nothing in this problem description that seems to affect users who chose not to sign into the browser in the first place.

So if signed-in users are your problem, why would you make a change that forces unsigned-in users to become signed-in?

He worries that if Google is now logging him into Chrome when he didn’t give it permission, it makes it difficult to trust the company’s assurances about syncing. He also argues that it’s relatively easy to sync by mistake using a single click, because once logged in, the browser displays a blue synchronization button that he says is ambiguous.

Does that big blue button indicate that I’m already synchronizing my data to Google? That’s scary! Wait, maybe it’s an invitation to synchronize! If so, what happens to my data if I click it by accident?

He goes so far as to call it a ‘dark pattern’, by which he means a user interface design decision intended to manipulate or mislead.

He isn’t the only person to have noticed that. Others responded to Porter Felt’s tweets, with at least one person complaining that their data had been synced as soon as they were signed in:

Google’s former director of information security engineering didn’t seem that enamoured by the move either. Michal Zalewski, who left the company in March to join Snap, led a team of around 100 engineers at the search and advertising giant. He chimed in:

One clear message that came through from several Twitter respondents to Porter Felt is that this change should have been flagged to users publicly before Google made it. Now it has happened, the company has had to play catch-up and clarify the implications for Chrome users.

So, what do you do if you’re among those who love using Chrome and don’t want to move? You can set a passphrase to encrypt the synced information that Google stores about you on its servers, and you can also select which data to sync.

Last week Naked Security ran a poll to discover which web browser our readers trust the most. It’s moves like this one that ensure, in spite of its preeminent market share, it isn’t Chrome.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/qaUIWtsfMa4/

Bug? Feature? Power users baffled as BitLocker update switch-off continues

Three months on, users continue to report that Microsoft’s BitLocker disk encryption technology turns itself off during security updates.

The problem, which has prompted much head-scratching in security circles, was raised by power user “kingcr” on Microsoft’s technet forums back in June as part of an ongoing discussion.

He reported at the time that BitLocker automatically suspended itself the first time a machine logged in after a security patch was applied and following a restart of his Windows 10 machine.

A couple of factors may be at play. One contributor to the discussion claimed that feature upgrades – unlike regular cumulative updates – had always suspended BitLocker. Since the release of Windows 10 v1803 in early May it has been possible, in certain circumstances, to let BitLocker run unimpeded even when feature updates are applied. This facility only works “when TPM [Trusted Platform Module] is the only protector (no password, no USB-key, no PIN)”.

The original poster told the thread his machine had been suspending BitLocker even during cumulative updates, adding that he reckoned the PC was clear of scripts that might explain the odd behaviour. “kingcr” managed to replicate the odd behaviour even after a clean install on the same machine.

Others said they had encountered the same issue.

This was a worry because “BitLocker should ‘never’ suspend itself without explicit interactive permission from the administrator,” as one contributor put it.

The protection offered by the technology is rendered irrelevant otherwise, some argued.

The glitch isn’t remotely exploitable but is still a means for hackers with physical access to a computer to snaffle encryption keys, although only around the application of security updates.

Security experts quizzed by El Reg have noticed the BitLocker suspension snafu.

Sean Sullivan, a security advisor at F-Secure, told El Reg: “Automated BIOS/firmware updates recently required my laptop’s BitLocker to disable itself. Haven’t heard about it doing so in any other scenario, though.”

Computer forensic expert David Cowen confirmed what several power users were reporting on the thread. “Updates put the volume in clearkey mode for one reboot.”

Cowen blogged about the issue from a computer forensics perspective back in July.

BitLocker is Microsoft’s full disk encryption technology and has been bundled with Windows since the days of Vista. Means and ways around the tech are of constant interest to hackers of various stripes.

So is what’s happening expected behaviour or a glitch?

Microsoft said it was working on the issue.

Jeff Jones, senior director at Microsoft, said: “On older devices without a Trusted Platform Module, Bitlocker may be temporarily suspended during some updates. Protection resumes after the machine is restarted.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/09/25/bitlocker_suspension_patching_mystery/

WWII Bombe operator Ruth Bourne: I’d never heard of Enigma until long after the war

Interview El Reg had the honour of speaking with a war hero last Friday when the UK’s National Museum of Computing fired up its replica Enigma code-breaker to decrypt messages sent from Poland.

Ruth Bourne was among hundreds of Wrens who worked on the front line of code-breaking on 200 or so Bombe machines[1] at sites in and around Bletchley Park. This often pressurised work took place over eight-hour shifts and around the clock.

After she signed the Official Secrets Act, Bourne was told her work involved “code-breaking enemy messages” and no more. “I never even heard the name Enigma until long after the war,” she said.

Ruth Bourne in front of reconstructed Bombe [photo credit: Charles Coultas]

Enigma was a field encryption device used by units of the German Wehrmacht (military) during the Second World War. Encrypted messages were sent by telegraph. Wheel settings of the Enigma were reset across the whole network every day, usually around midnight, creating a new key.

The process started with the interception of the Enigma-encrypted Morse code messages, which were then forwarded to Bletchley Park (aka Station X).

Code-breakers at Bletchley and other sites used by the wartime Government Code and Cipher School (GC&CS) scrambled to figure out the day’s key. The Turing-Welchman Bombe, designed by Alan Turing and Gordon Welchman based partly on an earlier Polish design, was the electro-mechanical machine that somewhat automated the process.

Once the wheel and plug board settings had been determined, it was possible to read other Enigma-encrypted messages sent throughout the same day and evaluate the intelligence (codenamed Ultra) they contained.

Bourne, 92, worked in code-breaking at Bletchley Park’s satellite sites of Eastcote and later Stanmore between the time she volunteered in May 1944 until VJ Day, the end of the war.

“By the time I joined up there were very few Bombes at Bletchley and I think they were there for training anyway,” she said. “I think we finished up with 213 Bombes and they couldn’t all be in the same place, certainly not on the Park, because [Bletchley] was full of Colossus machines [valve-based electronic computers used to break the Lorenz cipher used by German High Command].

“After the atomic bomb was dropped [Hiroshima, Japan, August 1945] we stopped using the Bombes and started to dismantle them.”

Bletchley Park’s code-breakers are credited by historians with shortening the war by two years. Asked if she realised the importance of her work at the time, Bourne said: “No, not at all.” The then 18-year-old was almost completely in the dark.

“We were only ever told, after we had signed the Official Secrets Act, and gone through a lot of other palaver, [that] ‘We are breaking German codes’. That’s a five-word sentence and that’s all I ever knew. We didn’t know about Enigma. We didn’t know anything about how the Bombe worked or how it related to the Enigma machine [either].

“I was just putting wheels on and taking them off and putting plugs in and so on.”

Code-breaking work “involved – more than anything else – being accurate,” Bourne said.

“It was literally drummed into us that we must be accurate otherwise a lot of very important work by very clever people would be ruined. So we had to be very alert.

“I have to say that [working] from midnight to 8 o’clock was very, very tiring indeed.”

The work itself was intense. “On watch it was like everything to do with the code-breaking and every code-breaker at Bletchley or wherever they were – what we had in common was pressure,” Bourne said. “Simply because when the Germans changed the code at midnight, and they could even do it more often … If you wasted time then the information that you eventually decoded would be no good because everything would, obviously, have already happened.”

Fatigue was a real and present risk to the operation. “I think personally it was pressurised and a lot of the girls didn’t manage very well but you could always get time off if you became ill – what they called burnout. I got two weeks off. That was nice.”

Bombe reconstruction

The standard British Bombe featured 36 Enigma equivalents, each housing three drums and wired to mimic the enciphering process.

Paul Kellar, an engineer involved in the multi-year project of reconstructing a working Bombe, on display at the National Museum of Computing since June, told El Reg about aspects of work by Gordon Welchman that made code-breaking using the Bombe feasible.

“The Welchman diagonal board made it a success and allowed the Bombe to work with weaker, shorter cribs[2] and with fewer false positives.”

We asked Bourne how the reconstruction compared to the original Bombes.

“I’m not a technician – and it has been a very long time since I’ve seen the original – but it’s very, very familiar. It’s a facsimile,” she said.

“Not having the memory that I should have being 92… nevertheless I could just operate it now and, if I had another person with me, I could even plug it up.”

If anything, the reconstructed Bombe is too pristine to be mistaken for its wartime predecessors.

“It’s pretty good. Except the present one looks very clean and new, whereas when I was working all the drums were battered and chipped and the plugs at the back were not strong and firm. You had to be a bit careful.”

A shift in the life

Bourne walked us through a shift as a Bombe operator.

“You came on watch and you took over from whoever was there and you worked in pairs. On one day you would be operating the Bombe, which meant being on your feet for mostly all the time. And then the next day you could check it with the checking machine, which is a different machine you learnt to use.

“The only time you worked as a pair was plugging up because plugging up at the back of the machine was absolutely vital that you got it right and it was pretty complicated. There were all these wires; each plug had 13 pins, doubled up for 26 letters. They all had to go in on a straight line into these sockets. You mustn’t twist them, break them or put them in wrong.

“And then there were three banks of alphabets to plug up. One of you shouted out the letters to join and the other one joined them up. So that was the back of the machine and then in the front of the machine we had the drums which were akin to the scrambling wheels on the Enigma – but we didn’t know that [at the time].

“We were putting them on according to what was known as a menu, which were the settings which had been worked out at Hut 6 with cribs and so on. Well Hut 6 if you were doing naval codes.

“So you put the drums in according to the settings on your menu or sheet of information… and then you switched it on. Now it clicked around and clicked around and then while it was clicking around you were picking up the Bombe drums from the previous run and checking them for any short circuit possibilities.

“Every drum had rows of 26 brushes and each of those brushes had six strands of wire in each brush and they could touch each other – especially if you had turned your drums the wrong way when you put them on the machine. That was when you were in big trouble.

“During that time if your machine stopped you had to write the stop[3] down and rush with it to the checker. And you also had to write down on a log sheet every run and what had happened – whether it was a good run, a bad run, a one stop or a two stops. You were on the go for seven-and-a-half hours out of eight hours.”

Bumps in the night

El Reg asked Bourne if she met any of the famous code-breakers such as Welchman or Turing.

“The short answer to that was I was too young,” she said. “By the time I joined up, Alan Turing was long gone. He went to America and then he came back here. I never met any famous code-breakers. All these initial code-breakers were much older than me.”

What about her working and living conditions during the war?

“I was never in the huts but our own living conditions were horrible,” she recalled. “We had cramped barracks. We had 72 of us sleeping in one room on double bunks. If the girl on the top bunk was a big girl then you were in for a very bumpy night, I can tell you.

“We had horrible food. We also had to do all of the things that ordinary Wrens did because we weren’t supposed to be extraordinary. Even if we were up all night we still had to do all the washing up, we had to do our washing, we had to scrub our floors every month. It was not much fun, I can tell you.” ®

Bootnotes

[1] No one is quite sure of the number of Bombes built – “around 211” is the best estimate, a representative of the National Museum of Computing told El Reg. “I don’t think we will ever know for sure,” he said, adding: “Only a small number of training Bombes were at Bletchley Park. Most were at outstations, mostly nearby, like Eastcote.”

Wrens operated both the Bombes and Colossus. The only men around were likely codebreakers, engineers, etc due to wartime armed forces conscription.

[2] Cribs are portions of cipher text of which the plain text equivalent is already known. Typically this would include phrases such as “Heil Hitler” and wetter (weather) that the Germans habitually sent in the first message of the day.

[3] A stop (a term of art in WWII code-breaking) refers to when the Bombe drums have found a possible/candidate solution. Every stop is checked on the checker machine. There could be many false stops before the actual solution was found and the process ruled out false positives en route to cracking the key of the day.
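The crib-to-stop-to-checker process the interview and the bootnotes describe, as an added example that is neither the article's code nor the museum's reconstruction: a minimal Enigma I simulator and a brute-force search that plays the Bombe's role for one rotor order. It assumes rotors I, II and III with reflector B, ring settings at A and an empty plugboard (so a stop here is a complete rotor key, whereas the real Bombe also resolved plugboard hypotheses through the menu loops and diagonal board); the day key QWE and the message are constructed.

```python
"""Added example (not from the article or the museum's reconstruction):
a minimal Enigma I simulator and a brute-force "Bombe" that finds the
rotor start positions (the stops) consistent with a crib. Assumptions:
rotors I, II, III with reflector B, ring settings all at A, no plugboard."""
ALPHA = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
ROTORS = {  # historical wiring and turnover notch for each rotor
    "I": ("EKMFLGDQVZNTOWYHXUSPAIBRCJ", "Q"),
    "II": ("AJDKSIRUXBLHWTMCQGZNPYFVOE", "E"),
    "III": ("BDFHJLCPRTXVZNYEIWGAKMUSQO", "V"),
}
REFLECTOR_B = "YRUHQSLDPXNGOKMIEBFZCWVJAT"


def _i(ch):
    return ord(ch) - 65


# Precomputed forward and inverse wiring tables (letter index -> letter index)
FWD = {n: [_i(ch) for ch in w] for n, (w, _) in ROTORS.items()}
INV = {n: [w.index(ch) for ch in ALPHA] for n, (w, _) in ROTORS.items()}
REFL = [_i(ch) for ch in REFLECTOR_B]


class Enigma:
    """Three-rotor Enigma with ring settings fixed at A and no plugboard."""

    def __init__(self, rotor_order, start):
        self.fwd = [FWD[n] for n in rotor_order]        # left, middle, right
        self.inv = [INV[n] for n in rotor_order]
        self.notch = [_i(ROTORS[n][1]) for n in rotor_order]
        self.pos = [_i(ch) for ch in start]

    def _step(self):
        # The right rotor steps on every key press; the middle rotor steps
        # when the right rotor sits at its notch, and "double-steps" when it
        # is itself at its notch, carrying the left rotor with it.
        if self.pos[1] == self.notch[1]:
            self.pos[1] = (self.pos[1] + 1) % 26
            self.pos[0] = (self.pos[0] + 1) % 26
        elif self.pos[2] == self.notch[2]:
            self.pos[1] = (self.pos[1] + 1) % 26
        self.pos[2] = (self.pos[2] + 1) % 26

    def _through(self, table, i, c):
        s = self.pos[i]
        return (table[i][(c + s) % 26] - s) % 26

    def press(self, ch):
        """Encipher one letter; the rotors step before the signal passes."""
        self._step()
        c = _i(ch)
        for i in (2, 1, 0):                 # right to left into the reflector
            c = self._through(self.fwd, i, c)
        c = REFL[c]
        for i in (0, 1, 2):                 # and back out, left to right
            c = self._through(self.inv, i, c)
        return ALPHA[c]

    def encrypt(self, text):
        return "".join(self.press(ch) for ch in text)


def bombe_stops(ciphertext, crib, offset, rotor_order=("I", "II", "III")):
    """Try all 26^3 start positions; a 'stop' is any position under which the
    crib enciphers to the ciphertext at the given offset. A short crib yields
    false stops, exactly as bootnote 3 describes."""
    target = ciphertext[offset:offset + len(crib)]
    stops = []
    for a in ALPHA:
        for b in ALPHA:
            for c in ALPHA:
                m = Enigma(rotor_order, a + b + c)
                m.encrypt("A" * offset)     # spin past the letters before the crib
                if m.encrypt(crib) == target:
                    stops.append(a + b + c)
    return stops


def check_stop(stop, ciphertext, known_plain, offset, rotor_order=("I", "II", "III")):
    """The checker stage: decipher with the candidate key (Enigma is its own
    inverse) and confirm the known plaintext really appears at the offset."""
    plain = Enigma(rotor_order, stop).encrypt(ciphertext)
    return plain[offset:offset + len(known_plain)] == known_plain


# Constructed demo: the day's key is QWE and the message opens with the
# habitual "WETTER" (weather) that bootnote 2 names as a typical crib.
DAY_KEY = "QWE"
PLAINTEXT = "WETTERVORHERSAGEBISKAYA"
CIPHERTEXT = Enigma(("I", "II", "III"), DAY_KEY).encrypt(PLAINTEXT)

if __name__ == "__main__":
    for crib in ("WE", "WETTER"):
        stops = bombe_stops(CIPHERTEXT, crib, 0)
        good = [s for s in stops if check_stop(s, CIPHERTEXT, PLAINTEXT, 0)]
        print(f"crib {crib!r}: {len(stops)} stops, {len(good)} survive the checker")
```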

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/09/25/bletchley_bombe_operator_interview/

Braking bad: Mitsubishi recalls 68k SUVs over buggy software

Japanese auto maker Mitsubishi has recalled more than 68,000 vehicles in the US affected by two separate software bugs.

America’s National Highway Traffic Safety Administration (NHTSA) issued two recalls, one affecting more than 59,000 2018-model SUVs because of a bug in the braking system’s management unit.

Included are 2018 Outlander Sport SUVs with forward collision mitigation (FCM); 2018 Outlander hybrids and Eclipse Cross models; and 2017/18 Outlanders with adaptive cruise control and/or electric parking brakes.

The worst impact is on forward-collision mitigation (FCM), in which the bug could prevent the safety system from operating properly. Cars.com reported that this could affect automatic emergency braking, antilock braking, electronic stability control, or the brake auto-hold function.

The NHTSA report (PDF) provided more detail. Electrical noise from the hydraulic unit can cause a reset of the control unit, and that can cancel automatic braking; cause momentary lock-ups if ABS is in operation; momentarily cancel the stability control function; or release the brakes if auto-hold is in operation.

The second bug impacts 9,166 vehicles of the same models.

Consumerreports.com has claimed the second bug puts pedestrians at risk.

The FCM system is supposed to react to pedestrians at risk and apply the brakes; the bug is that it may activate the brakes longer than is necessary, including after the obstacle is no longer detected.

The bugs are present in vehicles from plants in Okazaki, Gifu, and Mizushima.

The NHTSA noted (PDF) that this could expose drivers to an increased risk of a rear-end collision.

Mitsubishi is expected to start contacting owners in the US on 16 October. So far, there’s no word on whether owners in other countries might also be affected. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/09/25/mitsubishi_suv_bugs_recall/

Fault-Tolerant Method Used for Security Purposes in New Framework

A young company has a new patent for using fault tolerance techniques to protect against malware infection in applications.

How do you really know that an application has not been compromised? A newly patented technology is based on the premise that because you know precisely what every thread and API call is supposed to do, any divergence is a sign of trouble.

Fault-tolerance has long used multiple identical instances of an application to ensure that the application can continue to function even if its hosting server goes offline. Young startup Virtual Software Systems (VS2) has been granted a patent for using that concept as a way of continuously validating application integrity.

Mario Troiana, head of development for VS2, says the company’s fault-tolerant framework is called the Intentional Computing Environment (ICE). “ICE is a framework made up of several mechanisms. Collectively, they instantiate multiple replicas of an application with different processes running on different virtual machines,” he says.

“It then enforces determinism of each thread of the application, so every time an API call is reached, the threads are compared to make sure they’re going to the same destination in a state space,” he says.

According to the company, “ICE detects and inhibits unintended application behavior caused by unpredictable events including hardware failures, malicious activity, and countless other faults.” That means if there is a point of application behavior that deviates for any reason from what is expected, ICE throws an exception and halts its execution.

There are a number of components to ICE, each handling or responding to a different aspect of application or data behavior, but the entire suite is based on the idea that application behavior is deterministic — that every part of an application will respond in a predictable, known way to any input.

Troiana is quick to point out two critical aspects of the way that ICE works. First, when software is developed, standard API calls must be replaced with ICE calls. This allows the protection software to work when the code is in production. It also means that this is not a solution applicable to off-the-shelf third-party software where the customer has no access to source code.
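A toy model of the replica-comparison scheme Troiana describes, added here as an illustration (it is not VS2's ICE code, whose internals the article does not show): each replica is a deterministic program written against ICE-style calls instead of direct API calls, and a coordinator compares the intended call across all replicas before any of them is allowed to make it, halting on the first disagreement. The `run_lockstep`, `checkout_program` and `corrupt_replica_one` names and the in-memory database are constructed for the example.

```python
from typing import Any, Callable, Dict, Generator, Optional, Tuple

ApiCall = Tuple[str, tuple]   # (api name, arguments): one ICE-style call
Program = Callable[[], Generator[ApiCall, Any, Any]]

class DivergenceError(Exception):   # replicas disagreed: the "halt" in the text
    def __init__(self, step: int, intents: list):
        super().__init__(f"replicas diverged at checkpoint {step}: {intents}")
        self.step, self.intents = step, intents

def run_lockstep(program: Program, n_replicas: int, api: Dict[str, Callable],
                 tamper: Optional[Callable[[int, int, ApiCall], ApiCall]] = None) -> Any:
    """Advance n replicas one API call at a time; perform the call only if all agree."""
    replicas = [program() for _ in range(n_replicas)]
    results = [None] * n_replicas       # value fed back from the previous API call
    step = 0
    while True:
        intents = []
        for rid, rep in enumerate(replicas):
            try:
                intent = rep.send(results[rid])     # run replica up to its next call
            except StopIteration as done:
                intent = ("__exit__", (done.value,))
            if tamper is not None:                  # hypothetical fault-injection hook
                intent = tamper(step, rid, intent)
            intents.append(intent)
        if len(set(intents)) != 1:                  # any replica off the common path?
            raise DivergenceError(step, intents)    # halt before the call is made
        name, args = intents[0]
        if name == "__exit__":
            return args[0]
        results = [api[name](*args)] * n_replicas   # the real call happens exactly once
        step += 1

# Constructed sample application written against ICE-style calls (hypothetical).
FAKE_DB = {"price:widget": 5, "cart:qty": 3}
API = {"db_read": lambda key: FAKE_DB[key],
       "db_write": lambda key, value: FAKE_DB.__setitem__(key, value)}

def checkout_program() -> Generator[ApiCall, Any, int]:
    price = yield ("db_read", ("price:widget",))
    qty = yield ("db_read", ("cart:qty",))
    yield ("db_write", ("order:total", price * qty))
    return price * qty

def corrupt_replica_one(step: int, rid: int, intent: ApiCall) -> ApiCall:
    """Simulated fault: replica 1 arrives at the write with a corrupted value."""
    if rid == 1 and intent[0] == "db_write":
        return ("db_write", ("order:total", 0))
    return intent
```

With three healthy replicas the checkout completes and the write lands once; with the fault injected into replica 1, the coordinator raises at the third checkpoint and the corrupted write never reaches the database.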

And VS2 doesn’t promote this as a complete, comprehensive security solution: the company sees it as complementary to other components in a total security architecture. 

ICE is currently available as a feature-complete technology assessment release for beta customers.


Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/application-security/fault-tolerant-method-used-for-security-purposes-in-new-framework/d/d-id/1332883?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Microsoft ‘kills’ passwords, throws up threat manager, APIs Graph Security

Ignite Microsoft is beefing up the security in its cloud services lineup with a handful of unveilings today at this year’s Ignite conference.

The Redmond giant says the offerings are part of an aim to secure both its own web services and the partner ecosystems that have popped up around them.

Passwords out to pasture

Among the big declarations from security VP Rob Lefferts was that Microsoft was marking “the end of the era of passwords.”

This will be done by extending the Microsoft Authenticator multi-factor phone app to Azure Directory (AD). Any network that uses AD to authenticate people will now be able to give those users the option of using Authenticator to sign in via a PIN, fingerprint, or face scan on their iOS or Android device.

So you can log into your account if you physically have your phone and a valid PIN for the Authenticator app, for example. If you have the app running on your handheld, and provide the right extra detail – a PIN, face scan, etc – then access is granted to your account via AD.

“Using a multi-factor sign-in method, you can reduce compromise by 99.9 percent, and you can make the user experience simpler by eliminating passwords,” Lefferts declared.

“No company lets enterprises eliminate more passwords than Microsoft.”

Threat Protection set to watch over Microsoft 365, Secure Score rates Azure

Companies opting for the Microsoft 365 Windows-as-a-service package will now be able to use a new security monitoring tool to track and manage all of the security features and reports generated by the various online and offline platforms.

Microsoft says the feature will allow admins to have a single screen where they can view reports from emails, Office applications and documents, Windows endpoints and managed infrastructure.

“This will let analysts save thousands of hours as they automate the more mundane security tasks,” Lefferts declared.


Azure, meanwhile, will get new security reporting in the form of Secure Score, a service Microsoft says will give admins updates on what security policies are in effect at their company and where possible weak spots remain.

The idea of Secure Score is to search out best practices like securing admin accounts with multi-factor authentication and implementing two-factor auth for regular user accounts.

In addition to management for on-prem networks, Secure Score will take into account Azure instances, where score reports and rundowns will be shown in the Azure Security Center.

Confidential Compute for Azure clouds

For companies wanting to better isolate their cloud instances on Azure, Microsoft said it will be rolling out a new hardware-based service to the Azure DC line. The service will let customers opt to have their instances run on Intel SGX hardware, so that the code itself runs encrypted in a protected portion of the bare-metal machine.

Microsoft is also pushing the Information Protection SDK into general availability and adding new labeling options that will allow developers to apply Microsoft’s content protections for sensitive data and files into their own code. With the new options, Redmond adds support for Office Apps and PDF docs.

Graph Security API lands

Also targeting Microsoft’s dev community is the general availability release of the Graph Security API. The tool allows developers to plug their code into the Graph Security service and access things like its alert service, company Graph analysis, and scripts for configuring and managing the security settings for multiple products.

The idea, says Lefferts, is to make it easy for both customers and security vendors to share their threat intel and manage best practices and data analysis on malware and network attacks.

“[Graph Security] helps our partners work with us and each other to give you better threat detection and faster incident response,” he said.

“It connects a broad heterogeneous ecosystem of security solutions via a standard interface to help integrate security alerts, unlock contextual information, and simplify security automation.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/09/24/microsoft_kills_passwords/