STE WILLIAMS

Man who shared Deadpool movie on Facebook faces 6 months in jail

You can share how much you liked a movie on Facebook, but you’re not supposed to share the actual movie on Facebook! Trevon Franklin did it anyway, and now he’s facing six months in jail.

The 22-year-old, who went by the name ‘Tre-Von M. King’ on Facebook, pled guilty this year to sharing a pirated copy of the movie Deadpool on his Facebook page, just a week after it hit theatres. In a sentencing memorandum issued on 12 September, the US government recommended six months behind bars.

In 2016 Franklin, then 20 years old, uploaded the movie to his Facebook account.

It went viral, and the file was viewed six million times, according to the court papers.

People warned him that it wasn’t wise and may earn him some interest from law enforcement, but he remained unperturbed, arguing that he had never sold the movie online. Anyway, the feds hadn’t come after him, he pointed out.

Then he created a new group called “Bootleg Movies” where he promised to share more.

“Someone going to catch a case 5 years have fun with that”, said one commenter in response. Another just posted an excerpt from the FBI anti-piracy warning, adding: “You’ll realize how bad you’ll wish it didn’t go viral.”

Among those who saw all this were representatives of Twentieth Century Fox, who were not pleased. The FBI was alerted, and started an investigation that led to his arrest in June 2017.

He was indicted for reproducing and distributing a copyrighted work, which carries a maximum three-year sentence. In June this year, he pled guilty to a misdemeanor.

Franklin’s lawyers outlined a troubled childhood fraught with personal difficulties. In a letter to the court, he said:

I [now] understand that every action has its consequences… I regret posting the movie. I didn’t think how serious the crime was that was being committed. I know not to commit a crime like copyright infringement again, or any crime because I am a father not a criminal.

In the sentencing memorandum, the government asked for him to serve six months, followed by a year of supervised release, and a mandatory fine of $100…

Given the brazen and public manner in which defendant both flouted the law (which was pointed out to him by several Facebook users) and appeared not to care that he was willfully infringing on Fox’s copyright (which was also pointed out to him by Facebook users), and given defendant’s insistence that he was not going to suffer any consequences for his crime, other than to “become more famous”.

The government added that the sentence would be a deterrent for Facebook users who may otherwise believe that there are no consequences for sharing illegal material online.

Franklin’s actions might strike readers as the misguided act of one incredibly misinformed Facebook user, but this isn’t an isolated case.

Business Insider reported that there are plenty of Facebook groups, with tens of thousands of members, hosting and publicly sharing pirated content. We were able to find free copyrighted movies readily available on the site in less than sixty seconds with a quick search.

In the last few days, Facebook has told us that it is now smart enough to distinguish between fake images and legitimate ones. Will pirated content be next in Facebook’s clean-up strategy?


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/u0hoOLTqAHw/

Sealed with an XSS: Lloyds Group should avoid cross talk, say IT pros

A pair of IT workers have criticised banks within the Lloyds Banking Group (LBG) for sub-standard security. The group denies anything is amiss, maintaining it follows industry best practice on cyber-security.

Each of the three LBG banks – Lloyds, Halifax, and Bank of Scotland – has implemented transport layer security by running https so that transactions run to a secure server. But the three financial institutions are nonetheless vulnerable to a common class of web security vulnerability often exploited by phishing fraudsters: cross-site scripting (XSS) flaws.

A software developer and an infosec researcher have separately said that websites maintained by Lloyds, Halifax, and Bank of Scotland all have an XSS vuln, allowing attackers to read and modify the contents of the login form, as well as subsequent pages such as account information in secure banking sessions.

The issues at the three Lloyds Banking Group subsidiaries were uncovered by software developer Jim Ley and reported to each bank. A lack of response prompted him to approach The Register.

Ley developed a live proof-of-concept, seen by The Reg, for each bank showing how the unresolved web flaws might be leveraged to run login-harvesting phishing attacks.

This illustrates the risk that, unless the flaw is resolved, convincing phishing scams that leverage the web security shortcoming might be developed, he warned.

Independent security researcher Paul Moore confirmed our tipster’s warning, adding that Halifax Bank is vulnerable to a somewhat related problem.

“[Halifax Bank’s] lack of adequate security headers allows the injection of malicious scripts to both collect [and] alter anything the user enters, regardless of TLS,” Moore told El Reg.

“Banks should deploy the correct security headers before third party dependencies go rogue… many sites are vulnerable if they don’t deploy security headers correctly,” he added.

Halifax Bank’s security header rating scores a B

Halifax Bank rates a “B” on security headers, which may on the surface seem like a passing grade but belies the problem. The devil lies in the detail, according to Moore.

“A ‘B’ isn’t bad, but the difference between an ‘A’ and ‘B’ here is the existence of a CSP [Content Security Policy]1 header. If they disallowed inline scripts, they’d get an ‘A’ and wouldn’t be vulnerable to this attack,” Moore said.
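To make Moore's point concrete, here is an added example (not the scanner's code, and not anything captured from the banks) that grades a set of response headers and checks whether a Content Security Policy really forbids inline scripts. The grading rules are a simplified assumption, and the three header sets are constructed for illustration; the `nonce-` value is a placeholder.

```python
"""Grade a response's security headers along the lines of the scanner quoted
above, and check whether its CSP actually forbids inline scripts. Added
example, not the scanner's or the banks' code; the grading rules are a
simplified assumption and the header sets are constructed, not captured."""
from typing import Dict, List, Tuple

EXPECTED_HEADERS = (
    "strict-transport-security",
    "x-content-type-options",
    "x-frame-options",
    "referrer-policy",
    "content-security-policy",
)


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def csp_blocks_inline_scripts(value: str) -> bool:
    """True when the policy stops inline <script> blocks from executing.

    script-src governs scripts; default-src applies when script-src is absent;
    neither means no restriction at all. 'unsafe-inline' re-enables inline
    scripts, except that browsers ignore it once a nonce or hash source is present.
    """
    policy = parse_csp(value)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return False
    nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources)
    return "'unsafe-inline'" not in sources or nonce_or_hash


def grade_headers(headers: Dict[str, str]) -> Tuple[str, List[str]]:
    """Return (grade, findings). Assumed rule: everything present and a CSP that
    blocks inline scripts is an A; a CSP-only shortfall is a B; more is C or D."""
    lowered = {k.lower(): v for k, v in headers.items()}
    findings = [f"missing {h}" for h in EXPECTED_HEADERS if h not in lowered]
    csp = lowered.get("content-security-policy")
    if csp is not None and not csp_blocks_inline_scripts(csp):
        findings.append("content-security-policy permits inline scripts")
    if not findings:
        return "A", findings
    if len(findings) == 1 and "content-security-policy" in findings[0]:
        return "B", findings
    return ("C" if len(findings) <= 2 else "D"), findings


# Constructed sample responses (not captured from any bank's site).
WITHOUT_CSP = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
WITH_WEAK_CSP = {**WITHOUT_CSP,
                 "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'"}
WITH_STRICT_CSP = {**WITHOUT_CSP,
                   "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-PLACEHOLDER'; object-src 'none'"}

if __name__ == "__main__":
    for name, hdrs in (("no CSP", WITHOUT_CSP), ("weak CSP", WITH_WEAK_CSP), ("strict CSP", WITH_STRICT_CSP)):
        grade, findings = grade_headers(hdrs)
        print(f"{name}: {grade} {findings}")
```

Note that a policy which is present but carries `'unsafe-inline'` in its effective script source scores the same B as no policy at all: an injected inline script still runs, so the header gives no protection against the class of flaw described above.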

Moore’s (benign) proof-of-concept demo from Halifax Bank can be found here, which he flagged up to the infosec community through Twitter.

El Reg relayed these criticisms to reps at LBG, alongside a request for comment. The bank said it welcomed the reports while downplaying their significance.

We employ multi-layered security controls across our systems. We take responsible disclosures seriously and always follow up to ensure that the best methods are followed.

Both techies were unimpressed with this reply. Each independently stated they had found it difficult to report problems to LBG. “If they made the reporting process easier, I’d be happier,” Moore commented.

The Reg has seen an email from LBG’s digital security team stating they were “aware of this issue”, adding that its techies “are already working on it”. ®

Bootnote

1Content Security Policy is a security technology designed in large part to minimise XSS problems.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/09/20/lloyds_banking_insecure/

Securing industrial IoT passwords: For Pete’s sake, engineers, don’t all jump in at once

Comment Cybersecurity has become an increasing priority in operations technology thanks to the growing appetite for the industrial internet of things.

Operations technology (OT) is the term given to all those environments in industry, transport, automotive, city and utilities that – before industrial IoT – had been largely isolated from the outside world and, thus, protected from intruders.

Brexit or no Brexit, the UK is implementing an EU policy on the security of such systems via the Networks and Information Systems Directive, so securing OT is a necessity.

With that in mind, a technology and services pact has been signed between two UK outfits seeking to stop the “worst” from happening to elements considered part of the national critical infrastructure systems.

Privileged access management provider Osirium has partnered with aviation, rail and car cyber-security specialist Razor Secure to build and deliver a range of systems targeting industrial IoT applications including unattended operations, power and water plants, weather stations, manned and unmanned vehicles and other systems that could themselves be used as a gateway for “bad stuff” to hop onto a network.

The target market for this partnership is systems “designed well before deployment” and “required to operate for 10 years or more.”

The pair said Razor Secure’s machine learning algorithm would be used to hunt for process anomalies in endpoint security together with Osirium’s system administrator Privileged Access Management (PAM) for secure passwords, workflow and robotic process task automation.

What’s the password?

When it comes to people and processes, much is made of the vulnerabilities in IoT, but one issue that has to be addressed is password management. There is no need to operate complex attacks based on protocol weaknesses when a simple password will open the door.

This is a people problem – many people need access to many things and changing passwords is inconvenient.

According to Osirium chief technology officer Andy Harris, things have been going wrong from the outset when architects have designed systems where all critical plants are on their own network. The failures come where it is assumed that a firewall is good enough. This is a problem because firewall rules are source- and destination-based and if the attacker or meddler is coming from an allowed source and bouncing off destination systems, then the firewall is useless.

Harris likes the idea of a proxy-based technology that accepts an identity and connects to the IoT devices with a defined role. If that proxy also checks with the change ticket, so much the better, as you’re basically creating a digital equivalent of the physical locks.

Osirium’s approach is to separate people from passwords, cycle the passwords so they are highly complex and regularly changed, and control the tools that can be used for access.

“In the real world we have a ‘my lock’ ‘your lock’ situation. If I go to work on a pump I put my lock on the breaker, if you work on the motor you put your lock on the breaker. If I finish before you I can’t accidentally run a test because your lock is on the system,” Harris said.

“Testing gets more complex, but there are still locks. I have to issue a ‘sanction for test’ and then get a ‘permit to test’ then go to the pump (where I might find your lock). System design is crucial.

“Each system should be designed on the principle of local control/safety and global intelligence/control. If a control system tells an airbridge to move, but there is a local lockout – the local lockout takes precedence.”

The closest thing to “my lock your lock” in the software world is change tickets. These are procedures. They don’t stop mistakes but they could. If an engineer is only allowed access to a system when there is a change ticket there would be a degree of control. However, people then need the discipline to ensure the change ticket is accurate.
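The proxy-based broker Harris describes, the separation of people from rotated passwords, and the "my lock, your lock" rule can be put together in one small model. This is an added example, not Osirium's or Razor Secure's code; the users, the `pump-7` device, the `CHG-*` tickets and the `mech_eng`/`visitor` roles are all constructed for illustration.

```python
"""Model of the proxy-based, ticket-gated access Harris describes. Added
example, not Osirium's or Razor Secure's code; users, devices, tickets and the
'mech_eng'/'visitor' roles are constructed for illustration."""
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Set


class AccessDenied(Exception):
    """Raised with a readable reason when the broker refuses a request."""


@dataclass
class ChangeTicket:
    device: str
    assignee: str
    window_start: datetime
    window_end: datetime


@dataclass
class Device:
    allowed_roles: Set[str]
    # Held by the broker only; never handed to an engineer.
    credential: str = field(default_factory=lambda: secrets.token_urlsafe(24))


@dataclass
class Session:
    user: str
    device: str
    ticket_id: str


class AccessBroker:
    def __init__(self) -> None:
        self.roles: Dict[str, str] = {}        # user -> role
        self.devices: Dict[str, Device] = {}
        self.tickets: Dict[str, ChangeTicket] = {}
        self.locks: Dict[str, Set[str]] = {}   # device -> users holding a lock

    def request_session(self, user: str, device: str, ticket_id: str, now: datetime) -> Session:
        dev = self.devices[device]  # unknown device: KeyError is the right outcome
        role = self.roles.get(user)
        if role not in dev.allowed_roles:
            raise AccessDenied(f"{user} (role {role}) is not permitted on {device}")
        t = self.tickets.get(ticket_id)
        if t is None or t.device != device or t.assignee != user:
            raise AccessDenied(f"no approved change ticket for {user} on {device}")
        if not t.window_start <= now <= t.window_end:
            raise AccessDenied(f"ticket {ticket_id} is outside its change window")
        # The proxy would connect with dev.credential here; the engineer only
        # receives a session handle and puts 'their lock' on the device.
        self.locks.setdefault(device, set()).add(user)
        return Session(user, device, ticket_id)

    def can_run_test(self, user: str, device: str) -> bool:
        """Local lockout takes precedence: no test while anyone else holds a lock."""
        return not (self.locks.get(device, set()) - {user})

    def close_session(self, session: Session) -> None:
        """Release the user's lock and rotate the credential the session used."""
        self.locks.get(session.device, set()).discard(session.user)
        self.devices[session.device].credential = secrets.token_urlsafe(24)


def scenario() -> Dict[str, object]:
    """Walk through the 'my lock, your lock' story with constructed data."""
    broker = AccessBroker()
    broker.roles.update({"alice": "mech_eng", "bob": "mech_eng", "mallory": "visitor"})
    broker.devices["pump-7"] = Device(allowed_roles={"mech_eng"})
    start = datetime(2018, 9, 20, 8, 0)
    broker.tickets["CHG-1"] = ChangeTicket("pump-7", "alice", start, start + timedelta(hours=4))
    broker.tickets["CHG-2"] = ChangeTicket("pump-7", "bob", start, start + timedelta(hours=4))
    now = start + timedelta(hours=1)
    before = broker.devices["pump-7"].credential
    out: Dict[str, object] = {}
    alice = broker.request_session("alice", "pump-7", "CHG-1", now)
    bob = broker.request_session("bob", "pump-7", "CHG-2", now)
    out["alice_test_while_bob_locked"] = broker.can_run_test("alice", "pump-7")
    broker.close_session(bob)
    out["alice_test_after_bob_done"] = broker.can_run_test("alice", "pump-7")
    broker.close_session(alice)
    out["credential_rotated"] = broker.devices["pump-7"].credential != before
    for user, ticket, when, key in (
        ("mallory", "CHG-1", now, "visitor_denied"),
        ("alice", "CHG-1", start + timedelta(hours=9), "outside_window_denied"),
        ("alice", "CHG-2", now, "wrong_ticket_denied"),
    ):
        try:
            broker.request_session(user, "pump-7", ticket, when)
            out[key] = None
        except AccessDenied as exc:
            out[key] = str(exc)
    return out
```

The design choice worth noticing is that the engineer never receives the device credential, only a session, and the credential is rotated the moment the session closes; the change ticket and the lock set are what decide whether the session is opened and whether a test may run, which is the software equivalent of the padlock on the breaker.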

The trouble comes from managers who make decisions about what to connect to the internet who don’t understand or have not bothered to consider the risks.

“What really worries me is when I hear phrases like: ‘That will add cost to the system’, or: ‘We haven’t got time to do that many checks’ and: ‘No one ever writes up a ticket properly’.”

His advice when it comes to building industrial IoT? “In software, design for worst intent.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/09/20/securing_industrial_iot_passwords/

No, Sunspot Solar Observatory didn’t see aliens

On September 6, the Sunspot Solar Observatory in New Mexico was evacuated and sealed off without explanation, sparking wild conspiracy theories as to why.

Since it’s an observatory, the favourite theory was that it had spotted aliens and the lock-down was part of a cover-up to prevent public panic.

No, there weren’t aliens: on Sunday, the Association of Universities for Research in Astronomy announced that it had made the decision to close the observatory in concert with the National Science Foundation, and said the closure was due to an unspecified criminal investigation.

The statement said “we became concerned that a suspect in the investigation potentially posed a threat to the safety of local staff and residents. For this reason, AURA temporarily vacated the facility and ceased science activities at this location.” The statement added that the small number of staff at the remote location made protection difficult.

More has now emerged on what happened, with Reuters alleging the FBI was investigating a janitor who it believed used the facility’s Internet service “to send and receive child pornography”.

A local report at KRQE stated the investigators linked uploaded and downloaded child abuse material to the observatory’s IP address, sparking the investigation.

The FBI records included a warrant to search the suspect’s home, Reuters said. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/09/20/no_sunspot_solar_observatory_didnt_see_aliens/

NSS Labs fires off anti-malware-testing lawsuit at infosec toolmakers

NSS Labs has thrown a hand grenade into the always fractious but slightly obscure world of security product testing by suing multiple vendors as well as an industry standards organisation.

A lawsuit against CrowdStrike, Symantec, ESET and the Anti-Malware Testing Standards Organization (AMTSO) has alleged no less than a conspiracy to cover up deficiencies in security tools.

These vendors have known of bugs but have failed to act and worse were “actively conspiring to prevent independent testing that uncovers those product deficiencies”, NSS Labs claimed.

The lawsuit aims to illuminate bad practices that harm consumers, according to a statement by Vikram Phatak, chief exec of NSS Labs. The anti-malware market is split between consumer and corporate sales with enterprise revenues forming the largest part of the market, even for the likes of Symantec.

NSS Labs accused the named security vendors of forging a pact to collectively boycott its independent test lab1. Why? Well, if one of them avoided a test all the others participated in, then it looks bad, but if there’s a collective “no thanks” then any opprobrium is avoided.

The charge is serious: vendors have come up with a scheme to avoid tests that may expose vulnerabilities they’d rather not have to invest in repairing, never mind the negative PR backlash from poor results.

AMTSO – which aims to establish standards for fair testing – is allegedly “actively preventing unbiased testing” and facilitating this bad practice.

In addition, CrowdStrike and other unnamed vendors have clauses in their user contracts that prohibit testing without permission, NSS Labs alleged.

“If it is good enough to sell, it is good enough to test,” Phatak argued.

This isn’t the first time that NSS Labs and CrowdStrike have locked horns: last year CrowdStrike filed an injunction against NSS Labs to prevent release of test results during the RSA Conference. The lawsuit failed.

In a statement, CrowdStrike dismissed NSS’s legal offensive as baseless.

NSS is a for-profit, pay-to-play testing organization that obtains products through fraudulent means and is desperate to defend its business model from open and transparent testing. We believe their lawsuit is baseless.

CrowdStrike supports independent and standards-based testing — including public testing — for our products and for the industry. We have undergone independent testing with AV-Comparatives, SE Labs, and MITRE and you can find information on that testing here. We applaud AMTSO’s efforts to promote clear, consistent, and transparent testing standards.

El Reg also asked the other named parties in the lawsuit to comment. We’ll update this story as more information comes to hand.

Bootnote

1Other security testing labs are available, including AV-Comparatives, AV-TEST, and SE Labs. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/09/20/security_testing_contratemps/

Turn the NIST Cybersecurity Framework into Reality: 4 Steps

Actionable advice for tailoring the National Institute of Standards and Technology’s security road map to your company’s business needs.

The first version of the National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF) was published in 2014 to provide guidance for organizations looking to bolster their cybersecurity defenses, and has more recently been updated as Version 1.1. It was created by cybersecurity professionals from government, academia, and various industries at the behest of President Barack Obama and later made into federal government policy by the new administration.   

While the vast majority of organizations recognize the value in such a universally recommended, collaborative effort to improve cybersecurity in businesses of all sizes, adapting and implementing the framework is easier said than done. The content of the NIST CSF is freely available for all, so we’re not going to discuss it in great depth here. Instead, we’re going to set out five steps to help you turn the NIST CSF into a reality for your organization.

Step 1: Set your target goals.
Before you begin to think about implementing the NIST CSF, your organization must set its target goals. The first hurdle to this typically is establishing agreement throughout the organization about risk-tolerance levels. There is often a disconnect between upper management and IT about what constitutes an acceptable level of risk.

To begin, draft a definitive agreement on governance that clarifies precisely what level of risk is acceptable. Everybody must be on the same page before you proceed. It’s also important to work out your budget, set high-level priorities for the implementation, and establish which departments you want to focus on.

It makes a lot of sense to start with a single department or a subset of departments within your organization. Run a pilot program so that you can learn what does and doesn’t work, and identify the right tools and best practices for wider deployment. This will help you to craft further implementations and accurately estimate the cost.

Step 2: Create a detailed profile.
The next step is to drill deeper and tailor the framework to your specific business needs. NIST’s Framework Implementation Tiers will help you understand your current position and where you need to be. They’re divided into three areas:

  • Risk Management Process
  • Integrated Risk Management Program
  • External Participation

Like most of the NIST CSF, these should not be taken as set in stone. They can be adapted for your organization. You may prefer to categorize them as people, process, and tools, or add your own categories to the framework.

Each one runs from Tier 1 to Tier 4.

Tier 1 – Partial generally denotes an inconsistent and reactive cybersecurity stance.
Tier 2 – Risk Informed allows for some risk awareness, but planning is consistent.
Tier 3 – Repeatable indicates organization-wide CSF standards and consistent policy.
Tier 4 – Adaptive refers to proactive threat detection and prediction.

Higher levels are considered a more complete implementation of CSF standards, but it’s a good idea to customize these tiers to ensure they’re aligned with your goals. Use your customized tiers to set target scores and ensure that all key stakeholders agree before you proceed. The most effective implementations will be closely tailored for specific businesses.

Step 3: Assess your current position.
Now it’s time to conduct a detailed risk assessment to establish your current status. It’s a good idea to assess both from within the specific functional area and independently across the organization. Identify open source and commercial software tools capable of scoring your target areas (for example, vulnerability scanners, CIS benchmark testing, phishing tests, and behavioral analytics) and train staff to use them, or hire a third party to run your risk assessment. It’s crucial that the people performing the risk assessment have no knowledge of your target scores.

The team implementing the CSF now aggregates and checks the final scores before they’re presented to the key stakeholders. The goal at the end of this process is to give your organization a clear understanding of the security risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals. Vulnerabilities and threats should be identified and fully documented.

For example, in the diagram below, the organization has identified three functional areas: Policy, Networks, and Applications. These could span the hybrid cloud or could be broken into different environments so they can track on a more detailed level, in which case an additional consideration is whether different functional leads will be responsible for on-premises and cloud deployments.

Along the left, the heat map lists the different CSF functions and can be expanded to any level of detail. Using a four-point scale, green designates that all is OK, yellow indicates the area needs work, and red warrants close analysis and correction. Here, the “identify” core function is broken out for the purpose of comparing the assessed scores against a cross business-unit core group. The SME and core scores are averaged, compared to the organization’s target, and a risk gap is then calculated. A higher gap warrants quicker remediation. Looking at the table, the organization’s “Protect” and “Respond” areas are the most vulnerable.
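The gap calculation just described can be worked through in code. This is an added example rather than the article's own diagram (which is not reproduced here); the per-area SME and core scores, the targets and the colour thresholds are constructed assumptions on the article's four-point scale, chosen so that the two weakest functions come out as Protect and Respond.

```python
"""Build the Step 3 gap table: average SME and core-group scores per functional
area, compare each CSF function against its target, and rank by gap. Added
example, not from the article, whose own diagram is not reproduced here; the
scores and targets below are constructed and use the article's four-point
scale (1 = worst, 4 = best). The colour thresholds are an assumption."""
from typing import Dict, List, Tuple

Scores = Dict[str, Dict[str, Tuple[float, float]]]  # function -> area -> (sme, core)

ASSESSED: Scores = {
    "Identify": {"Policy": (3, 3), "Networks": (3, 2), "Applications": (2, 3)},
    "Protect":  {"Policy": (2, 2), "Networks": (1, 2), "Applications": (2, 1)},
    "Detect":   {"Policy": (3, 3), "Networks": (3, 3), "Applications": (2, 3)},
    "Respond":  {"Policy": (2, 1), "Networks": (2, 2), "Applications": (1, 2)},
    "Recover":  {"Policy": (3, 2), "Networks": (3, 3), "Applications": (3, 3)},
}
TARGET = {"Identify": 3.5, "Protect": 3.5, "Detect": 3.0, "Respond": 3.5, "Recover": 3.0}


def heat_colour(score: float) -> str:
    """Green is fine, yellow needs work, red needs close analysis."""
    if score >= 3.0:
        return "green"
    if score >= 2.0:
        return "yellow"
    return "red"


def gap_table(assessed: Scores, target: Dict[str, float]) -> List[dict]:
    """One row per CSF function, sorted so the largest gap comes first."""
    rows = []
    for function, areas in assessed.items():
        averaged = {area: (sme + core) / 2 for area, (sme, core) in areas.items()}
        score = sum(averaged.values()) / len(averaged)
        rows.append({
            "function": function,
            "areas": {a: (s, heat_colour(s)) for a, s in averaged.items()},
            "score": round(score, 2),
            "target": target[function],
            "gap": round(target[function] - score, 2),
        })
    rows.sort(key=lambda r: r["gap"], reverse=True)  # stable: ties keep input order
    return rows


def remediation_priority(rows: List[dict]) -> List[str]:
    """Function names in the order they should be remediated."""
    return [r["function"] for r in rows]


if __name__ == "__main__":
    for row in gap_table(ASSESSED, TARGET):
        cells = ", ".join(f"{a}={s:.1f}/{c}" for a, (s, c) in row["areas"].items())
        print(f"{row['function']:<9} score={row['score']:.2f} target={row['target']} gap={row['gap']:+.2f}  {cells}")
```

Keeping the per-area averages alongside the function-level gap matters: the ordering tells you which function to fix first, but the red cells inside it tell you where in the organization the work actually is.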

Step 4: Implement action plan.
With a clear picture of the current health of your defenses, a set of organizationally aligned target goals, a comprehensive gap analysis, and a set of remediation actions, you are finally ready to implement the NIST CSF. Use your first implementation as an opportunity to document processes and create training materials for wider implementation down the line.

The implementation of your action plan is not the end. You will need to set up metrics to test its efficacy and continuously reassess the framework to ensure that it’s meeting expectations. This should include an ongoing process of iteration and validation with key decision makers. In order to get the maximum benefit, you will need to hone the implementation process and further customize the NIST CSF to fit your business needs.


Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Mukul Kumar is Cavirin’s CISO and vice president of Cyber Practice, bringing to Cavirin over 18 years of IT and security experience, including his previous role as CISO and VP of Cyber Practice at Balbix. Prior to this position, Kumar served as the chief security officer at …

Article source: https://www.darkreading.com/analytics/turn-the-nist-cybersecurity-framework-into-reality-4-steps/a/d-id/1332796?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Japanese Cryptocurrency Exchange Hit with $60M Theft

The incident highlights a broader problem of poor security in cryptocurrency exchanges throughout the country.

Tech Bureau, a Japanese cryptocurrency exchange, has confirmed a $60 million theft following recent initiatives to improve its security posture.

Tech Bureau said its Zaif exchange was hacked over a two-hour period on Sept. 14. Three days later, it noticed server problems and confirmed the attack on Sept. 18. The theft totaled 6.7 billion yen ($59.67 million USD) in digital currencies, including Bitcoin, Monacoin, and Bitcoin Cash. About 2.2 billion yen belonged to Tech Bureau; 4.5 billion belonged to its clients.

The firm has now reached an agreement with Fisco, which will invest 5 billion yen ($44.59 million USD) and receive majority ownership. Earnings will be used to replace funds taken from customers.

The hack highlights a problem of poor security in cryptocurrency exchanges. Indeed, cryptocurrency exchanges throughout Japan have come under scrutiny after Coincheck suffered a $530 million theft of digital currencies back in January. Reports indicate many exchanges are left vulnerable due to poor management and a lack of security for client funds.

Read more details here.


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/threat-intelligence/japanese-cryptocurrency-exchange-hit-with-$60m-theft/d/d-id/1332855?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

3 Drivers Behind the Increasing Frequency of DDoS Attacks

What’s causing the uptick? Motivation, opportunity, and new capabilities.

According to IDC Research’s recent US DDoS Prevention Survey, more than 50% of IT security decision makers said that their organization had been the victim of a distributed denial-of-service (DDoS) attack as many as 10 times in the past year. For those who experienced an attack, more than 40% lasted longer than 10 hours. This statistic correlates with our ATLAS findings, which show there were 7.5 million DDoS attacks in 2017 — a rate, says Cisco, that is increasing at roughly the same rate as Internet traffic.

What’s behind the uptick? It boils down to three factors: motivation of the attackers; the opportunity presented by inexpensive, easy-to-use attack services; and the new capabilities that Internet of Things (IoT) botnets have.

Political and Criminal Motivations
In an increasingly politically and economically volatile landscape, DDoS attacks have become the new geopolitical tool for nation-states and political activists. Attacks on political websites and critical national infrastructure services are becoming more frequent, largely because of the desire and capabilities of attackers to affect real-world events, such as election processes, while staying undiscovered.

In June, a DDoS attack was launched against the website opposing a Mexican presidential candidate during a debate. This attack demonstrated how a nation-state could affect events far beyond the boundaries of the digital realm. It threatened the stability of the election process by knocking a candidate’s website offline while the debate was ongoing. Coincidence? Perhaps. Or maybe an example of the phenomenon security experts call “cyber reflection,” when an incident in the digital realm is mirrored in the physical world.

DDoS attacks carried out by criminal organizations for financial gain also demonstrate cyber reflection, particularly for global financial institutions and other supra-national entities whose power makes them prime targets, whether for state actors, disaffected activists, or cybercriminals. While extortion on the threat of DDoS continues to be a major threat to enterprises across all vertical sectors, cybercriminals also use DDoS as a smokescreen to draw attention away from other nefarious acts, such as data exfiltration and illegal transfers of money.

Attacks Made Easy
This past April, Webstresser.org — one of the largest DDoS-as-a-service (DaaS) providers in existence, which allowed criminals to buy the ability to launch attacks on businesses and was responsible for millions of DDoS attacks around the globe — was taken down in a major international investigation. The site was used by a British suspect to attack a number of large retail banks last year, causing hundreds of thousands of pounds of damage. Six suspected members of the gang behind the site were arrested, with computers seized in the UK, Holland, and elsewhere. Unfortunately, as soon as Webstresser was shut down, various other similar services immediately popped up to take its place.

DaaS services like Webstresser run rampant in the underground marketplace, and their services are often available at extremely low prices. This allows anyone with access to digital currency or other online payment processing service to launch a DDoS attack at a target of their choosing. The low cost and availability of these services provide a means of carrying out attacks both in the heat of the moment and after careful planning.

The rage-fueled, irrational DDoS-based responses of gamers against other gamers are a good example of a spur-of-the-moment, emotional attack enabled by the availability of DaaS. In other cases, the DaaS platforms may be used in hacktivist operations to send a message or take down a website in opposition to someone’s viewpoint. The ease of accessibility to DaaS services enables virtually anyone to launch a cyberattack with relative anonymity.

IoT Botnets
IoT devices are quickly brought to market at the lowest cost possible, and securing them is often an afterthought for manufacturers. The result? Most consumer IoT devices ship with the most basic types of vulnerabilities, including hard-coded or default credentials and susceptibility to buffer overflows and command injection. Moreover, when patches are released to address these issues, they are rarely applied. Typically, a consumer plugs in an IoT device and never contemplates the security aspect, or perhaps does not understand the necessity of applying regular security updates and patches. With nearly 27 billion connected devices in 2017, expected to rise to 125 billion by 2030 according to analysis from IHS Markit, these devices make extremely attractive targets for malware authors.

In the latter half of 2016, a high-visibility DDoS attack against a DNS host/provider was observed, which affected a number of major online properties. The malware responsible for this attack, and many others, was Mirai. Once the source code for Mirai was published on September 30, 2016, it sparked the creation of a slew of other IoT-based botnets, which have continued to evolve significantly. Combined with the proliferation of IoT devices, and their inherent lack of security, we have witnessed a dramatic growth in both the number and size of botnets. These new botnets provide the opportunity for attackers and DaaS services to create new, more powerful, and more sophisticated attacks.

Conclusion
Today’s DDoS attacks are increasingly multivector and multilayered, employing a combination of large-scale volumetric assaults and stealth infiltration targeting the application layer. This is just the latest trend in an ever-changing landscape where attackers adapt their solutions and make use of new tools and capabilities in an attempt to evade and overcome existing defenses. Businesses need to maintain a constant vigilance on the techniques used to target them and continually evolve their defenses to industry best practices. 


Carlos Morales is a Vice President responsible for NETSCOUT Arbor’s pre-sales organization and sales for Arbor Cloud DDoS Mitigation and Managed Security Services lines of business. Carlos leads one of the industry’s pre-eminent teams of pre-sales engineers providing …

Article source: https://www.darkreading.com/attacks-breaches/3-drivers-behind-the-increasing-frequency-of-ddos-attacks/a/d-id/1332824?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Western Digital goes quiet on unpatched MyCloud flaw

Western Digital has failed to patch a serious security vulnerability in its MyCloud NAS drives that it was told about more than a year ago, researchers have alleged.

Worse, this is despite the fact that the issue was publicly disclosed as far back as DEF CON 25 in July last year.

The latest flaw, discovered independently by researchers at Securify and Exploitee.rs, is an authentication bypass that could give a local attacker complete admin control over drives.

The researchers started an admin session tied to their IP address and then fooled the drive into thinking this was authenticated by setting a username=admin cookie.

That was possible because:

The network_mgr.cgi CGI module contains a command called cgi_get_ipv6 that starts an admin session that is tied to the IP address of the user making the request when invoked with the parameter flag equal to 1.

No admin password, nothing – just a simple CGI request to MyCloud’s web server and an attacker would be in via a local network (a remote compromise would depend on such access being enabled).

Securify has even published a proof-of-concept comprising a few lines of code – this isn’t major league hacking.

The only other requirement is that MyCloud is running the 2.x BusyBox firmware image, which would be the case for newer devices (older Debian Wheezy 3.x and 4.x versions are not affected).
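As an added, defender-side illustration (not code from Securify, Exploitee.rs or Western Digital), the check below scans web-server access logs for the session-starting request described above, so an administrator can spot the call being made from an unexpected host. The query parameter name cmd, the log format and the log lines are assumptions constructed for the example; the page itself names only the module, the command and the flag value.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines in common log format (illustration only).
# Only the first line is the network_mgr.cgi / cgi_get_ipv6 / flag=1 call.
SAMPLE_LOG = """\
192.168.1.20 - - [19/Sep/2018:10:01:02 +0000] "GET /cgi-bin/network_mgr.cgi?cmd=cgi_get_ipv6&flag=1 HTTP/1.1" 200 45
192.168.1.20 - - [19/Sep/2018:10:01:05 +0000] "GET /cgi-bin/other_mgr.cgi?cmd=2 HTTP/1.1" 200 1211
192.168.1.31 - - [19/Sep/2018:10:02:17 +0000] "GET /cgi-bin/network_mgr.cgi?cmd=cgi_get_ipv6&flag=0 HTTP/1.1" 200 45
192.168.1.44 - - [19/Sep/2018:10:03:00 +0000] "POST /cgi-bin/login_mgr.cgi HTTP/1.1" 200 22
"""

# client IP, timestamp, method, request target and status from a CLF line
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_session_start(target: str) -> bool:
    """True if the request invokes cgi_get_ipv6 with flag=1 on network_mgr.cgi.

    The parameter name ``cmd`` is assumed; the flag value is compared as a
    string after URL decoding so ``flag=01`` or ``flag=0`` do not match.
    """
    parts = urlsplit(target)
    if not parts.path.lower().endswith("network_mgr.cgi"):
        return False
    qs = parse_qs(parts.query)
    return qs.get("cmd") == ["cgi_get_ipv6"] and qs.get("flag") == ["1"]


def find_session_starts(log_text: str) -> list:
    """Return (client_ip, timestamp) for every session-starting request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue  # skip lines that are not in the expected format
        if is_session_start(m["target"]):
            hits.append((m["ip"], m["ts"]))
    return hits


if __name__ == "__main__":
    for ip, ts in find_session_starts(SAMPLE_LOG):
        print(f"{ts}: IP-bound admin session started from {ip}")
```

Any hit from a host that is not a known administrator workstation is worth investigating, and the same match can be expressed as a web-server or IDS rule on the request path and query string.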

Despite the flaw being reported to Western Digital from April 2017, neither set of researchers heard back, either to acknowledge the issue or offer a timescale for a fix. Tweeted Remco Vermeulen of Exploitee.rs which presented it at DEF CON:

The flaw was assigned CVE-2018-17153 this week, and Western Digital MyCloud even has its own detailed Exploitee.rs Wiki, a database of knowledge on this product family’s weaknesses.

This last year has seen a bump in MyCloud security vulnerabilities, including several in January featuring hardcoded backdoors. On that occasion, Western Digital took months to release a patch, which it wasn’t clear even fixed all the issues.

It looks as if the company has problems with the way it processes vulnerabilities when they are reported to it.

Even if it considers the vulnerability to be low-priority (that is, not likely to be exploited), the 101 of good Vulnerability Disclosure Policies (VDPs) is that researchers should be kept in the loop.

It’s simple: when a fix becomes available, it should be posted on Western Digital’s support site.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/RF-F_NQplwY/

FBI wants to keep “helpful” Mirai botnet authors around

In December 2017, the youthful authors of the devastating Mirai botnet admitted that, collectively, they were guilty of conspiracy to violate the Computer Fraud and Abuse Act (CFAA): one charge for the Mirai botnet, and two charges for a clickfraud botnet.

Which, in legalese, means…

…intentional damage to a protected computer, to wit knowingly causing the transmission of a program, code, or command to a computer with the intention of impairing without authorization the integrity or availability of data, a program, system, or information; and the computer was used in or affected interstate or foreign commerce or communication.

…and which, in English, means writing and implementing the code that led to the Mirai malware, which ensnared more than 300,000 Internet of Things (IoT) devices; launching multiple distributed denial-of-service (DDoS) attacks (including, unwisely, against security journalist Brian Krebs, whose response was to track them down and unmask them); renting the botnet out to third parties and then extorting money from hosting companies in exchange for not being targeted, or selling uniquely tailored “services” to victims in order to fend off such attacks; scanning for vulnerable devices to attack; and click fraud.

…All of which is estimated to have caused damage in excess of $100m.

Yeah, the FBI says, but they’re such smart guys. Let’s keep them around!

On Tuesday, on the FBI’s recommendation and the defense attorneys’ “Yes, please!”, an Alaskan court sentenced the three men to probation, community service and fines.

Each of the Mirai authors – 22-year-old Paras Jha, of Fanwood, New Jersey; Josiah White, 21, of Washington, PA; and Dalton Norman, 22, from Metairie, Louisiana – was sentenced to five years’ probation and 2,500 hours of community service, some of which will be spent working with/for the FBI.

The men were also ordered to pay $127,000 in restitution for the damage caused by their malware, and voluntarily give up significant chunks of cryptocurrency seized during the course of the investigation.

Jha, White, and Norman came to the attention of the Feds when, in the summer and fall of 2016, they created Mirai. The powerful botnet was built from a collection of malware-infected IoT gadgets, including wireless cameras, routers, and digital video recorders.

A fierce attack

The fury of the Mirai botnet was something to behold: the attack on Krebs’s site, for one, saw the generation of an astonishing combined total of over 600 gigabits per second of time-wasting network traffic.

Jha, White, and Norman tried to disassociate themselves from Mirai in the fall of 2016, when Jha open-sourced the code on a criminal forum.

According to the Alaska Attorney General, since the code was unleashed, other criminal actors have used Mirai variants in a number of other attacks. These ripples are still being felt.

Jha, White, and Norman used Mirai to infect over 100K devices between December 2016 and February 2017. Besides DDoSes, they made money by using the botnet in advertising fraud, making it look like a real user has clicked on an advertisement and thus fraudulently inflating ad revenue.

Back when Mirai got open-sourced, Paul Ducklin noted that it wasn’t exactly what you’d call the work of programming prodigies. In fact, he dubbed it “badly programmed and unfinished.” Not that it mattered, he said:

It works, and it’s effective primarily because of bad programming in the very IoT devices it uses to do its dirty work.

The FBI doesn’t seem to be deterred by sloppy coding, at any rate.

As the US Attorney’s office in Alaska said on Tuesday, Jha, White, and Norman have already cooperated “extensively” with the FBI.

The government had asked that their sentences include more of the same. From the sentencing memorandum:

The United States asks the Court, upon concurrence from Probation, to define community service to include continued work with the FBI on cyber crime and cybersecurity matters.

Working undercover

In a separate, eight-page document viewed by Wired, the government described how the trio has worked behind the scenes with the agency and the broader cybersecurity community to apply their computer expertise to more constructive uses ever since the FBI first came knocking 18 months ago.

Prosecutors:

Prior to even being charged, the defendants have engaged in extensive, exceptional cooperation with the United States Government [that’s been] noteworthy in both its scale and its impact.

In fact, the government estimates that prior to sentencing, the three men collectively worked for more than 1,000 hours: equivalent to about six months of full-time work. Their efforts have made a serious contribution to nationwide and even global law enforcement and security efforts, the government said.

For example, they helped chase what appeared to be an Advanced Persistent Threat (APT) from a nation-state hacking group. They also worked with the FBI in advance of Christmas 2017 to help mitigate a tsunami of DDoS attacks. Last year saw an unprecedented number of DDoSes: one study found that in the first quarter alone, there was a stunning 380% increase in such attacks.

According to Wired, the court documents also suggest that the trio has been working undercover, both online and offline, including traveling to “surreptitiously record the activities of known investigative subjects,” and working with overseas law enforcement to “ensur[e] a given target was actively utilizing a computer during the execution of a physical search.”

Prosecutors and the defense attorneys agreed that the men were unlikely to reoffend.

In the case of Norman, for example, there’s nothing quite like being dragged out of bed in the “innocent, quiet, early morning hours” by a SWAT team brandishing firearms and escorting your 80-year-old grandmother out to the front lawn in her nightgown to slap some sense into a precociously talented but socially awkward young man with a speech impediment who still lives at home.

Norman, “devastated” by being the cause of his family’s home being ransacked, has expressed remorse from the get-go.

The government said that Jha was particularly helpful, devoting hundreds of hours of work to helping investigators. He’s since landed a paying job at a Silicon Valley technology firm, according to the sentencing memo, although the government declined to name which firm hired him.

Jha’s courtroom journey isn’t over just yet, however. He’s admitted to using Mirai to attempt a series of cyberattacks against Rutgers University, where he was enrolled as a computer science student at the time. He’s slated to be sentenced next week in New Jersey for those crimes.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/I5Nx4XINicc/