
Princely five years in US big house for Nigerian biz email scammer

A Nigerian scumbag will be spending the next five years in an American clink after pleading guilty to operating an email phishing scam targeting businesses around the world.

Onyekachi Emmanuel Opara was given a 60-month sentence and ordered to pay $2.5m in restitution after pleading guilty to charges of wire fraud and conspiracy to commit wire fraud amounting to $25m.

Originally from Lagos, Nigeria, Opara was arrested in South Africa in 2016 and extradited to the US to face charges in January of this year. His co-defendant, David Chukweneke Adindu, pleaded guilty to conspiracy to commit wire fraud and conspiracy to commit identity theft charges. Adindu was sentenced to 41 months late last year.

The two were said to have masterminded a series of Business Email Compromise (BEC) phishing scams targeting companies in the US, UK, Australia, Switzerland, Sweden, New Zealand, and Singapore between 2014 and 2016.

In the scam, the men would pretend to be a supervisor at the target company or a third-party contractor or business partner, enrolling an employee within the company as an unwitting insider accomplice.


“The emails purported to be from supervisors at those companies or from third party vendors with whom the companies did business,” Uncle Sam’s prosecutors said this week.

“In reality, the emails were either sent from email accounts with domain names very similar to those of the companies and vendors, or the metadata for the emails was modified to make it appear as if the emails had been sent from legitimate email addresses.”

Having been duped by the spoofed addresses, the target would then be asked to transfer a sum of money for what they were told was a legitimate transaction, but was actually an account controlled by the scammers. The US Dept of Justice says that the scammers attempted to con their targets out of more than $25m.
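The two impersonation patterns the prosecutors describe, a sender domain that is a near-copy of a real one and headers altered so a message appears to come from a legitimate address, are both visible in the message headers. The following is an added example, not code from the article or from the court filings: a small mail-gateway check that flags a From domain within a couple of character edits of a trusted domain, and a trusted-looking From whose Reply-To or Return-Path leads elsewhere. The trusted domains and the three sample messages are constructed for the example.

```python
"""Flag the two impersonation patterns described above: sender domains that
closely resemble a trusted domain, and messages whose reply path leads
somewhere other than the trusted domain shown in From.
Added example; all domains and messages are constructed."""
import email
from email.utils import parseaddr

# Constructed: the organisation's own domain plus vetted vendor domains.
TRUSTED_DOMAINS = {"example-metalworks.com", "vendor-example.com"}


def levenshtein(a, b):
    """Edit distance: the number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(header_value):
    """Domain part of an address header such as 'CEO <ceo@example.com>'."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def imitated_domain(domain, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return the trusted domain that `domain` appears to imitate, or None.
    An exact trusted match is legitimate, not a lookalike."""
    if not domain or domain in trusted:
        return None
    for candidate in sorted(trusted):
        if levenshtein(domain, candidate) <= max_distance:
            return candidate
    return None


def assess(raw_message, trusted=TRUSTED_DOMAINS):
    """Return a list of findings for one RFC 5322 message; empty means no flag."""
    msg = email.message_from_string(raw_message)
    findings = []
    from_dom = sender_domain(msg.get("From"))
    target = imitated_domain(from_dom, trusted)
    if target:
        findings.append(f"lookalike sender domain {from_dom} resembles trusted {target}")
    if from_dom in trusted:
        # A genuine-looking From whose reply path points elsewhere: the
        # "modified metadata" case in the prosecutors' description.
        for header in ("Reply-To", "Return-Path"):
            other = sender_domain(msg.get(header))
            if other and other != from_dom:
                findings.append(f"{header} domain {other} differs from From domain {from_dom}")
    return findings


# Constructed sample messages (headers only matter for the check).
LOOKALIKE = """From: "Chief Executive" <ceo@example-metalwork.com>
To: accounts@example-metalworks.com
Subject: Urgent transfer

Please process the attached payment instruction today.
"""

REPLY_PATH_MISMATCH = """From: "Chief Executive" <ceo@example-metalworks.com>
Reply-To: ceo.office@freemail-example.net
To: accounts@example-metalworks.com
Subject: Annuity payment

Confirm once the transfer has gone out.
"""

LEGITIMATE = """From: "Accounts Payable" <ap@vendor-example.com>
To: accounts@example-metalworks.com
Subject: Invoice 1234

Attached is this month's invoice.
"""

if __name__ == "__main__":
    for name, text in (("lookalike", LOOKALIKE), ("reply-path", REPLY_PATH_MISMATCH), ("legit", LEGITIMATE)):
        print(name, assess(text) or "no findings")
```

The edit-distance threshold of two catches dropped, swapped or substituted characters; a deployment would pair it with the usual DMARC/SPF/DKIM results, since a spoofed From that passes those checks is a different problem from a registered lookalike domain that passes them legitimately.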

In one case the duo posed as investment advisers and convinced another investment house to wire over $25,000 to a fake account to cover an apparent annuity payment. They then asked for another $75,000 but by then the scam had been uncovered.

In a second case, mentioned in the court documents [PDF], the two sent an email to a metalworking business in Illinois pretending to be from the CEO and instructed a staffer to wire over $85,000. The next day they requested another $325,000 but the alarm had already been raised.

In a second phase of the scam, Opara created a fake profile of a woman on dating sites and used it to coerce men on the site into either sending their own money to Opara or acting as money mules for the BEC operation, receiving payments from the scammed businesses and then transferring them overseas by wire transfer. That operation resulted in Opara and Adindu making around $600,000. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/09/13/nigerian_bec_scammer/

New Cold Boot Attack Gives Hackers the Keys to PCs, Macs

Researchers bypass a Trusted Computing Group security measure to manipulate the firmware and steal data in memory.

An updated version of the Cold Boot Attack lets threat actors bypass security mechanisms and access data that remain in memory after a machine shuts down. Modern machines from Apple, Dell, Lenovo, and other major tech firms are affected, researchers report.

The Cold Boot Attack itself is not new. Known since 2008, it lets attackers with physical access to a machine steal its encryption keys, which briefly remain in memory after a hard reboot. Most devices now protect against this with a Trusted Computing Group (TCG) mitigation that overwrites data when the machine is rebooted and protects it from third parties.

But Olle Segerdahl, principal security researcher with F-Secure, along with fellow security consultant Pasi Saarinen, found this mechanism can be broken if they manipulate the firmware. The duo found a way to bypass TCG’s protection and exploit a weakness in the computer’s firmware to steal encryption keys and other data in a successful cold boot attack.

Several types of data could potentially be at risk, says Segerdahl. “Our primary target was hard drive encryption keys stored in memory,” he explains, but attackers could also access passwords, network credentials, and any information on the machine that its user can access.

“In one case, we used the machine to connect to corporate networks,” says Segerdahl. The duo detected VPN credentials that let them connect to internal networks and plant a backdoor. They could extract passwords for wireless networks and data that wasn’t on the hard drive, but was present in memory when they had the machine; for example, online passwords.

How it Works

Here’s how the TCG protection is intended to work: “Modern machines have a mitigation against the [cold boot] attack, where the firmware of the machine tries to detect if the machine has been properly shut down or not,” explains Segerdahl. A “flag” is set when the operating system boots up, telling firmware to protect data in memory if the device isn’t properly shut down. If it isn’t, the OS is supposed to clear that sensitive data.

The researchers broke this mitigation by removing the flag themselves and connecting a small device to the Flash memory chip on the motherboard that stores firmware settings.

“We can override the flag by accessing the memory chip directly,” says Segerdahl. Just as with the original cold boot attack, the actor needs physical access to a machine. They also need a tool to rewrite the non-volatile memory chip containing the firmware settings, disable memory overwriting, and enable booting from external devices. Cold boot attacks can be carried out with a special program on a USB stick, according to the researchers.

This manipulation gives them access to data that briefly remains in memory after a computer is shut off. How brief? It partly depends on temperature: the colder the memory, the longer the information lasts. Segerdahl says they had five to ten seconds in their experiments.

The amount of time an attacker has to perform the operation depends on the machine they steal, he explains. If a threat actor finds a machine in sleep mode, or doesn’t have pre-boot authentication, “then the attacker has unlimited time,” says Segerdahl. If no password is required to boot the machine, they can try multiple times to gain access.

He and Saarinen advise IT departments to configure machines to either shut down or hibernate – not enter sleep mode – and require users to enter a BitLocker PIN when they power up their machines. An attacker can perform a successful cold boot attack, but encryption keys aren’t stored in RAM when a machine hibernates or shuts down, so there’s no data to steal.

Apple, Microsoft Respond

F-Secure alerted Apple, Microsoft, and Intel to their findings. Microsoft published updated guidance on BitLocker countermeasures and responded to this research with the following:

“This technique requires physical access,” says Jeff Jones, senior director at Microsoft, in a statement to Dark Reading. “To protect sensitive info, at a minimum, we recommend using a device with a discrete Trusted Platform Module (TPM), disabling sleep/hibernation and configuring BitLocker with a Personal Identification Number (PIN).”

Apple says Macs equipped with an Apple T2 chip come with security measures designed to protect devices from attacks like this one, the researchers report. The company also advises users to set a firmware password to secure Macs without a T2 chip.


Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/risk/new-cold-boot-attack-gives-hackers-the-keys-to-pcs-macs/d/d-id/1332814?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

2 Billion Bluetooth Devices Remain Exposed to Airborne Attack Vulnerabilities

One year after Armis disclosed ‘BlueBorne,’ a large number of Android, Linux, and iOS devices remain unpatched.

One year after security vendor Armis disclosed a set of nine exploitable vulnerabilities in Bluetooth, some 2 billion devices — including hundreds of millions of Android and iOS smartphones — remain exposed to the threat.

Armis disclosed the vulnerabilities — collectively dubbed “BlueBorne” — last September, describing them as an attack vector for adversaries to take complete control of Bluetooth devices. At the time, the company estimated some 5 billion Bluetooth-enabled products, including laptops, phones, smartwatches, and TVs, were impacted.

Since then, the vendors of many of these products have issued patches and software updates addressing the flaws.

But Armis estimates that at least 2 billion devices remain just as open to attack via BlueBorne vulnerabilities as they were one year ago.

Nearly half of the still-vulnerable devices, 995 million, are Android devices running either the Marshmallow or even older Lollipop versions of the operating system. Another 768 million are running either unpatched or unpatchable versions of Linux, 200 million are running various versions of Windows, and 50 million are iOS devices, the company said in a report Thursday.

That so many systems remain vulnerable to BlueBorne one year after the vulnerabilities were disclosed is not especially surprising, says Ben Seri, vice president of research at Armis. “When we first announced BlueBorne, we knew there were two primary challenges to addressing this type of exposure,” he notes.

One of them is that many of the impacted devices — such as older, unsupported Android and iOS products — will never get patched, remaining at risk until the devices are discarded. Similarly, many systems running Linux, such as industrial equipment and medical devices, can be very difficult or impossible to patch.

The other challenge is the time it takes for device vendors, carriers, and enterprises to deploy patches — even when available — for such vulnerabilities. Google, Microsoft, and Linux groups, for instance, quickly issued patches for the flaws, but many of the others in the respective ecosystems have not, Seri says.

The BlueBorne vulnerabilities exist in Bluetooth implementations in Windows, Android, Linux, and iOS before Version 10. The flaws allow attackers to take complete control of vulnerable devices, steal data, distribute malware on them to conduct man-in-the-middle attacks, and spy on users. 

Airborne Attacks

Armis describes the BlueBorne flaws as enabling airborne attacks, where one infected Bluetooth device can be used to broadcast the malware to other devices over-the-air. In order to infect a device using BlueBorne, an attacker does not have to pair his or her own device with the target device, nor does the target device even need to be in discoverable mode.

“Airborne attacks bring new, frictionless attack capabilities,” Seri says. Unlike traditional methods, users don’t need to click a link or download a file to enable an attack. “Spreading through the air from device to device renders the attacks much more contagious and allows them to spread with minimum effort.”  

Such vulnerabilities also give attackers a way to jump air-gapped internal networks, such as those found in several critical infrastructure and industrial systems settings, he says.

Despite the prevalence of vulnerable systems, so far there is no evidence that attackers have actually exploited the flaws to do any of the things Armis has warned about. But the lack of evidence does not necessarily mean attackers aren’t exploiting BlueBorne flaws.

“If attackers were to use airborne attacks, such as BlueBorne, how would this be detected?” Seri asks. “There would be no log that would show a Bluetooth attack taking place” in endpoint security products, firewalls, and network security products.  

Bluetooth is completely unmonitored at many organizations, so for adversaries, attacks using BlueBorne would be a coveted vector since they would be completely under the radar, he says.

Since Armis disclosed BlueBorne, several other vendors have reported flaws in Bluetooth, as well, including Zimperium, the Israel Institute of Technology, and Tencent.

For enterprises, such vulnerabilities highlight the limitations of relying solely on device makers and carriers to address vulnerabilities in the operating systems and software stacks on their products. “It is critical to note that BlueBorne impacted not just IoT devices, not just the Amazon Echos, but [also] any device with Bluetooth — which means desktops, laptops, and potentially servers,” Seri said.

Theoretically, at least, any device approved to be on a network could be compromised, and the attacker could then penetrate deeper into an organization.

“Enterprises should understand where connected devices are at use in their environments — both sanctioned and unsanctioned — [and] be able to track their actions and gain control over them in order to prevent the threat of attacks,” Seri says.

Organizations need to be aware that any new communications method or protocol will always be a target for attacks and should expect to see attacks against Bluetooth vulnerabilities for years to come, adds Lamar Bailey, director of security research and development at Tripwire.

Auto updates, where available, are the best method for patching against known security issues so long as there is a process for thoroughly testing the updates before deployment. “Any one vendor or provider who pushes an update and bricks a bunch of customer devices will have a very bad day, and it will cause a financial impact,” Bailey said.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/2-billion-bluetooth-devices-remain-exposed-to-airborne-attack-vulnerabilities/d/d-id/1332815?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Street gang members indicted for stealing POS terminals

Thirty-two alleged street-gang members have been indicted on 240 counts for a mix of old-school burglary and new-school hacking, computer access and fraud in a $1m scheme.

The charges were brought by California Attorney General Xavier Becerra. On Monday, his office announced the indictment, saying that it includes 63 counts of conspiracy to commit grand theft; 54 counts of hacking, computer access and fraud; 56 counts of grand theft; 59 counts of burglary; and 8 counts of identity theft.

The silver lining: investigators have recovered 40 stolen point-of-sale terminals. The grimy lining: they also recovered dozens of receipts showing fraudulent returns. Agents also seized stolen property that included laptop computers and personal files detailing taxpayer IDs or people’s bank information.

The gang members allegedly targeted dozens of medical and dentist offices, Becerra said, managing to get at the Social Security numbers and bank account information of the businesses’ patrons.

Since February 2016, law enforcement agents have been investigating the series of burglaries and credit card schemes that have been taking place in 13 counties across Northern California. Becerra says that agents spotted similarities in burglaries of credit card terminals from businesses around that area.

Agents discovered that the burglaries were allegedly tied to two criminal street gangs – known as the BullyBoys and the CoCo Boys – operating in the Antioch, Pittsburg and Bay Point areas.

Gang members would allegedly work together to burglarize businesses in order to get their credit card terminals. Then they’d use the stolen terminals to process returns, the money for which was placed onto a debit card for the gang’s own profit.

The case shows that California’s got some tech-savvy gangs, says Kent A. Shaw, executive director of the Western States Information Network (WSIN): a regional information sharing system that supported the law enforcement agencies that led the investigation. The DOJ’s announcement included his statement:

This investigation remarkably demonstrates the increasing level of sophistication by which criminal gangs operate in California.

Yes, crooks are more tech-smart than ever. But hopefully, they’ll continue to do dumb things… like, say, when that drug dealer posted a WhatsApp image showing his fingerprints. Or when that fugitive posted a selfie, taunting the cops as he enjoyed the good life in his Mexico hideaway.

We don’t know if the Coco Boys or the BullyBoys took to social media to brag about their alleged newfound riches, but if they did, they could wind up, if convicted, in our vaunted Hall of Stupid Posts.

Members of this profuse social media posting group have included:

Crooks: ever more technology-adept? Sure. Quiet about using it to rip people off, then using it again to brag or taunt? Not always!


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/UT_dlvVQmEE/

Veeam leaves MongoDB database wide open, exposes 445m records

Veeam, a Swiss-based company that develops backup, disaster recovery and intelligent data management software and which markets itself as a data giant that can “move securely across multi-cloud infrastructures”, seems to have left a 200GB MongoDB database open and defenseless, exposing 445m customer records.

Former Kromtech security researcher Bob Diachenko said in a blog post on Tuesday that he came across the Amazon Web Services- (AWS-) hosted database last Wednesday when he was using the IoT search engine Shodan.

The database had last been indexed on 31 August, Diachenko said, but he’s not sure how long the records were exposed.

The publicly searchable, wide-open database quietly slipped back into secure mode four days later, as of 9 September. TechCrunch’s Zack Whittaker says that the server was pulled offline three hours after the publication informed the company about the exposure.

The records didn’t contain terribly sensitive information – they included, among other things, first and last names, email addresses, customers’ countries, customer size, and some IP addresses – but that’s plenty for spammers, spear-phishers or other bad actors to work with.

In fact, misconfigured MongoDB instances – which, unfortunately, crop up all the time – have their very own flavor of ransomware. Called Mongo Lock, as of January 2017 it was plucking the contents of tens of thousands of unprotected MongoDB databases, exporting it, and replacing it with a ransom demand.

As Diachenko notes, issues with MongoDB have been known, and widely reported, since at least March 2013. Still, more than five years later, MongoDB databases keep turning up in Shodan.

The database’s history has much to do with its rocky security road: on some systems the default configuration has the database listening on a publicly accessible port as soon as it’s installed. Admins are supposed to reconfigure the settings, but many don’t. The result is an internet-connected database with no access control or authentication.

That’s since changed: starting with version 2.6.0, MongoDB began denying all networked connections to the database unless explicitly configured by an administrator.
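The exposure described in the two paragraphs above comes down to two settings: which interfaces mongod listens on, and whether authorization is enabled. The following is an added example, not code from Veeam, MongoDB or the article, that reads the relevant lines from a mongod configuration in either the legacy `key = value` format or the YAML format and reports whether the instance is in the wide-open state the article describes. The sample configurations are constructed, and the assumption that an absent `bind_ip` means an all-interfaces listener models the old packaging behaviour the article refers to.

```python
"""Audit a mongod configuration for the exposure pattern described above:
a listener on a non-loopback interface with no access control enabled.
Added example; the sample configurations below are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address


@dataclass
class MongoListenerConfig:
    # Assumption for this example: an absent bind_ip models the historical
    # all-interfaces default that the article describes.
    bind_ips: list = field(default_factory=lambda: ["0.0.0.0"])
    port: int = 27017
    authorization: str = "disabled"


def parse_mongod_conf(text):
    """Parse only the settings that matter for network exposure.

    Handles the legacy 'key = value' format (bind_ip, port, auth) and the YAML
    format (net.bindIp, net.bindIpAll, net.port, security.authorization) with a
    minimal hand-written reader so no YAML library is required.
    """
    cfg = MongoListenerConfig()
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        # Legacy format: 'key = value' with no colon before the '='
        if "=" in stripped and ":" not in stripped.split("=", 1)[0]:
            key, value = (p.strip() for p in stripped.split("=", 1))
            if key == "bind_ip":
                cfg.bind_ips = [v.strip() for v in value.split(",")]
            elif key == "port":
                cfg.port = int(value)
            elif key == "auth":
                cfg.authorization = "enabled" if value.lower() == "true" else "disabled"
            continue
        key, _, value = stripped.partition(":")
        key, value = key.strip(), value.strip()
        if indent == 0:
            section = key          # top-level mapping such as net: or security:
            continue
        if section == "net":
            if key == "bindIp":
                cfg.bind_ips = [v.strip() for v in value.split(",")]
            elif key == "bindIpAll" and value.lower() == "true":
                cfg.bind_ips = ["0.0.0.0"]
            elif key == "port":
                cfg.port = int(value)
        elif section == "security" and key == "authorization":
            cfg.authorization = value
    return cfg


def _is_loopback(address):
    try:
        return ip_address(address).is_loopback
    except ValueError:
        return address.lower() == "localhost"


def findings_for(cfg):
    """Human-readable exposure findings for a parsed configuration."""
    findings = []
    public = [ip for ip in cfg.bind_ips if not _is_loopback(ip)]
    if public:
        findings.append(f"listens on non-loopback address(es) {', '.join(public)} port {cfg.port}")
    if cfg.authorization != "enabled":
        findings.append("authorization not enabled: any client reaching the port has full access")
    return findings


def is_wide_open(cfg):
    """True when both conditions hold: reachable beyond loopback and no authorization."""
    public = any(not _is_loopback(ip) for ip in cfg.bind_ips)
    return public and cfg.authorization != "enabled"


# Constructed samples for this example.
LEGACY_DEFAULT = """
dbpath = /var/lib/mongodb
port = 27017
# bind_ip deliberately absent: the service listens on every interface
"""

HARDENED_YAML = """
net:
  bindIp: 127.0.0.1
  port: 27017
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for name, text in (("legacy default", LEGACY_DEFAULT), ("hardened", HARDENED_YAML)):
        cfg = parse_mongod_conf(text)
        print(name, "WIDE OPEN" if is_wide_open(cfg) else "ok", findings_for(cfg))
```

Binding to loopback and enabling authorization are independent controls: a database bound to a public interface with authorization on is still reachable and worth a finding, which is why `findings_for` reports each condition separately while `is_wide_open` only fires for the combination that landed Veeam's records in Shodan.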

As far as Veeam’s database goes, a spokesperson told TechCrunch that it’s looking into the matter:

We will continue to conduct a deeper investigation and we will take appropriate actions based on our findings.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ENzEFjnxQqg/

The Reg takes the US government’s insider threat training course

The US government has provided an online training course on insider threats.

To help understand its efforts to stop the spread of leaks, spills, espionage and sabotage, The Reg signed up for a bit of training from the National Insider Threat Task Force (NITTF).

Here we learned a lot about, in no particular order: former National Security Agency sysadmin Edward Snowden; drugs, porn and alcohol, lies, tricks of the trade and just who these insider threat people might be (not who you think).

NITTF is a US government body that is part of the Office of the Director of National Intelligence.

It is, in its own view: “The principal inter-agency task force responsible for developing an Executive branch insider threat detection and mitigation program to be implemented by all federal departments and agencies.”

In a five-module online training programme, the NITTF describes the differences between leaks, spills, sabotage and espionage. It also informs workers how to deal with the nosy media. Course-takers are also treated to a dramatized video of a group of workers dealing with a colleague who has gone rogue (no Oscars here).

According to the course, 300,000,000 pages have been stolen since 2010. These include 50TB of data by one individual and the 750,000 documents leaked by Snowden.

Whodunnit

The task force quoted ex-soldier Chelsea Manning as saying: “I would come in with a CD RW with Lady Gaga written on it, erase the music and then write a compressed split file – no one suspected a thing.”

It also uses the example of the 50TB of data that was allegedly taken by former Booz Allen Hamilton contractor Harold Martin. Martin is awaiting prosecution on charges of “stealing government documents and mishandling classified information”. The NITTF, ostensibly directly quoting from a New York Times article, noted that Martin held “a top-secret security clearance despite a record that included drinking problems, a drunken-driving arrest, two divorces, unpaid tax bills, a charge of computer harassment, and posing as a police officer in a traffic dispute”.

The NITTF again echoed the newspaper when it noted: “These events should have triggered closer scrutiny.”

The public defender has said in Martin’s defence that he is a “compulsive hoarder”. Martin has reportedly agreed to plead guilty to one of the charges, the “illegal retention of national security information”, but initially pleaded not guilty to all charges.

Snowden, the world’s best-known document leaker and whistleblower – although the task force emphatically claimed in several places in the course that he was not a whistleblower as he did not “follow the correct procedures” – is described by the government outfit as a “disgruntled” employee who displayed many of the personality traits of someone who was an insider threat.

Snowden has always maintained that he had tried to raise his concerns with the NSA before he decided to make the documents public.

According to this training course, “a close review of Snowden’s official employment records and submissions revealed a pattern of intentional lying”.

Some “examples” highlighted by NITTF included: “Claimed to have left Army basic training because of broken legs when he washed out because of shin splints; claimed to have worked for the CIA as a ‘senior advisor,’ which was a gross exaggeration of his entry-level duties as a computer technician; doctored his performance evaluations and obtained new positions at NSA by exaggerating his résumé and stealing the answers to an employment test.”

It also claimed that Snowden began his mass downloads of classified information from NSA networks “two weeks after an email argument with a supervisor”.

When we think of spies and insider threats, most of us think of professionally trained individuals on a mission. The US government, however, said that most act alone or are targeted because of their behaviour and personality traits.

Are you the weakest link?

Much of it comes down to “elicitation”, according to the third module of the course. A “trained elicitor understands human predispositions and uses techniques to exploit those”.

What makes you the sort of mug the “trained adversary” would target? If you go by the training course, personality traits including being polite and helpful, a wish to feel well informed, being a gossip, being someone who corrects others and having a belief that people are basically honest.

You might also be a person who tends to underestimate the value of the information being sought or given.

As to whether these tendencies work, NITTF cited a pamphlet entitled “What Employees Should Know About Elicitation and Foreign Intelligence Approaches” from defence manufacturer Raytheon, which stated that since the end of the Cold War: “67 per cent of spies have been civilians; 37 per cent had no security clearance; 84 per cent of spies were successful; 67 per cent volunteered to commit espionage; 81 per cent received no money for their services; and 94 per cent went to prison”.

The US Office of the Director of National Intelligence believes that $300,000,000,000 worth of American intellectual property and business intelligence is stolen each year by China, Russia, Iran and others.

The course is available to take here, though it seems to run most reliably in Microsoft’s browser Internet Explorer. Reg hacks have been able to access it on Opera, Safari, Firefox and Brave – although one reported being blocked on Chrome. The NITTF recommended hosting the files on a webserver “due to security features on some browsers”. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/09/13/nittf_insider_threat_self_analysis/

The Increasingly Vulnerable Software Supply Chain

Nation-state adversaries from Iran to Russia have leveraged the supply chain as a vehicle to compromise infrastructure and disrupt businesses.

In July, US intelligence agencies issued a report highlighting concerns that software supply chain attacks represent an emerging threat from China that could erode America’s long-term competitive economic advantage. Threat intelligence data from a variety of sources indicates that other nation-state adversaries from Iran to Russia have leveraged the supply chain as a vehicle to compromise infrastructure and disrupt businesses. In fact, CrowdStrike’s recent study found that two-thirds of organizations across a wide variety of sectors experienced a software supply chain attack in the past 12 months.  

Adversaries have turned to this attack vector because traditional cybersecurity solutions that protect the network perimeter are advancing to the point that adversaries have had to find other ways to infiltrate an enterprise. Software supply chain vulnerabilities are prime targets for exploiting the trust between an organization and its software providers and business partners, particularly since these third-party providers are often rushing to market and overlooking best practices for proper testing and source code security.

Because of the deployment footprint for software targeted in these attacks and because advancing malware propagation techniques often leverage privileged credentials or known infrastructure vulnerabilities, supply chain attacks are often widespread, targeting the entire trusted organizations’ customer base. They are also growing in frequency and sophistication. For example, adversaries target vulnerabilities using legitimate software packages, so when an attack occurs, it is difficult to detect and mitigate stealthy propagation techniques that infect other systems across the network.

According to CrowdStrike’s study, these attacks also cost businesses on average over $1 million in lost business, productivity, and response costs — though they can cost more than monetary value. The increase in software supply chain attacks coupled with implementation of the European Union’s General Data Protection Regulation and other privacy regulatory requirements all have finally seemed to serve as a wake-up call for organizations. According to our recent supply chain security survey, 80% of IT professionals believe software supply chain attacks will be one of the biggest cyber threats their organizations will face over the next three years.

Where We Are

So, what are organizations doing to protect themselves, and what more needs to be done?

Although organizations are increasingly becoming aware of the supply chain as an emerging attack vector, CrowdStrike’s survey found that they’re still incredibly vulnerable to such attacks. One big area of concern is supplier vetting. Unfortunately, organizations expect companies to perform strenuous due diligence when evaluating the security exposure of those they do business with, invest in, or acquire. For example, only a third of respondents in the survey said they’re vetting all of their suppliers, and about the same number said they are certain their suppliers will inform them if they’re successfully breached. Further, 72% said their organization does not always hold external suppliers to the same security standards as they hold themselves.

Moving forward, many organizations across all sectors are beginning to change their supplier vetting process. Nearly 60% say the process has become more rigorous because more detailed checks are needed, while 80% said they would avoid working with emerging or less-established vendors due to a perceived weakness in security strategy.

Organizations looking to defend against supply chain attacks are establishing stronger measures for thorough vetting. For example, major national banks are beginning to require their vendors to meet certain minimum network security requirements to protect their customers’ data. But when it comes to actual vetting, only about half of survey respondents currently look at a supplier’s internal security standards or security software. Additionally, balancing the need to ensure timely updates to key business applications against the need to ensure updates are properly tested in a controlled environment is becoming a commonplace topic of discussion between security and channel organizations.

What’s encouraging: The supply chain survey found that 95% of organizations have seen a change in their boards’ attitude toward such attacks in the wake of NotPetya. A change in attitude and increase in awareness is a start, but adequately defending against a software supply chain attack requires having the right tools and processes in place to effectively prevent, detect, and respond to threats.

To make it harder for software supply chain attackers to get into and traverse an entire network unabated, we recommend organizations put in place:

  • Behavioral-based attack detection solutions that can defend against sophisticated supply chain attacks;
  • Segmented network architectures;
  • Real-time vulnerability management solutions; and
  • Improved controls for managing the use of privileged credentials in the environment (including control of shared/embedded admin accounts).

Additionally, to get ahead of future attacks, organizations should use threat intelligence that will help provide the necessary data and information to proactively defend against new attacks. We also recommend taking proactive measures to evaluate the effectiveness of their cybersecurity, such as red teaming and tabletop exercises. (Note: CrowdStrike is among a number of companies that provide these services).

Finally, organizations need to ensure they can quickly respond to attacks by understanding what we call breakout time. Breakout time is the time it takes for an intruder to begin moving laterally to other systems within an organization’s network. The average breakout time is one hour and 58 minutes, which is a tight window during which an organization can prevent an incident from turning into a breach.
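One way to make breakout time measurable from an organization’s own telemetry, as an added example that is not from the article or from CrowdStrike: the event records, host names and field layout below are constructed assumptions. The code finds the first detection on a host and the first remote logon from that host to a different host, reports the gap between them, and checks whether a given response delay would have beaten it.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (an assumption, not real data): one endpoint
# alert on a workstation followed by remote logons that it initiates.
SAMPLE_EVENTS = [
    {"ts": "2018-09-10T08:02:00", "type": "alert", "host": "ws-14"},
    {"ts": "2018-09-10T08:15:00", "type": "remote_logon", "src": "ws-14", "dst": "ws-14"},
    {"ts": "2018-09-10T09:31:00", "type": "remote_logon", "src": "ws-14", "dst": "fs-01"},
    {"ts": "2018-09-10T09:40:00", "type": "remote_logon", "src": "ws-14", "dst": "dc-01"},
    {"ts": "2018-09-10T07:50:00", "type": "remote_logon", "src": "ws-07", "dst": "fs-01"},
    {"ts": "2018-09-10T10:00:00", "type": "alert", "host": "ws-22"},
]

# Average breakout time cited in the article: 1 hour 58 minutes.
AVERAGE_BREAKOUT = timedelta(hours=1, minutes=58)


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def first_alert(events, host):
    """Earliest detection on `host`; this starts the breakout clock."""
    alerts = [_ts(e) for e in events if e["type"] == "alert" and e.get("host") == host]
    return min(alerts) if alerts else None


def first_lateral_move(events, host, after):
    """Earliest remote logon from `host` to a *different* host at or after `after`.
    Logons to itself and logons that predate the alert are ignored."""
    moves = [_ts(e) for e in events
             if e["type"] == "remote_logon" and e.get("src") == host
             and e.get("dst") != host and _ts(e) >= after]
    return min(moves) if moves else None


def breakout_time(events, host):
    """Gap between first alert and first lateral move, or None if either is missing."""
    start = first_alert(events, host)
    if start is None:
        return None
    move = first_lateral_move(events, host, start)
    return None if move is None else move - start


def contained_before_breakout(events, host, response_delay):
    """True if isolating the host `response_delay` after the alert beats the breakout."""
    delta = breakout_time(events, host)
    return delta is not None and response_delay < delta


def slower_than_average(events, host, average=AVERAGE_BREAKOUT):
    """True when the observed breakout was slower than the article's average."""
    delta = breakout_time(events, host)
    return delta is not None and delta > average
```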

It’s clear that industries are beginning to see the need to take software supply chain threats seriously. But organizations can’t wait for another large-scale software supply chain breach; they need to act now to ensure they’re doing all they can to defend against these damaging attacks.

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

As Vice President of Services, Thomas Etheridge oversees all service delivery associated with CrowdStrike’s Falcon suite of cybersecurity products. Thomas brings over 20 years of management consulting experience and over 16 years of executive services leadership expertise in …

Article source: https://www.darkreading.com/risk/the-increasingly-vulnerable-software-supply-chain/a/d-id/1332756?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Bomgar Buys BeyondTrust

The companies join forces to broaden their privileged access management portfolio and will take on the BeyondTrust name.

Privileged access management (PAM) provider Bomgar said it plans to acquire BeyondTrust, a company focused on privilege-centric security, from an affiliate of Veritas Capital.

Bomgar, which was acquired by private equity firm Francisco Partners earlier this year, aims to secure privileged credentials, remote access sessions, and endpoints. BeyondTrust offers a PAM platform designed to scale across endpoint, server, IoT, cloud, and network devices.

The combined company will operate under the name BeyondTrust. Financial terms of the deal were not disclosed; however, the combined business will have about $300 million in total bookings, more than 800 employees, and more than 19,000 customers.

This is the latest in a series of acquisitions by Bomgar to build its PAM portfolio. In February 2018 it bought Lieberman Software, provider of privileged identity and credential management tech. In July 2018, it acquired Avecto for privileged endpoint management.

Read more details here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/application-security/bomgar-buys-beyondtrust-/d/d-id/1332808?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Kelihos Botnet Operator Pleads Guilty in Federal Court

The 38-year-old Russian national operated several botnets and infected thousands of systems with malware.

Peter Yuryevich Levashov, who operated the Kelihos botnet, pleaded guilty in U.S. District Court in Hartford, Conn., to charges related to criminal activities including harvesting login credentials, distributing bulk spam e-mails, and installing ransomware and other malicious software. From the late 1990s until his arrest in April 2017, the 38-year-old Levashov controlled and operated multiple botnets, including Storm, Waledac, and Kelihos.

According to court documents, Levashov distributed spam and other malware, such as banking Trojans and ransomware, and advertised the Kelihos botnet spam and malware services to others. As part of his criminal activity, Levashov, who also used the aliases “Petr Levashov,” “Peter Severa,” “Petr Severa,” and “Sergey Astakhov,” sold and leased malware software and services to other criminals, and engaged in buying, selling, and trading personal information harvested through the botnets and malware.

A native of St. Petersburg, Russia, Levashov was arrested in Barcelona on April 7, 2017. He remains in U.S. custody pending sentencing, which is scheduled for Sept. 6, 2019.

Read here for more.

Article source: https://www.darkreading.com/attacks-breaches/kelihos-botnet-operator-pleads-guilty-in-federal-court/d/d-id/1332810?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Enterprise Security Needs an Open Data Solution

What would it look like if more than a tiny fraction of enterprises had access to all the signals hidden in their big data today?

When I first started in the nascent cybersecurity field as a pimply-faced intern in ’92, we analyzed each and every computer virus by hand — you might call it an artisan process. Fast forward 26 years and, like most other fields, cybersecurity is now driven by big data. Malware detection, cyber-risk management, incident investigation and response, and dozens of other cybersecurity use cases are all driven by the collection and analysis of huge amounts of security-relevant metadata.

The cybersecurity vendors were the first to get this — about a decade ago, antivirus vendors shifted from artisan analysis to the collection and analysis of massive amounts of machine telemetry from their customers’ devices and networks. A handful of the largest corporations soon followed; they began collecting not only traditional security alerts (antivirus, firewall, intrusion-detection system), but also other types of data such as DNS records, web proxy and authentication logs, NetFlow records, and endpoint detection and response logs.

These early adopters realized that these secondary data feeds, while of huge volume and expensive to store and process, were indispensable for rooting out latent attacks. Some of these corporations imported this data into complex graph analysis solutions such as Palantir. But the biggest players built their own proprietary big data lakes, began archiving these data feeds, hired a stable of high-paid data scientists, and set out to make sense of the data. 

Those are the heavy hitters, but how about everyone else? Today, most corporations only have the capacity to collect traditional security alerts (including antivirus, data-loss prevention, and firewall alerts). They can’t afford the huge costs of storing, backing up, and processing the mounds of (high-value) metadata generated by these other sources. Because they can’t afford to build and maintain their own data lakes, let alone hire highly paid data scientists to trawl the data, they pump what they can into an off-the-shelf security information and event management (SIEM) system or Splunk, discard it after a few months (to save money), and enable simple log searching and alert aggregation use cases. These corporations can’t begin to even think about collecting, storing, or processing other, more useful, signals. It’s as if a bank had to piece together a heist based on just the alarm and the broken glass and didn’t have any video footage.

So, this is the state of the cybersecurity world.

A Different Way

Let’s try to envision a different future. Imagine a future in which companies could, at reasonable expense, collect, store, index, and analyze all of the cybersecurity-relevant data from their environment. Not just alerts, but the full spectrum of security-relevant telemetry from their devices, networks, and cloud systems. And not just a few weeks or months of data (to save costs), but potentially years of historical data.

Furthermore, imagine what would happen if this data were stored in a well-documented, standardized form, encrypted and secured in enterprise-controlled data vaults. This would not only enable internal security teams to analyze it at scale for various cybersecurity use cases but also potentially enable service providers, with the permission of the data owner, to deliver additional services and derive new insights from this data. This would unlock the value of this data, and it would open it up to an entire ecosystem of providers. It would also enable the typical enterprise — not just the heavy hitters — to drastically improve their security posture.

This model is working in other industries and areas where extremely sensitive data has historically been siloed. For instance, Open Government Partnership is enabling the use of public records for citizens to get greater insights into the data collected on their behalf. Banks are unlocking customer data as part of the open banking movement in order for customers to make more use of their information. And in healthcare, HMOs are using data about medicines, patient behaviors, and outcomes to come up with insights across data sources that can improve patient care.

What would it look like if more than a tiny fraction of enterprises had access to all the signals hidden in their big data today? They could:

  • Detect latent attacks embedded in their environment through automated threat hunting
  • Measure and optimize their enterprise’s cybersecurity hygiene over time
  • Investigate attacks with access to comprehensive forensic data
  • Quickly understand how an attacker got in and what systems and data they accessed
  • Better prioritize and automatically remediate most security incidents
  • Measure the risk posed by their enterprise’s suppliers and partners
  • And dozens of other use cases

The biggest enterprises might build some of these solutions themselves, but the rest would rely upon trusted service providers to slice and dice these data feeds and apply their secret sauce to solve these use cases. A hearty analytics marketplace would emerge, with competing companies offering products that wring the most out of their customers’ data.

Enterprises are sitting on all the intelligence they need to better protect themselves from cyberattacks and other threats; they just need to make better use of it to turn the data into an effective defense. Other industries are seeing benefits from liberating data from proprietary silos, and in the future world we envision, security teams can too. The stakes are too high not to.

Carey Nachenberg is Chronicle’s Chief Scientist and a founding member of the Chronicle team. Prior to joining Chronicle, Carey served as Fellow and Chief Engineer at Symantec. During his 22-year tenure in the cybersecurity industry, Carey pioneered numerous cybersecurity …

Article source: https://www.darkreading.com/risk/enterprise-security-needs-an-open-data-solution-/a/d-id/1332761?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple