STE WILLIAMS

Russian National Extradited for 2014 JP Morgan Hack

Andrei Tyurin was arrested for his involvement in a hacking campaign targeting US financial institutions, financial news publishers, brokerage firms, and other companies.

Georgian officials have extradited Russian citizen Andrei Tyurin to the United States, where he will face charges related to a wide-ranging hacking campaign that targeted the US financial sector and included the 2014 breach of JP Morgan Chase. 

The Manhattan US Attorney’s office announced Friday that Tyurin was arrested by authorities in the country of Georgia at the request of the United States for his participation in hacking US financial organizations, brokerage firms, financial news publishers, and other companies. From 2012 to mid-2015, the campaign stole personal information of more than 100 million customers of target organizations. The breach at JP Morgan Chase was the largest theft of customer data from any single US financial institution in history with more than 80 million people affected.

In addition to attacks targeting US financial firms, Tyurin allegedly also launched cyberattacks on US and foreign companies at the direction of Gery Shalon, one of many co-conspirators he allegedly worked with. Their other activities included illegal Internet gambling businesses and international payment processors, and collectively generated hundreds of millions of dollars in illicit earnings.

Tyurin is charged with one count of conspiracy to commit computer hacking, one count of wire fraud, four counts of computer hacking, one count of conspiracy to commit securities fraud, one count of conspiracy to violate the Unlawful Internet Gambling Enforcement Act, one count of conspiracy to commit wire fraud and bank fraud, and aggravated identity theft.

Read more details here.


Article source: https://www.darkreading.com/attacks-breaches/russian-national-extradited-for-2014-jp-morgan-hack/d/d-id/1332772?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

The Equifax Breach One Year Later: 6 Action Items for Security Pros

The Equifax breach last September was the largest consumer breach in history. We talked to experts about lessons learned and steps companies can take to prevent and minimize future breaches.

Image Source: Shutterstock via Piotr Swat

Large breaches have become such a fact of everyday life for the past few years that it’s easy to pass off the Equifax breach last September as just another in a long string of bad security news. But make no mistake about it: this was a huge breach that will take several years to sort out.

When the dust settled earlier this year, Equifax finally disclosed that 147.9 million people were affected in some way. Sensitive personal information was stolen, including the names, Social Security numbers, and dates of birth of the victims, as well as phone numbers, email addresses, and genders.

George Avetisov, CEO of HYPR, says while the breach itself caused great harm, rank-and-file consumers and companies not directly affected by the Equifax breach are still at risk because all that personal data still resides on the Dark Web and can be used for future account fraud, synthetic identity attacks and credential re-use.

“We know how many consumers had their data stolen,” Avetisov says. “But it’s difficult to quantify the impact, as we may never know the full extent of the account fraud and credential re-use that will stem from the Equifax breach for years to come.”

Avetisov and other experts say companies must get the security hygiene basics right: patching more, and more effectively; deploying encryption and tokenization; and, above all, taking better care of their data.

“Companies have to start treating data as something of value,” says Brian Vecci, technical evangelist at Varonis. “Start by turning on the lights and finding what data you have.”

In putting together this slideshow, we talked to Avetisov and Vecci; Julie Conroy, research director for Aite Group’s Retail Banking practice; and Peter Firstbrook, a research vice president at Gartner who focuses on security. 

 

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md.

Article source: https://www.darkreading.com/the-equifax-breach-one-year-later-6-action-items-for-security-pros-/d/d-id/1332770?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

‘Only paper ballots by 2020!’ call experts after election tampering

An expert panel at the National Academy of Sciences has called for sweeping election reforms, including one specific recommendation that should come as no surprise: use paper.

From Thursday’s announcement about the report’s release:

All local, state, and federal elections should be conducted using human-readable paper ballots by the 2020 presidential election.

And what about the mid-terms, right around the corner in November? Yes, let’s try to get paper ballots for that one, too, the panel said. Let’s try our best to stay away from all the technologies that we’ve got in place now, because they’re full of holes:

Ballots that have been marked by voters should not be returned over the internet or any network connected to it, because no current technology can guarantee their secrecy, security, and verifiability.

Michael McRobbie, president of Indiana University and co-chair of the committee that conducted the two-year study and wrote the report, called the 2016 election a “watershed” moment:

The 2016 presidential election was a watershed moment in the history of elections – one that exposed new challenges and vulnerabilities that require the immediate attention of state and local governments, the federal government, researchers, and the American public.

Lee Bollinger, president of Columbia University and co-chair of the panel, called the threat from foreign actors “extraordinary”, according to the AP:

The extraordinary threat from foreign actors has profound implications for the future of voting and obliges us to examine, re-examine seriously, both the conduct of elections in the United States and the role of the federal and state governments in securing our elections.

According to the report, the US intelligence community found that “actors sponsored by the Russian government” obtained and maintained access to elements of multiple US state or local election systems. Those intrusions made clear that the country’s election infrastructure is clunky at best, even in the most well-resourced jurisdictions. For small jurisdictions without a lot of money to invest, things are even more grim.

Lawrence Norden, deputy director for New York University’s Brennan Center for Justice, gave specific details about that tampering in an analysis about special counsel Robert Mueller’s indictment of 12 Russian intelligence officers in July.

Namely, Mueller’s indictment alleged that Russian intelligence officers hacked into the website of a yet-unidentified state board of elections. Among other new information was an allegation that Russia used that hack to steal information related to 500,000 voters.

Norden says the figure is surprising, given that prior to the indictment, we’d only heard about an Illinois breach that affected about 100,000 voters. Intruders targeted election systems in 21 states and allegedly hacked into the computers of a private US elections systems vendor that the indictment didn’t name.

Given that the indictment mentions five times the number of affected voters than we’d heard about in the Illinois breach, it’s looking like the 2016 tampering “went deeper than we’d understood,” Norden said. As Wired’s Kim Zetter has pointed out, the indictments suggest that the 2016 attacks may have been an afterthought, given that the vendor and state board of election attacks came mid-election, in June through October 2016, months after the attacks on the Democratic National Committee and Hillary Clinton’s campaign.

Norden:

We would be wise to assume future attacks will involve more advanced planning. Combine this with the fact that the Russians undoubtedly learned information from their 2016 efforts, and there is reason to believe future attacks on our election infrastructure could be far more damaging.

As of March 2018, 13 states were still using at least some direct-recording electronic voting machines that lack a paper trail as their primary polling-place equipment, “making audits in these states impossible,” Norden reports.

These machines should be replaced as soon as possible. Come November, it’s also critical for any states using any kind of electronic voting machines to have emergency paper ballots that can be deployed immediately in case machines break down – whether that breakdown is caused by a system failure or a hack.

Human-readable paper ballots are not only auditable, they also assure voters that their vote was recorded accurately. In the past, faulty electronic voting machines have recorded voter choices inaccurately. Paper ballots, which can be counted by hand or machine, give voters the opportunity to review and confirm their selection before depositing their ballot for tabulation – something that’s impossible for systems that record votes electronically. According to the AP, one in five Americans cast their ballots on electronic-only machines in 2016.

Besides paper ballots, the Academy’s report has other specific recommendations, including that states should mandate a specific type of audit known as “risk-limiting” prior to the certification of election results.

Risk-limiting audits offer a high probability that any incorrect outcome can be detected, and they do so with statistical efficiency. A risk-limiting audit performed on an election with tens of millions of ballots may require examination by hand of as few as several hundred randomly selected paper ballots.
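To make that claim concrete, here is an added example (not from the Academy report or this article) of a ballot-polling risk-limiting audit of the BRAVO type described by Lindeman and Stark, for a two-candidate contest with paper ballots drawn at random with replacement from a constructed electorate. It goes a little beyond the paragraph by running the sequential test itself as well as estimating the expected sample size, which is why a 10-point margin at a 10% risk limit needs only a few hundred ballots no matter how many were cast.

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"math/rand"
)

// AuditResult summarises one ballot-polling audit.
type AuditResult struct {
	Confirmed       bool    // reported outcome survived: the risk limit was met
	BallotsExamined int     // hand-inspected ballots drawn before stopping
	FinalStatistic  float64 // BRAVO test statistic when the audit stopped
}

// BravoASN returns the approximate expected number of ballots a BRAVO audit draws when the
// reported tally is correct, using the Lindeman-Stark approximation
//   ASN = (ln(1/alpha) + z_w/2) / (s_w*z_w + (1-s_w)*z_l),  z_w = ln(2 s_w), z_l = ln(2 (1-s_w)).
// The total number of ballots cast does not appear: the sample depends on the margin, not the size.
func BravoASN(winnerShare, riskLimit float64) (float64, error) {
	if winnerShare <= 0.5 || winnerShare >= 1 || riskLimit <= 0 || riskLimit >= 1 {
		return 0, errors.New("need 0.5 < winnerShare < 1 and 0 < riskLimit < 1")
	}
	zw := math.Log(2 * winnerShare)
	zl := math.Log(2 * (1 - winnerShare))
	return (math.Log(1/riskLimit) + zw/2) / (winnerShare*zw + (1-winnerShare)*zl), nil
}

// BravoAudit runs the sequential BRAVO test. next yields the interpretation of each randomly
// drawn paper ballot: 'w' for the reported winner, 'l' for the reported loser, anything else
// for neither. The statistic T starts at 1, is multiplied by 2*s_w per winner ballot and by
// 2*(1-s_w) per loser ballot, and the outcome is confirmed once T >= 1/riskLimit. If maxBallots
// are drawn without reaching that, the audit escalates (in practice to a full hand count).
func BravoAudit(next func() byte, reportedWinnerShare, riskLimit float64, maxBallots int) AuditResult {
	threshold := 1 / riskLimit
	t := 1.0
	for n := 1; n <= maxBallots; n++ {
		switch next() {
		case 'w':
			t *= 2 * reportedWinnerShare
		case 'l':
			t *= 2 * (1 - reportedWinnerShare)
		}
		if t >= threshold {
			return AuditResult{Confirmed: true, BallotsExamined: n, FinalStatistic: t}
		}
	}
	return AuditResult{Confirmed: false, BallotsExamined: maxBallots, FinalStatistic: t}
}

// RandomBallots stands in for drawing paper ballots at random (with replacement) from a
// constructed electorate whose true winner share is trueWinnerShare; no real election data.
func RandomBallots(trueWinnerShare float64, seed int64) func() byte {
	rng := rand.New(rand.NewSource(seed))
	return func() byte {
		if rng.Float64() < trueWinnerShare {
			return 'w'
		}
		return 'l'
	}
}

// SequenceBallots replays a fixed, constructed sequence of interpretations (for deterministic checks).
func SequenceBallots(seq string) func() byte {
	i := 0
	return func() byte {
		if i >= len(seq) {
			return 0 // exhausted: no further evidence either way
		}
		b := seq[i]
		i++
		return b
	}
}

func main() {
	const alpha = 0.10
	for _, share := range []float64{0.55, 0.60, 0.75} {
		asn, _ := BravoASN(share, alpha)
		fmt.Printf("reported winner share %.2f: expected sample ~%.0f ballots\n", share, asn)
	}
	// Reported 55/45 and the paper agrees: stops after a few hundred draws.
	fmt.Printf("correct outcome: %+v\n", BravoAudit(RandomBallots(0.55, 1), 0.55, alpha, 50000))
	// Reported 55/45 but the paper actually favours the other candidate: T drifts downward, so the
	// audit normally escalates rather than confirming (the chance of wrongly confirming is at most alpha).
	fmt.Printf("wrong outcome:   %+v\n", BravoAudit(RandomBallots(0.45, 1), 0.55, alpha, 50000))
}
```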

As far as internet voting goes, just forget it, the panel of experts said. It’s not secret enough, it’s not safe enough, and it’s not verifiable enough – and we shouldn’t be relying on it for elections until we have “robust guarantees” that it is.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/1ZXdeUwstpc/

Google Chrome will now generate unique passwords for you

The ever-popular browser Google Chrome turned 10 years old this month, and with that anniversary the Google team announced a bevy of new changes in the latest release – from a new look to behind-the-scenes functionality tweaks.

Here at Naked Security we’re most interested in the security-related update that the new version of Chrome now offers: an in-browser Chrome-native password generator and manager.

Yes, Google products have been offering to store passwords for their users for some time now via Google Password Vault – and for that matter, most browsers have been offering their own native password manager features too (in addition to the many third-party password managers that integrate into the browser of your choice).

Combined password manager and generator

The new wrinkle here is that Chrome will now generate a unique password for the user as a part of the everyday credential creation process.

That generated password will be stored in the cloud-based Google Password Vault, meaning it will be available to that same logged-in Chrome user across their devices.

As you can see in the images below, there are no add-ons or third-party apps required here, and the browser’s password generation looks very similar to the form-fill technology that browser users are already quite used to:

Image courtesy of Google

Chrome is by no means the only browser with this capability. We’ve previously covered how Apple’s Safari browser will be offering similar functionality in the upcoming iOS 12 release, which should be out this month.

So it seems like in-browser password management and generation are well on their way, if not already here. Hooray, right?

Generally speaking, the fewer barriers between users and the creation of more secure, unique passwords, the better. However, depending on your point of view, there may be caveats.

For those who already have the desire and ability to use a password manager – which is likely to be most Naked Security readers – the fundamental question is whether or not they will prefer to entrust their passwords to a massive company like Google or Apple, a third-party password manager like 1Password or LastPass, or use a homegrown solution, like a personal algorithm.

There’s certainly an argument for keeping passwords out of the cloud, a browser, or a big company that already knows a ton about you, like Google or Apple. Putting all your browsing and password information in one place may be a risk that not everyone wants to take – not everyone wants all their eggs in Google’s basket, so to speak.

And certainly, there are many people that never want their password vault stored on the internet, regardless if it’s via a browser password manager or a cloud app. For those folks, an in-browser password generator and manager understandably holds little appeal.

A convenient tool?

On the other hand, though many of us know what good password hygiene is, why it matters, and how to use a password manager, there are just as many – if not more – who don’t.

Then there are those who know it is important, but still don’t bother with it – a refrain we often hear is that people know strong, unique passwords matter, but it’s such a pain to find yet another piece of tech to help with this (let alone set it up and learn to use it).

In this case, a built-in password generator and manager within the browser offers a distinct advantage: Most people are very comfortable with how their browser works, and if the browser offers oh-so-helpfully to take care of yet another internet annoyance (making and remembering all those pesky passwords), it’s one less thing to worry about.

What do you think? Does an in-browser password generator and manager appeal to you? If you’re a Chrome user, will you be using Google’s password vault or are you sticking to a different option?


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/wac-WbBcO6I/

North Korean programmer charged for Sony, WannaCry attacks and more

The US Department of Justice (DOJ) announced on Thursday that it had unsealed a criminal complaint (PDF) charging a North Korea regime-backed programmer, Park Jin Hyok, with being part of a team that launched multiple cyberattacks.

Make that big, dreaded, infamous cyberattacks, including unleashing the global WannaCry 2.0 ransomware in 2017, the 2014 attack on Sony Pictures, and the 2016 $81m cyber heist that drained Bangladesh’s central bank.

Beyond those headline-grabbing cyber assaults, the encyclopedic, 127-page complaint details the hacking team’s other malicious activities, including attacks or intrusions on the entertainment, financial services, defense, technology, and virtual currency industries, academia, and electric utilities.

The complaint alleges that Park, a North Korean citizen, was a member of a government-sponsored hacking team known as the “Lazarus Group” and that he worked for a North Korean government front company, Chosun Expo Joint Venture (aka Korea Expo Joint Venture or “KEJV”), to support cyber actions on behalf of the Democratic People’s Republic of Korea (DPRK).

Lazarus Group, also known as Guardians of Peace or Hidden Cobra, is a well-known cybercriminal group. In June 2017, US-CERT took the highly unusual step of sending a stark public warning to businesses about the danger of North Korean cyberattacks and the urgent need to patch old software to defend against them.

It specified Lazarus Group. The alert was unusual in that it gave details, asking organizations to report any detected activity from the Lazarus Group/Hidden Cobra/Guardians of Peace to the US Department of Homeland Security’s (DHS’s) National Cybersecurity Communications and Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch).

Specifically, US-CERT told organizations to be on the lookout for DDoS botnet activity, keylogging, remote access tools (RATs), and disk wiping malware, as well as SMB worm malware of the sort blamed for multiple waves of the WannaCry attacks.

The criminal complaint, filed on 8 June in Los Angeles federal court, says that Park worked as a programmer for over a decade for Chosun Expo Joint Venture, which had offices in China and the DPRK and which is affiliated with Lab 110, which the DOJ says is a component of DPRK military intelligence.

Besides programming for Chosun Expo, working for paying clients around the world, Park and his team also allegedly spent their time on spear-phishing campaigns, malware attacks, data exfiltration, swindling money out of bank accounts, ransomware extortion, and propagating “worm” viruses to create botnets.

The complaint focuses on these four headline-grabbing attacks:

  • The November 2014 attack on Sony Pictures Entertainment in retaliation for the movie The Interview, a Seth Rogen/James Franco comedy about a plot to kill North Korea’s leader Kim Jong-Un. It never saw the light of day: Sony pulled the movie after theaters received threats specifically mentioning the 9/11 attacks on New York and the Pentagon. The DOJ says that the hackers gained access to Sony’s network by sending malware to Sony employees, after which they stole confidential data, published a massive trove of embarrassing communications on WikiLeaks, threatened Sony executives and employees, and damaged thousands of computers. Sony suffered a good deal of fallout over the attack, including ex-employees suing the company for failing to protect their private information.
  • The Bangladesh Bank heist. The criminal complaint alleges that Park and his co-hackers accessed the bank’s computer terminals that interfaced with the Society for Worldwide Interbank Financial Telecommunication (SWIFT) communication system after compromising the bank’s computer network with spear-phishing emails, then sent fraudulently authenticated SWIFT messages directing the Federal Reserve Bank of NY to transfer funds from Bangladesh to accounts in other Asian countries. The team also went after several other banks in various countries from 2015 through 2018 using similar methods and “watering hole attacks,” attempting the theft of at least $1 billion.
  • The hackers went after US defense contractors in 2016 and 2017, including Lockheed Martin, in a spear-phishing campaign. The US says that investigators detected some of the same aliases and accounts that were used in the Sony attack, and that sometimes they were accessed from North Korean IP addresses and contained malware “with the same distinct data table found in the malware” used against Sony and certain banks. The spear-phishing emails sent to the defense contractors were often sent from email accounts that purported to be from recruiters at competing defense contractors, according to the complaint, and some of the malicious messages made reference to the Terminal High Altitude Area Defense (THAAD) missile defense system deployed in South Korea. “The attempts to infiltrate the computer systems of Lockheed Martin, the prime contractor for the THAAD missile system, were not successful,” the DOJ said.
  • WannaCry 2.0 infected hundreds of thousands of computers around the world in May 2017, causing extensive damage, including paralyzing computers at the United Kingdom’s National Health Service (NHS). Park’s team allegedly developed that malware, along with two prior versions of the ransomware.

The criminal complaint includes charts that visualize Lazarus Group’s attacks and intrusions and show how Park is implicated, including email and social media accounts that connect to each other and were used to send spear-phishing messages; aliases and malware “collector accounts” used to store stolen credentials; common malware code libraries; proxy services used to mask locations; and North Korean, Chinese, and other IP addresses. The US says that some of the group’s infrastructure was used across multiple instances of their cyber-marauding.

Assistant Attorney General Demers said in a statement that the scale and scope of the cyber-crimes alleged in the complaint are “staggering and offensive to all who respect the rule of law and the cyber norms accepted by responsible nations.”

The complaint alleges that the North Korean government, through a state-sponsored group, robbed a central bank and citizens of other nations, retaliated against free speech in order to chill it half a world away, and created disruptive malware that indiscriminately affected victims in more than 150 other countries, causing hundreds of millions, if not billions, of dollars’ worth of damage. The investigation, prosecution, and other disruption of malicious state-sponsored cyber activity remains among the highest priorities of the National Security Division and I thank the FBI agents, DOJ prosecutors, and international partners who have put years of effort into this investigation.

As to what happens next, we’ll have to wait and see.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/zkvfjWqeFh4/

Supermicro servers fixed after insecure firmware updating discovered

Researchers have sounded a warning about the security of Baseboard Management Controllers (BMCs) – a critical component that datacentres depend on to manage servers.

According to Eclypsium, the BMC used by one server brand, Supermicro, has an insecure updating process that could allow an attacker to modify its firmware or run malware.

Affecting X8 through X11-generation systems, the BMC code wasn’t carrying out cryptographic signature verification before accepting firmware updates, the company said.

BMCs are like powerful computers-within-the-server, complete with their own CPU and memory, that remain turned on even when the server is not being used (not dissimilar to the Intel Management Engine found inside home computers).

Once a BMC is compromised, an attacker would be able to sneak their own modified firmware onto a server – something that would give admins a very bad day at the office.

This is the privileged layer used to issue server wipes and OS reinstalls, which would hand the same power to attackers to take over the system, or to ‘brick’ it as part of a denial-of-service attack, or possibly move sideways to other parts of the network.

It would also be incredibly difficult to detect, let alone stop once it had started – the attacker would have loaded their own firmware after all.

How did this happen?

All BMCs are hooked up to the outside world – the admins – via something called the Intelligent Platform Management Interface (IPMI), through which instructions specific to each brand of controller are issued. Authentication here is a good idea but unfortunately not mandatory.

The only limitation on the attack was the need for credentials:

Because IPMI communications can be performed over the BMC LAN interface, this update mechanism could also be exploited remotely if the attacker has been able to capture the ADMIN password for the BMC.

Supermicro is not the only vendor falling short on authentication, said the researchers:

Our research has uncovered vulnerabilities in the way that multiple vendors update their BMC firmware. These vendors typically leverage standard, off-the-shelf IPMI management tools instead of developing customized in-house management capabilities.

That said, it seems that weaknesses in Supermicro’s firmware have been detected as long ago as 2013. More recently, researchers have started worrying about the security of BMCs more generally.

Fixes

The solution is for server makers to implement authentication, which the researchers say is now part of Supermicro’s updating process for all new products. Customers using the X10 and X11 generation servers who have locked their firmware version should visit the support page for more advice or contact the company first.
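The check that was missing from the update path described above, and that the fix adds, is shown here as an added example (not Supermicro’s or Eclypsium’s code, and with a constructed image layout rather than any vendor’s real format): an update routine that accepts any well-formed image beside one that verifies a vendor Ed25519 signature over the image and refuses downgrades before anything is flashed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout for this example (not a real BMC format):
//   magic[4] | version uint32 BE | payloadLen uint32 BE | signature[64] | payload
// The signature covers everything except itself: magic | version | payloadLen | payload.
const (
	imageMagic = "BMCF"
	headerLen  = 4 + 4 + 4 + ed25519.SignatureSize
)

var (
	ErrMalformed    = errors.New("firmware image: malformed header")
	ErrBadSignature = errors.New("firmware image: signature does not verify under the vendor key")
	ErrRollback     = errors.New("firmware image: version is older than the installed firmware")
)

// NewVendorKey generates the vendor's signing key pair. In a real product the private half
// stays in the vendor's signing infrastructure and only the public key is baked into the BMC.
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// BuildImage is the vendor-side step: frame the payload and sign header plus payload.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	hdr := make([]byte, 12)
	copy(hdr, imageMagic)
	binary.BigEndian.PutUint32(hdr[4:], version)
	binary.BigEndian.PutUint32(hdr[8:], uint32(len(payload)))
	signed := append(append([]byte{}, hdr...), payload...)
	sig := ed25519.Sign(priv, signed)
	return append(append(hdr, sig...), payload...)
}

// parseHeader does the format sanity checks both update paths share.
func parseHeader(img []byte) (version uint32, err error) {
	if len(img) < headerLen || string(img[:4]) != imageMagic {
		return 0, ErrMalformed
	}
	if int(binary.BigEndian.Uint32(img[8:12])) != len(img)-headerLen {
		return 0, ErrMalformed
	}
	return binary.BigEndian.Uint32(img[4:8]), nil
}

// InsecureAccept models the flaw the researchers describe: the header is checked for sanity,
// but nothing ties the payload to the vendor, so any well-formed image gets flashed.
func InsecureAccept(img []byte) ([]byte, uint32, error) {
	version, err := parseHeader(img)
	if err != nil {
		return nil, 0, err
	}
	return img[headerLen:], version, nil
}

// VerifyImage is the hardened path: the signature must verify under the vendor's public key
// first; only then is the (now trusted) version field compared against the installed firmware
// so that a genuine but older image cannot be used to reintroduce known bugs.
func VerifyImage(img []byte, vendorPub ed25519.PublicKey, installedVersion uint32) ([]byte, uint32, error) {
	version, err := parseHeader(img)
	if err != nil {
		return nil, 0, err
	}
	sig := img[12:headerLen]
	payload := img[headerLen:]
	signed := append(append([]byte{}, img[:12]...), payload...)
	if !ed25519.Verify(vendorPub, signed, sig) {
		return nil, 0, ErrBadSignature
	}
	if version < installedVersion {
		return nil, 0, ErrRollback
	}
	return payload, version, nil
}

func main() {
	pub, priv, _ := NewVendorKey()
	img := BuildImage(priv, 2, []byte("constructed BMC firmware payload v2"))
	_, v, err := VerifyImage(img, pub, 1)
	fmt.Println("genuine image:", v, err)
	tampered := append([]byte{}, img...)
	tampered[len(tampered)-1] ^= 0x01 // flip one payload byte, as a modified image would
	_, _, err = InsecureAccept(tampered)
	fmt.Println("insecure path on tampered image:", err) // accepted: nil error
	_, _, err = VerifyImage(tampered, pub, 1)
	fmt.Println("verified path on tampered image:", err) // rejected
}
```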


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/lFpBr-z5wQw/

Apple’s new tool will make it easier for law enforcement to request data

Apple is planning to create an online portal that will allow law enforcement officials around the world to request information about its users more easily.

The company is seeking to streamline the way it currently supplies information to government agencies with the new tool, which will be ready by the end of the year. It outlined the plans in a letter from Apple’s general counsel Kate Adams to US Senator Sheldon Whitehouse of Rhode Island, according to a report from Reuters.

Sent last week, the letter said that Apple had responded to 14,000 information requests from US law enforcement last year, including 231 “domestic emergency requests” that it addressed within 20 minutes of receipt, regardless of when it received them.

The new portal will make it easier for law enforcement officials to request information about Apple customers. The company previously handled such requests by email, Reuters said.

The revamp to Apple’s government request handling program also extends to training. The company, which has already trained nearly 1,000 law enforcement officers in how to request information, previously did it in person at its headquarters. It will create an online training course to make things more efficient, along with a team of trainers to better serve smaller police departments.

Apple, which has marketed itself as an advocate for customer privacy, infamously got into a spat with the US government over refusing to unlock an iPhone in the San Bernardino shootings in 2016. Nevertheless, the company explains in its privacy policy that it does honour requests from government agencies if it considers them to have a “valid legal basis”. In that case, it complies by providing the “narrowest possible set of data responsive to the request,” it says.

The consumer computing giant will work with law enforcement under certain circumstances to provide information about customers’ Apple devices, it says. It will also deliver information based on financial identifiers such as credit card data.

In its most recent transparency report, covering the first half of 2017, Apple said that it received 30,814 device requests and provided data for 23,856 of them. It also provided data for 2,182 of the 2,690 financial identifier requests that it received.

The company also provides information to law enforcement related to a customer’s Apple account, sometimes including content such as email and photos stored in the cloud, according to its privacy policy. It will normally notify customers that it is doing so, except in certain cases such as child abuse investigations, it says. It will also restrict, delete and preserve customer accounts in some cases when working with law enforcement.

In the first half of last year, Apple provided data for 1,802 of the 3,020 account requests it received. It added that 607 of those responses included content data. However, it’s worth pointing out that requests may cover more than one account. In all, information was requested on 43,836 accounts, and data was provided for 38,643 requests, the transparency report said.

Like many other companies, Apple must comply with National Security Orders. These are government requests for data that often include gag orders that prevent it from informing customers. It received between 13,250 and 13,499 of these in the first six months of 2017, its transparency report said, affecting between 9,000 and 9,249 accounts.

This isn’t the first time that Apple has written to Senator Whitehouse. In February 2018 the company wrote a joint letter with Facebook, Google, Microsoft and Oath (the Verizon subsidiary formerly known as AOL) supporting the Clarifying Overseas Use of Data (CLOUD) Act.

The CLOUD Act gives the Justice Department new powers to create information-sharing agreements with other nations to share cloud-based data on their citizens without approval by Congress. A coalition of civil rights groups sent their own letter protesting the Act as an infringement of privacy. Nevertheless, the Act passed into law in March.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/_UoB4_RSOiU/

Sextortion scum armed with leaked credentials are persistent pests

Persistence pays off for crooks when it comes to sextortion-based phishing scams, research into its effectiveness suggests.

One variant bombards prospective marks with threats to release non-existent footage of them watching smut unless they give in to demands. Cleverly, these threats are lent an air of authenticity by using partial details of real passwords that have been exposed by genuine breaches.

Most often this involves cases where the compromised web service used weak and crackable password hashes. Password crackers sell compromised email addresses and passwords through underground forums, but they often leak and are therefore not difficult to acquire even without paying. Sextortionists take these lists before churning out batches of bogus emails often from newly created webmail accounts or alternatively take the lazier and less effective approach of using open email relays.

Threat intelligence firm Digital Shadows ran the rule over a large sample of such scam emails, sent over a two-month period, to gauge their effectiveness.

In the sample, a total of 8,497 individual email addresses were swamped with more than 60,000 spam messages (a sample of which appears in a blog post here).

The Anti Public and the Exploit[.]in leaks were the two main sources of compromised credentials harnessed in the scam sample, Digital Shadows discovered.

Researchers found that persistence paid off for scammers: marks would pay up after a sustained series of scam emails rather than when the first one appeared in their inbox. Victims who had recently actually watched porn and were in the terrible habit of reusing passwords across multiple sites were more likely to cave in. Using a webcam was another factor that made marks respond.

Victims in the sample were told to send funds to various Bitcoin wallets. Digital Shadows discovered 26 transactions linked to a fraudulent campaign that brought in $28,000. The amount demanded by the sextortionists varied, Digital Shadows reported.

The attackers experimented with different methods to maximize their return. For example, by tracking one Bitcoin address, we can see the same one targeted 49 email addresses with demands ranging from $1,100 to $11,000. Eventually the attacker got lucky with a payment of $1,100 (0.1512 BTC).

The scam represents a new way to monetise breached credentials.

Other security researchers, such as Troy Mursch, have begun attempting to chart the extent of these campaigns, as well as how many Bitcoins have been paid to fraudsters as a result, but this work remains only preliminary and no firm conclusions can be drawn.

Bootnote

Sextortion as a term initially referred to a sleazy cybercrime where perverts planted trojans on the PCs of young victims. Youngsters’ PCs are often in their bedrooms and the malware was used to surreptitiously turn on webcams and record footage or pictures of victims. This material was then used to coerce them into sending more explicit pictures or performing sex acts.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/09/10/leaked_credential_extortion_tactics/

Foreshadow, SGX & the Failure of Trusted Execution

Trusted execution environments are said to provide a hardware-protected enclave that runs software and cannot be accessed externally, but recent developments show they fall far short.

One of the primary challenges in today’s computing environments is that of trust. How do I know that the software that I am actually running is the correct software that I want to run? How do I protect the privacy of my data while it’s in memory? How can I even think of solving these problems when I’m running my applications on remote machines or in the cloud? These acute challenges and more can be addressed by running software in trusted execution environments such as SGX, TrustZone, and more.

Such environments are said to provide a hardware-protected enclave that runs the software and cannot be accessed externally. Data can be encrypted in memory and then only decrypted inside the enclave, where it remains safe. This prevents malware, service providers, and any unauthorized entity from accessing private data. Furthermore, cryptographically enforced attestation can be used to identify and ensure that authentic software is running in the enclave, even remotely and in a cloud. As such, trusted execution environments can significantly boost the security of the modern computing environment.

Unfortunately, recent developments have shown that existing trusted execution environments fail to meet their promise. The reason is something called side channels. A side channel is an unexpected (and unintended) channel through which private information is leaked. It has been known for two decades that seemingly benign information such as the time it takes to compute a function, the power that a device uses during computation, and even the noise emitted by a computer’s fan can all leak secrets. More recently, it was discovered that two isolated software applications running on the same physical machine can leak information to each other through the resources the hardware shares between them.

A prime example of this type of software leakage is called a cache side-channel attack. Because main memory is very slow (relative to the speed of modern processors), memory caches are used to speed up memory access. These caches are shared by different applications on the same machine, meaning that the time that it takes one application to read from memory is influenced by another application’s behavior. For example, if an application has just read a certain instruction from memory, then it will reside in cache. If another application reads the same instruction, therefore, it will retrieve it much faster than if the first application had not read that instruction.

Amazingly, this can be used by the latter application to know what the first application is doing. These attacks are so effective that they have been used to extract cryptographic keys of all types, without utilizing any operating system or software vulnerability; the entire attack is launched by issuing special instructions and measuring response times.

This type of attack is devastating because it means that virtual machines in the cloud can be attacked by other virtual machines running on the same hardware, even when the isolation provided by the software layers is perfect. As a result, sensitive code, such as the code that carries out cryptographic operations, is written carefully so that it leaks nothing via the cache. This is achieved by ensuring that the code's memory access pattern (and its control flow) is independent of the secret key. Although this is possible in theory, in practice it is extremely hard, and the best code written by the best experts on the subject has been broken time and again over the past few years. In part this is due to the complexity of the software layers (it isn’t always clear what happens when high-level instructions are called) and to the complexity of the hardware.
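To make "memory access pattern independent of the secret" concrete, here is an added example; it is not code from the article, from Intel, or from any cryptographic library. An instrumented table records which entries a lookup touches, standing in for the cache lines an attacker can observe, so a naive S-box lookup can be compared with a masked lookup that reads every entry and selects the wanted one arithmetically. The 16-entry table is constructed for the example and is not a real cipher's S-box, and Python is used only to show the access trace: an interpreter is not itself constant-time, so the real mitigation is written in C or assembly using this same pattern.

```python
"""Secret-dependent vs. secret-independent table lookups (added example).

An instrumented table records which entries a lookup touches, standing in
for the cache lines an attacker can observe. lookup_leaky reads only
table[secret]; lookup_masked reads every entry and keeps the wanted one with
an arithmetic mask, the pattern constant-time crypto code uses. The 16-entry
table is constructed for this example and is not a real cipher's S-box.
"""
from typing import Callable, List, Sequence

SBOX = [0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
        0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76]


class TracedTable:
    """Sequence wrapper that logs the index of every read."""

    def __init__(self, values: Sequence[int]) -> None:
        self._values = list(values)
        self.trace: List[int] = []

    def __len__(self) -> int:
        return len(self._values)

    def __getitem__(self, idx: int) -> int:
        self.trace.append(idx)
        return self._values[idx]


def lookup_leaky(table, secret: int) -> int:
    """Natural lookup: which address is read depends on the secret."""
    return table[secret]


def lookup_masked(table, secret: int) -> int:
    """Read every entry; select with a mask instead of a secret-dependent index."""
    result = 0
    for i in range(len(table)):
        # (i ^ secret) is zero only at the wanted index. Subtracting 1 turns
        # zero into -1 (all ones) and any positive value into a non-negative
        # number, so the shifted, masked value is 0xFF or 0x00 with no branch.
        diff = i ^ secret
        mask = ((diff - 1) >> 8) & 0xFF
        result |= table[i] & mask
    return result


def access_trace(lookup: Callable, secret: int) -> List[int]:
    """Indices touched by `lookup` when given `secret`."""
    table = TracedTable(SBOX)
    lookup(table, secret)
    return table.trace


def pattern_depends_on_secret(lookup: Callable) -> bool:
    """True if different secrets produce different access traces."""
    traces = {tuple(access_trace(lookup, s)) for s in range(len(SBOX))}
    return len(traces) > 1


if __name__ == "__main__":
    for name, fn in (("leaky", lookup_leaky), ("masked", lookup_masked)):
        print(name, "trace for secret 5:", access_trace(fn, 5),
              "secret-dependent:", pattern_depends_on_secret(fn))
```

The leaky version touches exactly one entry, so an attacker who can tell which cache line was loaded learns the secret outright; the masked version touches all 16 entries in the same order for every secret, so the cache sees nothing. In native code the same idea must survive the compiler, which is free to turn the mask back into a branch, which is one reason such routines are reviewed at the assembly level, and why dedicated instructions such as AES-NI, which need no table at all, are preferred where available.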

New Vulnerabilities
This year saw the discovery of powerful new vulnerabilities that exploit speculative execution: Spectre, Meltdown, and now Foreshadow. These attacks take advantage of the fact that modern processors execute instructions before checking whether they should have been carried out at all, discarding the results if the guess turns out to be wrong. This keeps the chip’s pipeline busy, because the processor’s guesses about what to compute next are usually correct.

These sophisticated techniques, and others like them, have delivered the ever-increasing computation speed that the world came to expect under Moore’s Law and continues to demand, even as the physical limits of transistor size have become an obstacle. However, as this year’s headlines have taught us, speculative execution also leaks, providing attackers with new and effective side channels through which to read secrets. Foreshadow is especially devastating because even perfectly written software is vulnerable; the entire attack stems from the way the hardware handles memory.

To make all of the above even worse, trusted execution environments like SGX have been constructed so that they also share resources with other applications running on the same hardware. As a result, speculative execution attacks are effective on SGX, and Foreshadow demonstrated that encrypted memory can be easily dumped out of an SGX enclave. Foreshadow is even able to steal the special Intel enclave attestation key, completely breaking the integrity mechanism of SGX. (Note that although such attacks are very nontrivial to design, once an attacker has written the attack, it can be quite easily deployed on a large scale.)

Although Intel has issued patches, the fundamental flaw of SGX (and other trusted execution environments) is that they are not isolated from other processes. I don’t believe that it is possible to construct a truly secure trusted execution environment without full isolation; side channels are abundant and we are only just seeing the beginning. Indeed, instead of SGX being a powerful tool to provide strong and proven guarantees of security, it is part of the constant cycle of break, fix, and break again. This is indeed a sad time for the security of our digital world.

Trusted execution can only be trusted if the execution environment is truly isolated from the rest of the chip. Despite its attractive promise, SGX cannot be used today to effectively protect secrets. One can only hope that truly isolated trusted execution environments can be built in the coming years. Because this would require great cost and a complete redesign, it is sadly not something that we will see soon.


Yehuda Lindell is a professor of computer science at Bar-Ilan University in Israel. He is an expert on cryptography, has published over 90 scientific articles, and has authored one of the most widely used textbooks on the subject. He has years of industry experience in the …

Article source: https://www.darkreading.com/cloud/foreshadow-sgx-and-the-failure-of-trusted-execution/a/d-id/1332733?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Gits exposed, kinky app devs spanked, Feds spy on spyware buyers, etc

Roundup This week brought with it Supermicro shoring up its firmware security, a North Korean hacking charge, and a snooping anti-adware macOS tool being yanked by Apple from its App Store. Elsewhere, we had…

BrokenType broken out with source code release

A software vulnerability probing tool called BrokenType has been released publicly on GitHub for folks to use.

Developed by Googler Mateusz Jurczyk – though it is not an official Chocolate Factory project – BrokenType lets you fuzz code that handles OpenType and TrueType fonts to find memory corruption errors that could be exploited to execute malicious software (such as the bugs behind critical Microsoft patches).

Users can download the entire three-piece toolset directly from GitHub.

Mac security foiled by… URLs

Apple security guru Patrick Wardle has detailed a recently spotted campaign to commandeer and control macOS machines.

Dubbed Windshift APT, the attack uses multiple exploits to infect Apple-powered computers mostly in the Middle East. One of those exploits abuses the way macOS passes URLs to applications to open.

Wardle said that, just as an app can be assigned to open a specific file type, it can also be associated with a URL scheme. As soon as an application bundle lands on the filesystem, the operating system parses its Info.plist, and if that declares, say, that the app can handle foo:// URLs, macOS automatically registers it as the handler for that scheme.

That way, if you get someone to simply download an app – and not even run it – it can register itself for a custom protocol, and then be automatically activated when that protocol is invoked in a webpage. Thus, it is possible to install malware or spyware, if the user clicks OK in a popup to confirm they want to launch the special URL.

Wardle recommends that users either switch to a browser that does not automatically open .zip archives of applications, such as Chrome, or at least turn off the “open safe files after downloading” option in Safari.
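A practitioner's first question after reading this is which bundles on a Mac already claim custom schemes. The following is an added example, not code from Wardle's write-up or from Apple: it reads a bundle's Info.plist with the standard-library plistlib and lists every scheme declared under CFBundleURLTypes, which is the key Launch Services registers when it sees the bundle. The sample plist, the bundle identifier com.example.updater and the scheme names are constructed for the example; audit_bundles is a hypothetical helper that walks a directory such as /Applications or ~/Downloads.

```python
"""List the custom URL schemes an app bundle registers (added example).

Reads Info.plist with plistlib and returns every scheme under
CFBundleURLTypes/CFBundleURLSchemes. The sample plist below is constructed
for this example; the bundle id and scheme names are not real apps.
"""
import os
import plistlib
from typing import Dict, List

# Constructed Info.plist for a hypothetical app claiming two schemes.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.updater</string>
  <key>CFBundleURLTypes</key>
  <array>
    <dict>
      <key>CFBundleURLName</key><string>Example handler</string>
      <key>CFBundleURLSchemes</key>
      <array><string>foo</string><string>example-update</string></array>
    </dict>
  </array>
</dict>
</plist>
"""


def url_schemes(info_plist: bytes) -> List[str]:
    """Return the URL schemes declared in an Info.plist (empty list if none)."""
    plist = plistlib.loads(info_plist)
    schemes: List[str] = []
    for url_type in plist.get("CFBundleURLTypes", []):
        # Schemes are case-insensitive, so normalise for comparison.
        schemes.extend(s.lower() for s in url_type.get("CFBundleURLSchemes", []))
    return schemes


def audit_bundles(app_dir: str) -> Dict[str, List[str]]:
    """Map each .app directly under app_dir to the schemes it would register."""
    found: Dict[str, List[str]] = {}
    for name in sorted(os.listdir(app_dir)):
        plist_path = os.path.join(app_dir, name, "Contents", "Info.plist")
        if not (name.endswith(".app") and os.path.isfile(plist_path)):
            continue
        with open(plist_path, "rb") as fh:
            try:
                schemes = url_schemes(fh.read())
            except Exception:  # malformed plist: skip, do not crash the audit
                continue
        if schemes:
            found[name] = schemes
    return found


if __name__ == "__main__":
    print("sample bundle registers:", url_schemes(SAMPLE_INFO_PLIST))
    for folder in ("/Applications", os.path.expanduser("~/Downloads")):
        if os.path.isdir(folder):
            for app, schemes in audit_bundles(folder).items():
                print(folder, app, schemes)
```

Because registration happens as soon as the bundle is on disk, ~/Downloads deserves the same audit as /Applications: an app extracted from a .zip by Safari and never launched still shows up there with its schemes claimed.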

Gmail users freak over FBI notification

A Reddit thread has popped up in recent days with netizens upset about a notification they received from Google that the FBI had requested access to their messages.

As it turns out, the notifications were likely the result of a 2017 investigation into a remote administration tool (RAT) known as Luminosity that lets the controller covertly spy on the activity of the PC on which the software is installed. It’s basically a utility that you sneak onto a victim’s computer, and use to snoop on them, and was sold on underground hacker forums. Luminosity’s creator was convicted in a US court earlier this year.

As the Reddit users eventually worked out, the notifications were likely sent after the expiration of a one-year nondisclosure agreement placed on Google by the Feds, and, with that having lapsed, Gmail users were then sent a notification that the FBI had asked for their account info. The agents were quite possibly after the messages of people who may have bought copies of Luminosity using their Gmail accounts. The FBI was able to obtain its customer database.

The moral of the story: don’t mess around with RATs. Especially ones sold on hacker forums and marketplaces.

mSpy leaks again

Phone spyware maker mSpy was accused this week of leaving an operational – and highly sensitive – database fully exposed to the public internet. The poorly secured system has since been hidden from view. mSpy’s software is installed on devices by paranoid parents and the like to snoop on the handhelds’ owners: the database’s contents could be used by miscreants to track those phones, it is claimed.

mSpy spilled some 400,000 records on the web in 2015. Now journalist Brian Krebs reckons millions of netizens are affected.

Krebs attributed the latest discovery to an Indian security researcher named Nitish Shah, who discovered an unprotected database containing “up-to-the-minute mSpy records for both customer transactions at mSpy’s site and for mobile phone data collected by mSpy’s software.”

As well as usernames and passwords from six months of customer logins, people’s private encryption keys were also exposed, it is claimed. Those keys would let an attacker “track and view details of a mobile device running the software,” we’re told. There were also Apple iCloud usernames and ID tokens, apparently.

Egghead maps out exposed .Git repos

A Czech researcher has scanned the internet’s web servers to log the world’s exposed Git repositories.

Vladimír Smitka of Lynt Services said he started the project first as a scan just for Czech sites, but eventually expanded it to a global project that took around four weeks to complete and ended up returning 390,000 web pages that had left the critical files exposed.

Smitka said that locking down a site’s Git repository is a critical security task that is all too often overlooked by developers.

“If you use git to deploy your site, you shouldn’t leave the .git folder in a publicly accessible part of the site. If you already have it there for some reason, you need to ensure that access to the .git folder is blocked from the outside world,” he explained.

Smitka is advising developers to keep a close eye on files and scripts they upload via Git and make sure they lock down access to the files.
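The check Smitka describes can be reduced to one request. What follows is an added example, not Smitka's scanner: a genuine .git/HEAD file contains either "ref: refs/heads/<branch>" or a bare 40-hex commit id, and many sites answer every path with a 200 HTML page, so the probe must look at the body, not just the status code. The sample responses are constructed so the classifier runs offline; probe() is the network helper a practitioner would point at their own sites.

```python
"""Detect a web-exposed .git directory from the reply to /.git/HEAD (added example).

A real HEAD file is tiny and matches one of two shapes. A 404, a redirect, or
a "soft 200" HTML page means the directory is not (directly) exposed.
"""
import re
import urllib.error
import urllib.request
from typing import Dict, Tuple

HEAD_REF = re.compile(rb"ref: refs/[\x21-\x7e]+\n?")
HEAD_SHA = re.compile(rb"[0-9a-f]{40}\n?")

# Constructed sample responses, keyed by what a scanner should report.
SAMPLES: Dict[str, Tuple[int, bytes]] = {
    "exposed (branch ref)": (200, b"ref: refs/heads/master\n"),
    "exposed (detached head)": (200, b"3f786850e387550fdab836ed7e6dc881de23001b\n"),
    "not exposed (404)": (404, b"<html><body>Not Found</body></html>"),
    "not exposed (soft 200)": (200, b"<!doctype html><html><head><title>Home</title></head></html>"),
}


def looks_like_git_head(status: int, body: bytes) -> bool:
    """True only for a 200 whose body is a plausible .git/HEAD file."""
    if status != 200 or len(body) > 256:
        return False
    return bool(HEAD_REF.fullmatch(body) or HEAD_SHA.fullmatch(body))


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: a 30x to a login page is not a HEAD file."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(site: str, timeout: float = 5.0) -> Tuple[int, bytes]:
    """Fetch <site>/.git/HEAD and return (status, first 512 bytes). Network only."""
    opener = urllib.request.build_opener(_NoRedirect())
    req = urllib.request.Request(site.rstrip("/") + "/.git/HEAD",
                                 headers={"User-Agent": "git-exposure-check"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.getcode(), resp.read(512)
    except urllib.error.HTTPError as err:
        return err.code, err.read(512)


def exposed_samples() -> list:
    """Names of the constructed samples the classifier flags as exposed."""
    return [name for name, (status, body) in SAMPLES.items()
            if looks_like_git_head(status, body)]


if __name__ == "__main__":
    for name, (status, body) in SAMPLES.items():
        print(f"{name:28s} -> exposed={looks_like_git_head(status, body)}")
```

A positive result matters more than a directory listing would suggest: with HEAD, refs and the object store readable, the whole history, including any credentials ever committed, can usually be pulled down object by object even when directory indexes are off. The fix is the one Smitka gives, deploy without the folder or block it at the server, for instance `location ~ /\.git { return 404; }` in nginx or `RedirectMatch 404 /\.git` in Apache, and then re-run the probe to confirm.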

Kink shame: Sex app bares passwords for all to see

Whiplr, a hookup app for kinksters, has been found to be awfully naughty when it comes to password security.

An Engadget report claimed the app’s developer was storing user accounts and passwords in a backend database as plain text.

“Should hackers have gained access to this database, they could’ve potentially figured out the real identities of users either through the app itself or through other services where those credentials are identical,” the blog noted.

As you can imagine, most people on the site would not want their identities revealed to prudish family and peers, and even fewer would want to have their passwords in the hands of hackers. If you’ve downloaded the app, you will probably want to make sure your password is unique and any personal information scrubbed.

Schneider Electric crash

Industrial control equipment maker Schneider Electric has fixed a remotely exploitable device-crashing flaw in its Modicon Controller.

The CVE-2018-7789 vulnerability can be abused by hackers to remotely disconnect Modicon M221 units from host networks simply by sending malformed packets. Obviously, a miscreant needs network access to the device to knacker it.

Such an attack would leave an operator with “no way to view and control the physical processes on the OT [operational technology] network,” according to Radiflow, the industrial control specialist that uncovered the bug. Attacked equipment would have to be powered off and on again to recover.

“The recovery from such an attack would require a reboot of the attacked PLCs and physical access to the controllers, which would cause significant downtime to the ICS network,” Radiflow advised.

Radiflow discovered and reported this vulnerability to Schneider Electric approximately two months ago, prior to its recent remediation. ICS-CERT’s write-up explained that “successful exploitation of this vulnerability could allow an unauthorised user to remotely reboot the device” alongside remediation advice.

Russian hacker extradited for massive financial fraud case

The US Attorney’s office in Manhattan, New York, said this week it has secured the extradition of Russian national Andrei Tyurin, an alleged hacker wanted in connection with a string of attacks on financial companies.

Prosecutors claimed Tyurin was one of four hackers behind, among other shenanigans, the massive computer security breach at JPMorgan that saw details on roughly 80 million accounts stolen back in 2014. Tyurin was also said to have been behind a string of attacks on other financial firms and at least one breach of a business news site.

“Andrei Tyurin allegedly engaged in a long-running effort to hack into the systems of U.S. based financial institutions, brokerage firms and financial news publishers, all from the perceived safety of operating outside our borders,” said FBI Assistant Director William Sweeney.

“As alleged, his illegal acts included the historically largest theft of customer data from a U.S. financial institution.”

When he does reach the US and appears in court on September 25, Tyurin will be charged with computer hacking, wire fraud, conspiracy to commit computer hacking, conspiracy to commit wire fraud, identity theft, and violating the Unlawful Internet Gambling Enforcement Act. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/09/08/security_roundup_080918/