STE WILLIAMS

Congress wants CVE stability, China wants your LinkedIn details, and Adobe wants you to patch Creative Cloud

Another week has come and gone. This one included some Fortnite flaws, a nasty Intel bug, and a voting machine maker whining about hacking contests.

Here’s a bit more of the recent news in security:

Exciting new LinkedIn use case: Chinese spying

Be careful the next time you get an invite to connect on LinkedIn: you might be pitched on something more than a job opportunity.

Reuters reports that Chinese agents have been contacting thousands of users on LinkedIn via fake accounts, trying to find high-value targets who can then be recruited to hand over sensitive information to Beijing.

The report cites counter-intelligence boss William Evanina in claiming that the People’s Republic has been running rampant on the business networking site looking to lure users into giving them valuable intel and, he claims, LinkedIn is doing little to stop it.

Evanina is now calling on LinkedIn to take on a Twitter-esque mass culling of fake accounts.

Satori suspect traced to Toronto

A 20-year-old Toronto resident has been charged by a US District Court in Anchorage, Alaska with two counts of using malware to damage computers between August and November 2017.

The charges against Kenneth Currin Schuchman reportedly relate to the Satori botnet that infected 500,000 internet routers worldwide last year.

In December 2017, Check Point’s researchers traced the Satori botnet to an amateur who named himself ‘Nexus Zeta’, who regularly visited a web forum for wannabe black hat hackers.

In early 2018, a Pastebin post by rival hackers supposedly revealed Nexus Zeta’s real identity, naming the same Kenneth Schuchman who has been charged by the US court.

I’ll be BEC

An analysis of more than 3,000 business email compromise (BEC) attacks reveals that crooks are almost as interested in tricking recipients into visiting dodgy websites as initiating wire transfers.

Although the number one objective of cyber criminals behind BEC attacks was to generate a wire transfer (46.9 per cent), fooling a recipient into clicking on a malicious link was the primary goal in two in five such scams (40.1 per cent), according to Barracuda Networks.

One in eight (12 per cent) of attacks try to establish rapport with the target by starting a conversation. A similar 12 per cent go straight for the jugular by asking for personal information as an opening gambit.

Three in five (60 per cent) of the attacks did not include malicious links, but are a simple plain text email intended to fool the recipient to commit a wire transfer or send sensitive information.

Around half (43 per cent) of such email scams pose as messages from company chief executives. The term ‘CEO fraud’ to describe BEC is therefore borne out by a review of real scam messages sent to 50 randomly-selected companies, the basis of Barracuda’s research.

Creative Cloud cleanup commences

If you’re running Adobe’s Creative Cloud suite, you’ll want to make sure you have the most recent release.

That’s because earlier this week Adobe posted an update for a security patch in the bundle to address a potentially serious security vulnerability.

CVE-2018-12829 is a privilege escalation vulnerability that, while not particularly serious on its own, could be used in combination with other attack methods to give an attacker control over the target machine.

Adobe says you can get that patch by opening the Preferences > General screen in Creative Cloud and getting the latest version.

Belarus takes it easy on botnet crook

It’s often said that crime doesn’t pay. In some countries, it seems that the criminal justice system doesn’t charge much either.

Earlier this month, Sergey Yarets of Belarus was released a free man after posting a $5,500 payment to the government. This despite Yarets having been found to be Ar3s, the controller of the massive Andromeda botnet.

Even though he was found to have been running the massive botnet for years, authorities in Belarus decided that the cash fine and the 8-plus months served from time in custody were enough, and he was released.

While the government has said that the lenient punishment was in large part because most of those affected were not Belarusian citizens, Recorded Future’s Alexandr Solad thinks there’s a bit more going on.

“This case is another example of a double standard toward prosecuting cybercriminals in post-Soviet countries, where they treat their own cybercriminals differently, allowing them to avoid fair punishment and then using them in the interests of the state, neutralizing the efforts of the international community to combat cybercrimes,” Solad noted.

Huawei sounds alarms over reset bugs

A security hole in Huawei phones could allow some attackers an easy way to compromise Android handsets.

The Chinese phonemaker has put out an advisory explaining how a security bypass function can be used to jailbreak the Mate 10 Pro phone with ease.

The flaw, CVE-2018-7936, is exposed when the handset is being restored to its defaults using the Factory Reset Protection tool. If the phone is connected to a PC, the attacker can send instructions that will disable the boot wizard and allow full access to the OS with the ability to install third-party software.

Huawei recommends Mate 10 Pro owners update their firmware to version BLA-L29 8.0.0.148(C432) to get the fix.

Congress moves to stabilize funding for CVEs

It may come as a surprise to know that the trusted CVE program is in fact a US government operation. MITRE, the non-profit that runs the system, gets cash to operate from federal contracts. This means that the stability of CVE and its ability to operate depend on the specifics of the contract in force at the time.

Now, the House Energy and Commerce Committee wants to fix that by permanently tying the CVE program to the DHS’ annual budget. The plan is to give the program its own line in the Program, Project, or Activity section of the budget. This would put the CVE database on par with other cybersecurity programs like CERT or EINSTEIN.

The committee has written a letter [PDF] to DHS secretary Kirstjen Nielsen requesting approval of the plan to put CVE into the budget.

“Since the CVE program’s inception in 1999, it has become a critical piece of cyber infrastructure and as such, deserves a dedicated funding stream,” the committee writes.

“Funding this key cybersecurity program through piecemeal, short-term contracts does it a disservice.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/09/01/security_roundup_310818/

DraftKings rides to court, asks to unmask 10 DDoS suspects

A US sports gaming company is asking permission to unmask 10 people it believes were behind a massive DDoS attack on its website earlier this month.

DraftKings, based out of Boston, MA, has filed [PDF] with the Massachusetts US District Court for authorization to force ISPs around the US to turn over the identities linked to 10 IP addresses it believes were behind the August 8 attack.

DraftKings runs a daily fantasy sports service (which it notes is not considered gambling). Customers pay to play daily games where they assemble a ‘team’ of players from a given pro sports league, then collect points (and cash prizes) based on how the players performed that day in the actual games.

Because the games are played out anew each day, DraftKings said that the 26-minute DDoS on August 8 caused it significant damage from a loss of business and the subsequent cleanup of its systems.

“During this time, the attack prevented legitimate DraftKings users from actively engaging with the DraftKings Website,” the complaint reads.

“As a result of the attack, plaintiff’s personnel spent several days containing the attack and mitigating further potential damage from the malicious attack.”

Shortly after the attack ended, security staff were able to attribute the DDoS to 36 different IP addresses located mostly in various parts of the US. Now, DraftKings is asking the court to issue an order that would allow it to compel seven different ISPs, hosts, and networking companies to hand over logs and user data it hopes will ultimately unmask the 10 people believed to be behind the attack.

Among the third-parties whose info is being sought are internet giant Google and telcos Verizon and T-Mobile as well as cloud provider ColoCrossing, the American Registry for Internet Numbers, and service provider NetActuate.

Should DraftKings be able to unmask the attackers, the company plans to sue each for violation of the Computer Fraud and Abuse Act. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/31/draftkings_ddos_suspects/

Boffins trying to build an open source secure enclave on RISC-V

At some point this fall, a team of researchers from MIT’s CSAIL and UC Berkeley’s EECS aim to deliver an initial version of an open source, formally verified, secure hardware enclave based on RISC-V architecture called Keystone.

“From a security community perspective, having trustworthy secure enclaves is really important for building secure systems,” said Dawn Song, a professor of computer science at UC Berkeley and founder and CEO of Oasis Labs, in a phone interview with The Register. “You can say it’s one of the holy grails in computer security.”

Song just recently participated in a workshop to advance Keystone, involving technical experts from Facebook, Google, Intel, Microsoft, UC Berkeley, MIT, Stanford and the University of Washington, among other organizations.

Keystone is intended to be a component for building a trusted execution environment (TEE) that’s isolated from the main processor to keep sensitive data safe. TEEs have become more important with the rise of public cloud providers and the proliferation of virtual machines and containers. Those running sensitive workloads on other people’s hardware would prefer greater assurance that their data can be kept segregated and secure.

There are already a variety of security hardware technologies in the market: Intel has a set of instructions called Software Guard Extensions (SGX) that address secure enclaves in its chips. AMD has its Secure Processor and SEV. ARM has its TrustZone. And there are others.

But these are neither as impenetrable as their designers wish nor as open to review as cyber security professionals would like. The recently disclosed Foreshadow side-channel attack affecting Intel’s SGX offers a recent example of the risk.

That’s not to say an open source secure element would be immune to such problems, but an open specification with source code would be more trustworthy because it could be scrutinized.

“All these solutions are closed source, so it’s difficult to verify the security and correctness,” said Song. “With the Keystone project, we’ll enable a fully open source software and hardware stack.”

RISC-V business

In addition, the RISC-V microarchitecture looks to be less vulnerable to side-channel attacks. As the RISC-V Foundation said following the disclosure of the Spectre and Meltdown vulnerabilities earlier this year, “No announced RISC-V silicon is susceptible, and the popular open-source RISC-V Rocket processor is unaffected as it does not perform memory accesses speculatively.”

(The RISC-V Berkeley Out-of-Order Machine, or “BOOM” processor, supports branch speculation and branch prediction, so immunity to side-channel attacks should not be assumed.)

RISC-V is relatively new to the scene, having been introduced back in 2010. Established chipmakers like ARM, however, view it as enough of a threat to attack it.

But it’s not yet clear whether makers of RISC-V hardware will go all-in on openness. Ronald Minnich, a software engineer at Google and one of the creators of coreboot, recently noted that HiFive RISC-V chips have proprietary pieces.

“I realize there was a lot of hope in the early days that RISC-V implied ‘openness’ but as we can see that is not so,” he wrote in a mailing list message in June. “…Open instruction sets do not necessarily result in open implementations. An open implementation of RISC-V will require a commitment on the part of a company to opening it up at all levels, not just the instruction set.”

RISC-V may end up being a transition to more secure chip designs that incorporate the lessons of Spectre, Meltdown and Foreshadow. According to Song, there was discussion at the workshop about “whether we can build a new hardware architecture from ground up.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/31/keystone_secure_enclave/

Machine Identities Need Protection, Too

A new study shows that device identities need a level of protection that they’re not getting from most organizations.

Machine identities should have as much protection as human credentials, though most organizations lag far behind in shielding computers and devices from prying eyes, according to a recent study.

The study, conducted by Forrester Consulting on behalf of Venafi, reports that, while 96% of IT executives said that machine identities should be protected, 80% said they have trouble delivering that protection.

And the issues aren’t just with protecting data on the systems from hackers on the Dark Web; 61% of those responding said their biggest concern from poor machine identity protection comes from internal data theft.

According to the Forrester study, containers, virtual machines, and cloud computing have changed and expanded the definition of “machine,” making enterprise security teams responsible for safeguarding the identity of many software identities in addition to hardware-based boxes.

Read here for more.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/operations/identity-and-access-management/machine-identities-need-protection-too/d/d-id/1332724?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Fourth ‘Fappening’ celeb nude snap thief treated to 8 months in the clink

The last of the four hackers collared for stealing and leaking people’s private nude photos from their online accounts back in 2014 has been sentenced to eight months’ imprisonment.

George Garofano, 26, of North Branford, Connecticut, was also sentenced to three years’ supervision post-release as punishment for his role in “Celebgate” (AKA The Fappening). He admitted running a phishing scheme that gave him illegal access to more than 200 Apple iCloud accounts, many of which belonged to members of the entertainment industry, between April 2013 up until October 2014.

Purloined user credentials allowed Garofano to steal personal information, private photographs and videos, and gave him the ability to trade usernames and passwords with other hackers. He pleaded guilty to a specimen charge of one count of unauthorised access to a protected computer to obtain information prior to his sentencing this week.

Edward Majerczyk of Orland Park, Illinois, was jailed for a similar nine months over his involvement in Celebgate back in January 2017. Ryan Collins of Pennsylvania received a still tougher 18-month sentence back in October 2016. Emilio Herrera from Chicago was sentenced to 16 months for his role.

Stolen naked pictures and video clips from the hack were posted on notorious image board 4chan before making their way onto websites such as Imgur and Reddit. Well-known victims of “Celebgate” included Jennifer Lawrence, Kate Upton and Rihanna, among others.

The whole unsavoury incident underlines the importance of multi-factor authentication in protecting sensitive accounts. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/31/celebgate_hacker_sentenced/

Spies still butthurt they can’t get at encrypted comms data

The Five Eyes nations have told the tech industry to help spy agencies by creating lawful access solutions to encrypted services – and warned that governments can always legislate if they don’t.

The UK, US, Canada, Australia and New Zealand – which have a long-standing intelligence agreement – met in Australia this week.

In an official communiqué on the confab, they claim that their inability to lawfully access encrypted content risks undermining democratic justice systems – and issue a veiled warning to industry.

The group is careful to avoid previous criticisms about their desire for backdoors and so-called magic thinking – saying that they have “no interest or intention to weaken encryption mechanisms” – and emphasise the importance of privacy laws.

But the thrust of a separate framework for their plans, the Statement of Principles on Access to Evidence and Encryption, will do little to persuade anyone that the agencies have changed their opinions.

“Privacy laws must prevent arbitrary or unlawful interference, but privacy is not absolute,” the document stated.

Although governments “should recognize that the nature of encryption is such that there will be situations where access to information is not possible”, these situations “should be rare”.

The problem the Five Eyes have is that the principles that allow government agencies to search homes or personal effects don’t give them the ability to use the content of encrypted data.

The group described this situation as “a pressing international concern that requires urgent, sustained attention and informed discussion on the complexity of the issues and interests at stake”.

Ever keen to amp up the threat this poses to society, it added: “Otherwise, court decisions about legitimate access to data are increasingly rendered meaningless, threatening to undermine the systems of justice established in our democratic nations.”

The principles set out in the Five Eyes’ statement seek to stress that law enforcement’s inability to access the content of “lawfully obtained data” is the responsibility of everyone.

“Law enforcement agencies in our countries need technology providers to assist with the execution of lawful orders,” the group said.

The agencies also pointed out that tech firms, carriers and service providers are also subject to the laws of the land – and if they don’t cooperate willingly, well, they have ways of making them.

“The Governments of the Five Eyes encourage information and communications technology service providers to voluntarily establish lawful access solutions to their products and services that they create or operate in our countries,” it said.

“Should governments continue to encounter impediments to lawful access to information necessary to aid the protection of the citizens of our countries, we may pursue technological, enforcement, legislative or other measures to achieve lawful access solutions.”

Providers can create customised solutions that are tailored to their individual system architectures, it added, but governments should not favour a particular technology.

The communiqué also makes the common complaint that the “anonymous, instantaneous, and networked nature of the online environment has magnified” the threats of terrorism, child abuse, extremism and disinformation.

Again, tech firms should “take more responsibility for content promulgated and communicated through their platforms and applications”, with another separate statement setting out the action industry needs to take.

This includes development of capabilities to prevent uploading of illicit content, to carry out “urgent and immediate” takedowns, and more investment in human and automated detection capabilities.

Major firms should also set industry statements and help smaller firms deploy these capabilities on their own platforms.

Elsewhere, the communiqué re-committed the five nations to cooperate on terrorism, cyber security, and immigration through intelligence sharing and new sources of data importance. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/31/five_eyes_2018_meeting_encryption_terrorist_content/

C’mon, if you say your device is ‘unhackable’, you’re just asking for it: Bitfi retracts edgy claim

Bitfi finally and reluctantly retracted its unhackable claim last night in the face of a new cold boot attack.

The John McAfee-backed hardware crypto-wallet firm got under the skins of security researchers by marketing its device as “unhackable” when it launched in July.

The $120 Wi-Fi-enabled Bitfi wallet is a hardware device that stores crypto-coins and other assets, protecting access to them with a passphrase. The passphrase is used to temporarily generate the private key needed to unlock a vault.

As previously reported, a hardware teardown exposed the device as essentially a cheap Android phone with the mobile connectivity components pulled out. The hardware is centred on a Mediatek MT6580 system-on-chip, and came without a secure element that might have gone some way towards substantiating the bold claims made about the device.

Further investigation showed the unencrypted I2C protocol lines between the touchscreen and chipset can be eavesdropped on and (worse) it was possible to root the device and run arbitrary code. Security researchers made merry by demonstrating running the game Doom on the device.

None of this succeeded in mollifying Bitfi, still less John McAfee, who dismissed all these weaknesses as inconsequential. During a video debate, McAfee said he wanted to promote the wallet as a safe way for newbies to switch over from fiat currencies, arguing that “pissing off” the hacker community with claims the tech was unhackable were a great way to help promote the product.

The community was less than impressed. Bitfi won the Pwnie Award for “Lamest Vendor Response” at Black Hat earlier this month on the back of write-in nominations for an award it wasn’t initially nominated for.

The latest hack goes even further by demonstrating a cold boot attack, recovering passphrase and salt from memory.

Ken Munro of Pen Test Partners told El Reg that the latest hack “shows that anyone with physical access can extract the keys required to steal coins”. Worse yet, “the keys can be recovered after a significant period of time. Even powering it off doesn’t wipe them,” he said, adding that the cold boot recovery video was made by a 16-year-old.

A variety of independent security researchers worked towards this goal but particular credit is due to Saleem Rashid (@spudowiar), Ryan Castellucci (@ryancdotorg) and Andrew Tierney (@cybergibbons).

Other contributors to the effort have included Ken Munro, Alan Woodward and others.

Professor Woodward of Surrey University confirmed Munro’s prognosis on the pwnage.

He told El Reg that the latest video “shows taking a Bitfi wallet that has been used to deal in Bitcoins, plugged into a machine via the USB and the secret passphrase and salt then recovered from the memory of the wallet. Once you have that you can steal the bitcoins as we know how the wallet generates the keys using that input.”

Bitfi responded to the latest blow by withdrawing its controversial $250,000 bounty and promising to drop the “unhackable” claim. It also stated that it wanted to work with bug bounty outfit Hacker One to replace its much criticised in-house offer.

Hacker One said Bitfi has yet to open a dialogue.

Bounty bar

Security researchers cried sham over Bitfi’s initial bug bounty because it only covered one specific vector of attack, accessing coins on a device locked up with an unknown passphrase. This would have involved key recovery from a genuine, unaltered device. Excluded from the bounty was the possibility of modifying the device so that it records and sends the key to a malicious third party, among other possibilities.

The device failed to feature any anti-tampering measures so the possibility that units might be messed with before being returned to an intended mark isn’t implausible.

Although Bitfi seemingly wants to make peace with hackers who have criticised its bounty, it is not ready to admit its tech is vulnerable to its paying customers, as evidenced here. El Reg asked Bitfi to clarify its contradictory statement as to whether its device was vulnerable. We’ll update this story as and when more information comes to hand.

Critics, for their part, show no signs of relenting. “Bitfi can’t recall products as user keys persist in memory,” Ken Munro argued on Twitter, referencing the observations of team anti-Bitfi member @OverSoftN.

“This is NOT fixable by firmware, the Mediatek chipset simply was not built for this kind of device and provides features that can’t be disabled by FW,” @OverSoftN added.

Bootnote

The “unhackable” claim isn’t even original. Oracle infamously described its technology as unbreakable years ago only to be proved wrong by security researcher David Litchfield shortly afterwards. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/31/bitfi_reluctantly_drops_unhackable_claim/

Why Automation Will Free Security Pros to Do What They Do Best

There are three reasons today’s security talent pool is neither scalable nor effective in addressing the rapid evolution of cyberattacks.

People are and will always be the most critical cybersecurity resource. Right now, the talent pool with the unique skills and training to respond to cyber threats is unfortunately all too limited, and the way we are making use of this scarce resource is neither scalable nor effective in addressing the rapid evolution of cyberattacks.

The lack of analysts dedicated to advanced malware forensics, and the high cost of recruiting and retaining them, force organizations to build security operations centers (SOCs) and incident response teams in a tiered analyst structure. The further you go up the tiers, the more advanced the security analyst, and the fewer resources available to staff that position. As a result, it’s critical within this structure to filter out as many false alarms as possible, leaving only the most extreme forensic cases for the limited, high-tier human resources to analyze. The pressure on these top-tier security professionals to respond quickly to alerts and filter out as many false positives as possible commonly leads to successful infiltrations being missed.

To limit the negative impacts of a breach and avoid incident overload within incident response teams, many organizations rely on prevention technologies as their first line of cyber defense. Current prevention technologies are designed to log or, in obvious cases, filter out known anomalies and indicators, but they lack the ability to stop the unknown or prevent the implications of a successful attack. As a result, more sophisticated cyberattacks can remain undetected for longer periods of time by bypassing these established countermeasures.

This situation is often beyond the control of hard-working security pros. Consider the 2017 Equifax breach. Equifax had a well-qualified security team in place, but an advanced cyberattack evaded its detection systems and remained stealthy while stealing corporate data. As in this and most other breach scenarios, by the time the SOC analyst responds, his or her threat-hunting efforts are largely focused on investigative steps to determine the causes and assess the impact. There are three reasons why this approach is problematic:

Reason 1: Human-driven analysis consumes precious time. It’s a manual process of painstakingly reviewing atypical compromise indicators and determining an appropriate response. For example, how many indicators do you have? How many do you need to warrant investigation? How do they even come to be an indicator? Threats are simply moving too quickly to tolerate the delays inherent in manual response.

Reason 2: Skilled security analysts are hard to find. Today’s most-coveted SOC skill involves human eyes darting between screens and deciding what to do first when attempting to make sense of statistical indicators and anomalies. Aside from that being essentially a reactive exercise after the damage is done, the labor shortage of people with these skills makes them costly to hire and retain. And because it’s nearly impossible to predict the number of analysts needed to analyze the increasing volume of cyberattacks and the corresponding indicators, operational expenditures (OpEx) related to salary costs are continual wild cards.

Reason 3: It’s too late. Once a breach and potentially a theft have occurred, the damage is done and your data is gone. Your valuable SOC resources are focused on cleanup and damage control rather than on preventing the cyberattack and breach.

Given these problems, the current approach is unsustainable. Fortunately, automation technology offers a compelling solution that augments rather than replaces the human component in the equation. In particular, automation can help increase security efficacy and the speed of operations. While preventing all attacks is not possible, automated, real-time containment of an attack reinforces a protective posture, preventing or limiting the consequences of a breach. Once attacks are contained, automated responses can be customized and applied to remediation, but in a predictable way and more manageable time frame. That makes for efficient use of limited security resources, accelerates the time to address new threats, and improves OpEx.

Another benefit of automation is how it will increase the value of security analysts by enabling them to get even better at the more consequential aspects of their jobs. As adoption of automation inevitably increases, security analysts will need to focus beyond the art and science of manually correlating data based on memory and instinct, and more on strategic analysis, planning, and remediation, such as understanding the business drivers for how the organization uses, transmits, and stores data. Better understanding of the business context will empower analysts to develop predetermined automation outcomes designed to minimize disruption of critical business services and functions. For example, a decision may be made to automate containment or remediation of infections on call center endpoints that are critical for sustaining customer support operations.

Once preventative countermeasures are adopted that can ensure effective prevention and protection in real time, security analysts will then be able to focus on identifying the next potential weak link and remediating it. That will not only provide better security posture but will also guarantee security scalability and analysts’ greater satisfaction in their jobs.

In summary, automation will help organizations contain breach impacts while controlling the costs of scarce staff resources struggling to keep up. But ultimately, security will still come down to people. Security analysts will create the solutions that keep their organizations safe. Automation will empower them to succeed in an environment where incident response time pressures have been minimized, freeing them to employ their best talents and skills and realize the full potential of threat hunting to discover and eliminate future risks.

 

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.


Roy is a 15-year seasoned product manager and security market strategist, combining strong technical knowledge with proven sales and marketing skills. Prior to enSilo, Roy led Akamai’s security strategy. Before that, he managed Imperva’s data security products and … View Full Bio

Article source: https://www.darkreading.com/endpoint/why-automation-will-free-security-pros-to-do-what-they-do-best/a/d-id/1332688?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

How Hackers Hit Printers

New Booz Allen Hamilton report advises companies to include printers in their overall security strategy.

Networked printers increasingly are becoming targets of hackers as these devices often aren’t secured by enterprises.

A 2017 Quocirca survey of 200 companies with more than 1,000 employees, cited by Booz Allen Hamilton, found that 61% of respondents reported a data loss incident in 2016, and that at least half of those organizations had at least one such incident linked to a printer.

The security incidents included digitally intercepted print jobs (50%), loss of data from printer hard disks (48%), mailing of documents via multifunction printers to external sources (44%), and printers getting hacked to gain network access (18%).

“Today’s office printers are fully functional computers that have a printer, scanner, photocopier, and a fax machine, as well as an email platform with local storage, wireless networking, and an operating system,” says Nate Beach-Westmoreland, head of strategic threat intelligence for Booz Allen and author of the printer portion of the firm’s new Cyber4Sight report. “Security pros need to prioritize network printers as such.”

Some of the most common types of cyberattacks on printers include disabling printers for ransom and abusing insecure printers for vandalism or vigilantism.

Brian Minick, Booz Allen’s vice president of cybersecurity, says state-linked attackers believed to be operating out of North Korea have regularly targeted printers in their attacks on banks. In the attacks on City Union Bank in India and Bangladesh Bank, for example, they disabled the printers used to print confirmations of SWIFT network transfers, removing the paper trail that staff would otherwise have used to spot the fraudulent transactions.

“After gaining access to a network from some other entry point, bad threat actors often disable printers as a distraction or way to cover their tracks during a broader attack that makes bank transfers to the criminal’s bank account,” Minick explains. 

Printer giant HP recently launched a bug bounty program with Bugcrowd where it will pay up to $10,000 per vulnerability found in its enterprise printers, a move that underscores how these devices are becoming targets.

“We agree that, like the PC, printers have become incredibly powerful devices with increased storage and processing power,” says Shivaun Albright, chief technologist of print security for HP. “We haven’t reached the awareness-level, though, to secure print devices and implement all the good security practices that are employed to protect PCs and other important nodes in the network.”

There’s a gap today in discussions between decision makers and those implementing the technology, she says, as well as mismanagement in how printers are deployed: companies leave critical ports and settings open, making it easy for attackers to reach the device remotely. Albright recommends that customers work with their channel partner on a managed print-services program.

Booz Allen’s Minick and Beach-Westmoreland say printer vendors need to respond to vulnerabilities the way Microsoft did when it set up Patch Tuesday for Windows systems, offering regular security updates. 

Meanwhile, enterprises need to get visibility into their printer security, they say, and build continuous network monitoring into their environments in order to monitor printers the same way they do with network firewalls, switches, routers, and servers.
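The two pieces of advice above, closing exposed ports and monitoring printers the way servers are monitored, translate into rules a SOC can actually run. The following is an added example, not code from the article, Booz Allen or HP: it parses constructed firewall flow records (the key=value format, addresses, print-server allow-list and admin subnet are all hypothetical) and flags three conditions: a host other than a print server talking directly to a print port, a management port reached from outside the assumed admin subnet, and a known printer that has gone silent, which is the symptom of the disabled confirmation printers described above.

```python
"""Detection logic for networked printers over constructed flow-log lines.

Added example, not code from the Dark Reading article, Booz Allen or HP.
Everything below the imports is an assumption: the key=value log format,
the addresses, the print-server allow-list and the admin subnet are
hypothetical and should be replaced with your own inventory.
"""
import ipaddress
import re
from datetime import datetime, timedelta

# Hypothetical inventory and policy (assumed, not from the article).
PRINTERS = {"10.0.9.21", "10.0.9.22"}            # known printer addresses
PRINT_SERVERS = {"10.0.5.10"}                    # only these may spool jobs
ADMIN_NET = ipaddress.ip_network("10.0.1.0/24")  # where printer admins sit
PRINT_PORTS = {9100, 515, 631}                   # raw/PJL, LPD, IPP
MGMT_PORTS = {21, 23, 80, 161, 443, 8000}        # FTP, telnet, web UI, SNMP
SILENCE_LIMIT = timedelta(minutes=30)            # a confirmation printer
                                                 # should not go quiet for long

# One record per line: timestamp, source, destination, port, proto, verdict.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)

# Constructed sample log (not real traffic).
SAMPLE_LOG = [
    "2018-08-30T09:05:00Z src=10.0.7.44 dst=10.0.9.21 dport=9100 proto=tcp action=allow",
    "2018-08-30T09:06:00Z src=10.0.7.44 dst=10.0.9.21 dport=23 proto=tcp action=allow",
    "2018-08-30T09:07:00Z src=10.0.1.5 dst=10.0.9.22 dport=443 proto=tcp action=allow",
    "2018-08-30T09:08:00Z src=10.0.7.44 dst=10.0.9.22 dport=161 proto=udp action=deny",
    "2018-08-30T09:45:00Z src=10.0.5.10 dst=10.0.9.21 dport=9100 proto=tcp action=allow",
    "this line is malformed and is skipped",
]
NOW = datetime(2018, 8, 30, 10, 0, 0)  # evaluation time for the heartbeat rule


def parse(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["dport"] = int(rec["dport"])
    return rec


def analyse(lines, now):
    """Return (rule, src, dst, port) findings for traffic aimed at printers.

    direct-print:            a host other than a print server speaks to a
                             print port; it bypasses the spooler and is the
                             path a PJL or firmware attack over 9100 takes.
    mgmt-outside-admin-net:  a management port reached from outside ADMIN_NET,
                             flagged even when denied (still reconnaissance).
    silent-printer:          no allowed spooler traffic within SILENCE_LIMIT;
                             the symptom of a printer taken offline.
    """
    findings = []
    last_seen = {p: None for p in PRINTERS}
    for line in lines:
        rec = parse(line)
        if rec is None or rec["dst"] not in PRINTERS:
            continue
        src, dst, port = rec["src"], rec["dst"], rec["dport"]
        if port in PRINT_PORTS:
            if src not in PRINT_SERVERS:
                findings.append(("direct-print", src, dst, port))
            elif rec["action"] == "allow" and (
                last_seen[dst] is None or rec["ts"] > last_seen[dst]
            ):
                last_seen[dst] = rec["ts"]  # spooler heartbeat for this printer
        elif port in MGMT_PORTS and ipaddress.ip_address(src) not in ADMIN_NET:
            findings.append(("mgmt-outside-admin-net", src, dst, port))
    for printer in sorted(PRINTERS):
        seen = last_seen[printer]
        if seen is None or now - seen > SILENCE_LIMIT:
            findings.append(("silent-printer", None, printer, None))
    return findings


if __name__ == "__main__":
    for rule, src, dst, port in analyse(SAMPLE_LOG, NOW):
        print(f"{rule:24} src={src} printer={dst} port={port}")
```

The allow-lists and the 30-minute heartbeat are placeholders to tune per site. The point of the silent-printer rule is that it depends entirely on an inventory of which addresses are printers, which is exactly the visibility the article says most enterprises lack; without that list the rule cannot fire.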


Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md. View Full Bio

Article source: https://www.darkreading.com/risk/how-hackers-hit-printers-/d/d-id/1332715?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Forcing iPhone unlock violates Fifth Amendment, says Court of Appeals

In July 2017, Katelin Eunjoo Seo called police in Hamilton County, Indiana, claiming that she’d been raped.

As part of the investigation, she allowed Detective Bill Inglis to view her Apple iPhone 7 Plus. With Seo’s consent, Inglis also did a forensic download of its contents, after which he handed it back to her.

After examining the phone’s contents, Inglis changed course. He decided not to pursue charges against the alleged rapist and instead began investigating Seo herself for what looked like stalking and harassment of the alleged rapist, identified as “D.S.” in court documents.

When Inglis questioned D.S., he explained that he was getting up to 30 phone calls and text messages from Seo’s phone, and that at some point, whoever was sending the messages switched their phone number on a daily basis – likely by using a third-party app, Inglis suspected.

On 19 July 2017, Seo was charged with felony stalking, intimidation, theft, and harassment for allegedly trying to pressure D.S. into either marrying or impregnating her. When police arrested her at her workplace that day, they seized what looked like the same iPhone they’d seen in her possession before.

The state got a warrant to search that phone on 8 August 2017. This time, however, Seo refused to unlock it, citing her right against self-incrimination under the Fifth Amendment to the Constitution of the United States.

Initially, a trial court sided with the state and held Seo in contempt. But last week, in a split decision, the Indiana Court of Appeals reversed the contempt finding and sided with Seo.

From the majority opinion of the lengthy decision in Katelin Eunjoo Seo v. State of Indiana, written by Judge Paul Mathias:

A modern smartphone, with its central purpose of connecting its owner to the Internet and its ability to store and share incredible amounts of information in ‘the Cloud’ of online storage, is truly as close as modern technology allows us to come to a device that contains all of its owner’s conscious thoughts, and many of his or her unconscious thoughts, as well. So, when the State seeks to compel a person to unlock a smartphone so that it may search the phone without limitations, the privacy implications are enormous and, arguably, unique.

During oral arguments on 1 May, Seo’s counsel argued that requiring her to disclose her password was the same as requiring her to disclose the “contents of her mind,” a violation of her Fifth Amendment rights against self-incrimination.

That, in fact, has been a refrain in other court cases that distinguish between compelled fingerprint unlocking of phones and compelled production of passcodes: a fingerprint is something that we “are” (and which is captured when police book a suspect), whereas a passcode is something that we “know,” and hence can be considered testimony capable of self-incrimination.

The state pushed back, maintaining that it was a “foregone conclusion” that Seo knew her passcode and that there were text messages to D.S. on the device, making the Fifth Amendment argument inapplicable. She had, after all, already given them her passcode once before.

The Court of Appeals – which included judges Mathias, Melissa May and Patricia Riley – grappled with the fact that existing Fifth Amendment caselaw focuses on self-incrimination in the context of physical documents, not electronic data. Mathias, for one, noted that data stored on iPhone 7 models is encrypted, meaning that it’s unintelligible to outsiders – a far cry from paper documents that previous caselaw pertained to.

That difference played an important role in reversing the trial court’s decision to compel a passcode from the unwilling Seo. From Mathias’s decision:

We consider Seo’s act of unlocking, and therefore decrypting the contents of her phone, to be testimonial not simply because the passcode is akin to the combination to a wall safe as discussed in Doe [a reference to Doe v. United States, 487 U.S. 201 (1988)]. We also consider it testimonial because her act of unlocking, and thereby decrypting, her phone effectively recreates the files sought by the State.

Besides which, the state doesn’t just want Seo’s passcode: it wants to use the passcode to get into her iPhone for its entire contents:

Thus, for the foregone conclusion doctrine to apply, the State must be able to describe with reasonable particularity the discrete contents on Seo’s phone – e.g., all texts to D.S. created on Seo’s iPhone – that it is compelling her to not only produce, but to re-create by entering her passcode and decrypting the contents of the phone. This is a burden the State has not met.

The majority also held that the search warrant failed to describe with reasonable particularity the digital information it covered.

There are considerable differences between paper and electronic records, and those differences make it tough to apply existing Fifth Amendment caselaw to Seo’s and similar cases, Mathias concluded. To that end, he created a structure “for resolving decryption requests from law enforcement authorities” and asked reviewing courts of last resort to consider following it.

The Indiana Lawyer summed up the structure’s tenets:

  • Requiring the decryption of data should be recognized as data recreation and, thus, strictly limited.
  • Law enforcement will have legitimate need of encrypted data in some instances.
  • Law enforcement requests that are identified as bona fide emergencies should be supported by “a warrant that describes the other imminent crime(s) suspected and the relevant information sought through a warrant.”
  • Law enforcement should be required to seek digital data through third parties in non-emergency situations.
  • Fourth Amendment exceptions and state analogues should be inapplicable or strictly limited in “the search and seizure of digital data stored on devices owned or controlled by that defendant, or from ‘Cloud’ subscriptions that defendant owns or uses.”

Despite last Tuesday’s decision, the case against Seo can continue, the majority wrote in a footnote.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/MICqfrGBm8c/