STE WILLIAMS

One-in-two JavaScript project audits by NPM tools sniff out at least one vulnerability…

JavaScript library custodian NPM, after years of security scrambling, looks to be getting a grip on its code safety.

There was that incident in May when NPM swiftly removed a backdoored package following complaints. No real damage was done.

A month earlier, the bit-shifting biz added an “audit” command to v6 of npm, the company’s eponymous command-line tool. Thereafter, npm-wielding developers had the option to type npm audit from the command line while in a Node.js project directory, generating a listing of known vulnerabilities affecting package dependencies that come from code stored in the NPM registry.

Better still, simply typing npm install – the command to populate a Node.js project with packages declared in the package.json file – would run an automatic security audit.

Remediation is not automatic, but as of May, users gained the ability to type npm audit fix to replace outdated, insecure modules in projects with current, hopefully secure ones.
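A practical consequence of the audit running on every install is that a team can gate its CI build on the audit’s output rather than relying on someone reading the terminal. The script below is an added example, not npm’s own code and not from the article: it reads the JSON that `npm audit --json` emits, fails the build when any advisory is at or above a chosen severity, and reports the same severity counts npm prints at the bottom of its table. It assumes the npm 6 report layout (a top-level `advisories` map keyed by advisory id, plus `metadata.vulnerabilities` counts; later npm majors changed this schema) and runs on a constructed sample report when nothing is piped in.

```python
"""Gate a CI build on the JSON report printed by `npm audit --json`.

Assumption (not from the article): the report uses the npm 6 layout, i.e.
a top-level "advisories" map keyed by advisory id and
"metadata.vulnerabilities" severity counts. Later npm majors changed this.
"""
import json

# npm's severity scale, lowest to highest.
SEVERITY_ORDER = ("info", "low", "moderate", "high", "critical")


def audit_gate(report_text, fail_at="high"):
    """Return (passed, findings).

    findings lists (severity, module, title, patched_versions) for every
    advisory at or above `fail_at`; passed is True when that list is empty.
    """
    report = json.loads(report_text)
    threshold = SEVERITY_ORDER.index(fail_at)
    findings = []
    for adv in report.get("advisories", {}).values():
        sev = adv.get("severity", "info")
        if SEVERITY_ORDER.index(sev) >= threshold:
            findings.append((sev, adv["module_name"], adv["title"],
                             adv.get("patched_versions", "<none>")))
    # Highest severity first so the build log leads with what matters.
    findings.sort(key=lambda f: SEVERITY_ORDER.index(f[0]), reverse=True)
    return (not findings), findings


def summarize(report_text):
    """Severity counts from metadata, the figures `npm audit` prints last."""
    meta = json.loads(report_text)["metadata"]["vulnerabilities"]
    return {s: meta.get(s, 0) for s in SEVERITY_ORDER}


# Constructed sample report (not real npm output): one critical advisory with
# a fix available, one low advisory without ("<0.0.0" is npm's empty range).
SAMPLE_REPORT = json.dumps({
    "advisories": {
        "1001": {"module_name": "example-left-pad", "severity": "critical",
                 "title": "Prototype Pollution (constructed sample)",
                 "vulnerable_versions": "<2.0.0", "patched_versions": ">=2.0.0"},
        "1002": {"module_name": "example-util", "severity": "low",
                 "title": "Regular Expression DoS (constructed sample)",
                 "vulnerable_versions": "<1.4.1", "patched_versions": "<0.0.0"},
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 1, "moderate": 0,
                                     "high": 0, "critical": 1}},
})

if __name__ == "__main__":
    import sys
    # Usage in CI: npm audit --json | python audit_gate.py
    text = SAMPLE_REPORT if sys.stdin.isatty() else sys.stdin.read()
    ok, hits = audit_gate(text)
    for sev, mod, title, fix in hits:
        print(f"{sev:8} {mod}: {title} (patched: {fix})")
    print("counts:", summarize(text))
    sys.exit(0 if ok else 1)
```

Failing only on high and critical keeps the gate from blocking every build on a low-severity advisory with no available fix, which is the usual reason teams switch the check off entirely; the threshold is a parameter so a stricter project can lower it.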

Since April, according to the company, npm users have run 50 million automatic scans and have deliberately invoked the command 3.1 million times. And they’re running 3.4 million security audits a week.

Across all audits, 51 per cent found at least one vulnerability and 11 per cent identified a critical vulnerability.

Pull the other one

In a phone interview with The Register, Adam Baldwin, head of security at NPM, said he didn’t have data on how many people are choosing to fix flagged flaws. “But what we’ve seen from pull requests suggests it’s gaining traction,” he said.

Incidentally, npm’s thinking about security is finding similar expression elsewhere in the industry. Earlier this year, GitHub began alerting developers when their code contains insecure libraries.

During a recent media briefing, GitHub’s head of platform Sam Lambert said he hoped that the process could be made more automated through the mechanized submission of git pull requests that developers could simply accept to replace flawed code.

Baldwin said NPM might implement something similar, an intervention rather than a simple notification. “Currently it’s not proactive policy enforcement,” he said. “But it’s something we’re considering.”

That would appeal to NPM’s growing enterprise constituency. “Enterprises for sure want the compliance and control,” said Baldwin. “They want that ability to know the open source they’re bringing in is safe or meets a certain set of criteria.”

Upping its security game further still, NPM on Wednesday added “Report a Vulnerability” buttons to every NPM package webpage. The biz also started checking the hashes of passwords during account creation against the “Have I Been Pwned?” database, to help users avoid compromised passwords.

This isn’t to say there won’t be further security issues with NPM packages, but the tools for avoiding problems and fixing them are getting better. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/22/npm_vulnerability_scanner/

Apache’s latest SNAFU – Struts normal, all fscked up: Web app framework needs urgent patching

Another critical security hole has been found in Apache Struts 2, requiring an immediate update.

The vulnerability – CVE-2018-11776 – affects core code and allows miscreants to pull off remote code execution against vulnerable servers and websites. It affects all versions of Struts 2, the popular open-source framework for Java web apps.

The Apache Software Foundation has “urgently advised” anyone using Struts to update to the latest version immediately, noting that the last time a critical hole was found, the holes were being exploited in the wild just a day later. In other words, if you delay in patching, your organization will be compromised in short order via this bug, if you are running vulnerable systems.

It was that earlier flaw that led to a nightmare data breach from credit company Equifax after it failed to patch swiftly enough. The details of nearly 150 million people were exposed, costing the company more than $600m, so this is not something to be taken lightly.

The company that discovered the vulnerability – Semmle Security Research Team – warns that this latest one is actually worse than the one last year, which it also found. It has published a blog post with more information. Semmle found the hole back in April and reported it to Apache, which put out a patch in June that it has now pulled into formal updates (2.3.35 for those using version 2.3 and 2.5.17 for those on 2.5).

As mentioned, the vulnerability is in the core code and doesn’t require additional plugins to work. It is caused by insufficient validation of untrusted user data in the core of the Struts framework, and can be exploited in several different ways.

Semmle says it has identified two different vectors but warns there may be others.

They are:

  • The alwaysSelectFullNamespace flag is set to true in the Struts configuration – this is going to be a default with most configurations.
  • Your application’s Struts configuration file contains an action … tag that does not specify the optional namespace attribute, or specifies a wildcard namespace (e.g. ‘/*’) – again a pretty common occurrence.

If your app does not meet these two conditions, according to Semmle “you are likely not vulnerable to the two attack vectors described below.” However, it warns that new attack routes will likely appear soon – so update to the latest version.
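To decide how urgently a particular deployment needs the update, a defender can test its struts.xml against the two preconditions listed above. The checker below is an added example, not Semmle’s or Apache’s code. It assumes the flag in question is the Struts constant `struts.mapper.alwaysSelectFullNamespace` (which can also be set in struts.properties, a file this script does not read), and, because a namespace is normally declared on the enclosing `<package>`, it looks at an action’s own `namespace` attribute first and falls back to the package’s. Both configurations it runs against are constructed samples.

```python
"""Flag a struts.xml that meets the two CVE-2018-11776 preconditions the
article lists, so patching can be prioritised.

Assumptions (not from the article): the flag is the Struts constant
`struts.mapper.alwaysSelectFullNamespace`; an <action> without a namespace
attribute inherits the namespace of its enclosing <package>; struts.properties
is not consulted.  Example code, not Semmle's or Apache's.
"""
import xml.etree.ElementTree as ET

FULL_NAMESPACE_CONSTANT = "struts.mapper.alwaysSelectFullNamespace"


def check_struts_config(xml_text):
    """Return a dict describing which of the two preconditions the config meets."""
    root = ET.fromstring(xml_text)
    # Condition 1: the flag is switched on via a <constant> element.
    flag_on = any(
        c.get("name") == FULL_NAMESPACE_CONSTANT
        and c.get("value", "").strip().lower() == "true"
        for c in root.iter("constant")
    )
    # Condition 2: an action whose effective namespace is missing or a wildcard.
    risky_actions = []
    for pkg in root.iter("package"):
        pkg_ns = pkg.get("namespace")
        for action in pkg.iter("action"):
            ns = action.get("namespace", pkg_ns)  # own attribute wins
            if ns is None or "*" in ns:
                risky_actions.append((action.get("name", "?"), ns))
    return {
        "always_select_full_namespace": flag_on,
        "unscoped_or_wildcard_actions": risky_actions,
        "matches_both_conditions": flag_on and bool(risky_actions),
    }


# Constructed sample: flag on, one package with no namespace, one with "/*".
VULNERABLE_CONFIG = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="default" extends="struts-default">
    <action name="index" class="example.IndexAction">
      <result>/index.jsp</result>
    </action>
  </package>
  <package name="wild" namespace="/*" extends="struts-default">
    <action name="any" class="example.AnyAction">
      <result>/any.jsp</result>
    </action>
  </package>
</struts>"""

# Constructed sample: flag off and every package scoped to a concrete namespace.
HARDENED_CONFIG = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="false"/>
  <package name="default" namespace="/" extends="struts-default">
    <action name="index" class="example.IndexAction">
      <result>/index.jsp</result>
    </action>
  </package>
  <package name="app" namespace="/app" extends="struts-default">
    <action name="any" class="example.AnyAction">
      <result>/any.jsp</result>
    </action>
  </package>
</struts>"""

if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, check_struts_config(cfg))
```

A configuration that fails this check is one to patch first, but, as Semmle’s warning above makes clear, a configuration that passes it is not a reason to skip the update: the check only covers the two vectors known at the time.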

Because the flaw can be exploited remotely, and because Struts is typically used to build applications exposed on the public internet, hackers are going to be especially focused on exploiting it so they can gain access to corporate networks.

And there are some big targets out there: Apache Struts is extremely common with most large corporations using it somewhere in their systems for web apps.

Semmle’s VP of engineering, Pavel Avgustinov, had this to say about the hole on Wednesday this week: “Critical remote code execution vulnerabilities like the one that affected Equifax and the one we announced today are incredibly dangerous for several reasons: Struts is used for publicly-accessible customer-facing websites, vulnerable systems are easily identified, and the flaw is easy to exploit. A hacker can find their way in within minutes, and exfiltrate data or stage further attacks from the compromised system. It’s crucially important to update affected systems immediately; to wait is to take an irresponsible risk.”

So that’s a pretty solid “do not wait to patch” recommendation.

This is very far from the first time that big security holes have been found in Struts, leading some to recommend that people simply stop using it. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/22/apache_struts_2_vulnerability/

Everyone screams patch ASAP – but it takes most organizations a month to update their networks

The computer industry may have moved to more frequent software security updates – but the rest of the world still takes a month or longer to patch their networks.

That is one of the findings in a new report by enterprise network bods at Kollective. The biz spoke to 260 IT heads in the UK and US about their systems and security and uncovered some potentially eyebrow-raising facts.

More than a third of IT managers – 37 per cent – view the slow installation of software updates as the biggest security threat they face; more even than idiot end-users choosing bad passwords (33 per cent).

And that’s for a good reason: the survey revealed that nearly half – 45 per cent – of large businesses (more than 100,000 terminals) take at least a month to patch their networks; just over a quarter – 27 per cent – take several months.

This is a security nightmare waiting to happen – as has been made clear just today with the announcement of a critical remote-execution bug in Apache Struts 2. Roughly half of Fortune 100 companies use Struts for their web apps, and Apache has warned them to update their networks immediately.

The last big hole in the framework saw exploits in the wild within 24 hours – and it was Equifax’s failure to patch in time that led to its $600m data breach covering 150 million people.

But the reality on the ground, according to Kollective’s survey, is that two-thirds of enterprises are not able to automate security updates, with 13 per cent confessing that they have given up on trying to create an automated system and instead rely on employees updating their own systems.

Big hacker opportunity

If Kollective is right, a terrifying 81 per cent of companies will not be able to apply the Struts patch within the one-day timeframe that Apache has “urgently advised.” Just over half – 52 per cent – say it will take a week.

Which of course leads to the question: Why? What causes the delay?

The most common answer was testing: Nearly 40 per cent of IT managers said the need to test first was the biggest cause of delay. Next up was a quarter of them warning that network scaling issues were to blame. Company policies were blamed by 12 per cent; followed by a lack of infrastructure and lastly bandwidth.

When it comes to the question of why sysadmins, most of whom are completely aware of the problem, don’t do more to fix things, the most common answer was budget.

While management is focused on artificial intelligence, machine learning and the cloud – and allocates increasing resources to each – the less-sexy but more important job of putting a content delivery network system in place to rapidly patch networks is not getting the attention it needs.

There may be a solution for IT managers running Windows though: Microsoft’s Windows as a Service (WaaS) that it is rolling out for Windows 10 will automatically update your systems and, in theory, kill off a big part of the Patch Tuesday headache (incidentally, you can now buy ‘Exploit Wednesday’ T-shirts).

But the survey also reveals that the Beast of Redmond is moving too fast for most IT managers – with 46 per cent of them saying that they have no plans to manage WaaS updates.

Backlog

Worse, some warned that Microsoft’s new habit of putting out more updates more regularly is actually amplifying the problem, with a backlog of updates building up each month.

But with support for Windows 7 ending in January 2020, companies are going to have to face the unpleasant reality of shifting to Windows 10 or paying hefty support fees.

Of course, this is where the company behind the survey – Kollective – comes in. It offers enterprise content delivery networks that would introduce more automation and faster testing, with a focus on Windows 10.

“Today’s businesses are spending more than ever before on enhancing and improving their security systems. But, this investment is wasted if they aren’t keeping their systems up-to-date,” said its CEO, Dan Vetras, adding: “Our research has found that many of the delays in software distribution aren’t because of testing, but rather a lack of infrastructure. Poorly constructed networks mean that, even those companies that have made a significant investment in security software, are still leaving their organizations vulnerable to attack.”

Of course, Kollective thinks it has the answer – that’s its business – but what do you think, Reg readers? Do the figures above reflect your reality? How long does it take you to update your networks? And what is your future solution to the constant nightmare of security updates? ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/22/patching_survey/

Adobe Software at Center of Two Vulnerability Disclosures

Newly discovered Photoshop and Ghostscript vulnerabilities allow remote code execution.

In a pair of apparently unrelated notices this week, remote execution vulnerabilities in two products built around Adobe image manipulation products were disclosed – as well as a security update for one of them.

In the first, Adobe announced updates to the Windows and MacOS versions of Adobe Photoshop CC 2017 and 2018. According to the company, the critical vulnerabilities could allow remote code execution by unauthorized users. In announcing the updates, designated CVE-2018-12810 and CVE-2018-12811, Adobe describes the issues broadly while giving no details about the vulnerabilities or any known “in the wild” exploits.

Each of the two flaws was given a priority rating of 3, Adobe’s designation for updates that remediate vulnerabilities in products which have not historically been prime targets for exploitation.

The second remote execution flaw announced today is much broader in potential impact: the vulnerability lies in the -dSAFER functionality of Ghostscript, an open source interpreter that allows programs such as GIMP (a popular open source alternative to Adobe Photoshop) to work with Adobe’s PostScript and PDF page description languages.

Because Ghostscript is used in both applications and websites to allow display and modification of .PDF and other Adobe format files, even a rapid update to the interpreter would likely take quite a long time to be fully deployed across the Internet.

In a post to oss-security announcing the new vulnerabilities, Tavis Ormandy, the researcher who discovered them, recommended that developers disable “…PS, EPS, PDF and XPS coders in policy.xml by default.”

Ormandy, who is on Google’s Project Zero team, noted that he has found at least one exploit of the vulnerability in the wild, and that there are similar vulnerabilities that can be exploited with similar tactics. Further, he demonstrated that some of the methods for exploiting the vulnerabilities are trivial, requiring no advanced coding skills or security knowledge.

The new vulnerabilities are not the first to be found in -dSAFER. In a related post, Ormandy noted that he has posted -dSAFER sandbox escapes (methods allowing program execution to escape from the software sandbox designed to limit the effects of malicious code) in the past. 
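Ormandy’s mitigation above refers to ImageMagick’s policy.xml, the file that controls which coders (format handlers) ImageMagick is allowed to invoke; PS, EPS, PDF and XPS are the coders that hand input to Ghostscript. The script below is an added example, not ImageMagick’s or Ormandy’s code: it parses a policy file, expands brace-list patterns such as `{PS,PDF}`, and reports which of those four coders a policy still leaves enabled, alongside a constructed fragment that disables them. It assumes the entries take the `<policy domain="coder" rights="none" pattern="..."/>` form.

```python
"""Check an ImageMagick policy.xml for the coder restrictions Ormandy
recommended (PS, EPS, PDF and XPS disabled).

Assumptions (not from the article): policy.xml is ImageMagick's security
policy, coder entries look like <policy domain="coder" rights="none"
pattern="..."/>, and a pattern may list several coders in braces, e.g.
"{PS,PDF}".  Example code, not ImageMagick's or Ormandy's.
"""
import re
import xml.etree.ElementTree as ET

# Coders that route input through Ghostscript.
GHOSTSCRIPT_CODERS = ("PS", "EPS", "PDF", "XPS")


def _expand(pattern):
    """'{PS, EPS}' -> ['PS', 'EPS']; 'pdf' -> ['PDF'] (names upper-cased)."""
    m = re.fullmatch(r"\{(.*)\}", pattern.strip())
    items = m.group(1).split(",") if m else [pattern]
    return [i.strip().upper() for i in items if i.strip()]


def disabled_coders(policy_xml):
    """Set of coder names whose rights are 'none' in the policy."""
    root = ET.fromstring(policy_xml)
    disabled = set()
    for pol in root.iter("policy"):
        if pol.get("domain") == "coder" and pol.get("rights", "").strip().lower() == "none":
            disabled.update(_expand(pol.get("pattern", "")))
    return disabled


def missing_ghostscript_blocks(policy_xml):
    """Which of the Ghostscript-backed coders the policy still leaves enabled."""
    enabled = disabled_coders(policy_xml)
    return [c for c in GHOSTSCRIPT_CODERS if c not in enabled]


# Constructed sample: a policy that only blocks MVG, so Ghostscript input is allowed.
PERMISSIVE_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="MVG"/>
</policymap>"""

# Constructed sample: the same policy with the recommended coders disabled.
HARDENED_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="MVG"/>
  <policy domain="coder" rights="none" pattern="{PS,PS2,PS3,EPS,PDF,XPS}"/>
</policymap>"""

if __name__ == "__main__":
    for label, policy in (("permissive", PERMISSIVE_POLICY), ("hardened", HARDENED_POLICY)):
        left = missing_ghostscript_blocks(policy)
        print(f"{label}: still enables {left if left else 'none of the Ghostscript coders'}")
```

Running this against the policy.xml shipped on each image-processing host is a quick way to confirm the mitigation actually took effect, which matters because, as the article notes, the Ghostscript update itself will take a long time to reach every system that embeds it.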

“This exploit has the potential for file system access leading to sensitive data leak and more as it can be the beachhead opportunity for a more comprehensive data breach,” said Stephen Giguere, a sales engineer at Synopsys.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/application-security/adobe-software-at-center-of-two-vulnerability-disclosures/d/d-id/1332639?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

It Takes an Average 38 Days to Patch a Vulnerability

Analysis of 316 million-plus security incidents uncovers most common types of real-world attacks taking place within in-production Web apps in the AWS and Azure cloud ecosystems.

It takes over a month for the average organization to patch its most critical vulnerabilities, according to a new report detecting trends in Web application attacks.

The data comes from tCell, which today released its Q2 2018 “Security Report for In-Production Web Applications.” Researchers analyzed more than 316 million security incidents across its customer base and published key findings on the most common types of real-world attacks taking place within in-production Web apps in the Amazon Web Services and Microsoft Azure cloud ecosystems.

tCell published the report for the first time last year, when it noted a high attack-to-breach ratio, explains co-founder and CEO Michael Feiertag. The volume of attempts that attackers go through before landing a successful breach is 100,000 to 1, he says. Web application attacks are noisy because attackers use automation to hunt weak spots within the apps.

“This year we evaluated the data over the last quarter to understand how access to security data from the application has impacted the team’s ability to secure their apps,” he continues. “We discovered that security teams who have this data gained measurable process improvements for remediation, used the data to improve collaboration with developer and operations peers, and helped prioritize work to gain scale for overstretched teams.”

Researchers recognized two primary attacks at play. One was the prevalence of attempted cross-site scripting (XSS) attacks aimed at application users, which were the most common type of incident detected. Most instances of XSS are only attack attempts, they point out. Last year, only one in 1,200 attempts were successful, making it tough to separate breaches from attack attempts.

The second most common was SQL injection, which was leveraged to access sensitive data or run OS commands to gain further access into a target system. Automated threats, file path traversal, and command injection rounded out the top five most common Web application attacks for Q2.

“We are seeing a bifurcation of attacks,” Feiertag says. The majority, by volume, are scanning attacks in which probes target many apps with every possible easy-to-test attack. Researchers also saw a spike in targeted attacks, which hit individual apps with advanced threats going for high-value vulnerabilities: command injection to put malicious code on a server, for example, or compromised credentials to gain administrative access.

“Both appear to be financially motivated but with different approaches to achieve those goals – wide vs. deep,” he adds.

TCell’s top five most common incidents differ from the most popular attacks as listed by the Open Web Application Security Project (OWASP); those are injection flaws, broken authentication, sensitive data exposure, XML external entities, and broken access control. The reason is that tCell specifically considers attacks and breaches in production that reside in public cloud environments, while OWASP considers a broader set of data, which provides “a different view on the same problem,” Feiertag explains.

CVEs: Prevalence and Patching
According to tCell’s report, 90% of active applications had a known CVE, and 30% had a critical CVE, during the second quarter. Researchers detected an average of 2,900 orphaned routes or exposed API endpoints per application; these signify an attack surface with no current business function and represent a security “blind spot,” they explain in the report.

It took an average of 38 days for an organization to patch a vulnerability, regardless of its severity level, and 34 days for an organization to patch its most critical CVEs. Those stats may be affected by the size of the organization, researchers noted, given how larger businesses take significantly longer to patch vulnerabilities than smaller ones.

The less severe the vulnerability, the longer the time frame. Medium severity vulnerabilities took an average of 39 days to patch; low severity flaws took an average of 54 days. The oldest unpatched CVE took nearly a year – 340 days – to address.

Feiertag says the numbers have gotten better. “We’ve seen our customers significantly decrease their time to remediate rates,” he notes, with teams becoming more aware of the need to roll out patches quickly.

Web App Security: What Companies Are Doing
Forward-looking companies are adopting application security approaches that integrate with DevOps and the cloud, Feiertag says. The technologies enabling this, such as RASP, are newer and still evolving but are an improvement over WAF, AST, and waterfall SDLC processes.

However, he continues, many teams and companies have not embraced this change and continue to fall behind, with their software and infrastructure getting ahead of their security tools and strategies.

“Ironically, those are frequently the companies that spend the most money on security, but the results that they achieve are generally below that of their more flexible and efficient peers,” Feiertag says. He advises companies to understand their specific risks – “If you have an app on the Internet, it’ll get attacked eventually,” he says – and to use the right tools and data to minimize them.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/cloud/it-takes-an-average-38-days-to-patch-a-vulnerability/d/d-id/1332638?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Microsoft disrupts Fancy Bear election meddlers

Of all the battles Microsoft has fought over the decades, its pursuit of the alleged Russian Fancy Bear hacking group is turning into one of the most intriguing.

In a new skirmish mentioned by Microsoft’s president and chief legal officer Brad Smith, Microsoft’s Digital Crimes Unit (DCU) recently took control of six internet domains that were about to be used by the group to spoof US political organisations.

These included two mimicking US think tanks – the International Republican Institute and the Hudson Institute – plus three that appeared to be about to target services connected to the US Senate.

The motive? Politics of course:

We’re concerned that these and other attempts pose security threats to a broadening array of groups connected with both American political parties in the run-up to the 2018 elections.

But it was the final domain, impersonating Office 365 and OneDrive, that must have waved a red flag inside Microsoft – going after US democracy is bad enough but going after Microsoft brought trouble even closer to home.

Two years ago, Microsoft sued Fancy Bear, the first time anyone had ever tried legal action against a hacking group in any context, let alone one with no business address and whose members or employees remain a mystery.

Microsoft has also gone out of its way to namecheck the group’s victims, which include the Democratic National Committee (DNC), the German parliament, French TV, the World Anti-Doping Agency, the Ukrainian military, and many others.

But the important moment was the setting up of the Defending Democracy Program earlier this year, out of which has emerged AccountGuard, a free service that it says will defend political candidates at national, state and local levels of US democracy from hackers.

For most of its existence, Microsoft has skirted around politics as much as possible. With alleged Russian hacking banging on the door of US elections, some will say the company has picked a good moment to change course.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/MuwQncb8XCQ/

Extortionist lawyer pleads guilty to creating porn honeypot

Minneapolis lawyer Paul Hansmeier has pleaded guilty to a scheme in which he and another lawyer made porn films, seeded them to BitTorrent websites, and then extorted those who downloaded them, threatening to file lawsuits unless they paid $3,000 to keep from the embarrassment of getting dragged through court.

Hansmeier and his co-defendant, fellow attorney John Steele, were the masterminds behind a multimillion-dollar extortion scheme carried out by their Prenda Law firm. The two were arrested in December 2016 and charged with running the fraud scheme between 2011 and 2014. The two lawyers, now disbarred, also worked with a third lawyer, Paul Duffy, who is now deceased.

According to the indictment, the scheme worked like this: Steele and Hansmeier would use sham entities to get copyrights to pornographic movies, some of which they filmed themselves. Then, they’d set up a porn honeypot by uploading the movies to BitTorrent file-sharing websites. When people downloaded the movies, the trolling lawyers would pounce, filing copyright lawsuits over illegal downloads against the “John Doe” defendants, whom they knew only by IP address.

They’d use the discovery process to get ISPs to hand over subscriber names associated with those IP addresses. Then, the lawyers would send letters or place phone calls, demanding that their targets pay around $3,000. Do it fast, they threatened, or there’d be public allegations and copyright infringement lawsuits over downloading the porn. They also created shell companies to stand in as plaintiffs in the lawsuits.

According to the plea deal, they started by uploading their clients’ porn films to sites including the Pirate Bay. That was in April 2011. In November 2011, Steele and Hansmeier created Prenda Law in order to distance themselves from any potential fallout that may have come from those copyright lawsuits.

By May 2012, they were filming their own porn films, which they also used as bait in the honeypot. Between 2011 and 2014, the lawyers made more than $3m from the lawsuits, which were filed without the court having a clue that Prenda Law had uploaded their clients’ films, had created their own films and uploaded those as well, or that they’d fabricated the plaintiffs that were claiming damages from copyright infringement.

Then, in or around 2012, Steele and Hansmeier created a company – Under the Bridge Consulting – to launder the loot via “consulting fees.” They transferred about $1m of the Prenda Law profits to Under the Bridge Consulting, and from there the funds made it into the lawyers’ pockets.

In early 2017, Steele pleaded guilty to seven charges, including mail and wire fraud. He also agreed to help prosecutors who were investigating the case.

Hansmeier’s guilty plea means that the trial, originally scheduled for 5 September, won’t happen. Rather, a judge will decide sentencing.

The Prenda Law case might not be over yet, though. In court on Friday, Hansmeier’s attorney, Manny Atwal, suggested that he might have an appeal up his sleeve. The Minneapolis Star-Tribune quoted him:

The plea agreement allows Mr. Hansmeier to appeal the denial of his pretrial motion to dismiss the indictment. I think we came to a fair resolution and will see what happens at sentencing and the 8th circuit.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/n64AKWyWsaU/

Scot.gov wins pals with pledge not to keep hold of innocents’ mugshots and biometric data

The Open Rights Group has backed the Scottish government’s plans to immediately delete mugshots at the end of legal retention periods – something Whitehall said is impossible in its own systems.

The Scottish government is consulting on proposals to improve oversight of the use and retention of biometric data, which would see the nation appoint its first biometrics commissioner.

They would be responsible for overseeing adherence to a Code of Practice that sets out the rules on how long authorities can keep DNA, fingerprints and custody images.

The code (PDF), which has been published as part of the consultation, is clear that retaining biometric data interferes with people’s right to privacy, and that “the obvious approach is to have a presumption in favour of deletion following the expiry of any minimum retention period as prescribed in law”.

As such, all data must be deleted as soon as the relevant retention period has passed – and authorities must ensure records are deleted from both the primary database and any other databases they are replicated on.

Establishing such a rule would be in contrast to the situation in England and Wales, where custody images are retained indefinitely in a mammoth database – it now holds 21 million shots of faces and identifying features – and only removed if someone requests it.

This is widely thought to go against a 2012 High Court ruling that said keeping images of presumed innocent people on file was unlawful, and that there must be a distinction between convicted and non-convicted people.

But the Home Office has countered that it isn’t technically possible to automatically link or delete records because national and local databases don’t talk to each other, and that doing it manually would be too costly to justify. It claimed ongoing efforts to update the systems will address this in the longer term.

However, its approach – and ministers’ attitudes – is a source of constant frustration for activists and opponents.

By comparison, the Scottish government’s proposal demands automatic deletion, and indicates that in cases where a system won’t allow it, steps must still be taken to protect un-convicted people, until legacy systems are replaced.

“In relation to custody images held by Police Scotland on legacy force custody systems where there is no automated means of distinguishing between records of convicted and non-convicted persons, it will suffice for the records within those systems to be protected from access in the operational environment until deleted as those systems are shut down,” it said.

Campaigners have welcomed the plan, and urged the Home Office to follow suit.

“Open Rights Group called for rules establishing an automatic deletion procedure,” said the organisation’s Scotland director, Matthew Rice. “It is welcome to see them included in the Code of Practice for Scotland and we encourage the rest of the UK to follow Scotland’s lead.”

Elsewhere in the code, the Scottish government proposed handing out a “biometrics information sheet or leaflet” as a “practical way” to ensure that people whose biometric data is captured understand how it might be used and how they can appeal.

This is another area in which Whitehall has fallen short in the eyes of critics, who argue that most people who have been taken into custody have no idea their images are retained or that they need to request they be deleted.

The Scottish government also noted that the code covered not just DNA, fingerprints and custody images – but also biometric data generated by second-generation tech, like facial recognition software, remote iris recognition and voice pattern analysis.

It said that the code would apply to Police Scotland and the Scottish Police Authority, as well as any bodies that collect data while exercising powers of arrest for devolved purposes – but not for national security or private companies.

However, the Open Rights Group said that this “does not reflect the direction of travel for biometrics in our lives” as there is an increasing amount of surveillance carried out by housing associations and private firms in the retail sector.

“These applications will have an effect on individuals’ rights, and the Code should reflect that,” Rice said. “At the moment, adoption in other areas such as public bodies or private bodies is on a voluntary basis. The Code should go further and apply to those bodies directly.”

Rice also called for the biometrics commissioner to be granted more power should an organisation break the code. As proposed, a breach is not a civil or criminal offence; the role-holder can only issue an “improvement notice”.

The consultation closes on 1 September. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/22/scottish_government_custody_image_promises/

Cisco smells a RAT in Breaking Security’s Remcos PC wrangler

Cisco Talos says criminals are using one research company’s testing tools to set up and run botnets.

A report released Wednesday by Talos researchers found that Breaking Security’s Remcos remote control tool and Octopus Protector encryption utility, along with other Breaking Security tools, are being used in the wild to set up and maintain botnets.

While Breaking Security – which did not respond to a request for comment – maintains in its ToS that its products are only for legit purposes and it will revoke the license for anyone who misuses its products, Cisco Talos claims the tools can easily be used as malware and misuse of the software is rampant.

“While the organization that sells Remcos claims that the application is only for legal use, our research indicates it is still being used extensively by malicious attackers, as well,” the report claims.

“In some cases, attackers are strategically targeting victims to attempt to gain access to organizations that operate as part of the supply chain for various critical infrastructure sectors.”


Among the attacks Talos says it has spotted are targeted campaigns against businesses in Turkey, Spain, Poland, and the UK, with the software mostly delivered as email attachments in spear-phishing attempts.

Once installed, Remcos can be used to monitor user activity, including keystroke logging, remote screenshots and command execution.

Because of this, Talos says it is classifying Remcos as a Remote Access Trojan (RAT) and is distributing a decoder script to help companies detect and remove Remcos from their systems. The researchers are also advising admins to screen for a Remcos installation and treat it as they would any other trojan or piece of malware.

“Organizations should ensure that they are implementing security controls to combat Remcos, as well as other threats that are being used in the wild,” the researchers write.

“Remcos is a robust tool that is being actively developed to include new functionality increasing what the attackers can gain access to. To combat this, organizations should continue to be aware of this threat, as well as others like this that may be circulated on the internet.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/22/cisco_smells_a_rat/

Hackers Use Public Cloud Features to Breach, Persist In Business Networks

Attackers are abusing the characteristics of cloud services to launch and hide their activity as they traverse target networks.

A new body of evidence indicates threat actors are using increasingly advanced techniques to target unsecured cloud users and leveraging features common to public cloud platforms to conceal activity as they breach and persist in target networks.

Data comes from the Threat Stack security team, which spotted the pattern over multiple years of observing behavior on client networks. It was in 2016 when they noticed attacks leveraging Amazon Web Services (AWS) were becoming more sophisticated, says CSO Sam Bisbee. The trend picked up in 2017.

The problem, the team notes, is not with AWS but with the way attackers are maliciously using it.

“These are not exploits or vulnerabilities in the AWS services and software,” Bisbee explains. “This is about the features and attributes of AWS leveraged by attackers in more sophisticated ways.”

In simpler attacks, actors typically steal AWS keys and seek direct paths to resources stored in open S3 buckets, or they launch a new Amazon Elastic Compute Cloud (EC2) instance to mine cryptocurrency. Sometimes they don’t have to look far: Misconfigured S3 buckets made a number of headlines in the past couple of years. Amazon emphasizes that S3 buckets are private by default; it also launched Macie to protect AWS S3 data and provides free bucket checks via Trusted Advisor.

While these less advanced techniques are still problematic, Bisbee says threats leveraging AWS are becoming more complex and targeted, with attacks launched on AWS features and combined with network-based intrusion attacks.

“In any industry and any platform, you’re constantly playing cat and mouse,” he says. “As blue teams and defenders become more sophisticated, the red team has to level up.”

How It Works
Most of these attacks start with credential theft, which Bisbee says is the most common initial entry point. An attacker can steal access keys or credentials via phishing attacks, by deploying malware that picks up usernames and passwords, or by snatching them from a GitHub repository where a developer has accidentally committed them.

Credentials secured, the next step is to figure out what level of permissions can be attained. If an actor realizes he doesn’t have what he needs, he may attempt to create additional roles or credentials in AWS and then launch a new EC2 instance inside the target environment. That only works, however, if the stolen credentials carry IAM permissions to create roles or users, which an IAM principal does not have by default.

“Typically, the way most AWS accounts are configured, I can deploy that AWS instance anywhere in your network that I want,” Bisbee says. It could go at the network’s edge or at its center, where an organization’s more interesting infrastructure and databases are located.

At this point, the attacker has established a beachhead in the network from which the target can be scanned. The attacker can move laterally from his EC2 instance in a traditional network attack chain, Bisbee explains, exploiting different hosts on the network.

Upon landing on a new host, the attacker checks the AWS permissions attached to that host’s instance role. If the attacker is only looking for a small amount of data, he can exfiltrate it through the terminal or the chain of compromised hosts, bypassing DLP tools. How much data is pulled depends on the actor and their motivation.

Who, Where, and Why
This behavioral pattern is typically seen in more targeted, persistent attack patterns, Bisbee says. Most actors are attempting to achieve access to specific pieces of data, and they’re generally hitting targets in popular industries, such as manufacturing, financial, and tech.

The amount of data sought depends on the target, he adds. If a company is storing healthcare information or voter records, the attacker is looking for data in bulk. If the attacker is targeting a media company, he may only want prereleased content or something more specific. Because data can be extracted by copying and pasting or snapping a screenshot, it’s hard to detect theft.

One reason the lateral movement in the AWS scenario was hard to detect is that most security monitoring techniques assume an attacker will want to dive deep into the host and escalate privileges. In this case, the actors were trying to move off the host layer and back into the AWS control plane, which most blue teams aren’t watching.

AWS “is just as critical as underlying servers,” Bisbee says. “You need to be monitoring all aspects of your environment.”

Amazon has deployed multiple services to boost AWS security. GuardDuty, a managed threat detection service, is designed to monitor for malicious or unauthorized behavior (unusual API calls, potentially unauthorized deployments) and help AWS users protect their accounts and workloads. Amazon Inspector, a separate service, automates security assessments of applications deployed on AWS.
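The chain Bisbee describes (a leaked key replayed from an unfamiliar address, permission reconnaissance, IAM persistence, an EC2 beachhead, and finally API calls from that instance back into the control plane) is exactly the kind of sequence control-plane monitoring can stitch together from CloudTrail. The following is an added example, not Threat Stack’s or Amazon’s code: a small correlator that walks CloudTrail-shaped records in time order, flags a long-lived key the first time it is used from an IP outside its baseline, and then attributes everything that key creates (new access keys, roles, instances) and everything those artefacts later do back to the original stolen key. The account identifiers, key ids, IP addresses, user and role names, instance id and the trail itself are constructed, and only the CloudTrail fields the correlator reads are populated.

```python
"""Correlate CloudTrail records into the stolen-key -> IAM persistence -> EC2
beachhead -> control-plane-return chain. Added example; all identifiers below
are constructed, not taken from a real account or trail."""
from collections import defaultdict

# CloudTrail eventNames that create or extend IAM principals (persistence).
IAM_PERSISTENCE = {"CreateUser", "CreateAccessKey", "CreateLoginProfile", "CreateRole",
                   "AttachRolePolicy", "AttachUserPolicy", "PutUserPolicy", "PutRolePolicy"}
# Calls an actor makes to learn what a freshly obtained key is allowed to do.
PERMISSION_RECON = {"GetCallerIdentity", "GetUser", "ListAttachedUserPolicies",
                    "ListUserPolicies", "GetAccountAuthorizationDetails"}

def rec(time, source, name, ip, ident, req=None, resp=None):
    """Build a CloudTrail-shaped record holding only the fields correlate() reads."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "sourceIPAddress": ip, "userIdentity": ident,
            "requestParameters": req or {}, "responseElements": resp or {}}

# Constructed identities: the developer whose key leaked, the user the attacker
# creates, and the role session of the instance the attacker launches.
DEV = {"type": "IAMUser", "userName": "dev-alice", "accessKeyId": "AKIAEXAMPLEDEV00001"}
NEW = {"type": "IAMUser", "userName": "backup-svc", "accessKeyId": "AKIAEXAMPLENEW00002"}
INST = {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLESESSION3",
        "principalId": "AROAEXAMPLEROLE:i-0abc123def456789a",
        "sessionContext": {"sessionIssuer": {"userName": "maint-role"}}}

# Constructed sample trail. 203.0.113.10 is the developer's usual office IP;
# 198.51.100.77 is where the leaked key is first replayed from.
SAMPLE_TRAIL = [
    rec("2018-08-20T09:02:11Z", "ec2.amazonaws.com", "DescribeInstances", "203.0.113.10", DEV),
    rec("2018-08-21T02:14:03Z", "sts.amazonaws.com", "GetCallerIdentity", "198.51.100.77", DEV),
    rec("2018-08-21T02:14:40Z", "iam.amazonaws.com", "ListAttachedUserPolicies", "198.51.100.77", DEV),
    rec("2018-08-21T02:16:02Z", "iam.amazonaws.com", "CreateUser", "198.51.100.77", DEV,
        req={"userName": "backup-svc"}),
    rec("2018-08-21T02:16:09Z", "iam.amazonaws.com", "CreateAccessKey", "198.51.100.77", DEV,
        req={"userName": "backup-svc"},
        resp={"accessKey": {"accessKeyId": "AKIAEXAMPLENEW00002", "userName": "backup-svc"}}),
    rec("2018-08-21T02:18:30Z", "iam.amazonaws.com", "CreateRole", "198.51.100.77", NEW,
        req={"roleName": "maint-role"}),
    rec("2018-08-21T02:21:55Z", "ec2.amazonaws.com", "RunInstances", "198.51.100.77", NEW,
        req={"iamInstanceProfile": {"name": "maint-role"}},
        resp={"instancesSet": {"items": [{"instanceId": "i-0abc123def456789a"}]}}),
    rec("2018-08-21T03:05:12Z", "iam.amazonaws.com", "ListUsers", "10.0.3.17", INST),
    rec("2018-08-21T03:05:40Z", "s3.amazonaws.com", "ListBuckets", "10.0.3.17", INST),
]

# Source IPs each long-lived key has previously been seen from (constructed;
# in practice derived from the preceding weeks of trail).
BASELINE_IPS = {"AKIAEXAMPLEDEV00001": {"203.0.113.10"}}

def correlate(trail, baseline):
    """Return {root_key: [(stage, eventName, detail), ...]} for every key whose
    activity walks the chain. Keys minted by a suspect key, and instances launched
    with them, are attributed back to the root stolen key."""
    chains = defaultdict(list)
    owner = {}       # any access key id -> root stolen key
    instances = {}   # instance id -> root stolen key
    for e in sorted(trail, key=lambda r: r["eventTime"]):
        ident, name, ip = e["userIdentity"], e["eventName"], e["sourceIPAddress"]
        key = ident.get("accessKeyId")
        if ident["type"] == "AssumedRole":
            iid = ident["principalId"].split(":")[-1]
            if iid in instances and e["eventSource"] != "ec2.amazonaws.com":
                # The beachhead instance is talking to the control plane rather than
                # to the workload: the hop host-centric monitoring tends to miss.
                chains[instances[iid]].append(("control_plane_return", name,
                    f"{iid} via {ident['sessionContext']['sessionIssuer']['userName']}"))
            continue
        if key in baseline and ip not in baseline[key] and key not in owner:
            owner[key] = key
            chains[key].append(("new_source_ip", name, ip))
        root = owner.get(key)
        if root is None:
            continue
        if name in IAM_PERSISTENCE:
            chains[root].append(("iam_persistence", name, e["requestParameters"]))
            new_key = e["responseElements"].get("accessKey", {}).get("accessKeyId")
            if new_key:
                owner[new_key] = root
        elif name == "RunInstances":
            for item in e["responseElements"].get("instancesSet", {}).get("items", []):
                instances[item["instanceId"]] = root
            chains[root].append(("ec2_beachhead", name,
                e["requestParameters"].get("iamInstanceProfile", {}).get("name")))
        elif name in PERMISSION_RECON:
            chains[root].append(("permission_recon", name, ip))
    return dict(chains)

def chain_is_complete(steps):
    """True when all four stages of the chain were observed for one root key."""
    stages = {s for s, _, _ in steps}
    return {"new_source_ip", "iam_persistence", "ec2_beachhead", "control_plane_return"} <= stages

if __name__ == "__main__":
    for key, steps in correlate(SAMPLE_TRAIL, BASELINE_IPS).items():
        print(key, "COMPLETE CHAIN" if chain_is_complete(steps) else "partial")
        for stage, name, detail in steps:
            print(f"  {stage:22} {name:24} {detail}")
```

The developer’s own office traffic never enters a chain, because the baseline IP check is the only entry point; everything after that is attribution, which is why the same key replayed from a new address followed by nothing more than `GetCallerIdentity` still surfaces as a partial chain worth a look. A per-key IP baseline is deliberately crude (NAT churn and travel produce false positives), so in production this would sit behind the GuardDuty findings mentioned above rather than replace them.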


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/cloud/hackers-use-public-cloud-features-to-breach-persist-in-business-networks/d/d-id/1332618?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple