STE WILLIAMS

Malicious Cryptomining & Other Shifting Threats

Skybox Security CMO Michelle Johnson Cobb discloses research results that include a spike in malicious cryptomining during Bitcoin’s peak, a shift to outside-the-perimeter mobile threats, and more.

Article source: https://www.darkreading.com/mobile/malicious-cryptomining-and-other-shifting-threats/v/d-id/1332588?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Researchers Find New Fast-Acting Side-Channel Vulnerability

A group of researchers from Georgia Tech have discovered a method for pulling encryption keys from mobile devices without ever touching the phones, themselves.

Researchers at Georgia Tech have found a side-channel attack that delivers the encryption key for a mobile device’s RSA implementation. Oh, and it gets the key without physical access to the device. And in a single transaction. The good news is that there are limits.

The team presented their paper, OneDone: A Single-Decryption EM-Based Attack on OpenSSL’s Constant-Time Blinded RSA, at the USENIX Security Symposium on Aug. 16. In the paper, they describe a method of “listening” to the electromagnetic signals generated by a processor whenever it is working on data. As they listen to the signals, they can convert them back into their native bits and capture the encryption key (and, frankly, any other data they wish) the first time it’s processed.

“This successfully gets the key in only one encryption or decryption so you don’t have to wait a long time,” says paper co-author Milos Prvulovic, professor of computer science at Georgia Tech. He explains that the attack, which uses a small antenna placed a few inches from the device, is different from most of the side-channel attacks seeking encryption keys.

“Most require the device to decrypt a specific, specially crafted message. Others look at very small differences in the signal and require a huge amount of data. Ours extracts the key directly from how the algorithm works,” he says. To prove the concept, the team performed research on, “… two Android-based mobile phones and an embedded system board, all with ARM processors operating at high (800 MHz to 1.1 GHz) frequencies…” according to the paper.

In the past, the team notes, capturing the very low-power signals generated by the processors would have required advanced, expensive radio receivers. Now, the paper states, receiving the signal is, “…well within the signal capture capabilities of compact commercially available sub-$1,000 software-defined radio (SDR) receivers such as the Ettus B200-mini.”

A remedy for the attack was proposed in the paper, and provided to RSA ahead of publication. The researchers were able to capture the encryption key, Prvulovic says, because, “The secret bits are examined by the program one at a time. So we were able to just read out the bits one at a time.” In their remediation, the researchers changed the implementation to read bits in parallel, rather than serial, fashion, making successful decryption a far more difficult and compute-intensive process.
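To make the serial-versus-parallel distinction in that remediation concrete, here is an added illustration in Python. It is not OpenSSL’s code and not the paper’s; `window_bits_serial`, `window_bits_parallel`, `modexp_fixed_window` and the `READS` counters are names chosen here. Both window-extraction routines drive the same fixed-window exponentiation and give the same answer, but the first examines the exponent one secret bit per step while the second fetches each whole window in a single shift-and-mask, which is the access pattern the article describes. Python integers are not constant-time, so this shows only the structure of the two approaches, not a secure implementation.

```python
# Illustration (not OpenSSL's or the paper's code) of reading exponent
# windows one bit at a time versus one window at a time.

# Counts of secret-dependent fetch steps performed by each extraction method.
READS = {"serial": 0, "parallel": 0}


def reset_counts():
    READS["serial"] = 0
    READS["parallel"] = 0


def window_bits_serial(exponent, top, width):
    """Build the window value by testing each secret bit in its own step.
    Every iteration handles exactly one exponent bit, so the sequence of
    operations tracks the key bit by bit."""
    value = 0
    for i in range(width):
        READS["serial"] += 1
        bit = (exponent >> (top - i)) & 1  # one secret bit per step
        value = (value << 1) | bit
    return value


def window_bits_parallel(exponent, top, width):
    """Fetch the whole window with one shift and one mask, so all `width`
    bits are consumed in a single operation."""
    READS["parallel"] += 1
    low = top - width + 1
    return (exponent >> low) & ((1 << width) - 1)


def modexp_fixed_window(base, exponent, modulus, width, get_window):
    """Left-to-right fixed-window exponentiation: precompute base^0..base^(2^w-1),
    then for each window square `width` times and multiply by the table entry.
    `get_window` is one of the two extraction routines above."""
    table = [1] * (1 << width)
    for k in range(1, 1 << width):
        table[k] = (table[k - 1] * base) % modulus
    nbits = exponent.bit_length()
    padded = ((nbits + width - 1) // width) * width  # align windows
    result = 1
    top = padded - 1
    while top >= 0:
        for _ in range(width):
            result = (result * result) % modulus
        w = get_window(exponent, top, width)
        result = (result * table[w]) % modulus
        top -= width
    return result


if __name__ == "__main__":
    e, m = 2**61 - 1, 1000003  # constructed sample values
    reset_counts()
    r1 = modexp_fixed_window(7, e, m, 5, window_bits_serial)
    r2 = modexp_fixed_window(7, e, m, 5, window_bits_parallel)
    assert r1 == r2 == pow(7, e, m)
    print("serial bit fetches:", READS["serial"], "window fetches:", READS["parallel"])
```

For a 61-bit exponent and 5-bit windows the exponent is padded to 65 bits, so the serial routine performs 65 single-bit fetches while the parallel one performs 13 window fetches; both results match Python’s built-in `pow`.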

Prvulovic says that their modification to the program makes the algorithm resistant to this particular attack, but other side-channel attacks may still be effective. A more potent defense, he says, comes from adhering to basic mobile-device hygiene. “All of these require close proximity, so you don’t put your phone down on a table at a coffee shop or airport and do banking,” Prvulovic says. “If you’re holding the phone in your hand, it’s highly likely you’re secure. If someone’s sufficiently close with a briefcase, then think about what you’re doing.”


Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/iot/researchers-find-new-fast-acting-side-channel-vulnerability/d/d-id/1332600?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

US rolls back cyberwarfare rules

The Trump administration has rolled back rules that outlined how to launch cyberattacks on other nations. The decision, which has been under consideration for much of the year, could herald a more hawkish approach to cyberwarfare within the US government.

Signed in 2012, the original Obama-era Presidential Policy Directive 20 (PPD-20) replaced a 2004 Bush-era policy called National Security Presidential Directive (NSPD)-38. The government refused to publish the document at the time, but it was leaked as part of the Snowden files. It outlined Defensive Cyber Effects Operations (DCEO) and Offensive Cyber Effects Operations (OCEO). OCEO could focus on targets specified by the government, and would…

offer unique and unconventional capabilities to advance US national objectives around the world with little or no warning to the adversary or target and with potential effects ranging from subtle to severely damaging

PPD-20 argued that it simply formalised existing policies, and outlined a swathe of processes and restrictions governing cyberwarfare. For example, it would seek consent from countries in which cyber operations took place unless they were military actions, or unless the president decided that asking for consent would go against US national interests.

The rules also called for a multi-agency effort to establish criteria and procedures for responding to persistent malicious cyberactivity by other nations against US national interests.

Directive 20 outlined bureaucratic restrictions on these cyberwarfare capabilities. The US government would reserve their use for circumstances when network defence or law enforcement measures were insufficient. It also said that it would conduct defensive cyberspace actions with the least intrusive methods feasible to mitigate a threat. And it vowed to obtain the consent of network or computer users for the US government to take cyber measures on their behalf.

It contained extensive sections outlining the need to coordinate these cyber capabilities with other government functions, including financial, intelligence and law enforcement, in what it called a “whole-of-government” approach. Policy criteria included how operations were located and their potential effects, the methods used, and their risks and potential impact. It also explicitly outlined civil liberties as a policy consideration when considering offensive and defensive cyber-actions.

Rolling back these rules removes a layer of inter-agency bureaucracy that the government had to follow before launching cyberattacks on overseas adversaries. Insiders have called their removal an “offensive step forward”, according to a Wall Street Journal report.

Reactions to the Obama-era Directive over the past few years have been mixed. Some experts have argued that it was necessary to introduce checks and balances before launching a cyberattack and to prevent one from wrecking other government operations by mistake or sparking other unintended consequences.

On the other hand, lawmakers have expressed frustration with the approval process, calling it “slow as molasses”, at a time when the cybersecurity stakes have never been higher. Reports of successful attacks on political campaigns from Microsoft and others have mounted in the approach to the 2018 US midterm elections. In March, the Trump administration also called out Russia for attacking US electrical networks.

This is the latest move in a cybersecurity policy shakeup at the White House. In May, newly-appointed national security advisor John Bolton removed the position of cybersecurity coordinator from the National Security Council. This stood in stark contrast to the Obama administration’s support for elevating the position.

Officials have said that the White House has replaced PPD-20 with something else, but any further information is classified.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Frx061xY3QE/

‘Foreshadow’ flaw found in Intel CPUs – what to do

For Intel and more than a billion computers that depend on Intel CPUs, the microprocessor flaws just keep coming.

This time, the company was the bearer of its own bad news when it disclosed a weakness dubbed ‘Foreshadow/Foreshadow-NG’ in a security technology called Software Guard Extensions (SGX) that has been baked into new CPU chips since 2015.

Intel said that Foreshadow was first reported to it by two sets of researchers in January 2018. The vulnerability affects secure enclaves set up by SGX chip instructions, and has been assigned CVE-2018-3615.

Looking into this, the company’s own researchers then discovered further variants that extended the weakness to new SGX-enabled chips running virtual machines or hypervisors.

These additional vulnerabilities have been assigned CVE-2018-3620 and CVE-2018-3646 respectively.

Intel got wind of Foreshadow’s existence only days after the world was told about the Meltdown and Spectre mega-flaws.

Since then, there has been a slow drip of new CPU flaws, including reports of something called Spectre-NG in May, of which Foreshadow is the latest and perhaps most significant example.

What is Foreshadow?

Foreshadow – described in Intel-speak as a “side-channel method called L1 Terminal Fault (L1TF)” – is a weakness in a chip design feature called speculative execution that could allow a hypothetical attacker to access encrypted data being held in the chip’s special SGX enclave.

These enclaves are effectively isolated areas of chip memory that the processor can allocate to applications to keep sensitive data out of the reach of other software, including malware.

The gist of Foreshadow is that the data in a secure enclave could, in theory, be copied elsewhere and then accessed.

Foreshadow-NG goes one step further:

Foreshadow-NG might also be used to read information stored in other virtual machines running on the same third-party cloud, presenting a risk to cloud infrastructure.

Which CPUs are affected?

If you bought an Intel system after late-2015 (Skylake onwards) there’s a high chance it will contain an affected CPU (AMD and other vendors that don’t use SGX are not at risk):

  • Intel Core i3/i5/i7/M processor (45nm and 32nm)
  • 2nd/3rd/4th/5th/6th/7th/8th generation Intel Core processors
  • Intel Core X-series Processor Family for Intel X99 and X299 platforms
  • Intel Xeon processor 3400/3600/5500/5600/6500/7500 series
  • Intel Xeon Processor E3 v1/v2/v3/v4/v5/v6 Family
  • Intel Xeon Processor E5 v1/v2/v3/v4 Family
  • Intel Xeon Processor E7 v1/v2/v3/v4 Family
  • Intel Xeon Processor Scalable Family
  • Intel Xeon Processor D (1500, 2100)

Patching and mitigation

Systems that have already applied the firmware updates made available by Intel earlier this year, in addition to applicable OS updates (see Microsoft’s advice), should already be protected against Foreshadow, Intel said.

However, in datacentres running hypervisors that are vulnerable to Foreshadow-NG, things get more complicated, for reasons Intel has explored in a video.

Said Intel of these mitigations:

These actions may include enabling specific hypervisor core scheduling features or choosing not to use hyper-threading in some specific scenarios.
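As an added defender-side check (not Intel’s or the article’s code): Linux kernels with the L1TF mitigation report its state in /sys/devices/system/cpu/vulnerabilities/l1tf. The script below reads that file, classifies the status (whether the host mitigation is in place, what the hypervisor/VMX side reports, and whether SMT is still exposed) and maps it to the kind of action the article mentions. `classify_l1tf`, `advise` and `read_l1tf` are names chosen here, and the example status strings are constructed following the wording the kernel documents, not captured from a real machine.

```python
# Added check: parse the Linux kernel's L1TF (Foreshadow) status from sysfs.
# Not Intel's tooling; the status strings in the docstring are constructed
# examples in the format the kernel documents.
from pathlib import Path

L1TF_SYSFS = Path("/sys/devices/system/cpu/vulnerabilities/l1tf")


def classify_l1tf(status):
    """Parse one l1tf status line into a dict. Constructed examples of the
    documented wording:
      'Not affected'
      'Vulnerable'
      'Mitigation: PTE Inversion'
      'Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable'
      'Mitigation: PTE Inversion; VMX: cache flushes, SMT disabled'
    """
    s = status.strip()
    info = {
        "raw": s,
        "affected": s != "Not affected",
        "host_mitigated": s.startswith("Mitigation:"),  # PTE inversion present
        "vmx": None,           # hypervisor-side part of the status, if any
        "smt_exposed": None,   # True when the kernel says SMT is still vulnerable
    }
    if "VMX:" in s:
        vmx = s.split("VMX:", 1)[1].strip()
        info["vmx"] = vmx
        info["smt_exposed"] = "SMT vulnerable" in vmx
    return info


def advise(info, runs_untrusted_guests=False):
    """Map a parsed status to the kind of action the article describes."""
    if info is None:
        return "unknown: kernel does not expose l1tf status; update kernel and microcode"
    if not info["affected"]:
        return "no action: CPU not affected"
    if not info["host_mitigated"]:
        return "patch: apply kernel and microcode updates (host mitigation missing)"
    if runs_untrusted_guests and info["smt_exposed"]:
        return "hypervisor: enable core scheduling or disable SMT for untrusted VMs"
    return "ok: host mitigated" + ("; VMX: " + info["vmx"] if info["vmx"] else "")


def read_l1tf(path=L1TF_SYSFS):
    """Return the parsed status, or None when the kernel does not provide the file."""
    try:
        return classify_l1tf(path.read_text())
    except (FileNotFoundError, PermissionError):
        return None


if __name__ == "__main__":
    print(advise(read_l1tf(), runs_untrusted_guests=True))
```

Run it on a host; on a kernel too old to expose the file it reports “unknown” rather than silently passing, which is the safer default for a fleet check.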

Clearly, Intel’s long-term solution is to design these weaknesses out of future CPUs. Given how many are now piling up, this will take time.

As with Meltdown and Spectre, there is no evidence that anyone has exploited Foreshadow, nor would it be an obvious target for an attacker when there are so many easier software weaknesses to pick on.

Nevertheless, while these are all proof-of-concept flaws for now, it’s hard to escape the feeling that chip makers and their customers have a lot of work ahead of them.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/qXvgVDonxC8/

Apple gets cored: 90GB of ‘secure files’ stolen by high schooler

A high school student in Melbourne, Australia, hacked Apple servers multiple times, got his hands on 90GB worth of “secure” files, and stuck the loot in a folder titled “hacky hack hack”.

On Thursday, he pleaded guilty in an Australian children’s court.

Details are sketchy, but it sounds like the teen – who’s described as being well-known in hacking circles – probably used virtual private networks (VPNs), Tor and other tools to try to hide his tracks.

At any rate, Australian newspaper The Age reported that the high schooler, who can’t be named because he’s a minor, developed “computerized tunnels and online bypassing systems” to exfiltrate the files.

But, try as he might, he got tracked down: Apple’s systems recorded the serial numbers of the MacBooks from which the attacks were launched. The Age reports that prosecutors told the court that the Australian Federal Police (AFP) raided the teen’s home last year.

Prosecutors told the court that police seized two Apple laptops and that the serial numbers matched those of the devices that accessed Apple’s servers. The IP addresses of a seized mobile phone and a disk device also matched up with what Apple had recorded.

Prosecutors said that the boy’s “computerized tunnels” had “worked flawlessly” – until, that is, they didn’t, and he was caught.

Apple contacted the FBI after detecting and shutting down the intrusions, sparking what The Age called a “major international investigation”. During the investigation, the FBI passed its allegations on to the AFP.

The AFP found the hacking software used to launch the attacks on the boy’s laptop, tucked into that “hacky hack hack” folder along with the stolen files and a “litany of hacking files” on the laptop and a hard drive.

The mobile phone was used to let others know about his successful forays: he posted about them using the end-to-end encrypted messaging app WhatsApp.

The teen’s lawyer says his client’s motivation was an infatuation with Apple: the boy did it “because he was such a fan of the company” and hoped to work there some day.

If the high schooler hasn’t figured it out already, the penny will drop soon: “hacking your servers” isn’t the best thing to put on your resume. Even if you’re applying to work for a penetration testing company, you might as well save everybody some time and instead write “I break the law in my spare time!”

Beyond the story of a kid getting caught is the fact that a 16-year-old could break into servers at Apple, which, rightfully or not, has a reputation for solid security. We don’t have much detail on what information was compromised, though Mac Rumors mentioned that customer account details were involved.

Apple account details played a starring role in the multiple thievery sprees we saw a few years back, which resulted in waves of celebrity nude photos being stolen. We were up to Celebgate 3.0 as of a year ago, when Miley Cyrus found herself among the most recent victims.

But according to the FBI, Celebgate thefts were carried out by a ring of attackers who launched phishing and password-reset scams on celebrities’ iCloud and email accounts.

One of them, Edward Majerczyk, got to his victims by sending messages doctored to look like security notices from ISPs. Another Celebgate convict, Ryan Collins, chose to make his phishing messages look like they came from Apple or Google.

Did the Australian teen also launch phishing attacks?

If so, there was apparently no word about it from the prosecutors. Apple could certainly clear up the details, but it’s been publicity-shy about this case. It’s easy to see why: it could point to vulnerabilities that Apple is surely scrambling to fix.

I contacted Apple. If it loosens its zipped lip, I’ll update the post with whatever I learn.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/QZhZDTWmqow/

Most staffers expect bosses to snoop on them, say unions

The TUC, a federation of trade unions in England and Wales, is lobbying to gain a legal right to be consulted on surveillance in the workplace, as it opened up on staffers’ growing concerns about their bosses snooping on them.

In a report published today, the TUC took aim at inappropriate surveillance, warning that intrusive tech could, at worst, interfere with people’s rights to privacy and at best damage staff morale.

As part of the work, it commissioned a survey to which some 2,000 workers responded – and more than half believed it’s likely they are monitored at work.

The survey found that, in general, the more common types of surveillance were more acceptable, and more staff expected them to be used or saw the benefits of their use.

For instance, 49 per cent said it was likely their employers monitored emails, files and browsing histories, 45 per cent said they would use CCTV and 42 per cent said they used phone logs, including call records.

However, a number of respondents also pointed to newer techniques, such as facial recognition (15 per cent) and location tracking – 40 per cent said the company tracked assets like phones and about 21 per cent said they used handheld or wearable location-tracking devices.

Just over 20 per cent said it was likely their work used computer webcams for snooping, and 26 per cent thought they used keystroke logging software.

And about a third thought that their social media use outside of work was monitored – which almost 70 per cent of respondents said was unacceptable.

But the least palatable type of surveillance was facial recognition software, which 76 per cent said was unacceptable.

The TUC said this was probably because people struggled to see the justification for these types of surveillance; by contrast bag checks and monitoring calls or emails made more sense.

However, the survey also showed concerns that surveillance would be used in a discriminatory way to target a specific group, for instance one interviewee said junior employees were tracked more than senior staffers.

Individual monitoring was another worry, with about two-thirds of respondents saying webcam monitoring was unacceptable, while CCTV was more palatable because it is at a distance and will track everyone in that area.

Others said they were uncomfortable with the idea that employers could build up a bank of data that they could scour for mistakes and cherry-pick them to take disciplinary action if they took a disliking to someone.

Another line was tracking staff out of hours – 74 per cent said employers shouldn’t be able to do this, with social media snooping being, unsurprisingly, vastly unpopular.

The TUC noted, though, that this wasn’t just about embarrassing past incidents, it could dissuade people from engaging in union activities and recommended it be unlawful for an employer to victimise members for using social media to organise campaigns.

Nonetheless, the union acknowledged the benefits of properly used surveillance, such as health and safety and the ability to demonstrate staff had toed the line in case of customer complaints.

It also noted data protection and privacy laws that govern employers’ use of surveillance – but said that many staff aren’t aware of these rights, or feel unable to challenge surveillance they think is unfair.

As such, it called for trade unions to be granted a legal right to be consulted on and to agree in advance the use of electronic monitoring and surveillance at work.

The government should also introduce tougher regulation to prevent the use of excessive or intrusive surveillance in the workplace, and ask the Information Commissioner’s Office to update the employment codes of practice to include new forms of technology. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/17/most_staffers_expect_bosses_to_snoop_on_them_says_tuc/

Shiver me timbers: Symantec spots activist investor Starboard side

Security slinger Symantec is facing a bruising battle with activist investor Starboard Value, which has nominated five directors to the security firm’s board after having amassed a 5.8 per cent shareholding.

Symantec is the outfit that spun off its Veritas storage products business to private equity for $8bn in late 2015. The infosec firm acquired it in a $13.5bn deal back in 2004.

A board committee “is evaluating the nominations put forth by Starboard”, Symantec admitted in a statement.

Stockholders will be able to vote on director nominations at Symantec’s next AGM, currently not scheduled.

The firm added: “Symantec maintains open communications with its stockholders and values constructive input that advances the goal of creating value for all stockholders. Over the last several weeks, we have had a dialogue with Starboard and we plan to continue these discussions.“

Since Symantec spun off Veritas it has been through a turbulent period. CEO Mike Brown jumped ship in April 2016 after Symantec missed fourth 2016 quarter sales projections. A layoff of up to 1,200 people was announced shortly thereafter.


Greg Clark is the current CEO, joining via a BlueCoat acquisition in August 2016.

Financially Symantec is in a lacklustre state. Its fiscal 2018 results showed revenues of $4.846bn, up 21 per cent annually, with net income of $1.147bn, compared to a net loss in the previous year of $106m.

Revenues in its first fiscal 2019 quarter (PDF), ended June 29, 2018, were $1.156bn, down 1.6 per cent from $1.175bn a year ago, with a net loss of $63m, albeit better than the year-ago net loss of $133m.

However, first quarter enterprise implied billings were below expectations due to longer than expected sales cycles for large, multi-product platform sales in North America.


Symantec downgraded its full-year guidance and its shares are down 31 per cent over the last 12 months.

In fact they are down 40.8 per cent from a September 2017 peak of $32.81 to $19.41 today – great grist for an activist investor’s shareholder value mill.

It announced a restructuring plan on August 2 which involved an up to 8 per cent reduction in its workforce by the end of its fiscal 2019 year.

To add to its woes, Symantec is running an internal audit following “concerns raised” by a former employee, which were made known to the SEC.

Due to this probe, it is also out of compliance with Nasdaq rules regarding filing its quarterly report for its Q1 of fiscal ’19.

The activist investor playbook generally involves increasing shareholder value by somehow returning money to shareholders and specifically the activist investor through its stockholding. It achieves this by forcing/encouraging a change in corporate strategy to “free up” money by cost savings and business strategy changes.

That can be achieved by getting supportive directors on the target company’s board, either with the company’s agreement or via a proxy vote, relying on disappointed stockholders supporting the activist investor’s views.

Starboard has not spelled out publicly what it wants Symantec to do, however, with these nominations, has positioned its forces on the financial battleground, indicating a proxy fight tactic could be in its Symantec strategy. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/17/symantec_starboarded_by_activist_investors/

Web cache poisoning just got real

BSides Manchester Websites can be compromised to turn their caches into exploit delivery systems.

James Kettle of Portswigger, the firm behind Burp Suite, has developed hacking approaches to go beyond previous cache poisoning techniques.

Caching is designed to speed up page loads by reducing latency while also reducing the load on the application server. Some organisations host their own cache using software like Varnish, and others opt to rely on a Content Delivery Network such as Cloudflare, with caches scattered across geographical locations. Also, some popular web applications and frameworks like Drupal – a popular content management system – have a built-in cache.

Web cache poisoning is geared towards sending a request that causes a harmful response that then gets saved in the cache and served to other users.

Kettle’s research focused on looking at how it might be possible to poison caches using unkeyed inputs[1] such as HTTP headers. Other, likely less fruitful trickery, such as request smuggling (PDF) might also be possible, as Kettle is careful to note.

Cache poisoning isn’t an end in itself but rather a way to open the door towards the exploitation of secondary vulnerabilities such as XSS (cross-site scripting) in the unkeyed input. Done correctly, this creates a mechanism to cause a response that will execute arbitrary JavaScript against whomever attempts to view a particular resource on a targeted website through its cache.

In spite of its “fearsome reputation”, cache poisoning is often very easy to exploit, Kettle discovered when he began experimenting with the attack, exclusively targeting websites with researcher-friendly policies.

Mr Robot

The researcher said he was able to compromise Mozilla’s infrastructure and partially hijack a notorious Firefox feature[2], related to a badly thought-through add-on designed to promote hacking-themed show Mr Robot. The approach theoretically would have allowed Kettle to co-opt millions of Firefox browsers as a low-fat botnet.

The potential for mischief was somewhat curtailed by controls that meant only code signed by Mozilla could be pushed in this way but it nonetheless posed the potential to cause problems, as Kettle explained.

“The recipes used by Firefox were signed so I couldn’t just install a malicious add-on and get full code execution, but I could direct tens of millions of genuine users to a URL of my choice,” he said. “Aside from the obvious DDoS usage, this would be extremely serious if combined with an appropriate memory corruption vulnerability.

“Also, some backend Mozilla systems use unsigned recipes, which could potentially be used to obtain a foothold deep inside their infrastructure and perhaps obtain the recipe-signing key. Furthermore, I could replay old recipes of my choice which could potentially force mass installation of an old known-vulnerable extension, or the unexpected return of Mr Robot.”

Kettle reported the issue to Mozilla and it patched its infrastructure in under 24 hours but there was some disagreement about the severity of the problem, so the exploit only attracted a bug bounty of $1,000.

The researcher discovered problems in another direction after he expanded the header wordlist by downloading and scouring the top 20,000 PHP projects on GitHub for header names.

“This revealed the headers X-Original-URL and X-Rewrite-URL which override the request’s path,” Kettle explained. “I first noticed them affecting targets running Drupal, and digging through Drupal’s code revealed that the support for this header comes from the popular PHP framework Symfony, which in turn took the code from Zend.”

He added: “The end result is that a huge number of PHP applications unwittingly support these headers.”

These headers are “great for bypassing WAFs and security rules” as well as offering an avenue for cache poisoning, according to Kettle. If an application uses a cache, these headers can be abused to confuse it into serving up incorrect pages.
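The mechanism behind both the unkeyed-input case above and the path-override headers just described, as an added toy model in Python that is not Portswigger’s, Drupal’s or Symfony’s code and models no real cache or framework. It assumes a cache keyed on path and `Host` only (the usual default), a hypothetical `X-Forwarded-Host` header that the vulnerable application reflects into a script URL, and the `X-Original-URL` override the article names; host names, paths and page contents are constructed. `victim_sees` runs one request carrying the attacker’s extra headers and then a normal request for the same page, and returns what the second user gets. The hardened origin beside it shows the two defences: do not let unkeyed inputs influence the response (route on the request path, honour override headers only behind a trusted proxy, take the host from the keyed and allow-listed `Host`), or make the cache key include the input.

```python
# Constructed toy model of web cache poisoning through unkeyed request headers.
# Not Portswigger's, Drupal's or Symfony's code; no real cache or framework.
# Host names, paths, page content and header handling are illustrative assumptions.
from dataclasses import dataclass
from html import escape

ALLOWED_HOSTS = {"www.example.test"}  # hypothetical canonical host
PAGES = {                              # hypothetical routed content
    "/download": '<a href="/files/installer.exe">Download installer</a>',
    "/robots.txt": "User-agent: *\nDisallow:",
}


@dataclass
class Request:
    path: str
    headers: dict


@dataclass
class Response:
    status: int
    body: str
    cacheable: bool = True


def vulnerable_origin(req):
    """Two unkeyed inputs reach the response: X-Forwarded-Host is reflected
    into a script URL, and X-Original-URL silently overrides the routed path."""
    path = req.headers.get("X-Original-URL", req.path)
    host = req.headers.get("X-Forwarded-Host") or req.headers.get("Host", "")
    page = PAGES.get(path)
    if page is None:
        return Response(404, "not found", cacheable=False)
    return Response(200, f'<script src="//{host}/static/app.js"></script>{page}')


def hardened_origin(req, trusted_proxy=False):
    """Routes only on the request path, honours the override header only when
    the request came through a trusted proxy (assumption), and derives the host
    from the keyed, allow-listed Host header, escaped before it reaches HTML."""
    path = req.headers.get("X-Original-URL", req.path) if trusted_proxy else req.path
    host = req.headers.get("Host", "")
    if host not in ALLOWED_HOSTS:
        return Response(400, "bad host", cacheable=False)
    page = PAGES.get(path)
    if page is None:
        return Response(404, "not found", cacheable=False)
    return Response(200, f'<script src="//{escape(host)}/static/app.js"></script>{page}')


class Cache:
    """Shared cache keyed on path plus selected headers (Host only by default,
    the common out-of-the-box behaviour). Every other header is unkeyed."""
    def __init__(self, keyed_headers=("Host",)):
        self.keyed_headers = keyed_headers
        self.store = {}

    def key(self, req):
        return (req.path,) + tuple(req.headers.get(h, "") for h in self.keyed_headers)

    def fetch(self, req, origin):
        k = self.key(req)
        if k not in self.store:
            resp = origin(req)
            if resp.status == 200 and resp.cacheable:
                self.store[k] = resp  # poisoned or not, this is what later users get
            return resp
        return self.store[k]


def victim_sees(origin, attacker_headers, path="/download", keyed_headers=("Host",)):
    """One request with extra (unkeyed) headers, then a normal request for the
    same path. Returns the body the second, innocent user receives."""
    cache = Cache(keyed_headers)
    base = {"Host": "www.example.test"}
    cache.fetch(Request(path, {**base, **attacker_headers}), origin)
    return cache.fetch(Request(path, base), origin).body


if __name__ == "__main__":
    print(victim_sees(vulnerable_origin, {"X-Forwarded-Host": "evil.net"}))
    print(victim_sees(vulnerable_origin, {"X-Original-URL": "/robots.txt"}))
    print(victim_sees(hardened_origin, {"X-Forwarded-Host": "evil.net"}))
```

With the vulnerable origin the innocent user receives either a script tag pointing at the attacker’s host or the content of a different page (the local route poisoning the article describes); with the hardened origin, or with the offending header added to the cache key, they receive the clean page. Keying on more headers protects the cache but also fragments it, which is why removing the unkeyed influence from the response is the better fix.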

Unity through strife

One attack (which Kettle christened as “local route poisoning”) allows someone to replace a path with another path. The end result is that after sending this request, anyone who tries to access the Unity for Education webpage is liable to get a bit of a surprise.

[Image: Unity for Education gets a makeover through a variant of web cache poisoning (source: Portswigger blog post)]

Other related security flaws create a means for hackers to override the query string. This, when combined with Drupal’s open redirect, created “building blocks” for hacker exploitation.

“We can combine the parameter override attack with the open redirect to persistently hijack any redirect,” Kettle explained, adding that pages on pinterest.com are among sites that are vulnerable.

Nested cache poisoning, a two-stage attack, was also possible. “If the site uses an external cache (like virtually all high-traffic Drupal sites), we can use the internal cache to poison the external cache, and in the process convert any response into a redirection,” Kettle explained.

The practical upshot, as demonstrated by Kettle, is that clicking “Download installer” on unity.com would download some opportunistic malware from evil.net.

This vulnerability was disclosed to Drupal, Symfony and Zend in May.

Kettle cited Mozilla and Drupal as particular examples during a well received presentation at BSides Manchester on Thursday, which he delivered days after unveiling his research at Black Hat in Las Vegas. Other sites also had problems and the response from them was mixed, he said in a blog post.


The response from my targets was mixed; Unity patched everything swiftly and rewarded well, Mozilla at least patched quickly, and others including data.gov and Ghost did nothing for months and only patched due to the threat of imminent publication.

Many of these case studies exploit secondary vulnerabilities such as XSS in the unkeyed input, and it’s important to remember that without cache poisoning, such vulnerabilities are useless as there’s no reliable way to force another user to send a custom header on a cross-domain request. That’s probably why they were so easy to find.

How to protect yourself

Kettle said that websites should either test to make sure they are not vulnerable or restrict the use of caching in order to avoid potential problems.

“The most robust defence against cache poisoning is to disable caching,” Kettle advised. “This is plainly unrealistic advice for some, but I suspect that quite a few websites start using a service like Cloudflare for DDoS protection or easy SSL, and end up vulnerable to cache poisoning simply because caching is enabled by default.”

“Restricting caching to purely static responses is also effective, provided you’re sufficiently wary about what you define as ‘static’,” he added.

Simply placing a cache in front of a website can take it from secure to vulnerable, Kettle warned.

“Web cache poisoning is far from a theoretical vulnerability, and bloated applications and towering server stacks are conspiring to take it to the masses,” Kettle concluded. “Web cache poisoning has long been an elusive vulnerability, a ‘theoretical’ threat used mostly to scare developers into obediently patching issues that nobody could actually exploit.” ®

[1] Unkeyed inputs refer to parts of a request that a cache ignores, such as the type of browser a user is using, for example. An open source Burp Suite extension called Param Miner automates the process of identifying unkeyed inputs.

[2] Firefox maintained a list of “recipes” as part of its SHIELD system for silently installing extensions for marketing and research purposes. Mr Robot was among the products promoted using the approach, which triggered something of a backlash.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/17/web_cache_poisoning/

The Rise of Bespoke Ransomware

Drawing from a recent study by SophosLabs, Principal Research Scientist Chester Wisniewski highlights a shift to the rise of more targeted and sophisticated ransomware threats, such as SamSam.

Article source: https://www.darkreading.com/vulnerabilities---threats/the-rise-of-bespoke-ransomware/v/d-id/1332578?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Simplifying Defense Across the MITRE ATT&CK Matrix

Endgame’s Mark Dufresne says SOCs can achieve better results within their existing staff and budget constraints with AI- and visualization-empowered, unified defense across the MITRE ATT&CK™ matrix.

Article source: https://www.darkreading.com/operations/simplifying-defense-across-the-mitre-attandck-matrix/v/d-id/1332579?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple