STE WILLIAMS

BLACK HAT USA 2018 – Las Vegas – Parisa Tabriz, director of engineering at Google, today shared the story of how the company made the switch to enforce HTTPS in Chrome, as well as lessons she learned in collaboration, management, and perseverance over the course of the multiyear project.

As Black Hat founder Jeff Moss put it in his introduction, there are “maybe 20 companies in the world who are in a position to actually do something about raising the level of security and resiliency for all of us.”

Google is one of them. “Anything Google does that is an improvement essentially impacts us all,” Moss added. Recently, for example, the company reached the end of a years-long initiative to label HTTP websites as “not secure” in an effort to push Web developers to embrace HTTPS encryption. The change went into effect last month with the release of Chrome 68; now HTTP sites display an alert to visitors.

The change wasn’t an easy one, as conference attendees learned today during Tabriz’s keynote. She began her talk by detailing what she believes are the key steps to success in information security, and then weaved these points into the story of how HTTPS enforcement went from bold idea to reality.

Tabriz’s first – and foremost – point: “Identify and tackle the root cause of the problems we uncover and not just be satisfied with isolated fixes.”

She pointed to Project Zero, a team of Google security analysts tasked with finding zero-day bugs. The group was created in 2014 to hunt vulnerabilities in operating systems, browsers, antivirus software, and other tech. Its goal is to better understand offensive security as a means of understanding exploitation against defenders and ultimately lead to structural improvement and better security, Tabriz explained.

Her second point: “We have to be more intentional in how we improve long-arc defensive projects.”

Staying motivated to see an effort through over a long period of time, as certain projects can take years depending on their scale, is crucial. As part of this, Tabriz emphasized the importance of identifying milestones, working toward those milestones, and celebrating progress along the way. 

Her third point: build a coalition of champions and supporters outside security so the team’s efforts are successful. “There’s an understanding we’re generally working on similar goals,” she said, adding that the cost of building exploits against high-profile targets has increased due to the efforts of people working together to address root causes of bad security.

Enforcing HTTPS: Idea to Implementation
Tabriz’s ideas are evident in the story of Google’s move to enforce HTTPS on the Chrome browser. 

“We wanted to make the risk of unencrypted traffic more comprehensible and also more consistent,” she explained. The team had a clear vision of what that state should look like but knew it would take many years to achieve it. After all, the Web isn’t an entity owned by any one person or institution, she noted, and they had to navigate an “ecosystem of constraints and incentives” – including industry organizations and browsers with different standards, proprietary ideas, and technology – in the process.

“To make a change like this it had to be gradual, and it had to be very intentional,” Tabriz said. The process began back in 2014 with brainstorming how to change the browser’s user interface, and continued in 2015 with a public UI proposal. Going public with the idea led to support and sentiment from the broader infosec community, which helped convince Chrome leadership this was worth pursuing.

Over the course of the project, Tabriz emphasizes the importance of celebrating milestones to keep up morale. The team created stickers of icons from their UI designs, for example, when those were finalized. 

Tabriz also pointed to the myriad ways in which their work could have failed to demonstrate lessons learned. Management could have killed the project, for example, when the timeline turned out to be years longer than anticipated. Because the team was able to regularly articulate progress and demonstrate positive impact in terms of overall code health, they were never told to discontinue the project. When the benefits aren’t immediately clear, it’s important to get people invested in the project’s success.

The HTTPS push also could have failed without broader support from Google’s leadership and external parties. The team worked with several Web standards groups to communicate the change, she explained, and the ability to kill progress could have come from outside the company.

“We rely on everyone working in technology to clear the path for a safer future,” Tabriz said.

Related Content:

• 6 Ways DevOps Can Supercharge Security
• Understanding Firewalls: Build Them Up, Tear Them Down
• Breaking Down the PROPagate Code Injection Attack
• Expect API Breaches to Accelerate

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial … View Full Bio

Article source: https://www.darkreading.com/endpoint/google-engineering-lead-on-lessons-learned-from-chromes-https-push/d/d-id/1332519?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

BLACK HAT USA – Las Vegas – A team of ICS experts who spent the past year studying and re-creating the so-called TRITON/TRISIS malware that targeted a Schneider Electric safety instrumented system (SIS) at an oil and gas petrochemical plant has developed open source tools for detecting it.

Researchers from Nozomi Networks, along with independent ICS expert Marina Krotofil, previously with FireEye, today demonstrated how the malware works, as well as a simulation of how it could be used to wage a destructive attack. TRITON/TRISIS was discovered in 2017 in a Middle Eastern plant after an apparent failure in the attack shut down its Triconex safety systems. No official payload was ever deployed or found, so researchers, to date, have only been able to speculate about the attackers’ ultimate plans.

Nozomi Networks recently released the TriStation Protocol Plug-in for Wireshark that the researchers wrote to dissect the Triconex system’s proprietary TriStation protocol. The free tool can detect TRITON malware communicating in the network, as well as gather intelligence on the communication, translate function codes, and extract PLC programs that it is transmitting.

The researchers today added a second free TRITON defense tool, the Triconex Honeypot Tool, which simulates the controller so that ICS organizations can set up SIS lures (honeypots) to detect TRITON reconnaissance scans and attack attempts on their safety networks.

Andrea Carcano, founder and chief product officer at Nozomi, says he and his team re-created the attack in their lab, and found that writing custom malware like TRITON/Trisis would not be as difficult or as expensive as you’d think. TriStation software sells for about $3, for example, on one e-commerce website in China, and the hardware sells for anywhere from $5,000 to $10,000 on eBay and Alibaba. The TriStation engineering software file names have information on the software architecture and structure, Carcano said.

“Everyone believed this malware was more sophisticated,” he says. “But if you have a little knowledge and patience, you can go online and download the manuals, software, and buy a Triconex controller on eBay like we did … and build the attack in your house.”

Schneider Electric, meanwhile, maintains that a TRITON-type attack would require a skilled threat actor. Andy Kling, director of cybersecurity and system architecture for Schneider, notes that even if an attacker had the Triconex equipment on hand, the attacker would still need to understand how it works. “You’d still need to have a certain level of understanding of how not to step on the safety program and how to stealthily inject this malware into the device,” he says. “Those skills, we believe, are still pretty high.”

Kling says Schneider is still operating under the same working theory that the TRITON malware was “in development” and that the attackers likely hadn’t yet completed their malware arsenal for fully deploying the remote access Trojan. “Or perhaps they had another team and they had not gotten to the final payload piece,” he said.

Liam O’Murchu, director of security technology and response at Symantec, says there are still plenty of questions surrounding the intention of the attack and whether it was a test-run or a failed attack. “Was it a competitor trying to take over another competitor? That’s one suspicion about it,” he says. “They were specifically focused on that particular target.”

During its forensic investigation of the attack, Schneider wrote its own malware detection tool for TRITON. “We have been running the program to help our customers see if they were infected by it,” Kling says. “We’ve been running it for months, and there have been no ‘positive’ [detection] results worldwide, and no new indicators of compromise.”

Another Hole
While analyzing TRITON, the Nozomi researchers also stumbled on a built-in backdoor maintenance function in the Triconex TriStation 1131 version 4.9 controller.

“We also found two undocumented power users with hard-coded credentials,” Nozomi wrote in a blog post today. “One of the power user’s login enabled a hidden menu, which from an attacker’s perspective, could be useful.”

But Carcano says the feature was not part of the TRITON malware attack. That maintenance support feature has basically been phased out of later versions of the TriStation.

“Fifteen years ago, when those products were developed, you would have a support account built into the products. That was the norm,” says Schneider Electric’s Kling. But later versions of the software, from 4.9.1 and up, included recommendations and the ability to delete the account.

“As then time went on, [we added] a secure version of this product, and this [support] account no longer exists,” he says.

Kling says Triconex users should update their software if they’re still running the older 4.9 version.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise … View Full Bio

Article source: https://www.darkreading.com/threat-intelligence/researchers-release-free-triton-trisis-malware-detection-tools/d/d-id/1332520?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

BLACK HAT USA 2018 – Las Vegas – Organized crime organizations play less of a role in cybercrime than you’d think. Instead, a new generation of criminal entrepreneurs runs much of the cyberattack operations worldwide, according to new research presented here today.

Over a seven-year period, Jonathan Lusthaus, director of the human cybercriminal project at Oxford University’s sociology department, studied the role of mafia/organizations in cybercrime in 20 different countries, including Russia, Ukraine, Romania, Nigeria, Brazil, China, and the US. He found that while organized crime provides help or guidance to cybercrime gangs or campaigns in some cases, the bulk of these hacking enterprises are conducted by a new breed of criminal.

“I was a little surprised by the limited role that organized crime appears to play in cybercrime,” Lusthaus said. “I was particularly surprised that I didn’t find more cases where these groups were protecting cybercriminals.”

But that actually makes sense, he said. “Cybercriminals often aren’t competing with each other in a traditional territorial way, so they don’t always need gangsters and strongmen to keep them safe or resolve disputes between them,” he explained. “There are some examples of this but many others where mafias just aren’t present.”

The premise that organized crime and cybercrime are one and the same has been based mainly on “innuendo” and assumptions, according to Lusthaus, who presented his findings here in his talk “Is the Mafia Taking Over Cybercrime?”

Organized crime organizations’ cybercrime activity is “more nuanced,” according to Lusthaus, happening in a more “organic” fashion. “They tended to get involved in ways that matched their traditional skill sets and where there was a genuine need for what they could provide, such as in running money-mule or money-laundering operations,” he said. “It’s also clear that they are using technology to enhance their other criminal operations, though this isn’t cybercrime per se.”

Where organized crime organizations intersect with cybercrime falls into four activities, according to Lusthaus’ research: providing protection for cybercriminals, investing in cybercrime ops, acting as “service providers” for a cybercrime scheme, and helping guide cybercriminals in their activities.

Lusthaus interviewed hundreds of law enforcement officials, former cybercriminals, and other experts and individuals in the private sector for his research, which is based on his newly published book, “Industry of Anonymity: Inside the Business of Cybercrime.”

Lusthaus found an interesting paradox: While many of the people he interviewed believed organized crime plays a major role in cybercrime, few were able to provide examples. “Many participants in this study believed that organized crime involvement in cybercrime was substantial. But when pressed, this appeared to be a theoretical rather than an empirical view,” he wrote in a white paper he released in conjunction with his Black Hat presentation.

‘Service Provider’
That said, Lusthaus found several examples where organized crime and cybercrime work together.

In some cases, organized crime groups are investing financially in cybercrime, mainly as a way to leverage outside hacking expertise to make money. In one case shared by a UK law enforcement official, a cybercriminal got funding from a “well-established” organized crime syndicate to fund the work of a programmer to write software that would allow the group to obtain payment card information from banks. That deal backfired after a dispute between the cybercriminal and the group, and the cybercriminal had to go on the run after his life was threatened.

Lusthaus also said there are cases of organized crime groups offering their own services to cybercrime operations, including the “offline” money-laundering of stolen money. One high-profile case was the 1994 breach of Citibank by Vladimir Levin, who had millions of dollars from the hack laundered in illegal money transfers. A US law enforcement official said a Russian mafia group in St. Petersburg called the Tambov Gang financed and handled the flow of those stolen funds to Russia.

Lusthaus found other examples, as well – most recently mafia groups that smuggle between Eastern and Western Europe card skimmers and blank cards used for counterfeit credit and debit cards using stolen account information.

Organized crime also can serve as a coordinator for specific cybercrime operations. “This usually involves recruiting those with technical skills, among others, to carry out the jobs,” Lusthaus wrote in his paper.

Interestingly, mafia groups rarely provide protection for cybercriminals, his research showed. That role typically gets filled by law enforcement or political figures for a monetary price.

Meanwhile, Lusthaus pointed out a way to deter cybercrime: by recruiting and hiring cybersecurity professionals in regions where cybercrime ops are rampant and often the only option for these individuals, such as in some Eastern European countries.

Related Content:

• Feds Indict Three Ukrainians for Cyberattacks on 100+ Companies
• Leader of Cybercrime APT Behind $1.2 Billion in Bank Heists Arrested 
• 8 Ways Hackers Monetize Stolen Data

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise … View Full Bio

Article source: https://www.darkreading.com/threat-intelligence/no-the-mafia-doesnt-own-cybercrime-study/d/d-id/1332488?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

A new report aims to shed light on what motivates security professionals to choose black hats over white ones as part of a broader study on the overall cost of cybercrime. 

To learn more about the organizational cost of cyberattacks and what lures hackers to the “dark side,” Malwarebytes and Osterman Research teamed up and polled 200 security pros between May and June 2018. They found security-related costs are enormous and growing, partly due to a spike in breaches and partly due to a proportion of industry experts donning “gray hats” and dabbling in cybercrime for money.

The cost of crime can be broken into three parts: budgeted costs for security infrastructure, services, and labor; off-budget costs related to major security incidents, and handling the cost of insider breaches. An organization with 2,500 employees can spend about $1.9 million on security, researchers write in a new report, “White Hat, Black Hat and the Emergence of the Gray Hat: The True Costs of Cybercrime.”

It’s little surprise to learn most organizations in the US have suffered some type of security breach in the 12 months preceding the survey. Phishing is the most common, though respondents also listed adware/spyware, spearphishing, and adware. Organizations reported an average of 1.8 “major” attacks — or those which lead to significant operational disruption or shutdown — during 2017. 

Mid-market companies, which usually have 500-1,000 employees, are hit hardest. Small businesses don’t have a wealth of valuable data; large ones have ramped up their defenses. Those in the middle are hit with more attacks than their smaller counterparts and have similar rates of attack as larger enterprises; however, they have fewer resources to defend themselves and less staff to combat threats. 

“Midsize businesses are the perfect target if you’re a cybercriminal,” explains Malwarebytes intelligence director Adam Kujawa.

It’s tough to stay safe when security is expensive. The average starting salary for an entry-level security pro in the US is $65,578, slightly above the global average of $60,662. Top security professionals in the States make an average of $133,422, the second highest among nations surveyed. One of the biggest costs to organizations, in addition to hiring talent, is retaining it.

But is it enough to keep security experts away from cybercrime? More than half of respondents know, or have known, someone who has engaged in black hat activity, the highest rate among the five nations polled. Twenty-two percent have been approached to participate in cybercrime; 8% considered it.

Researchers asked about respondents’ willingness to become “gray hats,” or folks who maintain their roles as security professionals while becoming a black hat hacker on the side. Those in the US think 5.1% of their infosec colleagues are gray hats; in the UK, 7.9% of security pros are believed to be gray hats. 

Most people in security think cybercrime is more lucrative and easier to enter than white hat security roles, they report. Nearly three in five security pros in the US think people become black hats because it’s more financially rewarding than become a security professional. More than half think it’s to retaliate against an employer, and half think black hats are driven by “some sort of cause of philosophical reason.” 

Security pros in the states are most likely to think employer retaliation is the driver, with more than half (53.3%) reporting that as the reason compared with the global average of 39.7%. Malicious insiders are harder to find and have the potential to cause deeper damage than external attackers.

“That’s a very expensive attack,” Kujawa points out. “The value of the data is probably more than what a regular cybercriminal could gather or accomplish.” Further, the company loses its trust in network infrastructure, which requires more work to address than securing the doors against outside threats.

“Cybercrime is more available to everybody than it ever has been,” he continues. Survey respondents believe these days, it’s easier for anyone to wear a black hat. “One of the big lures we got from the survey is a lot of global mid market companies suggest it’s easier to get into cybercrime without getting caught.”

Related Content:

• No, The Mafia Doesn’t Own Cybercrime: Study
  
• Google Engineering Lead on Lessons Learned From Chrome’s HTTPS Push
• 10 Threats Lurking on the Dark Web
• Manufacturing Industry Experiencing Higher Incidence of Cyberattacks

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial … View Full Bio

Article source: https://www.darkreading.com/threat-intelligence/white-hat-to-black-hat-what-motivates-the-switch-to-cybercrime/d/d-id/1332521?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Firewalls traditionally focus on traffic coming into a network (or endpoint) from the outside. Advanced threats use a number of techniques to get around that focus – and those techniques aimed at MacOS are at the heart of research being presented at Black Hat this week.

Patrick Wardle, chief research officer at Digita Security and founder of Objective-See, decided that the best way to understand the limitations and possibilities of a firewall was to build his own. The first part of his presentation at Black Hat (and a subsequent talk at DEF CON) will be about how one goes about building a firewall that looks at traffic flowing in both directions and precisely what such a firewall can be expected to stop.

(See Wardle’s session, “Fire Ice: Making and Breaking macOS Firewalls,” on Thursday, August 9, at Black Hat USA)

The second part of the presentation will look at how an attacker would go about breaking through the firewall to reach the target within. Wardle says existing third-party firewalls for MacOS protect traffic in both directions and can be quite effective.

“There are some Mac malware samples that, the first thing they do when run, is enumerate the installed software and look for one of these firewall products,” Wardle says. “And if they see one of these firewall products, they will actually not infect the system because they know that the firewall will basically detect them and then give away their presence to the user.”

But even good firewalls are at a disadvantage to attackers because, in the Internet era, certain communications simply must be allowed. “I run through a variety of hacks where we can basically abuse trusted protocols, trusted processes. And even though the firewalls will see these connections, they will allow them because they have no way of telling that they’re actually malicious,” Wardle says.

Many Mac users are more trusting than they should be because of the Mac’s reputation for security. It’s a reputation that Wardle says is based on history and aggressive marketing – and is less deserved than was once the case.

“In my expert professional opinion, if you look at the latest version of Windows – Windows 10 – and compare it to the latest version of OS X, there’s really no comparison in terms of security. The Windows operating system is just so much more secure,” Wardle says. “Any attacker who wants to infect your Mac computer, if they’re advanced and sophisticated enough, they are going to have no problem hacking in.”

The firewall that Wardle developed for his presentation will be available on Github at the end of his session. The software will be free and open source.

Related Content:

• Cloud Security: Lessons Learned from Intrusion Prevention Systems
• 7 Ways to Keep DNS Safe
• Meet ‘Bro’: The Best-Kept Secret of Network Security
• The Risks of Remote Desktop Access Are Far from Remote

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and … View Full Bio

Article source: https://www.darkreading.com/black-hat/understanding-firewalls-build-them-up-tear-them-down/d/d-id/1332516?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Image Source: Shutterstock via Who is Danny

Security pros can never rest. Even with the operation last year that took down AlphaBay and Hansa, industry experts say many groups continue to trade in malware, ransomware, and stolen credentials on the Dark Web, and that the criminals who were caught simply reorganized.

“People need to understand that there’s an underground economy – a marketplace where all these things are being traded and sold,” says Munish Walther-Puri, chief research officer and head of intelligence analytics at Terbium Labs.

And it’s a global market, points out Jon Clay, director of global threat communications at Trend Micro. “These markets are all over the place; they can be from Russia, China, the United States, France, Eastern Europe, Africa, wherever,” Clay says. “And in a lot of these developing countries, the median wage is low and there are not always jobs available.”

Getting started is as easy as viewing tutorials on the Dark Web on how to become a cybercriminal, how to write code, and how to launch attacks, he says. “You don’t always even need the knowledge or know-how. Threat actors can go right ahead and launch a ransomware attack using full attack services available to them,” Clay explains.  

Terbium’s Walther-Puri says companies need to understand that the threat on the Dark Web is ongoing and ever-shifting – and they have to keep up. To do so, they must first identify their crown jewels and determine a baseline of exposure. Only then can they develop an ongoing monitoring strategy, he says.

But before companies get too proactive, they also have to understand the threat landscape. That’s where this compilation of leading threats on the Dark Web comes in. 

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md. View Full Bio

Article source: https://www.darkreading.com/threat-intelligence/10-threats-lurking-on-the-dark-web/d/d-id/1332514?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple