STE WILLIAMS

Google bans Android miners from Play Store

Google has cracked down on apps that mine for cryptocurrency, banning them entirely from its official Google Play Store.

The company quietly updated its developer policy page with the following statement:

We don’t allow apps that mine cryptocurrency on devices. We permit apps that remotely manage the mining of cryptocurrency.

The policy change means that programs using the device’s own processing power to mine cryptocurrency will no longer be allowed in the official Google Play Store, but that Google is still OK with programs that manage cryptocurrency mining services operating elsewhere.

The move mirrors one by Apple, which banned cryptocurrency miners from its stores in June. It also follows other measures by Google to stamp out cryptocurrency mining programs delivered via its products and services. In April, it banned cryptocurrency mining extensions for its Chrome browser from the Chrome store.

This may stop cryptomining, where people voluntarily give up their phone’s processing power to generate digital coins. It is less likely to stop cryptojacking, where apps deliver a legitimate service but also do some cryptomining on the side without the user’s explicit consent.

Cryptojacking has been a growing problem in Android apps. Last year, cryptomining code was found in several apps that had been approved for the Google Play Store. In April, researchers discovered that users had downloaded various Play Store apps that secretly mined for cryptocurrency more than 100,000 times.

A lot of cryptojacking malware is delivered under the radar, because the apps fetch their mining code at run time, after the user has installed them, rather than shipping it in the package Google reviews. Some of them retrieve their cryptojacking code via mobile ads. This makes it harder for Google’s automated malware scanning tools to find them. Google has in the past removed apps that it discovered were cryptojacking.

The search giant has also had to clean up its own YouTube network after it found that ads delivered via the Google-owned DoubleClick advertising service were turning viewers into cryptocurrency miners without their knowledge or consent. It had to pull the ads, which carried JavaScript mining code, to stop them hijacking viewers’ computers and mining with their processing power.

The wording in Google’s developer policy is scant, and there was nothing on the Android or Android Developers’ blog about it at the time of writing, but perhaps we can find some guidance in its explanation for the Chrome cryptomining ban. It said:

Until now, Chrome Web Store policy has permitted cryptocurrency mining in extensions as long as it is the extension’s single purpose, and the user is adequately informed about the mining behavior. Unfortunately, approximately 90% of all extensions with mining scripts that developers have attempted to upload to Chrome Web Store have failed to comply with these policies, and have been either rejected or removed from the store.

It’s also worth pointing out that the consequences for badly-managed mining on a phone can be more severe than on a PC. The Loapi malware, which mined for cryptocurrency without the user’s consent, wrecked a phone in 48 hours by overloading its processor so much that the battery swelled up and burst the phone’s case.

The ban will make the anti-cryptojacking stance official, but it will also hit cryptomining apps, which let users willingly put their phone’s processing power to work mining cryptocurrency. The brief wording in Google’s developer policy suggests that even apps mining with the user’s consent will be axed.

Several well-known mining apps were still available on the Google Play store at the time of writing, including Pocket Miner, AA Miner, and NeoNeonMiner. Perhaps Google hadn’t completely enacted its rules yet. It took two months to scrub mining extensions from the Chrome store after the Chrome mining crackdown, so this isn’t entirely surprising.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/1VUo4I1SKuY/

Social media rumors lead to PepsiCo lawsuit

Kurkure is PepsiCo’s finger-licking, lip-smacking, Indian corn puff snack. PepsiCo is happy to tell anybody who’ll listen that it makes Kurkure in state-of-the-art, automated, hygienic, food-safety-award-winning, certified factories. Here’s a 5-minute video of the process on YouTube. As you can see, we’re talking rice meal, edible vegetable oil (palm oil), corn meal, gram meal, spices, sugar and whatnot.

“Whatnot” is not code for “plastic.” There is no plastic in Kurkure. But somehow, the plastic jokes keep coming.

And because PepsiCo is so not laughing, and because the grain-based, beverage-centric multinational company is laughing so very not hard and has so very many lawyers, it’s sued to get all those despicable jokes and plastic rumors taken offline.

As MediaNama reported on Thursday, PepsiCo has obtained an interim order from the Delhi High Court to delete hundreds of posts on Facebook, Twitter, Instagram and YouTube.

PepsiCo said in its petition in a civil defamation suit that the plastic rumors have been swirling for years on those social media platforms, and it demanded that they be taken down. That translates into takedowns of 3,412 Facebook links, 20,244 Facebook posts, 242 YouTube videos, 6 Instagram links, and 562 tweets, be they rumor-spreading, notes about NOT spreading the rumor, or jokes like those above.

Or there are all those people who set Kurkure on fire, to prove either that 1) it’s made out of plastic, or 2) it’s not made out of plastic, or 3) it’s not made out of plastic but it smells like burning plastic when you set it on fire.

You can still see those videos on YouTube, unless you live in India, where the posts have been blocked.

This didn’t start with Kurkure, mind you. It started with another crunchy PepsiCo gift to the world: the Lays potato chip. As first reported by LiveMint, PepsiCo India managed to get the High Court to tell Facebook and YouTube to block video clips that claimed that the chips were made with plastic.

…which, like the Kurkure rumor it spawned, is pure rubbish, PepsiCo said. Or, in legalese, these rumors are “baseless and reckless, and without any regard for truth or due care for verification.” In February, Justice Jayant Nath handed down an interim order that Facebook and YouTube block the problematic URLs until the next hearing.

PepsiCo had this to say in a statement sent to MediaNama:

Kurkure is a 100% safe, vegetarian snack made from trusted, high quality everyday kitchen ingredients like rice, dal, corn, gram and roasted spices.

It’s an extremely loved brand and consumed by families across India. However, rumors suggesting that Kurkure has plastic in it have plagued the brand. It’s for this reason we’ve called out the ingredients of Kurkure proactively in all our communication and have been transparent about its manufacturing by taking consumers to our plants to see the process themselves. We constantly urge consumers to not fall prey to baseless rumors and to enjoy their pack of Kurkure.

PepsiCo is entirely right: none of us should fall prey to whacky rumors we see disseminated online. The only problem is that its ban includes what are clearly jokes.

You can’t legislate the silliness out of the internet. If you try, you’ll get a whole load of publicity, but it sure won’t be the lip-smacking kind. It will be the kind that sets itself aflame all by itself and spreads like wildfire, leaving a very bad taste in your corporate mouth.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ofwpQK3Pj-U/

Prisoners exploit tablet vulnerability to steal nearly $225K

Idaho prison officials said on Thursday that 364 inmates in five of the state’s prisons exploited vulnerable software in the JPay tablets they use for email, music and games in order to pump up the cash balances of their accounts.

The inmates transferred nearly $225K into their JPay accounts, according to the Associated Press.

The handheld tablets are used in prisons across the country, where inmates use them to stay in touch with the outside world via money transfers, emailing families and friends, buying and listening to music, video visitation, parole and probation payments, and downloading and playing games. The devices are made available through a contract between JPay and CenturyLink. Inmates can pay for entertainment, games and additional services with JPay credits.

Idaho Department of Correction spokesman Jeff Ray said on Thursday that no taxpayer money was involved in the fraud. The tablets operate over a secure network and don’t offer access to the wider internet.

The transfer scam was discovered earlier in the month by a special investigations unit, Ray said.

Mark Molzen, a spokesman for CenturyLink, told the AP that the problem involved inmates “intentionally exploiting a software vulnerability to increase their JPay account balances.” The company declined to give details, saying the information is proprietary. Molzen did say that the vulnerability has since been fixed, however.

According to Ray, the largest amount swindled by a single inmate was a little under $10,000. Fifty of the inmates transferred amounts exceeding $1,000 into their accounts.

This was no accident, Ray said:

It required a knowledge of the JPay system and multiple actions by every inmate who exploited the system’s vulnerability to improperly credit their account.

Ray said that JPay has managed to claw back more than $65,000 worth of credits. The guilty inmates have been shut out of much of the tablets’ functions: they won’t be able to download games or play music until they pay back what they owe to the company, he said. They’ll still be allowed to read and send emails, though.

The Idaho Department of Correction has issued disciplinary reports to the involved inmates. That could lead to loss of privileges and possible reclassification to a higher security risk level.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/hmGYN57l60c/

How hack on 10,000 WordPress sites was used to launch an epic malvertising campaign

Security researchers at Check Point have lifted the lid on the infrastructure and methods of an enormous “malvertising” and banking trojan campaign.

The operation delivered malicious adverts to millions worldwide, slinging all manner of nasties including crypto-miners, ransomware and banking trojans.

The researchers told The Register that they have observed over 40,000 infection attempts per week from this campaign (that is, at least 40,000 clicks on malicious adverts) and said the campaign was still active. They reckon the crims are getting a decent enough return on their ad spend that they can afford to outbid legitimate advertisers.

Check Point claimed that the brain behind the campaign – whom it dubbed Master134 – redirected stolen traffic from over 10,000 hacked WordPress sites and sold it to AdsTerra, a real-time bidding ad platform. They wrote that AdsTerra then sold it to advert resellers (ExoClick, AdKernel, EvoLeads and AdventureFeeds) which then went on to sell it to the highest bidding “advertiser”.

However, the security researchers claimed, these “advertisers” were actually criminals looking to distribute ransomware, banking trojans, bots and other malware. The infected adverts then appeared on the websites of thousands of publishers worldwide, instead of clean, legitimate ads.

The ads often contained malicious JavaScript code that exploits unpatched vulnerabilities in browsers or browser plug-ins, such as Adobe’s Flash Player, so that the user gets infected by ransomware, keyloggers and other malware simply by visiting a site hosting the malicious ad. This drive-by technique is a well-known one that dates back more than a decade.

Check Point said the criminals made a laughing stock of the legitimate online advertising ecosystem. They even measured the return on investment of their ad spend by comparing it to the money they made from crypto-mining and ransoms.

The payment system in this scheme also laundered the proceeds, courtesy of the online advertising ecosystem, the researchers claimed.

Master134 and commander

What started out as the compromise of thousands of websites – all using WordPress v.4.7.1 and thus vulnerable to remote code execution attacks – took in multiple parties in the online advertising chain, and ended with the distribution of malware to web users globally, the researchers said.

They added that the campaign revealed a partnership between a threat actor disguised as a publisher (dubbed “Master134”) and several legitimate resellers.

The criminals behind the “malverts” can even target users according to whether or not they have unpatched operating systems or browsers, and even specific device types. Because ad networks have little in the way of creative-verification technology, they are unlikely to detect the malicious activity.

The exact content users see depends on who they are, where they are, what device they’re using and other variables. This makes it incredibly difficult for both publishers and ad networks to conclusively review every version of an advert for malicious content.
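The chain the researchers describe (hacked site, ad platform, reseller, exploit landing page, payload) shows up in an organisation’s own web proxy logs as a run of requests linked by their Referer headers. The following Python is an added example written for this page, not Check Point’s code or tooling: it rebuilds those chains from a constructed, tab-separated log and flags the ones that pass through an ad host and end with a Flash or executable download from a third domain. The log format, the ad-host list and the payload content types are assumptions, and the second client in the sample shows an ordinary ad impression that is not flagged.

```python
"""Rebuild referer chains from proxy logs and flag the malvertising pattern:
compromised site -> ad platform -> reseller -> exploit landing page -> payload.
Added example; the log, its format and the host lists are constructed/assumed."""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy log, tab-separated: timestamp, client, url, referer, status, content-type
SAMPLE_LOG = """\
2018-07-30T10:00:01Z\t10.1.1.5\thttp://blog.example-wp.org/post/1\t-\t200\ttext/html
2018-07-30T10:00:02Z\t10.1.1.5\thttp://ads.example-rtb.net/bid?z=9\thttp://blog.example-wp.org/post/1\t302\ttext/html
2018-07-30T10:00:02Z\t10.1.1.5\thttp://cdn.example-reseller.com/serve?id=77\thttp://ads.example-rtb.net/bid?z=9\t200\ttext/html
2018-07-30T10:00:03Z\t10.1.1.5\thttp://land.example-bad.top/index.php\thttp://cdn.example-reseller.com/serve?id=77\t200\ttext/html
2018-07-30T10:00:04Z\t10.1.1.5\thttp://land.example-bad.top/ex.swf\thttp://land.example-bad.top/index.php\t200\tapplication/x-shockwave-flash
2018-07-30T10:00:05Z\t10.1.1.5\thttp://land.example-bad.top/drop.exe\thttp://land.example-bad.top/ex.swf\t200\tapplication/x-msdownload
2018-07-30T10:05:00Z\t10.1.1.9\thttp://news.example.com/\t-\t200\ttext/html
2018-07-30T10:05:01Z\t10.1.1.9\thttp://ads.example-rtb.net/bid?z=3\thttp://news.example.com/\t302\ttext/html
2018-07-30T10:05:01Z\t10.1.1.9\thttp://static.example-brand.com/banner.png\thttp://ads.example-rtb.net/bid?z=3\t200\timage/png
"""

# Assumed threat intel: known ad-exchange/reseller hosts, and content types that
# indicate an exploit (Flash) or a dropped executable.
AD_HOSTS = {"ads.example-rtb.net", "cdn.example-reseller.com"}
PAYLOAD_TYPES = {"application/x-shockwave-flash", "application/x-msdownload",
                 "application/octet-stream"}


def parse_log(text):
    records = []
    for line in text.splitlines():
        ts, client, url, referer, status, ctype = line.split("\t")
        records.append({"ts": ts, "client": client, "url": url,
                        "referer": None if referer == "-" else referer,
                        "status": int(status), "ctype": ctype})
    return records


def host(url):
    return urlparse(url).hostname or ""


def build_chains(records):
    """Per client, follow Referer links backwards from every leaf request (one
    that no other request cites as its referer) to the first hop."""
    by_client = defaultdict(list)
    for r in records:
        by_client[r["client"]].append(r)
    chains = []
    for client, reqs in by_client.items():
        by_url = {r["url"]: r for r in reqs}
        referenced = {r["referer"] for r in reqs if r["referer"]}
        for leaf in reqs:
            if leaf["url"] in referenced:
                continue
            chain, cur, seen = [], leaf, set()
            while cur is not None and cur["url"] not in seen:  # guard against referer loops
                seen.add(cur["url"])
                chain.append(cur)
                cur = by_url.get(cur["referer"]) if cur["referer"] else None
            chains.append((client, chain[::-1]))
    return chains


def flag_malvertising(chains):
    """A chain is suspicious when it passes through an ad host and ends with a
    payload fetched from a third host (neither the origin site nor an ad host)."""
    hits = []
    for client, chain in chains:
        hosts = [host(r["url"]) for r in chain]
        last, landing = chain[-1], hosts[-1]
        if (any(h in AD_HOSTS for h in hosts)
                and landing not in AD_HOSTS and landing != hosts[0]
                and last["ctype"] in PAYLOAD_TYPES):
            hits.append({"client": client, "origin": hosts[0], "landing": landing,
                         "hops": [r["url"] for r in chain]})
    return hits


if __name__ == "__main__":
    for hit in flag_malvertising(build_chains(parse_log(SAMPLE_LOG))):
        print(f"{hit['client']}: {hit['origin']} -> {hit['landing']} via {len(hit['hops'])} hops")
```

The origin host of a flagged chain is the candidate compromised site; the hops in between are the ad intermediaries to take up with the network in question.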

Check Point’s research raises questions about the ad verification methods used in the online advertising industry and the role of ad networks in the malvertising ecosystem as a whole. Check Point suggested the companies were being “manipulated” in powering these attacks.

El Reg invited AdsTerra, AdKernel, AdventureFeeds and EvoLeads to comment. We’ll update this story as and when we get a response. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/07/30/malvertising_wordpress/

MUD: The Solution to Our Messy Enterprise IoT Security Problems?

The ‘Manufacturer Usage Description’ proposal from IETF offers a promising route for bolstering security across the industry.

While Internet of Things (IoT) devices offer plenty of impressive capabilities that improve efficiency through industrial and workplace applications, they unequivocally continue to pose major security liabilities. Many IoT devices feature little or zero built-in security measures, making them enticing targets for hackers. At the same time, many companies plan to add a large number of IoT devices to their networks, increasing the challenge of identifying which devices are actually legitimate and limiting each device to only the access it requires.

While experienced network administrators might mitigate these shortcomings with access rules tailored to each IoT device or device category, this work is painstakingly cumbersome, offers no guarantees of security, and creates more work in an area where greater efficiency is the goal. In short, enterprises could certainly benefit from fundamental IoT security improvements at the device level.

The Proposed MUD Industry Standard
The Manufacturer Usage Description (MUD) specification, proposed and described in an Internet Engineering Task Force (IETF) draft document, offers a promising route for bolstering security across the IoT industry. MUD works by letting an IoT device tell the network it joins exactly which access and network functionality it requires, so that the network can restrict the device to just that.

The MUD workflow is as follows. First, when the IoT device joins a network, it sends a MUD URL to the router. The router then functions as a MUD manager and visits the specified URL to retrieve a MUD file. The MUD manager then uses the information within the MUD file to put access rules in place that are recommended by the device’s manufacturer.

In this way, enterprises can simply connect their IoT devices and the access and capabilities of those devices will be automatically limited to what is appropriate. Hackers may succeed in hijacking those devices but will be unable to corrupt the MUD file accessed online from the manufacturer. If an attacker attempts to direct a device to participate in a distributed denial-of-service attack, wreak havoc in an industrial environment, or collect and transfer sensitive information to an unfamiliar destination, MUD will not allow that activity to happen. Manufacturers still will need to address vulnerabilities and update firmware going forward, but MUD drastically reduces the harm that a compromised IoT device can actually inflict.

Can the MUD URL to which the Device Points Be Corrupted?
Hackers who understand this workflow could attempt to change the MUD URL to target their own false MUD file, one that allows the access needed to perform malicious activities. As drafted, MUD offers three choices for sending the MUD URL (and allows for others to be added in the future): the DHCP option, the X.509 extension, and the LLDP extension. Of these, the DHCP option and LLDP extension potentially could allow the MUD URL to be corrupted in scenarios where the IoT device becomes compromised. The X.509 extension distinguishes itself as more secure because the MUD URL is added to an identity certificate, either by the manufacturers when the device’s IDevID is created or by another party in the supply chain with the creation of the LDevID.
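To make the workflow above concrete, here is an added Python example (not code from the IETF draft, the article or any vendor) of two steps a MUD manager performs: reading the MUD URL out of a DHCPv4 option, and turning the MUD file’s access lists into default-deny rules. It assumes option code 161, the DHCPv4 option code assigned to the MUD URL, and the JSON layout of the specification (the draft became RFC 8520 in 2019); the MUD file, the device and the hostnames are constructed. The fetch itself and the check of the detached signature the specification attaches to a MUD file (its mud-signature) are omitted, but a real manager must verify that signature before applying anything. The DHCP parser makes the trust problem from the paragraph above visible: the device, compromised or not, supplies the URL, so the only thing the manager can check on its own is that the URL is https.

```python
"""Two steps of a MUD manager, as an added example: read the MUD URL the device
advertises in a DHCPv4 option, then turn the MUD file's ACLs into default-deny
allow-list rules. The MUD file, the device and the option bytes are constructed."""
import json
from urllib.parse import urlparse

OPTION_MUD_URL_V4 = 161  # DHCPv4 option code assigned to the MUD URL

# Constructed DHCPv4 option bytes: option 53 (message type), option 161, end (255).
DEVICE_MUD_URL = b"https://iot.example.com/sensor-x1.json"
SAMPLE_DHCP_OPTIONS = (bytes([53, 1, 1])
                       + bytes([OPTION_MUD_URL_V4, len(DEVICE_MUD_URL)]) + DEVICE_MUD_URL
                       + bytes([255]))


def mud_url_from_dhcp_options(options):
    """Walk option TLVs and return the MUD URL, or None. Nothing here is
    authenticated: whatever the device (or malware on it) put in the option
    is what comes back."""
    i = 0
    while i < len(options):
        code = options[i]
        if code == 0:            # pad
            i += 1
            continue
        if code == 255:          # end of options
            break
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if code == OPTION_MUD_URL_V4:
            return value.decode("utf-8")
        i += 2 + length
    return None


def acceptable_mud_url(url):
    """The specification requires an https URL; refuse anything else."""
    p = urlparse(url)
    return p.scheme == "https" and bool(p.hostname)


# Constructed MUD file in the specification's JSON layout: a policy for each
# direction references an ACL; each ACE names a peer by DNS name plus a port.
SAMPLE_MUD_FILE = json.dumps({
    "ietf-mud:mud": {
        "mud-version": 1,
        "mud-url": DEVICE_MUD_URL.decode(),
        "last-update": "2018-07-30T00:00:00+00:00",
        "cache-validity": 48,
        "is-supported": True,
        "systeminfo": "Example sensor X1 (constructed)",
        "from-device-policy": {"access-lists": {"access-list": [{"name": "mud-x1-from"}]}},
        "to-device-policy": {"access-lists": {"access-list": [{"name": "mud-x1-to"}]}},
    },
    "ietf-access-control-list:acls": {"acl": [
        {"name": "mud-x1-from", "type": "ipv4-acl-type", "aces": {"ace": [
            {"name": "telemetry",
             "matches": {"ipv4": {"ietf-acldns:dst-dnsname": "collector.example.com", "protocol": 6},
                         "tcp": {"ietf-mud:direction-initiated": "from-device",
                                 "destination-port": {"operator": "eq", "port": 443}}},
             "actions": {"forwarding": "accept"}},
            {"name": "ntp",
             "matches": {"ipv4": {"ietf-acldns:dst-dnsname": "time.example.com", "protocol": 17},
                         "udp": {"destination-port": {"operator": "eq", "port": 123}}},
             "actions": {"forwarding": "accept"}}]}},
        {"name": "mud-x1-to", "type": "ipv4-acl-type", "aces": {"ace": [
            {"name": "telemetry-reply",
             "matches": {"ipv4": {"ietf-acldns:src-dnsname": "collector.example.com", "protocol": 6},
                         "tcp": {"ietf-mud:direction-initiated": "from-device",
                                 "source-port": {"operator": "eq", "port": 443}}},
             "actions": {"forwarding": "accept"}}]}}]},
})


def mud_to_rules(mud_text):
    """Return (direction, action, ip-protocol, peer-hostname, peer-port) tuples,
    closing each direction with a drop rule so anything unlisted is blocked."""
    doc = json.loads(mud_text)
    mud = doc["ietf-mud:mud"]
    acls = {a["name"]: a for a in doc["ietf-access-control-list:acls"]["acl"]}
    rules = []
    for direction, policy in (("from-device", "from-device-policy"),
                              ("to-device", "to-device-policy")):
        port_key = "destination-port" if direction == "from-device" else "source-port"
        for ref in mud[policy]["access-lists"]["access-list"]:
            for ace in acls[ref["name"]]["aces"]["ace"]:
                m = ace["matches"]
                ip = m.get("ipv4") or m.get("ipv6") or {}
                l4 = m.get("tcp") or m.get("udp") or {}
                peer = ip.get("ietf-acldns:dst-dnsname") or ip.get("ietf-acldns:src-dnsname")
                port = l4.get(port_key, {}).get("port")
                rules.append((direction, ace["actions"]["forwarding"], ip.get("protocol"), peer, port))
        rules.append((direction, "drop", None, None, None))
    return rules


def enforce_for_device(options, fetch=lambda url: SAMPLE_MUD_FILE):
    """Glue: URL from DHCP -> scheme check -> (stand-in) fetch -> rules.
    Signature verification of the fetched file is omitted here."""
    url = mud_url_from_dhcp_options(options)
    if url is None or not acceptable_mud_url(url):
        return None
    return mud_to_rules(fetch(url))
```

Each tuple maps onto a firewall or switch ACL entry once the DNS names are resolved; the trailing drop per direction is what turns the manufacturer’s description into a least-privilege policy rather than an advisory list.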

How the 802.1AR Standard and DICE Support MUD Security
The IEEE 802.1AR standard specifies secure device identifiers, IDevIDs or LDevIDs, that are unique and cryptographically bound to individual devices. It also provides the capability to authenticate the identity of these devices. Devices utilizing this standard most often include a Trusted Platform Module (TPM) that stores cryptographic keys. Because the MUD URL lives in an X.509 extension of the IDevID or LDevID certificate, whose private key is held in the TPM, a device that presents the certificate and proves possession of the key also vouches for the MUD URL. The IDevID can’t be changed, and so neither can the MUD URL.

However, the size, cost, and power requirements of TPMs create severe limitations, making it impossible to rely on this method for securing all IoT devices. Thankfully, the Device Identifier Composition Engine (DICE) Architecture, offered by Trusted Computing Group, is up to the task of providing security to devices with these resource limits. Using DICE, even smaller IoT devices can store cryptographic keys and use the 802.1AR standard without the need for a TPM. Thus, they can use the X.509 extension and ensure the MUD URL is secure.
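As an added illustration (not code from the Trusted Computing Group, the IEEE or the author), the Python below sketches the DICE derivation that makes this work: an immutable boot stage computes a Compound Device Identifier from the Unique Device Secret and a hash of the first mutable code, and every later key, including the one an IDevID certificate binds to, derives from that CDI. Altered boot firmware therefore yields a different device identity, so a tampered device cannot present the manufacturer-certified IDevID and its MUD URL. The HMAC-based key derivation stands in for the asymmetric key generation a real implementation performs, and all secrets and firmware images are constructed.

```python
"""Simplified DICE identity derivation, as an added illustration. Secrets and
firmware images are constructed; HMAC stands in for asymmetric key generation."""
import hashlib
import hmac

UDS = hashlib.sha256(b"constructed unique device secret").digest()  # burned into silicon
LAYER0_OK = b"bootloader v1.0 (constructed)"
LAYER0_TAMPERED = b"bootloader v1.0 (constructed) + attacker patch"
LAYER1_APP = b"application firmware v2.3 (constructed)"


def measure(code):
    return hashlib.sha256(code).digest()


def derive_cdi(uds, first_mutable_code):
    """Compound Device Identifier, computed by the immutable DICE engine before
    it runs the first mutable code: CDI = HMAC(UDS, H(first mutable code))."""
    return hmac.new(uds, measure(first_mutable_code), hashlib.sha256).digest()


def derive_device_id_seed(cdi):
    """Seed of the DeviceID key, the key an 802.1AR IDevID certificate binds to."""
    return hmac.new(cdi, b"DICE DeviceID", hashlib.sha256).digest()


def derive_alias_seed(cdi, next_layer):
    """Alias key seed: tied to the CDI and to the measurement of the next layer,
    so it changes when application firmware changes while the DeviceID does not."""
    return hmac.new(cdi, b"DICE Alias " + measure(next_layer), hashlib.sha256).digest()


def boot_identity(uds, layer0, layer1):
    """What the device can present after boot: (DeviceID seed, Alias seed)."""
    cdi = derive_cdi(uds, layer0)
    return derive_device_id_seed(cdi), derive_alias_seed(cdi, layer1)


def provisioned_device_id(uds, layer0):
    """Manufacturer side at provisioning: the identity it certifies, together
    with the MUD URL, in the IDevID certificate. Only the original layer0
    reproduces it later."""
    return derive_device_id_seed(derive_cdi(uds, layer0))


def identity_matches(certified_seed, presented_seed):
    """Stand-in for certificate verification: constant-time compare of the seed."""
    return hmac.compare_digest(certified_seed, presented_seed)
```

In a real DICE device only a public key derived from the DeviceID seed ever leaves the chip, and the UDS is made inaccessible before the mutable code runs; the point the example preserves is that identity is a function of the code that booted, not of a stored secret a compromised firmware could read.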

Looking forward, the promising MUD specification must move from draft to finished standard, and manufacturers of IoT devices and routers must then embrace it. If that happens, though issues will always remain, enterprises will have all the advantages of an IoT that is significantly safer and more secure.


Louis Creager is an IoT security analyst at zvelo, a provider of cybersecurity solutions for web content, network traffic, and connected/IoT devices. Prior to joining zvelo, Louis held security analyst and engineering roles at Trustwave, an information security …

Article source: https://www.darkreading.com/endpoint/mud-the-solution-to-our-messy-enterprise-iot-security-problems/a/d-id/1332384?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

University of Phoenix Poll: 20% of US Adults Have Considered Infosec Careers

Many respondents could enter the field by leveraging skills they already have.

Twenty percent of respondents to a new survey have considered cybersecurity careers. While roughly half of the 2,000 US adults polled had never heard of the terms penetration tester and white-hat hacker, 10% were “very familiar” with these common cybersecurity jobs and their responsibilities.

The data comes from The Harris Poll, which surveyed 2,000 adults on behalf of the University of Phoenix, measuring their awareness of careers, gender disparity, and workplace readiness in the industry. 

About one-quarter of respondents say they don’t have the skills to enter security, a conclusion attributed to lack of education, knowledge of how to get started, and familiarity with what security pros do.

However, many could leverage skills they already have, says Dennis Bonilla, executive dean for the University of Phoenix’s College of Information Systems and Technology. The individuals surveyed claim to have skills in programming (33%), data analytics (26%), and coding and Web development (both 31%). All are taught in the University’s security-focused programs.

Read more details here.

 

 

 


Article source: https://www.darkreading.com/careers-and-people/university-of-phoenix-poll-20--of-us-adults-have-considered-infosec-careers/d/d-id/1332419?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

FBI boss: We went to the Moon, so why can’t we have crypto backdoors? – and more this week

Roundup There has been a bumper crop of security news this week, including another shipping giant getting taken down by ransomware, Russian hackers apparently completely pwning US power grids and a sane request from Senator Wyden (D-OR) for the US government to dump Flash. But there has been other news bubbling under.

Useless action please! While Wyden might know what he’s talking about his colleagues seem set on useless posturing.

On Tuesday Senators Pat Toomey (R-PA) and Chris Van Hollen (D-MD) sent a letter [PDF] to US Treasury Secretary Steven Mnuchin asking him to implement financial sanctions against the 12 Russians accused of hacking the servers of the Democratic Party. Given the president’s confused attitude towards Russia they shouldn’t hold their breath.

The two are depressingly vague about what exactly they would like to see done, but we can’t imagine the accused are trembling in their Afoor boots. But it got the senators a bit of publicity, which is probably the point of the exercise.

FBI goes Facepalm on encryption: There had been signs that FBI Director Chris Wray might actually start listening to the technically adept about backdooring encryption. But no, he has come out with another idiotic zinger.

Speaking at the Aspen Security Conference Wray returned to the tired old theme that criminals were “going dark” thanks to encryption and thus the government needs access. Despite cryptographers’ repeated warnings that a backdoor only the authorities can use cannot be built securely, Wray was sure there must be a way, as he explained on camera:

“We’re a country that has unbelievable innovation,” he said. “We put a man on the Moon. We have the power of flight. We have autonomous vehicle. The idea that we can’t solve this problem as a society — I just don’t buy it.”

It’s an argument that has been used before, so often in fact that Matt Blaze, professor of Computer and Information Science at the University of Pennsylvania and Tor Project board member, came up with this pithy comeback.

“When I hear ‘if we can put a man on the moon, we can do this’ I’m hearing an analogy almost saying ‘if we can put a man on the moon, surely we can put a man on the sun,'” he said.

Samsung’s Internet of S**t: We’re getting a little tired of the persistent failings in Internet of Things devices – and Samsung is the latest manufacturer to be caught with its digital pants down.

Researchers at Cisco’s Talos security team examined the Samsung SmartThings Hub and found a stunning 20 exploitable vulnerabilities. Given this device is supposed to act as a central control unit for all the gadgets in the home, potentially controlling security cameras, door locks and climate control, this isn’t good news.

Thankfully Talos are big on responsible disclosure, and a firmware fix is now available. If you have a so-called SmartThings Hub then you’d be advised to download and install the latest updates for your device. But it does make you wonder – if a massive manufacturer like Samsung can’t get security right, what are the odds your Kickstarter funded device has?

Lifelock irony overload: Lifelock likes to describe itself as a guardian of online identities, but the firm showed it can’t even protect its own data.

The company’s website was so poorly designed that any visitor could access any of the email addresses of Lifelock’s 4.5 million customers. The flaw, discovered by freelance security researcher Nathan Reese, could have seen those email addresses scraped with a simple script.

As bugs go it could have been worse. No passwords, ID information or credit card data could have been swiped. But it did make the Lifelock people, and their owners Symantec, look very silly indeed.

Dropbox – It’s not a bug, it’s a feature: Cloud storage outfit Dropbox has had a grisly week after a panic that it had pulled a Facebook and shared customer data.

A paper published in the Harvard Business Review by the Northwestern Institute on Complex Systems analyzed the usage patterns of teams that rely on Dropbox to collaborate. A mistake in the paper seemed to suggest that Dropbox user records had been handed over to the researchers to study without being properly anonymized.

Naturally the excrement hit the aircon unit, and people started to ask questions. Dropbox put out a statement saying the data was fully anonymized before being passed to the academics. A lot of people then realized that Dropbox had quite possibly done nothing wrong: it was all in the terms and conditions of their cloud accounts.

In short: check the fine print if you rely on online services, and if you host people’s files on the internet, it’s not a good look to let outside eggheads scrutinize your customers’ behaviors, anonymized or not.

Beware Big Star Labs apps: While we’re on data slurping it appears that a group calling itself Big Star Labs has been pumping out mobile apps and browser extensions that are collecting a lot of user data.

A study by AdGuard Research found that as many as 11 million people may have had their private information slurped by Big Star Labs’ software. The researchers note that, while Big Star Labs claims to collect only anonymized data, it doesn’t appear to be too rigorous about it.

If you want to avoid this code, AdGuard has a full list of stuff built by Big Star Labs.

Microsoft bugs exploited to spread malware: Microsoft Office vulnerabilities were used to distribute the Felixroot backdoor, a strain of malware previously slung against Ukrainian banking customers.

Supposed environmental-protection seminar documents actually came loaded with exploits for two Microsoft Office vulnerabilities, CVE-2017-0199 and CVE-2017-11882, and were geared towards dropping the Felixroot backdoor. Security firm FireEye reports that the same backdoor was used last September in a campaign built around malicious Ukrainian bank documents.

[Figure: Felixroot backdoor attack overview, source: FireEye blog post]

The malware is distributed via Russian-language documents; the latest lures are themed around environmental concerns.

The hackers are going after a pair of fashionable exploitation targets, FireEye concludes.

“CVE-2017-0199 and CVE-2017-11882 are two of the more commonly exploited vulnerabilities that we are currently seeing,” a blog post on the threat from FireEye explained. “Threat actors will increasingly leverage these vulnerabilities in their attacks until they are no longer finding success, so organisations must ensure they are protected.”
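For triage of the kind of lure document described above, here is an added Python example (not FireEye’s code) that scans RTF files for the structural tell-tales these two exploit families leave: CVE-2017-0199 RTF samples embed a linked OLE object that is forced to refresh on open, and CVE-2017-11882 samples embed an Equation Editor 3.0 object. The indicators are heuristic, drawn from public write-ups of those bugs, and the samples are constructed stand-ins carrying only the indicators, not real malware.

```python
"""Heuristic RTF triage for the two Office bugs named above. Added example;
indicators are assumptions drawn from public write-ups, samples are constructed."""
import re

INDICATORS = {
    "CVE-2017-0199": [
        (re.compile(rb"\\objupdate"), r"\objupdate forces the OLE object to refresh on open"),
        (re.compile(rb"\\obj(autlink|link)\b"), "linked (not embedded) OLE object"),
        (re.compile(rb"4f4c45324c696e6b", re.I), "'OLE2Link' moniker inside objdata"),
    ],
    "CVE-2017-11882": [
        (re.compile(rb"\\objclass\s*Equation\.3", re.I), "Equation Editor 3.0 object class"),
        (re.compile(rb"02ce020000000000c000000000000046", re.I),
         "Equation Editor CLSID inside objdata"),
    ],
}

# Constructed stand-ins (not real malware): just enough RTF to carry the indicators.
SAMPLE_0199 = (b"{\\rtf1\\ansi{\\object\\objautlink\\objupdate\\rsltpict"
               b"{\\*\\objdata 0105000002000000090000"
               b"4f4c45324c696e6b000000000000}{\\result{\\pict}}}}")
SAMPLE_11882 = (b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Equation.3}"
                b"{\\*\\objdata 0105000002000000"
                b"02ce020000000000c000000000000046}}}")
BENIGN_RTF = (b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Excel.Sheet.8}"
              b"{\\*\\objdata 0105000002000000}}}")


def is_rtf(data):
    """Word accepts truncated headers such as '{\\rt', so match on that prefix."""
    return data.lstrip().lower().startswith(b"{\\rt")


def triage_rtf(data):
    """Return {cve: [reasons]} for every family with at least one indicator hit;
    an empty dict means nothing matched or the input is not RTF."""
    if not is_rtf(data):
        return {}
    report = {}
    for cve, checks in INDICATORS.items():
        reasons = [why for rx, why in checks if rx.search(data)]
        if reasons:
            report[cve] = reasons
    return report


if __name__ == "__main__":
    for name, blob in (("0199", SAMPLE_0199), ("11882", SAMPLE_11882), ("benign", BENIGN_RTF)):
        print(name, triage_rtf(blob))
```

A single indicator is a reason to detonate the file in a sandbox, not a verdict; the number of reasons per family is there so an analyst can rank a mailbox full of attachments.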

Leafminer in the Levant: Symantec has issued a warning to Middle East computer users that there’s a new hacking squad in town.

The Leafminer crew use a mixture of watering hole websites, vulnerability scans of network services on the internet, and brute-force/dictionary login attempts and it appears they are primarily after emails and database logins.

The researchers found a list of 809 targeted organizations, two thirds of which were in Saudi Arabia, with Lebanon, Israel and Kuwait also targeted. Occam’s Razor would suggest that maybe the Iranian hacking teams have a new subgroup going to work.

Stop paying sextortion scumbags: A couple of weeks ago we covered the story of a Reg reader who had received a sextortion email, claiming to have video of the recipient pleasuring themselves to porn.

Of course, it’s bollocks, but the social engineering was quite clever, using a stolen password to convince the recipient that the threats were real. Now research suggests that quite a few people were suckered by this scam.

An analysis of the Bitcoin wallets used in some of the emails suggests the scumbags have netted at least $250,000 and possibly over a million in cryptocurrency. As someone who has been approached by these scumbags my advice remains the same – tell them where to stick their blackmailing demands. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/07/28/security_roundup/

FBI boss: We went to the moon, why can’t we have crypto backdoors? – and more this week

Roundup There has been a bumper crop of security news this week, including another shipping company getting taken down by ransomware, Russian hackers apparently completely pwning US power grids and a sane request from Senator Wyden (D-OR) for the US government to dump Flash. But there has been other news bubbling under.

Useless action please! While Wyden might know what he’s talking about his colleagues seem set on useless posturing.

On Tuesday Senators Pat Toomey (R-PA) and Chris Van Hollen (D-MD) sent a letter [PDF] to Treasury Secretary Steven Mnuchin asking him to implement financial sanctions against the 12 Russians accused of hacking the servers of the Democratic Party. Given the president’s confused attitude towards Russia they shouldn’t hold their breath.

The two are depressingly vague about what exactly they would like to see done, but we can’t imagine the accused are trembling in their Afoor boots. But it got the senators a bit of publicity, which is probably the point of the exercise.

FBI goes Facepalm on encryption: There had been signs that FBI Director Chris Wray might actually start listening to the technically adept about backdooring encryption. But no, he has come out with another idiotic zinger.

Speaking at the Aspen Security Conference Wray returned to the tired old theme that criminals were “going dark” thanks to encryption and thus the government needs access. Despite it being a mathematical impossibility to introduce a backdoor that no one else can find, Wray was sure there must be a way, as he explained on camera:

“We’re a country that has unbelievable innovation,” he said. “We put a man on the Moon. We have the power of flight. We have autonomous vehicle. The idea that we can’t solve this problem as a society — I just don’t buy it.”

It’s an argument that has been used before, so often in fact that Matt Blaze, professor of Computer and Information Science at the University of Pennsylvania and Tor Project board member, came up with this pithy comeback.

“When I hear ‘if we can put a man on the moon, we can do this’ I’m hearing an analogy almost saying ‘if we can put a man on the moon, surely we can put a man on the sun,'” he said.

Samsung’s Internet of S**t: We’re getting a little tired of the persistent failings in Internet of Things devices and Samsung is the latest manufacturer to be caught with its digital pants down.

Researchers at Cisco’s Talos security team examined the Samsung SmartThings Hub and found a stunning 20 vulnerabilities. Given this device is supposed to act as a central control unit for all the gadgets in the home, potentially controlling security cameras, door locks and climate control, this isn’t good news.

Thankfully Talos are big on responsible disclosure and a firmware fix is now available, so if you have a so-called SmartThings Hub you’d be advised to download it. But it does make you wonder – if a massive manufacturer like Samsung can’t get security right, what are the odds your Kickstarter-funded device has?

Lifelock irony overload: Lifelock likes to describe itself as a guardian of online identities, but the firm showed it can’t even protect its own data.

The company’s website was so poorly designed that any visitor could access any of the email addresses of Lifelock’s 4.5 million customers. The flaw, discovered by freelance security researcher Nathan Reese, could have seen those email addresses scraped with a simple script.

As bugs go it could have been worse. No passwords, ID information or credit card data could have been swiped. But it did make the Lifelock people, and their owners Symantec, look very silly indeed.

Dropbox – It’s not a bug, it’s a feature: Cloud data dumpers Dropbox have had a grisly week of it after a panic about it pulling a Facebook and sharing its customers’ data.

A paper published in the Harvard Business Review by the Northwestern Institute on Complex Systems analyzed the usage patterns of Dropbox customers. A mistake in the paper seemed to say that the user data for the study had been handed over to the researchers without being properly anonymized.

Naturally the excrement hit the aircon unit and people started to panic. Dropbox put out a statement saying the data was fully anonymized before being passed over. But a lot of people came to the realization that Dropbox had done nothing wrong, just that they had signed over a lot of rights to the company in the terms and conditions.

Beware Big Star Labs apps: While we’re on data slurping it appears that a group calling itself Big Star Labs has been pumping out mobile apps and browser extensions that are collecting a lot of user data.

A study by AdGuard Research found that as many as 11 million people might have had their data taken by the software’s operators. They note that, while the firm claims to only take anonymized data, it doesn’t appear to be too rigorous about it.

If you want to avoid this there’s a full list of affected software here.

Microsoft bugs spread malware: Microsoft Office vulnerabilities were used to distribute the Felixroot backdoor, a strain of malware previously slung against Ukrainian banking customers.

Supposed environmental protection seminar documents actually came loaded with exploits targeting Microsoft Office vulnerabilities (CVE-2017-0199 and CVE-2017-11882) and geared towards dropping the Felixroot backdoor. Security firm FireEye reports that the same backdoor was abused last September in a campaign involving malicious Ukrainian bank documents.

Felixroot backdoor attack overview [source: FireEye blog post]

The malware is distributed via Russian-language documents; in the latest campaign the lure is themed around environmental concerns.

The hackers are going after a pair of fashionable exploitation targets, FireEye concludes.

“CVE-2017-0199 and CVE-2017-11882 are two of the more commonly exploited vulnerabilities that we are currently seeing,” a blog post on the threat from FireEye explained. “Threat actors will increasingly leverage these vulnerabilities in their attacks until they are no longer finding success, so organisations must ensure they are protected.”

Leafminer in the Levant: Symantec has issued a warning to Middle East computer users that there’s a new hacking squad in town.

The Leafminer crew use a mixture of watering hole websites, vulnerability scans of internet-facing network services, and brute-force/dictionary login attempts, and it appears they are primarily after email and database logins.

The researchers found a list of 809 targeted organizations, two thirds of which were in Saudi Arabia, with Lebanon, Israel and Kuwait also targeted. Occam’s Razor would suggest that maybe the Iranian hacking teams have a new subgroup that’s going to work.

Stop paying sextortion scumbags: A couple of weeks ago we covered the story of a Reg reader who had received a sextortion email, claiming to have video of the recipient pleasuring themselves to porn.

Of course, it’s bollocks, but the social engineering was quite clever, using a stolen password to convince the recipient that the threats were real. Now research suggests that quite a few people got suckered into this scam.

An analysis of the Bitcoin wallets used in some of the emails suggests the scumbags have netted at least $250,000 and possibly over a million in cryptocurrency. As someone who has been approached by these scumbags my advice remains the same – tell them where to stick their blackmailing demands. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/07/28/security_roundup/

‘Identity Has Become the Perimeter’: Oracle Security SVP

Eric Olden, Oracle’s new leader in security and identity, shares how the enterprise tech giant plans to operate in a cloud-first world.

Oracle, a company with a long and storied history in enterprise identity, now faces the challenge of how to adjust its approach to security amid the transition to the cloud.

Much of this responsibility falls to Eric Olden, the company’s new senior vice president and general manager of security and identity. Oracle’s portfolio comprises, in part, a lineup of identity management and cloud security products that include cloud-based enterprise software and CASB solutions.

Olden, who was previously the founder and CTO of startups including Securant Technologies, Symplified, Deep Content, Launch Sciences, and Brite Content, joined the Oracle team last October. Moving from startups to one of the world’s largest software companies, he says, has given him a new perspective on how large businesses handle cybersecurity in the cloud.

“It’s really come down to complexity,” he says. “With the advent of cloud, we’re making this transition as an industry.”

Whereas businesses used to be able to build their own data centers to protect their information and applications, and put up firewalls for security, the cloud is forcing them to change their approach, he says. Combined with the fact that most people are going mobile, it’s time for defenses to evolve.

“We’ve pushed the notion of a post-perimeter world where the identity has become the perimeter,” Olden says. “It’s something I’ve seen coming for 20-plus years, and now we see it all the time.”  

The actual cloud transition, however, has “been almost overnight,” he adds. It was only a few months ago when customers realized they didn’t want to be left behind and couldn’t delay cloud adoption.

Hackers Set Their Sights on Cloud
Once an organization begins its cloud transition, the volume and velocity of data can quickly overwhelm traditional manual approaches, Olden says. Moving to the cloud isn’t a pilot project, and it’s not something people can constantly watch for security alerts. Businesses are overwhelmed “with a sheer amount of noise,” and the ability to detect threats in the chaos can’t be done by humans alone, he adds.

Amid that struggle, hackers see the opportunity to exploit vulnerabilities with increasingly sophisticated tool sets and new attack techniques, Olden continues.

“We’re past the days of writing a virus,” he says, noting how hackers once just wanted to see whether they could pull off a cyberattack. “Now we’re talking about very organized operations trying to get identity data. [They] want the keys. Identity data is incredibly sensitive.”

Many organizations might feel as if they’re bringing a knife to a gunfight when they go up against advanced adversaries. Rather than feeling exposed and outdone, Olden explains, they should aim to reduce the time needed to detect and remediate threats.

Cloud Adoption and Oracle’s New Approach
How has Oracle adjusted its security strategy in response to the rise of cloud? Olden first points to the way in which customers receive updates for products such as the Oracle Identity Cloud.

“We can push new capabilities and features into the cloud, and all of our customers get access to them immediately … that’s a game changer,” he explains. That’s especially true for a company like Oracle, which for a long time abided by the enterprise software model of annual releases and planned upgrades for clients. The cloud has driven up the level of agility, Olden says.

Oracle is also buckling down on automation and machine learning across its portfolio. Its CASB tool is an example: Once used to monitor activity in the hybrid cloud and detect abnormal behavior, it can now be used in authentication tools to automatically recognize rogue logins. If a CASB identifies suspicious activity, it can trigger multifactor authentication for the device.

By automating multifactor authentication, Olden says, you reduce the time to detect and remediate threats and eliminate passwords, which are “always the weakest link.”
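The adaptive step-up flow described above, written out as an added example (not Oracle’s own code): each login is checked against the user’s baseline of known devices and against the physical plausibility of travel since the previous login, and anything suspicious is routed to MFA rather than blocked outright. The events, coordinates, user names and 900 km/h speed threshold are constructed assumptions.

```python
"""Risk-based step-up authentication: constructed example of a CASB-style
anomaly check feeding an MFA decision (not Oracle's code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from typing import Optional

@dataclass
class LoginEvent:
    user: str
    device_id: str
    lat: float
    lon: float
    when: datetime

@dataclass
class Baseline:
    known_devices: set = field(default_factory=set)
    last_event: Optional[LoginEvent] = None

def haversine_km(lat1, lon1, lat2, lon2):
    # Great-circle distance between two coordinates, in kilometres.
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

def assess(event, baseline, max_kmh=900):
    """Return ('mfa' | 'allow', reasons). Unknown device or implausible
    travel speed since the last login triggers step-up authentication."""
    reasons = []
    if event.device_id not in baseline.known_devices:
        reasons.append("unknown device")
    prev = baseline.last_event
    if prev is not None:
        hours = (event.when - prev.when).total_seconds() / 3600
        km = haversine_km(prev.lat, prev.lon, event.lat, event.lon)
        if km > 0 and (hours <= 0 or km / hours > max_kmh):
            reasons.append("impossible travel")
    return ("mfa" if reasons else "allow"), reasons

def process(events):
    """Run events through per-user baselines. A device is trusted only after
    the login completes (MFA assumed to succeed here), then updates baseline."""
    baselines, decisions = {}, []
    for ev in events:
        b = baselines.setdefault(ev.user, Baseline())
        decision, reasons = assess(ev, b)
        decisions.append((ev.user, decision, reasons))
        b.known_devices.add(ev.device_id)
        b.last_event = ev
    return decisions

T0 = datetime(2018, 7, 27, 9, 0)
SAMPLE_EVENTS = [  # constructed: enrol in San Francisco, then a Moscow login an hour later
    LoginEvent("alice", "laptop-1", 37.77, -122.42, T0),
    LoginEvent("alice", "laptop-1", 37.77, -122.42, T0 + timedelta(hours=2)),
    LoginEvent("alice", "phone-9", 55.75, 37.62, T0 + timedelta(hours=3)),
]
```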

This use case also underlines the need to secure identity in a post-perimeter world, which Oracle lays out in its Trust Fabric security model – its approach to securing enterprise computing in the cloud, and the company’s framework for securing data and apps across its security lineup.

Looking ahead to the rest of 2018, Olden says he plans to push automation deeper across its portfolio and to more deeply integrate Oracle Identity into the Oracle Cloud with new tools.

“With some of the new product introductions, we’ll be talking about more defense-in-depth as we get more of these products reimagined in the cloud era,” he says.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/threat-intelligence/identity-has-become-the-perimeter-oracle-security-svp/d/d-id/1332415?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Imperva Plans to Purchase Prevoty

Deal will bring DevOps security to the enterprise security vendor.

Imperva, a security firm with products for on-premises, cloud, and hybrid deployments, has announced an agreement to acquire Prevoty, a DevOps security vendor. The cash deal, valued at $140 million (subject to adjustments), is expected to close in the third quarter of fiscal 2018.

According to Imperva, Prevoty’s autonomous application protection (AAP) products will combine with Imperva’s application protection, application delivery, and data security products to allow for end-to-end security for organizations and their applications.

In addition, the Prevoty offerings for built-in application security are intended to increase Imperva’s reach into the DevOps market. In a statement announcing the purchase agreement, Imperva noted that the combination of Prevoty products and Imperva insight products like ThreatRadar should provide greater visibility into threats and vulnerabilities across the enterprise.

For more, read here and here.


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/application-security/imperva-plans-to-purchase-prevoty-/d/d-id/1332416?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple