STE WILLIAMS

It took computer scientist Carsten Schuermann just minutes last year to hack into one of the 30 pieces of voting equipment sitting in a cramped room in Caesar’s Palace that housed DEF CON’s maiden Voting Machine Village. He fired up his laptop, quickly spotted a WinVote voting machine on the Wi-Fi network using Wireshark, and then typed in a command that launched a Metasploit exploit.

“And, poof, that was it,” Schuermann says. He was able to access the Windows XP-based voting machine using the Remote Desktop Protocol (RDP), exposing real election and voting data that was still stored in it. The voting machine’s inherent weaknesses made it an easy mark: It ran XP (Service Pack 0), Wi-Fi and RDP were enabled by default, it employed the outdated WEP security protocol, and the majority of WinVote machines he had studied all used the same password: “abcde.” 

“The only changes I did was turn off the machines remotely, and we added new files to the directories,” he says. His exploit used an old buffer overrun flaw in XP, which apparently had not been patched on the voting machine.

Schuermann had been studying security weaknesses in the WinVote machine back at his home office at the IT University of Copenhagen in Denmark. He now has eight decommissioned WinVote machines that were used in previous elections – four from Virginia – that he’s been dissecting and looking for clues of compromise and hacking attempts. He’ll be back in Vegas in August at Black Hat USA, demonstrating just how he hacked the machine at DEF CON, as well as sharing some research findings from the WinVote machines he’s been studying. 

[See Schuermann’s Black Hat USA talk on August 9, Lessons from Virginia – A Comparative Forensic Analysis of WinVote Voting Machines]

“I’m going to bring a machine and show how easy it is to hack … exploiting the same vulnerability” used in last year’s DEF CON contest, he says. Schuermann, an academic expert in election security who has been studying election security for a decade, used a root shell script to control the machine, and says he can change data on the voting machines. The notoriously insecure WinVote machines – which don’t include a paper-trail feature – were replaced in Virginia prior to the 2016 election, but some localities, including some in Pennsylvania, still use them.

“Since these machines all have the same access point they connect to, once you know how to get into that wireless network … and use the ‘abcde’ password, then you have networking access to the machine and can deploy the exploit. Then you’re in,” he says. “The scary thing is you could make this automatic: You could drive by polling stations and make changes on all of the totals in the voting machines.”

Schuermann has been conducting forensic investigations on the disks in the WinVote machines using the so-called Autopsy tool. “I was trying to understand if everything was OK with the machine or was it hacked,” he says.

But because the machine’s XP platform doesn’t provide system logging, there’s no way to track whether someone connected remotely to the machine. “There’s no trail of who accessed it,” Schuermann says. So the only way to spot a potential hack is the data on the disks.

So far, Schuermann has found traces of MP3 files on the disks of one of the WinVote machines, including a Chinese music file, he says. It appears the machine was used to record songs from CDs and play MP3s.

“But there’s no evidence real hacking happened” on the machines so far, he says, and no signs of election-meddling in vote counts. 

Even so, Schuermann says hacking one of the machines would have been fairly simple. “If anyone really knows what they are doing, they could hack those machines in a minute. And once you’ve hacked one, you know [how] to hack [others],” he says.

The biggest risk overall, he says, is citizens losing trust in an election and the voting systems if hackers are able to break into them and alter or change results. “Now, with the Russia investigation and election interference, people are becoming more aware that this is not only possible but also likely someday. That’s the scary part,” he says. 

His message for the US midterm elections: “How important [a] paper [trail] is,” he says.  

Related Content:

• DEF CON Rocks the Vote with Live Machine Hacking
• Voting System Hacks Prompt Push for Paper-Based Voting
• White House Cybersecurity Strategy at a Crossroads
• Congressional Report Cites States Most Vulnerable to Election Hacking

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise … View Full Bio

Article source: https://www.darkreading.com/iot/the-abcs-of-hacking-a-voting-machine/d/d-id/1332386?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

The global cybersecurity market is currently valued at over $120 billion, up from just $3.5 billion in 2004, and the dollar amount of cybersecurity venture capital investment has grown 12 times in response. Over the past decade, the number of cybersecurity vendors has grown 23 times, an overabundance on the supply side that has complicated the marketplace and spooked less-committed, more-traditional investors. With competition high and differentiation low, backing new ventures presents much greater risk. Startups are finding it difficult to stand out. CISOs can be overwhelmed by the flood of new options.

Now the good news: Today’s market dislocations present openings for those with foresight. More noise in the market doesn’t change the fact that the signal (i.e., the number of opportunities on an annual basis) is still the same or growing. Increased competition historically has pushed markets to improve, and there’s no reason to believe the current case is any different. Security teams that understand the market and openly communicate and align their efforts with the right partners can capitalize on the resulting growth. But first they have to understand the changing landscape.

Cybersecurity Increasingly Specialized
Much of the recent discussion surrounding cybersecurity, both optimistic and pessimistic, speaks about the industry in monolithic terms. This is reminiscent of how people spoke about the Internet 20 years ago. The reality now, as then, is far more complex. Stakeholders who simply focus on cybersecurity are likely not focused enough.

Cybersecurity has fragmented into a fractal of hypertechnical specialties and subspecialties. From a high level, each offshoot might blend indistinguishably into the overall landscape. But a deeper perspective reveals highly differentiated underlying patterns. Developing deep industry expertise and granular technical knowledge is the only way to evaluate opportunities at their appropriate depth and is the crucial first step to successfully filtering the signal from the noise.

Solving a Problem Is No Longer Enough
For better or worse, cybersecurity is a game of cat and mouse. According to Momentum Cyber, the number of threat types has gone from fewer than 50 to more than 1 million since 2007. And Cybersecurity Ventures predicts cybercrime damages will cost the world $6 trillion annually by 2021, up from $3 trillion in 2015. There is no shortage of problems desperately in need of solving.

The recent flurry of cybersecurity vendors has largely sought to combat this explosion of threats in a piecemeal, reactive way. However, such an approach is unsustainable, and a sea change is brewing. CISOs are feeling overwhelmed by the onslaught of “me-too” vendors and are seeking to simplify. According to research by Cisco, companies currently have up to 70 different security vendors installed and 62% are actively consolidating their security stack as a result.

For vendors, simply solving a problem is no longer enough. Unless a new technology either helps CISOs solve an unaddressed or imminent, high-priority problem or better utilize and operationalize their existing security stack, it won’t even register on their radar. Meeting either of these criteria requires both a workable technical solution and a viable market opportunity. Validating an idea or product along both of these dimensions requires extensive due diligence, technical expertise, and active engagement with customers.

CISOs Getting a Say in Product Development
There are a lot of things reportedly keeping CISOs up at night. But few articles on this topic are actually written by CISOs themselves. Instead of simply guessing what CISOs want, investors and vendors should incorporate customer feedback throughout product ideation and development cycles.

Cultivating and tapping a network of knowledgeable customers produces a powerful, virtuous cycle. Entrepreneurs and investors receive feedback that will both improve their product and maximize its chances of success. And CISOs, by virtue of participating, get access to a pre-vetted and decluttered sampling of promising vendors tackling relevant problems. Being a part of the product development process also allows CISOs to give voice to specific concerns other startups might have missed or that larger vendors have not properly addressed. Even high-profile CISOs have proven surprisingly willing to volunteer their time and expertise, illustrating the potential for innovative approaches to produce mutually beneficial relationships that improve the overall cybersecurity ecosystem.

High-Conviction, Value-Add Investment Is the New Standard
Cybersecurity is a complex, dynamic, and crowded market. Even the strongest products and brightest teams will need strategic, operational support until they gain their own momentum. Luckily, much of the expertise and skills that drive the investment process can be easily redirected toward amplifying the early efforts of founding teams. Whether it means fostering industry relationships to help guide business development, committing intelligence capabilities to analyze competition, or offering technical knowledge to facilitate product growth, investors should dedicate all resources possible to helping their portfolio teams succeed.

For their part, entrepreneurs should seek out partners capable of providing extensive, ongoing value-add support services and actively facilitating connections daily to potential customers. For example, our firm’s network advisory board, comprised of corporate CISOs, meets prospective cybersecurity startups almost every day.

Cybersecurity is an industry still brimming with potential. However, capitalizing on that potential requires deep knowledge and high conviction. The current, crowded marketplace presents new pitfalls for less-sophisticated players. But those committed and careful enough to sidestep these challenges can reap outsize rewards. Investors, startups, and CISOs who appreciate the industry’s complexity, anticipate the market’s needs, and prioritize strategic collaboration will be poised to win big in the rapidly changing cybersecurity landscape.

Related Content:

• 20 Cybersecurity Vendors Getting Venture Capital Love
• Why Security Startups Fly – And Why They Crash
• The Startup Challenge: Safe in the Cloud from Day One
• 6 Ways Greed Has a Negative Effect on Cybersecurity

Learn from the industry’s most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Register before July 27 and save $700! Click for more info. 

Ofer Schreiber is a partner, at YL Ventures, which invests early in cybersecurity, cloud computing, big data, and software-as-a-service software companies, and accelerates their evolution via strategic advice and Silicon Valley-based operational execution. Ofer Schreiber has … View Full Bio

Article source: https://www.darkreading.com/threat-intelligence/the-good-and-bad-news-about-todays-cybersecurity-investment-landscape/a/d-id/1332361?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

As of July 24, websites that aren’t encrypted will stand out for Chrome browser users with a “Not Secure” label in the address bar. The good news is that use of the unsecured HTTP protocol has diminished by more than 20 percentage points, according to Google, since it announced its intention to call out vulnerable sites more than two years ago.

In its blog post announcing the change, Google restated its desire to see the Web as an environment of 100% encrypted communications. Users of the latest version of Chrome (68) will see a new “not secure” notification when visiting HTTP pages. For the October release of Chrome (70), the company intends to call out unencrypted sites in bright red letters 

Google also pointed out that it offers encryption at no additional cost for website owners through Let’s Encrypt, a free and open certificate authority.

Read here, here, and here for more.

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/application-security/google-calls-out-insecure-sites-in-new-chrome-version/d/d-id/1332385?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Google is ramping up its security offerings with a wave of cloud and hardware announcements at the Next 2018 conference, taking place this week in San Francisco.

These updates arrive four months after Google rolled out cloud-based data and security controls. They tackle areas of security that officials report as top-of-mind for users: access management, platform security, data protection, and transparency.

“We want to give them a lot of visibility and transparency into operations – what we’re doing, how we’re doing it,” said Rob Sadowski, trust and security marketing lead at Google Cloud, during a virtual press conference about the security updates. 

Many of the updates focus on enabling more secure and convenient access. It’s a priority as more devices enter the workplace, says Google product management director Jess Leroy. Users expect seamless access to corporate resources, and network and security administrators need to maintain a certain security standard while maintaining that ease of access.

“You have different types of users connecting from all different types of places, with all different types of devices,” Leroy explains. “The ecosystem has changed pretty dramatically.”

Secure Access 
Traditional access management tools “often put security at odds with flexibility” by enforcing one-size-fits-all controls that limit users, says Jennifer Lin, product management director at Google Cloud, in a blog post about today’s announcements.

Google is addressing the problem with “context-aware access,” which will let businesses enforce granular access to Google Cloud Platform (GCP) APIs, resources, G Suite, and third-party SaaS apps based on a person’s identity, location, and context of the request. A managed device, for example, might have access to resources other devices don’t, Leroy says.

Context-aware security capabilities are available for certain customers using VPC Service Controls. They’re coming soon for customers using Cloud and Identity Access Management (IAM), Cloud Identity-Aware Proxy (IAP), and Cloud Identity.

Another component to secure access is the Titan Security Key, a FIDO security key built with a secure element to verify its integrity. It’s a phishing-resistant second factor of authentication for high-value users such as Google Cloud admins. Thirty percent of enterprise users open phishing emails, Leroy said, and 12% of them click on the malicious payload.

Google’s customers typically use the Titan key for high-value users or content – for example, administrators or root users for whom compromise would cause much greater damage. The Titan Security Key is available now for Google Cloud customers and will soon be available for anyone to purchase on the Google Store.

Secure Infrastructure
Other updates announced today are intended to strengthen the underlying cloud infrastructure, Leroy explains. One of these is Shielded VMs, which use advanced platform security to verify that no one has tampered with virtual machines. Admins can monitor changes to the VM baseline and its current runtime state. Shielded VMs are available now in beta.

Binary authorization, arriving soon in beta, lets users require signature validation when deploying container images. “It’s making sure the containers you expect to go to your production environment are always the containers that go to your production environment,” Leroy explains. It can be combined with Container Registry Vulnerability Scanning, which ensures images are safe and prevents deploying any containing vulnerable packages.

Data Protection
On the data security front, Google is rolling out Cloud HSM, a hardware security module hosted in the cloud. Cloud HSM lets users host encryption keys and perform cryptographic operations to protect sensitive workloads without worrying about managing an HSM cluster.

“The problem with HSMs is they are extremely onerous to manage,” Leroy said. “Once you’ve deployed, you have to manage them, you have to patch them, provide the right uptime and clustering and scalability … typically this is not a small investment from a time and money perspective.” Cloud HSM is Google’s way of addressing these problems, he notes.

The Cloud HSM service is integrated with the Cloud Key Management Service (KMS), Lin explains, so it’s easy to create and use keys that are generated and protected in hardware. Cloud HSM can also be used with customer-managed encryption keys (CMEK) integrated services, including Google Compute Engine, Google Cloud Storage, BigQuery, and DataProc.

Related Content:

• Securing Our Interconnected Infrastructure
• New Free Chrome Plug-in Blocks Cryptojacking Browser Attacks
• 72% of CEOs Steal Corporate IP from Former Employers
• 7 Ways to Better Secure Electronic Health Records

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial … View Full Bio

Article source: https://www.darkreading.com/cloud/google-security-updates-include-titan-hardware-key/d/d-id/1332389?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Leafminer, a threat actor that appears to be operating out of Iran, is conducting a wide-ranging cyber espionage campaign against organizations in the Middle East using a mix of publicly available tools and custom malware.

While the group’s technical capabilities are average at best in comparison to other advanced persistent threat (APT) actors, its goals seem far more ambitious, according to Symantec, which has been studying the group.

The security vendor’s analysis of Leafminer’s activities shows the group has run targeted vulnerability scans against as many as 809 organizations across multiple industries in Saudi Arabia, United Arab Emirates, Egypt, Kuwait, Israel, and other countries in the Middle East.

The group’s major focus areas appear to be organizations in the financial, government, and petrochemical sectors, with half of its targest in those industries. Other targets include shipping and transportation, food services, utilities, and construction. Leafminer mostly has gone after email data, files, and database servers.

“[Leafminer’s] ambitious goal of targeting at least 800 different organizations across the Middle East is what sets them apart,” from other threat actors, says Vikram Thakur, technical director at Symantec. Most APT campaigns are typically focused on a far smaller set of entities with shared geopolitical interests.  

“As a group, Leafminer highlights the need for organizations to better protect their public-facing network infrastructure against known vulnerabilities and attack tools,” he says. Thakur estimates that Leafminer has conducted targeted attacks against dozens of organizations from the list of over 800 organizations against which it has run vulnerability scans.

Leafminer is the latest example of the increased cyber activity from Iran in recent years. Earlier this year, security vendor FireEye’s Mandiant unit reported a major surge in nation-state sponsored threat activity in the country in 2017. The vendor described Iran as the next China based on the extent of state-backed threat activity in the country last year.

Just this week, Palo Alto Networks issued a report on the OilRig Group, a previously known threat actor that is also based in Iran. Researchers spotted multiple attacks by OilRig between May and June 2018 directed at a technology services provider and a government organization. The attacks delivered a backdoor designed to help the threat actors steal data from the targeted victims.

Leafminer Living Off the Land

At a high-level, Leafminer’s tactics, techniques and procedures (TTP) are somewhat similar to the so-called “living-off-the land” approach that many threat actors have begun adopting, Symantec said. In addition to custom tools, the threat actor has shown a proclivity for using tools and techniques that are publicly available or have been used by others.

For instance, one of the tools that Leafminer has been using for collecting credentials is a rebranded version of the well-known Mimikatz post-exploitation tool. The method the attackers have adopted to deploy Mimikatz on compromised systems similarly is a technique known as Process Doppelganging that security vendor enSilo demonstrated at Black Hat Europe last year.

Leafminer has also taken advantage of the NSA’s Fuzzbunch toolkit that the Shadow Brokers group leaked last year, to develop exploit payload for delivering custom malware targeted at vulnerabilities in Windows SMB server, Symantec said.

Leafminer’s malware toolkit includes at least two custom malware products — a backdoor called Sorgu for enabling remote access to a compromised system and Imecab, a Trojan for establishing a persistent access account on an infected system.

The hacking team has been mainly using three techniques to gain initial access to a targeted network: watering hole attacks via compromised Web servers; scans for vulnerabilities in network services; and dictionary attacks against network service logins. In keeping with the group’s habit of borrowing techniques and tactics used by others, the approach that Leafminer has been using in its watering hole attacks are similar to that employed by the Dragonfly APT group, according to Symantec.

The tactics employed by threat groups like Leafminer highlight the need for organizations to pay attention not just to new and emerging threats but to previously known ones as well.

“Enterprises should take note of the fact that a foreign adversary is relying primarily on existing vulnerabilities and publicly available tools to target hundreds of organizations in multiple verticals, with a degree of success,” Thakur says.

In many cases, organizations can mitigate most of their exposure to such threats simply by applying known security practices, such as keeping systems updated and properly patched where possible, Thakur says.

Related Content:

• Stealing Data By ‘Living Off The Land’
• Iran ‘the New China’ as a Pervasive Nation-State Hacking Threat
• From Bullets to Clicks: The Evolution of the Cyber Arms Race
• 7 Key Stats that Size Up the Cybercrime Deluge

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year … View Full Bio

Article source: https://www.darkreading.com/attacks-breaches/iranian-hacker-group-waging-widespread-espionage-campaign-in-middle-east/d/d-id/1332388?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple