STE WILLIAMS

Five Common Cloud Configuration Mistakes

It’s a joint responsibility to keep data safe in the cloud. Here’s what cloud customers must do to keep their end of the bargain.

There’s no doubt that the cloud can improve certain aspects of security. After all, clouds have enormous economies of scale that provide customers with dedicated security teams and technologies that aren’t feasible for the vast majority of organizations. That’s the good news. The bad news happens when customers don’t properly configure and secure their own workloads and buckets in a cloud environment.

Consider the recent Capital One data breach, where a hacker exploited a misconfigured cloud firewall to gain access to data on 100 million card customers and applicants in one of the largest breaches in history. There are thousands of potential cloud misconfiguration mistakes such as the one that felled Capital One. But, as with many things, most misconfiguration errors can be classified into a handful of distinct categories. Here are five of the most common areas where cloud misconfiguration attacks happen.

Mistake 1: Storage Access

When it comes to storage buckets, many cloud users think that “authenticated users” covers only those who are already authenticated within their organization or the relevant application. This is, unfortunately, not the case. “Authenticated users” refers to anyone with Amazon Web Services (AWS) authentication, which is effectively any AWS customer. Because of this misunderstanding, and the resulting misconfiguration of the control settings, storage objects can end up fully exposed to public access. Be especially careful when setting storage object access to ensure that only those within your organization who need access have it.

Mistake 2: “Secrets” Management

This configuration mistake can be especially damaging to an organization. It’s critical to ensure that secrets such as passwords, API keys, admin credentials and encryption keys are secured. I’ve seen them openly available in badly configured cloud buckets, compromised servers, open GitHub repositories, and even in HTML code. It’s the equivalent of leaving the key to your home’s deadbolt taped to the front door.

The solution is to maintain an inventory of all secrets that you use in the cloud, and regularly check to see how each is secured. Otherwise, malicious actors could easily access all your data. Worse, they can take control of your cloud resources to do irreparable damage. Equally important is the use of a secrets management system. Services such as AWS Secrets Manager, AWS Parameter Store, Azure Key Vault, and HashiCorp Vault are some examples of robust and scalable secrets management tools.
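The inventory step above is easiest to keep honest with a scanner that looks for secret-shaped strings in the places the article lists (bucket contents, repositories, HTML). The following Python script is an added example, not code from the article or from Edgewise. The AWS access key ID shape (`AKIA` plus 16 uppercase alphanumerics) is the documented format; the other patterns are heuristics chosen for this example, and every sample input, file name and key-like value is constructed.

```python
import re
from typing import Dict, List, Tuple

# (source, pattern name, 1-based line number) for each hit
Hit = Tuple[str, str, int]

# Patterns for common secret shapes. The AWS access key ID format is documented
# by AWS; the private-key header and the assigned-credential heuristic are
# choices made for this example, not a vendor's rule set.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # key = "value" / key: 'value' where the key name suggests a credential and
    # the value is at least 8 characters; the (?i) flag makes it case-insensitive
    "assigned_credential": re.compile(
        r"(?i)(?:password|passwd|pwd|secret_?access_?key|secret|api[_-]?key)"
        r"\s*[:=]\s*['\"]?([^'\"\s]{8,})"
    ),
}


def find_secrets(text: str, source: str) -> List[Hit]:
    """Return one hit per (line, pattern) match in the given text."""
    hits: List[Hit] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                hits.append((source, name, lineno))
    return hits


def scan_sources(sources: Dict[str, str]) -> List[Hit]:
    """Scan a mapping of source name -> text content, preserving source order."""
    out: List[Hit] = []
    for src, text in sources.items():
        out.extend(find_secrets(text, src))
    return out


# Constructed sample inputs standing in for a page served from a public bucket,
# a config file checked into a repository, a key file, and a benign README.
# None of the values are real credentials.
SAMPLE_SOURCES = {
    "public-bucket/index.html": (
        "<html><body>\n"
        "<script>\n"
        "  var uploader = new Uploader({\n"
        "    accessKeyId: 'AKIAEXAMPLE0EXAMPLE0',\n"
        "    secretAccessKey: 'madeUpSecretValueForTheExample',\n"
        "  });\n"
        "</script>\n"
        "</body></html>\n"
    ),
    "repo/config.ini": (
        "[database]\n"
        "host = db.internal.example\n"
        "user = app\n"
        'password = "hunter2hunter2hunter2"\n'
    ),
    "repo/deploy.pem": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "(key body omitted in this constructed sample)\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    # A mention of the word "password" without an assigned value should not fire.
    "repo/README.md": "Set PASSWORD via the environment, never in this file.\n",
}


if __name__ == "__main__":
    for source, name, lineno in scan_sources(SAMPLE_SOURCES):
        # Report the location only; never echo the matched value into logs.
        print(f"{source}:{lineno}: possible {name}")
```

Each hit is reported by location only, so the scanner's own output does not become another place where a secret is written down. Once a hit is confirmed, the value should be moved into one of the secrets managers named above and rotated, since a key that has ever been committed or served publicly should be treated as exposed.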

Mistake 3: Disabled Logging and Monitoring

It’s surprising how many organizations don’t enable, configure, or even review the logs and telemetry data that public clouds provide, which in many cases can be extremely sophisticated. Someone on your enterprise cloud team should have the responsibility for regularly reviewing this data and flagging security-related events.

This advice isn’t limited to infrastructure-as-a-service public clouds. Storage-as-a-service vendors often provide similar information, which again, needs to be regularly reviewed. An update bulletin or maintenance alert could have serious security implications for your organization, but it won’t do you any good if no one is paying attention.

Mistake 4: Overly Permissive Access to Hosts, Containers and Virtual Machines

Would you directly connect a physical or virtual server in your data center to the Internet without a filter or firewall to protect it? Of course not. But people do almost exactly that in the cloud all the time. A few examples we’ve recently seen include:

  • Etcd (port 2379) for Kubernetes clusters exposed to the public Internet
  • Legacy ports and protocols such as FTP enabled on cloud hosts
  • Legacy ports and protocols such as rsh, rexec, and telnet in physical servers that have been virtualized and migrated to the cloud.

Make sure you secure important ports and disable — or at the very least lock down — older, insecure protocols in the cloud, just as you would in your on-premises data center.

Mistake 5: Lack of Validation

This final cloud mistake is a meta-issue: We often see organizations fail to create and implement systems to identify misconfigurations as they occur. Whether it’s an internal resource or an outside auditor, someone must be responsible for regularly verifying that services and permissions are properly configured and applied. Set a schedule to ensure this occurs like clockwork, because as the environment changes, mistakes are inevitable. You’ll also need to establish a rigorous process to periodically audit cloud configurations. Otherwise, you risk leaving a security flaw in place that malicious actors can exploit.
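The scheduled validation described under Mistake 5 is the natural place to catch Mistake 1 (bucket ACLs granting access to the AWS-wide AuthenticatedUsers or AllUsers groups) and Mistake 4 (security group rules that open etcd or legacy ports to the whole Internet). The Python audit below is an added example, not code from the article or from Edgewise. It runs offline over a constructed snapshot whose dictionaries follow the shape that boto3's `get_bucket_acl` (`Grants` / `Grantee` / `Permission`) and `describe_security_groups` (`IpPermissions` with `IpProtocol`, `FromPort`, `ToPort`, `IpRanges`, `Ipv6Ranges`) return; the bucket names, group IDs and owner ID are placeholders, and the list of risky ports is a starting point for this example rather than a complete policy.

```python
from typing import List, Tuple

# (resource type, resource id, human-readable detail)
Finding = Tuple[str, str, str]

# S3 ACL group URIs that grant access outside your own account. "AuthenticatedUsers"
# means any AWS principal anywhere, not just users in your organization.
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}

# Services named in the article; extend to suit your own baseline.
RISKY_PORTS = {21: "ftp", 23: "telnet", 512: "rexec", 513: "rlogin", 514: "rsh", 2379: "etcd"}

ANYWHERE = {"0.0.0.0/0", "::/0"}


def acl_findings(bucket: str, acl: dict) -> List[Finding]:
    """Flag grants to the AllUsers or AuthenticatedUsers groups in a bucket ACL."""
    out: List[Finding] = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            label = PUBLIC_ACL_GROUPS[grantee["URI"]]
            out.append(("s3", bucket, f"{label} granted {grant.get('Permission')}"))
    return out


def world_open_ranges(rule: dict) -> List[str]:
    """Return the CIDRs in a rule that mean 'the entire Internet', v4 or v6."""
    cidrs = [r.get("CidrIp") for r in rule.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in ANYWHERE]


def sg_findings(group_id: str, ip_permissions: List[dict]) -> List[Finding]:
    """Flag inbound rules that expose all traffic, or a risky port, to the Internet."""
    out: List[Finding] = []
    for rule in ip_permissions:
        open_to = world_open_ranges(rule)
        if not open_to:
            continue
        proto = rule.get("IpProtocol")
        if proto == "-1":  # AWS encodes "all protocols, all ports" as -1
            out.append(("ec2", group_id, f"all traffic open to {', '.join(open_to)}"))
            continue
        lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
        exposed = [f"{name}({port})" for port, name in sorted(RISKY_PORTS.items()) if lo <= port <= hi]
        if exposed:
            out.append(("ec2", group_id,
                        f"{proto} {lo}-{hi} exposes {', '.join(exposed)} to {', '.join(open_to)}"))
    return out


def audit(snapshot: dict) -> List[Finding]:
    """Run every check over a snapshot of bucket ACLs and security group rules."""
    findings: List[Finding] = []
    for bucket, acl in snapshot["buckets"].items():
        findings.extend(acl_findings(bucket, acl))
    for group_id, perms in snapshot["security_groups"].items():
        findings.extend(sg_findings(group_id, perms))
    return findings


# Constructed snapshot: one bucket readable by every AWS account, one private bucket,
# a Kubernetes control-plane group with etcd open to the world, and a lifted-and-shifted
# server group with FTP/telnet-era ports open. IDs are placeholders.
OWNER = {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}
SNAPSHOT = {
    "buckets": {
        "logs-archive": {"Grants": [
            {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
            {"Grantee": {"Type": "Group",
                         "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
             "Permission": "READ"},
        ]},
        "app-assets": {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]},
    },
    "security_groups": {
        "sg-k8s-control": [
            {"IpProtocol": "tcp", "FromPort": 2379, "ToPort": 2379,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        ],
        "sg-lifted-server": [
            {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 25,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
}

if __name__ == "__main__":
    for kind, resource, detail in audit(SNAPSHOT):
        print(f"[{kind}] {resource}: {detail}")
```

In a real run the snapshot would be built from the cloud APIs on the schedule the article recommends, and the findings fed to whoever owns review; keeping the checks as pure functions over plain dictionaries is what lets them be unit-tested against known-bad fixtures like the one above, so that the validator itself is validated.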

The cloud has the potential to be a secure place for data and workloads, but only if cloud customers live up to their side of its dual responsibility model. By keeping these common mistakes in mind and setting up a system to catch them as quickly as they happen, you can be sure that your digital assets in the cloud will be safe.


Peter Smith, Edgewise Founder and CEO, is a serial entrepreneur who built and deployed Harvard University’s first NAC system before it became a security category. Peter brings a security practitioner’s perspective to Edgewise with more than ten years of expertise as an …

Article source: https://www.darkreading.com/cloud/five-common-cloud-configuration-mistakes/a/d-id/1335768?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Snowden Sued by US Government Over His New Book

Civil suit argues the former CIA employee and NSA contractor violated his nondisclosure agreements with the two intel agencies.

A week after Edward Snowden’s newly published memoir, Permanent Record, hit the bookshelves, the former NSA contractor and CIA employee today has been named in a civil suit filed by the US government for failing to submit the manuscript to the intelligence agencies prior to publication.

The lawsuit argues that Snowden violated the nondisclosure agreements he had signed with both the CIA and NSA, and alleges that he has given public speeches on US intelligence subjects that also violate the agreements. The US government’s lawsuit stops short of halting the publication or distribution of Snowden’s book, however. It’s about ensuring he doesn’t profit from breaking his nondisclosure agreements.

“Edward Snowden has violated an obligation he undertook to the United States when he signed agreements as part of his employment by the CIA and as an NSA contractor,” said Assistant Attorney General Jody Hunt of the Department of Justice Civil Division. “This lawsuit demonstrates that the Department of Justice does not tolerate these breaches of the public’s trust. We will not permit individuals to enrich themselves, at the expense of the United States, without complying with their pre-publication review obligations.”

Snowden still faces criminal charges for disclosing classified information and for his downloading and leaking classified NSA surveillance program information in June 2013. He has been in Russia since fleeing the US for asylum six years ago.



Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/analytics/snowden-sued-by-us-government-over-his-new-book/d/d-id/1335827?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Teen music hacker arrested in UK for stealing bands’ unreleased music

A 19-year-old UK man has been arrested for allegedly stealing unreleased songs from world-famous musicians’ websites and cloud-based accounts and selling the music for cryptocurrency, authorities in London and New York announced on Friday.

The City of London Police’s Intellectual Property Crime Unit (PIPCU) searched two properties that an investigation had suggested were involved: one in North London, and one in Ipswich, where they arrested the alleged hacker on suspicion of copyright and computer misuse act offenses.

The Manhattan District Attorney’s Office launched the investigation after getting complaints from the managers of ripped-off victims. The DA’s office identified one of the suspects, whom it concluded was living in the UK, and reached out to London police with the information.

Detective Inspector Nick Court, from PIPCU, said that the suspected hackers stole the music and sold it on illegal streaming sites worldwide, ripping a hole in victims’ livelihoods:

This sort of crime causes significant financial loss to those who work so incredibly hard to produce, write and make music for their fans to enjoy.

Due to UK privacy laws, the name of the detained suspect wasn’t released. Nor were the names of the musicians who were preyed on.

Therefore, we don’t know if the suspect(s), if they turn out to be guilty of stealing music, are in fact the one(s) who did this to Radiohead in June.

As you might recall, Radiohead responded to the theft of 18 hours of unheard music by politely declining the extortionist’s offer to pay $150,000 for it. Instead, in one of those fist-pumping, in-your-FACE! moves that we occasionally see, the band instead released the music on Bandcamp, with all proceeds going to the climate advocacy group Extinction Rebellion.

Just one week after that, the forces of extortionist scumbaggery had the rug pulled out from them yet again when American actress Bella Thorne did pretty much the same thing, with ripped-off nude images. Her approach: Oh, so you’re threatening to publish nude pics you hacked out of my accounts? Too late – I did it myself.

But for all (two, at least) of the thunder-stealing stories, there must be countless artists who just suffer through the loss of income when hackers steal their creative work or their images, without any sweet smell of revenge.

So for their sake, let’s hope that this bust leads to justice served. Or, in the pun-ificent words of Manhattan District Attorney Cyrus Vance Jr.:

As one of the world’s leading creative capitals, New York City is dedicated to protecting artists’ intellectual property and ensuring that those who steal it face the music.

When we hear that artists’ cloud accounts have been ripped off, Celebgate comes to mind.

You’ll recall that starting in 2015 and coming in waves up until 2017, celebrities were getting mugged left and right for their intimate photos. It doesn’t matter whether the content is nude images or unreleased music: plenty of content that we store in the cloud is worth something to somebody, and that means we need to protect it from the crooks’ well-known but quite effective tricks.

According to the FBI, the original Celebgate thefts were carried out by a ring of attackers who launched phishing and password-reset scams on celebrities’ iCloud and email accounts.

One of them, Edward Majerczyk, got to his victims by sending messages doctored to look like security notices from ISPs. Another Celebgate convict, Ryan Collins, chose to make his phishing messages look like they came from Apple or Google.

These guys’ pawing was persistent: the IP address of one of the Celebgate suspects, Emilio Herrera, was allegedly used to access about 572 unique iCloud accounts. The IP address went after some of those accounts numerous times: in total, somebody using it allegedly tried to access 572 iCloud accounts 3,263 times. Somebody at that IP address also allegedly tried to reset 1,987 unique iCloud account passwords approximately 4,980 times.

Some of the suspects used a password breaker tool to crack the account: a tool that doesn’t require special tech skills to use. In fact, anybody can purchase one of them online and use it to download a victim’s iCloud account if they know his or her login credentials.

To get those credentials, crooks break into a target’s iCloud account by phishing, be it by email, text message or iMessage.

All of which points to how scams that seem as old as the hills – like phishing – are still very much a viable threat.

Anybody who owns an email account, and a body they don’t want to see parading around the internet without their permission, and/or unreleased music that they don’t want scooped out from under them, should be on the lookout, though telling the difference between legitimate and illegitimate messages can be tough.

What to do-be-do-be-do

Here are some ways to keep your private images, and your music, from winding up in the thieves’ sweaty palms:

  • Don’t click on links in emails and thus get your login credentials phished away. If you really think your ISP, for example, might be trying to contact you, instead of clicking on the email link, get in touch by typing in the URL for its website and contacting it via a phone number or email you find there.
  • Use strong passwords.
  • Lock down privacy settings on social media (here’s how to do it on Facebook, for example).
  • Don’t friend people you haven’t met on Facebook, and don’t share photos with people you don’t know and trust. For that matter, be careful of those who you consider your “friends”. One example of creeps posing as friends can be found on the creepshot sharing site Anon-IB, where users have posted images they say they took from Instagram feeds of “a friend”.
  • Use multifactor authentication (MFA) whenever possible. MFA means you need a one-time login code, as well as your username and password, every time you log in. That’s one more thing the scumbags need to figure out every time they try to phish you.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/AZwjoKbVLpA/

US Treasury targets North Korean hacking groups

A decade ago, Naked Security ran a story on reports that North Korea (DPRK) had set up a cyberwarfare unit whose objective was to hack the networks of its enemies.

Then viewed as an esoteric side issue, these early stories now look like a quaint underestimation of a country today regularly accused of hacking almost anything accessible via the internet.

Look no further than an announcement last week by the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) for evidence of how dramatically things have changed.

On the basis of Executive Order 13722, which dates from 2015, OFAC has decided to formally sanction three hacking entities – the Lazarus Group and its offshoots Bluenoroff and Andariel – which are allegedly proxies acting on behalf of the DPRK’s Reconnaissance General Bureau (RGB).

The accusations underpinning the action are already well known:

  • The global WannaCry ransomware attack from 2017 (Lazarus).
  • Successful cyberheists against banks in Bangladesh, India, Mexico, Pakistan, Philippines, South Korea, Taiwan, Turkey, Chile, and Vietnam, the most infamous of which resulted in an $80 million loss (Bluenoroff).
  • Numerous attacks on foreign governments and businesses as well as raids on the ATM networks of banks (Andariel).

The motivation? According to OFAC, to steal and extort money to help fund the DPRK’s military and nuclear ambitions and to bypass economic sanctions.

The evidence? Lots of malware samples and botnets attributed to the DPRK, research submitted by cybersecurity companies, and presumably less public information gathered by US and other intelligence services.

Public enemy

Given the volume of accusations levelled against North Korea, an obvious question is what effect imposing formal sanctions can hope to have.

Reading between the lines of the announcement, it’s likely that the hope is to deter any intermediaries tempted to work with these groups:

Persons that engage in certain transactions with the entities designated today may themselves be exposed to designation [sanctions].

Followed by a more menacing threat:

Furthermore, any foreign financial institution that knowingly facilitates a significant transaction or provides significant financial services for any of the entities designated today could be subject to U.S. correspondent account or payable-through sanctions.

That is, having their money or assets confiscated – or at least making it difficult to move them around.

The US has already named one alleged DPRK programmer it says was connected to the WannaCry attacks, Park Jin Hyok.

That follows a similar policy of naming and shaming hackers allegedly working on behalf of the Chinese and Russian Governments.

The logic is simple: if attacks succeed by preying on human failings, as phishing does, the same principle applies to the publicity-shy perpetrators too.

The difference in the case of the DPRK hacking groups is that the US hasn’t named any new individuals associated with them, although that may follow in time.

The warning seems clear: hackers might not care about what the US says, but they should care about what the justice system might do should they visit countries where they’re at risk of arrest.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/8GcM-gDnzJI/

Former hacker warns against password reuse

Kyle Milliken is back from jail, and he has some advice for you.

The 30-year-old hacker from Arkansas, according to his blog, at age 17 began phishing celebrity Myspace accounts and using them to send internet marketing spam. After earning $5,000 per week, he evolved to hack millions of email, forum, and social media accounts. Some of his largest thefts included Disqus (17.5 million), Kickstarter (5.2 million) and Imgur (1.7 million). He also claims to have hit Twitter and Pinterest among many others.

Milliken used lists of login credentials to target accounts automatically, relying on the fact that many people reuse passwords across multiple online services. When he obtained access to an account, he could use it to send spam messages to all that account’s contacts.

He accessed account credentials in numerous ways, including hijacking Yahoo session cookies so that he could spam from users’ accounts, and, in the case of Disqus, by compromising a site developer’s GitHub account and getting at access credentials to its online database.

By the end of his run, he had 168 million login credentials and had earned around $1.4 million. He cooperated with the FBI, gave up a black hat colleague, and received a 17-month prison term in a federal work camp.

Milliken’s own poor security was what undid him. He hacked his targets via a hosted server that he rented under an alias, and always accessed it via a VPN to protect his IP. When he hacked Disqus, he forgot to use the VPN, and in 2014 the FBI caught him.

He was released last week and told ZDNet in an interview that the thing that helped him most was password reuse. He said:

The reuse of login credentials in my opinion is the greatest security flaw that we have today.

The advice for users of online services remains the same. First, use a password manager that automatically generates and stores strong passwords for each account you create. Second, where possible, turn on multi-factor authentication (MFA) for the sites you visit. This could involve SMS verification or, more secure still, a mobile app like Google Authenticator. Milliken told ZDNet that he “despised” this security measure, adding:

I honestly think that the big three email providers (Microsoft, Yahoo, Google) added this feature because of me. I was logging into millions of email accounts and really causing havoc with my contact mail spamming.

Why is Milliken giving this advice in interviews now? He claims to be rehabilitated and wants to start a career as a white hat hacker:

He also apologised to former Kickstarter VP of data, Fred Benenson, who had lamented the Kickstarter hack on Twitter:

Milliken won’t be the first former black hat to seek employment in the cybersecurity field. Other criminal hackers turned white hats include Hector Monsegur (Sabu), co-founder of the LulzSec hacking group, who co-operated with the FBI after his arrest and now works for Rhino Security Labs.

Another LulzSec co-founder, Mustafa Al-Bassam, went on to work for payments and cybersecurity company Secure Trading and is now a PhD student at UCL. Michael Calce, aka Mafiaboy, teamed up with HP to make a cybersecurity documentary after getting out of jail, while Kevin Mitnick, arrested in 1995 after a long hacking career, is now “chief hacking officer” at KnowBe4.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/oanr10aGwhI/

Robocalls now flooding US phones with 200m calls per day

This is unlikely to surprise anybody who owns a phone: according to a new report, nearly 30% of all US calls placed in the first half of this year were garbage, as in, nuisance, scam or fraud calls. That puts the approximate volume of sludge coming into people’s phones at a mind-boggling 200 million unwanted calls per day.

The TNS 2019 Robocall Investigation Report comes from Transaction Network Services (TNS), which markets a big-data analytics engine that aims to suppress unwanted calls to consumers by applying machine learning, as well as an authentication hub to help carriers combat illegal spoofing and to help consumers fend off robocalls.

TNS’s analysis crunched approximately one billion daily calls, placed via hundreds of carriers. TNS defines “high-risk” robocalls – i.e., scam/fraudulent calls – as those that try to shake down targets for personal information and/or money. It defines “nuisance” robocalls as those that are, well, just nuisances that lack malicious intent and that don’t reflect negligent non-compliance.

“Nuisance” calls aren’t always defined to exclude scams, but we can look to the UK for what strikes me as an example of TNS’s definition…

A few years back, Home Logic, a UK firm that offers energy-saving solutions, was made £50,000 lighter thanks to a penalty issued by the Information Commissioner’s Office (ICO) for making marketing calls to people who had made it clear – via the free Telephone Preference Service (TPS) – that they didn’t want to be contacted in that way.

It was a tech glitch, Home Logic said at the time. What happened was that it licensed the numbers it used to make marketing calls from third-party providers. It then uploaded that data to an electronic dialer system that screened the numbers against the TPS register. One of the third-party providers left it up to Home Logic UK to ensure that the data supplied was screened against the TPS.

Technical issues knocked the system out for 90 days out of 220 between April 2015 and March 2016. That didn’t slow down Home Logic, though: the unsolicited marketing calls kept right on coming, but with no screening against the TPS register.

The rate of this type of non-malicious nuisance call is rising faster than the malicious type that tries to scam you, TNS found.

Here’s that plus more key findings from the report:

Nuisance calls are increasing at a faster rate than high-risk calls. Nuisance calls increased 38% from the third quarter of 2018 to the second quarter of 2019, while high-risk calls grew only 28% over that period.

Robocall hijacking of mobile numbers has more than doubled. “Hijacking” a number is TNS’s term for what we more frequently refer to as illegal spoofing of a caller ID. A year ago, the Federal Communications Commission (FCC) slapped (or proposed) some huge fines on robocallers for using spoofed numbers, one of which represented the first major enforcement action against a company that allegedly “commandeered” consumers’ phone numbers.

TNS reports that 1 in 1,700 mobile numbers are now being commandeered by robocall spoofers every month, which is more than double last year’s rate of 1 in 4,000 mobile numbers. As a result, TNS says, 2.5% of people whose phone numbers have been hijacked have disconnected their phone number.

When it proposed its fines last year, the FCC pointed to one of those people: a poor soul whose phone number was hijacked in order to plague people. The Arizona woman said she received more than five calls a day on her cell phone, all coming from irate people complaining about the telemarketing calls they got from “her” phone number. In fact, the calls were coming from Affordable Enterprises, whose shtick was to sic its robots on unsuspecting people in order to telemarket home improvement and remodeling services.

TNS noted that in one extreme case, the company witnessed a spoofer that used a legitimate mobile number to place over 36,000 calls in a three-day period.

TNS notes that the faster growth rate of nuisance calls, as opposed to high-risk calls, may have to do with the fact that, due to regulatory action from the FCC, carriers have begun to block illegal calls.

Robocallers may shift focus to smaller, regional carrier networks. TNS reports that the top six US carriers represent 70% of total calls for the time period it analyzed, but only 12% of high-risk calls were placed from numbers owned by these carriers.

Robocallers are shifting from spoofing VoIP numbers to toll-free numbers. TNS found that the share of Voice over IP (VoIP) number spoofing dropped, but that the percentage of calls originating from toll-free numbers more than doubled from 12% last year to 25% in the first half of the year. That means that more than 8 in 10 calls from the top 10 toll-free numbers are either nuisance or high-risk calls – what TNS calls “a challenge to leading brands whose legitimate numbers are being spoofed in an attempt to trick consumers.”

Neighbor spoofing and “snowshoe spamming” are growing more sophisticated. Neighbor spoofing – that’s when robocallers display a phone number similar to your own on your caller ID, to increase the likelihood that you’ll pick up – now accounts for 25% of all bad calls. We learned about a particularly pernicious form of this a few months ago: hospitals are being suffocated by robocalls, with spam callers spoofing phone numbers to place calls to hospitals that look for all the world like the calls were placed internally.

Hospitals are also suffering from vishing attacks from voice phishers: spearphishers who pose as employees at government agencies and demand to speak to a specific, named physician as they try to finagle confidential information out of the doctors, such as medical license numbers and Drug Enforcement Agency (DEA) numbers – information with which fraudsters can illegally procure drugs to then sell on the black market.

The new twist noted by TNS: “snowshoe spamming.” That’s when spammers spoof calls over several telephone numbers in low volume, and then rapidly churn through them to evade detection.


Bill Versen, chief product officer at TNS, said in a press release about the report that while the top six US carriers – AT&T, CenturyLink, Comcast, Sprint, T-Mobile and Verizon – are getting better at identifying these calls, the focus now has to shift to the same place that the perpetrators are now targeting: smaller networks.

The report suggests the need for diligence as the battlefront may shift to smaller regional and rural carriers.

Legislative update

In May 2019, the US Senate passed an anti-robocalling bill. That bill, the TRACED Act, would have created an interagency task force to address robocalls and extend the FCC’s statute of limitations for going after the fraudsters.

In July, the House passed its own version, the Stopping Bad Robocalls Act (HR 946). Sen. Ed Markey said at the time that both the House and Senate bills would be headed to conference and combined into one piece of legislation for the president’s consideration and possible signature.

If President Trump does sign it into law, the House bill would make it easier for the government to impose tougher penalties on illegal robocallers and demand that carriers deploy call authentication protocols such as SHAKEN/STIR at a faster pace.

But as the carriers have pointed out, SHAKEN/STIR isn’t a robocalling panacea. It’s expensive, for one thing. Nor does it signify which calls are illegal or not. Plus, with so many of these calls coming from overseas, the universal adoption needed to make SHAKEN/STIR really work is hard to imagine.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/UDmV3nOCTag/

How much pass could LastPass pass if LastPass passed last pass? Login-leaking security hole fixed

LastPass has fixed a security bug that potentially allowed malicious websites to obtain the username and passphrase inserted by the password manager on the previously visited site.

In other words, if you visited website A, and LastPass automatically injected a username and password for you to log in, and then you surfed to website B, the latter could access the password issued to website A. Netizens are advised to update LastPass to version 4.33.0 or later, which squashes this bug.

Google Project Zero flaw-finder Tavis Ormandy discovered and privately reported the programming blunder, which is technically a clickjacking vulnerability, and went public with the details on Sunday night.

“To exploit this bug, a series of actions would need to be taken by a LastPass user including filling a password with the LastPass icon, then visiting a compromised or malicious site and finally being tricked into clicking on the page several times,” LastPass explained just before the weekend.

“This exploit may result in the last site credentials filled by LastPass to be exposed.”

According to Ormandy, a malicious page would be able to exploit the flaw, and steal login information for the previous site, by creating popup windows and accessing cached credentials.

“I noticed that you can create a popup without calling do_popupregister() by iframing popupfilltab.html (i.e. via moz-extension, ms-browser-extension, chrome-extension, etc). It’s a valid web_accessible_resource,” Ormandy explained in his now-public bug report.

“Because do_popupregister() is never called, ftd_get_frameparenturl() just uses the last cached value in g_popup_url_by_tabid for the current tab. That means via some clickjacking, you can leak the credentials for the previous site logged in for the current tab.”

In practice, an attacker would be able to lure users to malicious pages that would be able to abuse the bug to harvest credentials in some cases. There are no public reports of this actually happening, however, as Ormandy privately tipped off LastPass, which got a patch out before the flaw was publicly disclosed.

Again, users and admins are advised to make sure they have updated to the latest version of LastPass (4.33.0 or later) to make sure the vulnerability is patched. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/09/16/lastpass_vulnerability/

US Turning Up the Heat on North Korea’s Cyber Threat Operations

Sanctions on North Korean nation-state hacking groups came amid reports of fresh malicious campaigns directed at US entities from the isolated nation.

The US government’s move last Friday to slap sanctions on three North Korean cyber threat groups is being viewed by some security experts as a necessary but likely futile attempt to slow down state-sponsored hacking activity in that country.

The sanctions came amid reports of fresh threat activity targeted at US interests from North Korea. The US DHS and the FBI warned of new malware activity related to Hidden Cobra, a DDoS botnet previously linked to North Korea’s intelligence apparatus. In another report, security vendor Prevailion said it had observed a recent expansion of a North Korean threat campaign dubbed ‘Autumn Aperture’ directed at US organizations in multiple industries.

The US Department of the Treasury announced the sanctions against North Korea’s Lazarus Group and two of its sub-groups, Bluenoroff and Andarie. All three are accused of working for the Reconnaissance General Bureau (RGB), North Korea’s primary intelligence agency, to support the country’s missile and weapons programs.

Lazarus Group is best known for its involvement in the WannaCry 2.0 attacks of December 2017 and the crippling breach at Sony in 2014. Security researchers believe Bluenoroff was established to earn money for the cash-strapped, sanctions-hit North Korean government. The group has been linked to attacks on banks in Bangladesh, India, South Korea, Mexico and several other countries, and is believed to have stolen tens of millions of dollars in these cyber heists. Andarie’s mission is thought to be similar, though this group’s attacks have focused on bankcard theft and ATM hacking.

In a statement announcing the sanctions, the Treasury Department described the three threat groups as being directly controlled by the North Korean government and being used to perpetuate the country’s broader nuclear and military goals. The sanctions prohibit all dealings by US individuals and business with the three threat groups and any entities believed associated with them in a meaningful way. It also puts strictures on any properties or business deals the groups or their associates might have in the US.

The big question is whether the sanctions will have any deterrent impact considering the targeted groups are not based in the US nor are likely to have any meaningful assets or interests that can be seized here.

“Sanctions are, arguably, ineffective and laughable,” says Chris Roberts, chief security strategist at Attivo Networks.

US sanctions on North Korea over its nuclear program, in place for more than 25 years, have had little direct effect, and it is unlikely the new ones against the three threat groups will do much to deter them, he says. Their business is breaking the law, so merely telling them to stop will do little to change things on the ground, Roberts notes. “Their tools, technologies and systems are in place, and anything they need they can readily get from the rest of the world with little difficulty.”

John Hultquist, director of intelligence at FireEye, says over the past several years North Korea’s cyber espionage apparatus has evolved into a significant state-run criminal enterprise. “North Korea has continuously improved their capability, especially with regards to their financially-motivated schemes, which often involve innovative tools and techniques,” he says.

It’s hard to judge the effectiveness of sanctions and indictments, two of the tools the US has used to try to alter the behavior of threat actors in other countries as well, including China, Russia, and Iran. Some, like China and Iran, have notably changed their behavior in the past, he notes. “But internal restructuring, or a warming relationship with the US may have caused the changes, rather than [sanctions],” he says.

Autumn Aperture Campaign

Meanwhile, Prevailion last week said it had observed a spike in activity related to Autumn Aperture, a cyber-espionage campaign targeting US organizations. The security vendor has linked the campaign with a moderate level of certainty to a North Korean advanced persistent threat group called Kimsuky or Smoke Screen.

Prevailion said its researchers have recently observed the threat actors behind the Autumn Aperture campaign using documents discussing North Korean nuclear deterrence and its nuclear submarine program as lures in malware-laden emails.

The documents that are being used are all legitimate documents written by industry experts. What the threat actors are doing is appending their malware to the documents and sending them out as attachments to targeted recipients—sometimes using obscure file formats such as Kodak FlashPix to evade detection.

Danny Adamitis, director of intelligence analysis at Prevailion, says that in the latest campaign the threat actors have added functionality to check for the presence of various anti-virus products before downloading the secondary payload. “Prevailion assesses that the threat actor is a persistent threat that will continue to pose a threat to US-based think tanks and their partners, particularly those involved in national security based upon historical targeting trends,” Adamitis says.

The DHS and FBI last week also released alerts on malware activity tied to North Korea. The two agencies reported on an IP tunneling tool called ELECTRICFISH and a Trojan dubbed BADCALL that they described as being linked to the North Korean Hidden Cobra botnet.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/us-turning-up-the-heat-on-north-koreas-cyber-threat-operations/d/d-id/1335819?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Oracle Expands Cloud Security Services at OpenWorld 2019

The company broadens its portfolio with new services developed to centralize and automate cloud security.

Oracle today announced new cloud security services at its annual OpenWorld conference, held this week in San Francisco. The latest additions to its portfolio are intended to eliminate some of the complexity in configuring cloud security and automate certain cloud security processes.

New services include Oracle Data Safe, Oracle Cloud Guard, and Oracle Maximum Security Zones. Oracle’s focus on security isn’t new, but it’s now investing in helping simplify cloud security for organizations that have begun to move infrastructure and applications to the cloud.

“There’s still a fair amount of confusion there,” says Fred Kost, vice president of product marketing for security at Oracle. As cloud misconfigurations and data leaks continue to make headlines, companies worry about moving their most sensitive information to the cloud. Despite growing confidence in the security of cloud computing, those that have moved some processes into cloud environments hesitate to move the most business-critical apps and data.

“We’re trying to make that part less risky, easier for the customer,” Kost notes. While many are aware of the shared responsibility model, they’re unsure what, exactly, they have to configure.

Oracle Data Safe is a “control center” intended to automate database security and give admins greater visibility into issues related to data, users, or configuration. Admins can use it to monitor database activity, find sensitive data, or mask databases. Data Safe is designed to protect Oracle Database cloud services, including the Autonomous Database released two years ago. “It’s a little different in that it’s focused on all of our cloud databases,” says Kost, who adds that Data Safe is geared toward protecting data while automating security in a cloud environment.

Data Safe is available now on Oracle Cloud and included with all Oracle Database cloud services.

Cloud Guard is focused on threat detection. This service continuously collects data from every part of the infrastructure and application stack, including Data Safe, Oracle OS Management Service, audit logs, and third-party tools. The idea is to analyze data and detect threats without human oversight. “Organizations want that visibility and consistency of what’s happening in their infrastructure,” Kost adds. If it detects suspicious behavior, Cloud Guard can automatically shut down a malicious instance and revoke user permissions.

Maximum Security Zones are enclaves within a business environment in which admins can lock down resources to known security configurations, automatically prevent configuration changes, and continuously monitor for and block malicious activity. Security is mandatory and always on, which reduces risk for organizations worried about misconfiguration.

Both Cloud Guard and Maximum Security Zones will be generally available early next year, Kost says.

“We are seeing enterprises make too many configuration errors when setting up their cloud services. This is putting their business at risk needlessly,” said Ovum research director Maxine Holt in a statement. “By allowing for pre-set templated configuration of their cloud services, enterprises will be better protected knowing that the right security services are not only turned on, but more closely aligned to their business needs and policies.”

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/cloud/oracle-expands-cloud-security-services-at-openworld-2019/d/d-id/1335817?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Australia didn’t blame China for parliament hack in case it upset trade relations – report

Australian snoops concluded that China was to blame for a series of hacks on its parliament and leading political parties – but kept it quiet for fear of angering the Middle Kingdom, according to reports.

The February cyber-attack saw Aussie MPs told to reset their passwords, with officials publicly insisting that no data had been accessed, while giving noticeably few details about what had happened and why.

Yet, according to the Reuters newswire, the culprit was the Chinese state.

Two of the five talkative people spoken to by the newswire said that the Australian Department of Foreign Affairs ordered secrecy over the findings of an official investigation into the parliamentary hack “in order to avoid disrupting trade relations with Beijing”.

China’s Foreign Ministry told Reuters that Australia needed to meet it “halfway, and do more to benefit mutual trust and co-operation” while issuing a Russian-style denial that referred to “creating rumors and smearing others, pinning labels on people indiscriminately”.

The Pacific continent-country counts China as its largest trading partner, absorbing around a third of China’s total exports every year.

As well as targeting the federal parliament, the hackers also broke into the systems of the two ruling coalition parties, the Liberals and the Nationals, and the opposition Labor party. Documents viewed by the Chinese reportedly included emails between staffers and policy papers on tax and foreign affairs.

Britain reportedly sent a team of investigators to Canberra to help the Aussies.

In tech trade terms, Australia has a rocky relationship with China. Flagship firm Huawei and its sister Chinese firm ZTE were both blocked last year from the country’s 5G rollout, on the grounds that they were “likely to be subject to extrajudicial directions from a foreign government”.

Diplomatically, Australia treads the fine line between confronting Chinese expansionism and encouraging trade relations, regularly sailing warships through international waters in the South China Sea that China claims as its own territory. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/09/16/australia_china_parliament_hack_report/