STE WILLIAMS

Time to limber up in the battle against cybercriminals

Sponsored: Ask anyone in IT what it is that keeps them awake at night and most will probably reply “security”. Drill down into what specifically worries them and you’ll probably discover that it’s not the technology part but, rather, how to get the workforce to take security more seriously.

Proofpoint’s recently published State of The Phish report reveals that 90 per cent of organisations experienced some sort of phishing attack in 2019, with 88 per cent the target of spear phishing attacks and 86 per cent dealing with business email compromise (BEC) attacks.

The latest Phishing Activity Trends Report from the Anti-Phishing Working Group showed 162,155 phishing sites detected in Q4, a 17 per cent rise year on year.

There’s been a corresponding change in the nature of the attacks, too. Attacks today are for monetary gain: the APWG report found criminals demanded gift cards in 52 per cent of BEC attacks, along with payroll diversion (16 per cent) and direct bank transfers (22 per cent). How much are we talking? BEC cost businesses $1.7bn in 2019 in the US alone, according to the latest Internet Crime report by the FBI.

People problem

Back to the opening point. You can attempt to head all this off using software and you can filter out phishing emails and attempt to stop users going to malicious websites, but for all that it still only takes one email to get through and for one person to click on that email for your business to be compromised. A third of users who open simulated phishing emails are apt to interact with them, thereby exposing your data, applications and network according to Proofpoint.

What’s the answer? A system of multi-layered defence that encompasses technology, process and people. Adopting these in isolation won’t reduce your chances of successful attack by cybercriminals. Adenike Cosgrove, Proofpoint cybersecurity strategist, says given the vast landscape to police and the fact security pros are already stretched, you must create a culture of security that makes everybody responsible for tackling phishing. “To give the recommendation to a security team to look at everything, is almost impossible,” she says. “That’s why we say you need to look at your attack surface from a people-centric point of view and figure out who cybercriminals would target in your business and why.”

Building this culture requires training and that training should make employees understand the threats they face and how to avoid falling victim. It should also focus on those who hold the crucial information the scammers are likely to want – known as Very Attacked People (VAPs).

Who are VAPs? Individuals within the C-Suite yes, but not exclusively: Proofpoint discovered workers outside of this elect band can also be targeted if they have responsibilities that give them access to sensitive documents, key data and systems or other resources designated desirable. VAPs therefore must be prioritised for training, with additional attention given to checking their accounts for potential compromise, but they are not the only ones you should train.

Back to school

The training you embark upon must break existing habits and teach a set of new skills to be effective. Such training, therefore, needs to be a comprehensive, regular and interactive process; it cannot be conducted using “passive” methods, like sending out emails and documents on policy.

It must also be applied to all employees not just VAPs – only to differing degrees. Cosgrove says: “Cybersecurity best practices need to be applied daily to make a difference. Employees cannot learn how to do that if cybersecurity education is discussed just once a year.”

The problem training must address is that employees do not consider themselves responsible for detecting and avoiding phishing. Also, as the State of The Phish report shows, they are often ignorant of the types of threats: just 61 per cent correctly identified a phishing attack, while only half that number could correctly identify ransomware. The best way to get people to understand the threats is to show them what the threats look like, and to train them using phishing simulation campaigns that are tailored to their user profile.

“You can’t change behaviour if you don’t know what the risk is,” Cosgrove says. “Security professionals are doing a great job of blocking nefarious emails from reaching users, but they are not making users aware of what is targeting them.”

This is where something like Proofpoint’s Security Awareness Training can help. It includes an Anti-Phishing Training Suite that combines customisable simulations, interactive training modules and business intelligence tools, and allows you to “attack” your own employees with threats based on real phishing emails. You can test three types of lures – malicious links, dangerous attachments and requests for sensitive data. The point here is you are in control of training: you have the flexibility to explore the effectiveness of – and employees’ susceptibility to – different lures and types of attack.

Of course, staff may respond differently and Proofpoint recommends adopting a mix of assessment and training. This might involve delivering a brief message with some tips at the conclusion of an exercise when a user might feel embarrassed, scared or even irritated or angry by a test, followed by a formal assignment a little later when they might be more receptive. Another approach is to use on-demand, computer-based training as this allows staff to engage when perhaps they feel more comfortable and prepared.

The advice is to make this all part of a well-supported program. “If I’m a major target for credential phishing, and I take a course on credential phishing and I don’t pass the test, then I’m going to keep receiving the training,” Cosgrove says. “However, that’s also supplemented with scenario-based training so that I can try to train my brain to understand the threats and can change my behaviour.”

This model lets you move beyond that standard, passive approach of sharing a policy via email or documents with an engagement-based methodology that features a feedback loop. It is the best way for staff to break past habits and to foster the development of the new cybersecurity skills you need.

How effective is this approach? Royal Bank of Scotland (RBS) had experienced a steady increase in attacks and malware entering its systems, so it elected to train staff using Proofpoint for regular, ongoing phishing assessments using email templates that emulated actual phishing lures. As a result, RBS has reduced its overall susceptibility to phishing by more than 78 per cent: in the first two months of engagement, click rates fell from 47 per cent to 22 per cent, and they now hover at around seven to nine per cent.

There are, of course, some hurdles in the way of getting the kind of training you need to create the new culture of security. Building the culture isn’t purely an internal thing and you must consider those outside of the business. Most organisations work with an array of external agencies, contractors and suppliers who may have access to your data and systems. Such people can be especially vulnerable to BEC attacks from attackers posing as your employees. They should, therefore, also be included in any training and cyber awareness program.

Finally, you need buy-in from the fabled C-suite – a powerful group of individuals who can sanction the training and also help reinforce it by driving home the need for vigilance among staff. A tried and tested technique to get your C-suite on board is to show them the effect a cyber-attack can have on the bottom line and talk about risk exposure.

Culture can be a difficult thing to quantify in general but when it comes to cybersecurity in the modern enterprise, a collectively shared sense of responsibility is the only way to succeed. The foundations of that culture are people and turning them into assets in the war against cyber criminals rather than – at best – neutral observers and – at worst – victims takes robust and practical training.

Sponsored by Proofpoint.

Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/03/05/security_against_cybercriminals/

If Tesco was prodded and probed by hackers, your data could be being flogged for just £2.70 – research

Data stolen from Tesco clubcards could be resold for just £2.70 a pop, reckons a price-comparison website that appears to have strayed into the dark web.

Earlier this week Tesco revealed that data from 600,000 Clubcards, its loyalty programme, had potentially been accessed by miscreants in what sounds like a credential stuffing exercise. Citing “fraudulent activity”, the supermarket said it would be issuing new cards to all members of its scheme.

Clubcard holders were being urged yesterday to change their passwords and login details on other sites using the same combination of username or email address and password.

“Our internal systems picked this up quickly and we immediately took steps to protect our customers and restrict access to their accounts. At no point was any customer’s financial data accessed,” Tesco said.

Now price comparison site Money Guru reckons that any data stolen from Clubcard holders could be being traded by online criminals for as little as £2.70.

Citing its own research into “several Dark Web marketplaces”, Money Guru claimed the average Briton’s entire online identity could be bought for “less than £750”.

Strangely enough, one’s eBay account was said to be worth £9.70 on average: Clubcard data, while revealing, doesn’t include the ability to make actual purchases. The site’s researchers also reckoned they could buy British Airways loyalty programme data – presumably the hundreds of thousands of people’s data, including card details, stolen from the airline in 2018 – for all of £4.90 a go.

Deborah Vickers, channel director at Money Guru, said in a canned statement: “Our research into personal data and how much it’s actually worth on the black market is shocking to say the least. For less than £750 criminals can access not only your bank details, but online shopping, social media and email information too. This just goes to show how vital it is to protect your data where possible to avoid facing costly consequences.”

The standard advice remains to use a password manager to generate hard-to-guess passwords that you don’t have to memorise, and to make sure you change your login details on anything that’s potentially been hacked. As someone once said, every little helps. ®

Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/03/04/tesco_clubcard_600k_new_cards/

Alleged Vault 7 leaker trial finale: Want to know the CIA’s password for its top-secret hacking tools? 123ABCdef

Analysis: The fate of the man accused of leaking top-secret CIA hacking tools – software that gave the American spy agency access to targets’ phones and computers across the world – is now in the hands of a jury. And, friend, do they have their work cut out for them.

Joshua Schulte stands accused of stealing the highly valuable materials directly from the CIA’s innermost sanctum and slipping them to WikiLeaks to share with the rest of the planet. Federal prosecutors have spent the past four weeks explaining exactly why they believe that to be the case. And Uncle Sam’s lawyers have developed a compelling case to send Schulte away for virtually the rest of his life.

But Schulte’s lawyer, Sabrina Shroff, has picked away at that seemingly watertight case, and pointed out, countless times, that the evidence against her client is dangerously thin. Schulte is the fall guy, she argues; the victim of an agency that decided he was responsible, and then used its extraordinary analytical focus to nail him regardless of his innocence.

The CIA may have wished the trial never happened, because, in the course of events, the picture of what actually happens in the darkest corners of what may be the most powerful institution on Earth is not one of the highest caliber of professionals working in their nation’s best interests. Instead, the leak of the world’s most dangerous hacking tools, code-named Vault 7, may have stemmed from a rubber-band fight that got out of hand.

We reported earlier that Schulte’s lawyer started her defense of him by stressing how much of an asshole he is. Just as incredibly, she closed her argument for his innocence in the same way: “I told you that Mr Schulte was a difficult man. He was a difficult employee, and I told you that there was no doubt about that. I told you that the evidence would show that, and that’s what the government showed you. For four weeks, that’s what they showed you.”

Vindictive

She’s not lying. Schulte came across as an impossible, arrogant, and vindictive co-worker. When he ended up in a dispute with another employee, Amol, Schulte lodged a formal complaint saying Amol had threatened to kill him, knowing that would put Amol in a very difficult position. It did, though a CIA probe concluded Amol hadn’t done any such thing. But such was the value of these two difficult but brilliant men to the agency that they kept them both, simply moving them to different departments and floors.

Employee after employee, all the way up to Schulte’s boss’s boss’s boss, testified Josh was a royal pain in the ASCII. But let’s let his own lawyer Shroff tell you in literally her closing words: “They proved to you that, yes, you can properly call him Voldemort or Vault Asshole or Asshole or Jason Bourne or John Galt. They have given you evidence of all of that. But one thing that you cannot call him, after four full weeks, because the evidence isn’t there, you cannot call him guilty. Please acquit.”

Those names, incidentally, were chosen by Schulte himself for various aliases he used. One that Shroff didn’t mention but the government’s lawyer did was also telling: King Josh.

“Josh Schulte is no patriot. Far from it. He’s vengeful and he’s full of rage, and he’s committed crimes that have been devastating to our national security,” prosecutor Matthew Laroche told the federal district court, in New York City, in his closing arguments [PDF]. “King Josh. That’s what the defendant thinks of himself. Well, King Josh got caught. And all of his lies, all of his deceptions have come crashing down in this case.”

To be fair, it wasn’t King Josh, it was “KingJosh3000” – one of many names he used in his job as a CIA sysadmin. The handle KingJosh3000 proved critical in the case because it was the one username the government found that, allegedly, connected Schulte to the theft of the hacking tools. He had, according to the prosecution, carefully and methodically deleted all the logs that showed his removal of gigabytes of data from the CIA’s server. But KingJosh3000’s session was missed from the data wipe, and it was that ID that he used to access a backdoor into the system after he had been officially booted off, we were told.

Sysadmin and out

The fact Schulte had been actively blocked and had his admin rights revoked on several servers was used by both the prosecution and defense as evidence of their arguments. The prosecution noted Schulte had previously been kicked off systems as an admin and in response, both out of spite and in order to demonstrate his superiority, he found his way back in and set up new accounts.

Schulte was formally warned that in the aftermath of Edward Snowden’s disclosures, this type of behavior was viewed extremely poorly, and he was made to sign a statement apologizing and promising not to do it again. But in that very same interview, his superior told the court, Schulte made it plain that he could, and would, do it again.

That behavior painted a big red target on Schulte’s back: one that led the CIA to believe it was definitely him who stole the files when they were publicly distributed one year later by WikiLeaks, long after he had left the agency. But his defense argued that same red target caused the CIA and FBI to decide he was the guilty party and then build a case around proving it, rather than looking at all the evidence and figuring out who the real culprit was.

All this raises a question, though: just how bad is the CIA’s security that it wasn’t able to keep Schulte out, even accounting for the fact that he is a hacking and computer specialist? And the answer is: absolutely terrible.

The password for the Confluence virtual machine that held all the hacking tools that were stolen and leaked? That’ll be 123ABCdef. And the root login for the main DevLAN server? mysweetsummer.

It actually gets worse than that. Those passwords were shared by the entire team and posted on the group’s intranet. IRC chats published during the trial even revealed team members talking about how terrible their infosec practices were, and joked that CIA internal security would go nuts if they knew. Their justification? The intranet was restricted to members of the Operational Support Branch (OSB): the elite programming unit that makes the CIA’s hacking tools.

Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/03/05/cia_leak_trial/

Most Cyberattacks in 2019 Were Waged Without Malware

If the “malware-free” attack trajectory continues, it could mean major trouble for defenders, according to experts from CrowdStrike and other security companies.

A modern spin on the old-school hacker-behind-the-keyboard attack exceeded malware-borne ones worldwide last year, new incident report data from CrowdStrike shows.

Seasoned cybercriminals and nation-state attackers for some time now have been upping their game with new methods to mask their activities from security tools by blending in and posing as real users in the targeted organization’s network – using stolen credentials and running legitimate tools to dig through victim systems and data, for instance. And for the first time in CrowdStrike’s research and incident response engagement reporting, so-called “malware-free” attacks edged ahead of malware-based ones, at 51% to 49% in 2019. In 2018 and 2017, malware accounted for around 60% of all attacks globally, and malware-free attacks around 40%, according to CrowdStrike’s data.

A malware-free attack in CrowdStrike’s parlance is one where the method used to gain entry into a victim organization doesn’t write a malicious file or file fragment to a computer disk. In addition to using stolen credentials or legitimate tools, this type of attack can also execute code from memory, and can only be detected with higher-level tools and techniques that spot unusual behavior, or via threat hunting.

Like the bad old days of hacking, much of the attack is driven by “hands-on keyboard” methods like the command line interface, PowerShell, and hiding files and directories, according to CrowdStrike. “These techniques feature prominently in many sophisticated attacks, where a human adversary is engaged in the intrusion and is actively working toward an objective,” according to the report.

Security experts worry that if attackers double down on malware-free attacks, security tools – and ultimately, targeted organizations – will be overwhelmed and unable to thwart them.

Michael Sentonas, CTO of CrowdStrike, says these malware-free attacks have gradually increased as attackers have found ways to bypass traditional security tools. But the attackers aren’t stopping at commodity antivirus software. “Now they’re starting to bypass next-generation AV products as well. That’s driving a big escalation in malware-free attacks,” he says. “If that hits 60% and above, it’s going to be a big problem.”

The problem is that most organizations don’t have the technology to discern between a legitimate user or an attacker who has stolen his or her credentials, Sentonas notes. “I want to track over the next 12 months the malware-free piece to see if that’s a real interesting [longer term] trend there,” he says.

Rapid7 also has seen attackers forgo malware when infiltrating their targets. “They are using valid credentials or reusing credentials from other breaches. That’s hard [to defend against],” says Tod Beardsley, director of research at Rapid7. “It’s not something you can easily automate defense on.”

To help combat these threats, he says, organizations need to empower end users to be part of a security culture. “You have to build trust between IT security and the user base. In that vein you are building a culture of vigilance,” he says, where if you see something that looks suspicious, there’s a clear step on what to do about it, whether confirming it out-of-band or reporting it to the right people.

Most malware-free attacks last year occurred in North America, where three-fourths of attacks didn’t deploy malware to get inside the victim organization, according to CrowdStrike. “It will be interesting as we go through this year: Will malware-free attacks continue to rise, and will that correlate in dwell time [of attackers]?” says Sentonas. “If we see that as a two- to four-year trend, we have a problem. There are more and more ways to evade security controls.”

That requires a defense that accounts for the human element. “Now more attackers are human,” says Chester Wisniewski, a principal research scientist with security vendor Sophos. “That’s why setting tripwires” to detect legitimate tools being used for nefarious purposes is key, he says. For example, if the Nmap network monitoring tool is spotted running on a Web server in the DMZ, that should be a red flag, he says. “No one should be running it … in the server in the DMZ,” he says.

If a legitimate security tool is running at a time other than when it should be used, that constitutes an incident, he says. “You’re not the only one using these tools,” he says, noting that the bad guys are as well.
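The tripwire Wisniewski describes, a legitimate tool appearing on a host role or at a time of day where it has no business running, can be written as a small policy check over process-creation events. The Go program below is an added example, not code from the article or from any vendor's product; the event fields, host roles, maintenance windows and sample events are all constructed assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// ProcessEvent is a constructed process-creation record of the kind an EDR
// or Sysmon-style sensor emits; the field names are assumptions for this example.
type ProcessEvent struct {
	Host     string
	HostRole string // e.g. "dmz-web", "admin-jumpbox"
	Image    string // executable name as logged
	Hour     int    // local hour of day, 0-23
	User     string
}

// toolPolicy says where and when a dual-use tool is expected to run.
// Anything outside the policy is a tripwire hit, per the article's advice.
type toolPolicy struct {
	Roles     map[string]bool // host roles where the tool is legitimate
	HourStart int             // inclusive, local time
	HourEnd   int             // exclusive
}

// Constructed policy table: the page's example is Nmap on a DMZ web server;
// the roles and maintenance windows here are assumptions.
var policies = map[string]toolPolicy{
	"nmap":       {Roles: map[string]bool{"admin-jumpbox": true}, HourStart: 9, HourEnd: 18},
	"psexec":     {Roles: map[string]bool{"admin-jumpbox": true}, HourStart: 9, HourEnd: 18},
	"powershell": {Roles: map[string]bool{"admin-jumpbox": true, "dmz-web": true}, HourStart: 0, HourEnd: 24},
}

// Alert describes one tripwire hit.
type Alert struct {
	Host, Image, Reason string
}

// evaluate applies the policy table to a stream of events and returns an
// alert for each dual-use tool seen on an unexpected host role or outside
// its window. Images not in the table are not tracked tools and pass.
func evaluate(events []ProcessEvent) []Alert {
	var alerts []Alert
	for _, e := range events {
		image := strings.TrimSuffix(strings.ToLower(e.Image), ".exe")
		pol, tracked := policies[image]
		if !tracked {
			continue
		}
		switch {
		case !pol.Roles[e.HostRole]:
			alerts = append(alerts, Alert{e.Host, image,
				fmt.Sprintf("%s is not expected on role %q", image, e.HostRole)})
		case e.Hour < pol.HourStart || e.Hour >= pol.HourEnd:
			alerts = append(alerts, Alert{e.Host, image,
				fmt.Sprintf("%s ran at %02d:00, outside window %02d-%02d", image, e.Hour, pol.HourStart, pol.HourEnd)})
		}
	}
	return alerts
}

// sampleEvents is constructed input for the stand-alone run.
var sampleEvents = []ProcessEvent{
	{"web01", "dmz-web", "nmap", 3, "www-data"},         // scanner on the wrong host role
	{"jump01", "admin-jumpbox", "nmap", 14, "ops"},      // expected use
	{"jump01", "admin-jumpbox", "PsExec.exe", 2, "ops"}, // right host, wrong hour
	{"web01", "dmz-web", "powershell", 11, "svc-web"},   // permitted by policy
	{"web01", "dmz-web", "nginx", 11, "www-data"},       // not a tracked tool
}

func main() {
	for _, a := range evaluate(sampleEvents) {
		fmt.Printf("ALERT host=%s image=%s: %s\n", a.Host, a.Image, a.Reason)
	}
}
```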

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/threat-intelligence/most-cyberattacks-in-2019-were-waged-without-malware/d/d-id/1337239?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Let’s Encrypt Revokes Over 3 Million of Its Digital Certs

Domain validation glitch prompts an abrupt decision.

Let’s Encrypt, a nonprofit that has played a major role in pushing the use of encryption on the Web, today revoked more than 3 million of its digital certificates after discovering a flaw in the manner in which they were issued.

Domain owners with affected Let’s Encrypt TLS certificates who don’t renew them quickly run the risk of their websites becoming inaccessible to users after the certificates have been revoked. This can especially be an issue for domain operators that don’t have a clear idea of where affected certificates might be located in their environment so they can be renewed promptly.

“Given the short turnaround time required to respond to the incident, this may exhaust the capacity of IT teams,” says JD Kilgallin, senior integration engineer at Keyfactor.

Let’s Encrypt has published an online tool that site owners can use to determine if they have an impacted certificate.

Let’s Encrypt is a certificate authority (CA) — an Internet entity authorized to issue digital certificates that website owners can use to ensure that traffic and data between their site and end-user devices are encrypted. Sites using its certificates — like all sites using any TLS certificate — feature a padlock and an HTTPS prefix in the browser’s address bar to indicate to users that the site uses encryption and therefore is generally safer than sites with just HTTP.

Let’s Encrypt offers its TLS certificates free of cost. Anyone owning a domain name, including individuals, can use Let’s Encrypt to obtain, configure, use, and renew digital certificates in a completely automated fashion. Certificates are valid for 90 days and automatically renew before the end of that period.

The Internet Security Research Group (ISRG) launched Let’s Encrypt in 2014 in a bid to foster broad adoption of encryption on the Web. Since it began issuing them in late 2015, Let’s Encrypt has issued some 1 billion digital certificates globally. Over 192 million websites around the world currently use digital certificates that Let’s Encrypt issued. Over the years that Let’s Encrypt has been issuing certificates, HTTPS usage has increased dramatically — from around 58% of all page loads globally in June 2017 to 81% of page loads currently.

On Tuesday, Let’s Encrypt announced that it was revoking a total of 3,048,289 currently valid TLS certificates because of a bug it had discovered in a software component used in a domain validation process. The software is designed to check certification authority authorization (CAA) records that allow website operators to specify which CAs are permitted to issue certificates for their domains. The goal is to make sure that before a CA automatically renews or issues a certificate, it first checks to see if the site owner has placed any restrictions on such renewals.

What Let’s Encrypt discovered was that if a site automatically requested renewals for multiple certificates for multiple domains at the same time, the validation process failed. Instead of doing the CAA check for each domain for which a certificate was being renewed, the bug caused the software to do multiple checks against just one.

“When Let’s Encrypt went to check the CAA records for a list of, say, 10 certificate renewals, it didn’t check each domain in the list once,” security vendor Sophos said in a blog post. “Instead, it inadvertently picked one of the domains and then redundantly checked it 10 times over, leaving the other nine domains unchecked.”

Major Revocation for Minor Bug

The minor software bug kept Let’s Encrypt from performing a required authorization check before issuing a publicly trusted certificate for a web server, says Kilgallin. The issue could potentially allow bad actors to obtain certificates for sites they did not own. “Although the probability of exploit is extremely low, the standards set by the CA/Browser Forum require the certificates to be revoked and for site owners to request new certificates with proper authorization checks,” he adds.

Automated enrollment and certificate renewal like that offered via Let’s Encrypt is fairly common. When the certificate life cycle works as expected, such automation can significantly reduce the time that system administrators need to ensure their servers and systems are properly authenticated and provide adequate data encryption, Kilgallin says. “However, with anomalous situations such as this, the automated renewal processes may not be equipped to replace certificates that were revoked before their expiration date,” he says. “Teams may not know where affected certificates are located in their environment, increasing the risk of a service outage.”

Pratik Savla, senior security engineer at Venafi, says this is not the first time that Let’s Encrypt has found issues with the code used for CAA record checks. In the past, the problems have resulted in CAA rules being ignored and certificates being wrongly issued. “This incident should push any CA out there to review and tighten up their testing process so any incorrect behavior is not overlooked,” he says.

For organizations, episodes such as these highlight the need for proper certificate management processes, Savla says. They need to have an understanding of the certificates in use within the environment, where they exist, when they expire, what needs to be renewed, what might be redundant, and what might have already expired.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/operations/lets-encrypt-revokes-over-3-million-of-its-digital-certs/d/d-id/1337241?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

S2 Ep29: Facial recognition, malware madness and smart speakers – Naked Security Podcast

This week we discuss the latest in the Clearview AI debacle, get more tales from the ransomware swamp and discover how often our smart speakers are listening to us.

Host Anna Brading is joined by Sophos experts Paul Ducklin and Peter Mackenzie, and me!

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/PmHxaIiwoJ4/

Why 3 million Let’s Encrypt certificates are being killed off today

Let’s Encrypt was all over the news recently – the cybersecurity news, at any rate – for the laudable reason that it just issued its 1,000,000,000th TLS certificate.

TLS certificates are the cryptographic sauce that puts the S in HTTPS, and the padlock in your browser’s address bar.

The padlock doesn’t vouch for the actual content of the website you visit, of course – it doesn’t prove that the content it presents is correct, or that its downloads are malware free – but it nevertheless provides several benefits that you don’t get with an unencrypted, no-padlock connection:

  • The traffic between you and the website is encrypted. This makes it difficult for other people on the internet to sniff out and snoop on exactly what content you are looking at. Even if what you are reading is not personal or private, crooks can learn a lot about you by keeping an eye on what interests you.
  • The traffic between you and the website is integrity-protected. This makes it difficult for other people to tamper with the content on its way back to you – if they try to sneak malware into a file download after it leaves the site and before it reaches you, the modified data will be rejected.
  • The padlock offers evidence that the person who acquired the certificate really does have access to the website you are visiting. That may sound like a weak guarantee – it doesn’t prove that they actually own the website and it doesn’t identify them in case of any future legal dispute – but it makes it harder for random crooks to get certificates with your website’s name in them.

With this in mind, you may wonder why we have HTTP (unencrypted web traffic) at all.

In the same way that modern train doors lock automatically as you leave the station so you can’t fling them open by mistake at 225 km/hr, why not simply “define” the World Wide Web to be encrypted-only, and be done with it?

Why not force HTTPS?

In the past, there were two main reasons: TLS certificates were complicated and time-consuming to acquire and use; and they cost money that sites such as charities, hobbyists and small businesses resented having to pay, especially given that certificates need renewing regularly.

Let’s Encrypt changed that not only by offering certificates for free, but also by automating and therefore greatly simplifying the process of acquiring and renewing them.

(Let’s Encrypt wasn’t the first project to do free certificates, but it has been by far the most successful at making its free certificates widely-accepted and easy to use.)

As you can imagine, automating the certificate issuing process that much is a bit of a double-edged sword.

A flaw in the issuing protocol, or a bug in the software that implements the protocol, could have serious side-effects.

Unfortunately, something along those lines – a bug in Let’s Encrypt’s auto-validation system – has just been discovered…

…with the outcome that Let’s Encrypt will abruptly be revoking (today, in fact!) more than 3,000,000 web certificates, covering more than 12 million server names, that were still supposed to be valid for weeks or months more.

At first glance, 3,000,000 out of hundreds of millions of currently-active certificates (Let’s Encrypt claims to secure 190 million websites) doesn’t sound like an enormous proportion.

But companies with affected certificates need to renew them right now, instead of waiting until their server renews them automatically.

That’s because carrying on using a revoked certificate will cause visitors to your website to see security warnings, and may ultimately prevent them doing business with you online at all.

What happened?

A really tiny bug – tiny in code size, not in impact – seems to have caused the problem.

Let’s Encrypt certificates are valid for 90 days, and autorenew for most users when there are 30 days or fewer left on their current certificates.

Many Let’s Encrypt users have multiple certificates covering multiple websites and domains – for example, you might want a separate site for each of: billing DOT example, community DOT example and downloads DOT example.

For reasons of efficiency and reliability, you can renew a whole batch of domains at the same time, and that’s what most multi-certificate users will do – or, at least, it’s what their auto-renewal software will do for them.

Now, as a security precaution during renewal, in addition to any other checks that are carried out, Let’s Encrypt is required to look up what’s called a CAA, or Certificate Authority Authorization, for every domain you’re renewing.

A CAA check involves doing a DNS (domain name system) database lookup on the relevant domain to see if the owner of the domain – who might not be the person requesting the website certificate – has placed any restrictions on certificate renewal.

For example, the domain owner might not use Let’s Encrypt themselves, and might therefore publish a DNS entry saying, “Only accept XYZ Corporation to issue certificates for this domain,” as a way of making it harder for unauthorised third parties to get bogus certificates to impersonate their site.

This is a simple precaution that’s supposed to make it harder for crooks to take over your online identity – if you insist that they stick to one certificate issuing company, then you force the crooks to follow a certificate renewal path that makes it more likely you will catch them at their deception.

In fact, the industry rules that CAs sign up to (the CA/Browser Forum’s Baseline Requirements) say that an issuer must check a domain’s CAA records no more than eight hours before issuing a certificate – to keep the checks as current as possible.
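To show what that check actually decides, here is an added Python rendering of the CAA decision logic from RFC 8659 (this is not Let’s Encrypt’s code), run over constructed zone data rather than live DNS: climb from the requested name to the nearest ancestor that has CAA records, prefer `issuewild` over `issue` for wildcard names, treat an empty issuer (`;`) as “nobody”, strip any `;parameter` suffix before comparing issuer domains, and refuse to issue if a critical record carries a tag the CA does not understand. The zone contents and the issuer name `xyzcorp-ca.example` are made up for the example.

```python
"""CAA (RFC 8659) issuance decision over constructed zone data. Added example, not CA code."""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class CAA:
    flags: int   # 0x80 = issuer-critical: a CA that does not understand the tag must not issue
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str   # issuer domain, optionally followed by ";key=value" parameters; ";" alone = nobody


KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed zone data standing in for DNS answers; no network is used.
ZONE: Dict[str, List[CAA]] = {
    "example":        [CAA(0, "issue", "xyzcorp-ca.example")],             # "only XYZ Corporation"
    "shop.example":   [CAA(0, "issue", "letsencrypt.org"),
                       CAA(0, "issuewild", ";")],                         # named certs OK, wildcards forbidden
    "api.example":    [CAA(0, "issue", "letsencrypt.org; validationmethods=dns-01")],
    "locked.example": [CAA(0, "issue", ";")],                              # nobody may issue
    "odd.example":    [CAA(0x80, "futuretag", "whatever")],               # critical record, unknown tag
}


def zone_lookup(name: str) -> List[CAA]:
    return ZONE.get(name, [])


def relevant_caa_set(name: str, lookup: Callable[[str], List[CAA]]) -> List[CAA]:
    """Use the CAA RRset of the name itself or, failing that, of the closest
    ancestor that has one. A wildcard *.X is evaluated starting at X."""
    if name.startswith("*."):
        name = name[2:]
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = lookup(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def ca_may_issue(name: str, issuer_domain: str,
                 lookup: Callable[[str], List[CAA]] = zone_lookup) -> bool:
    rrset = relevant_caa_set(name, lookup)
    if not rrset:
        return True            # no CAA anywhere up the tree: any CA may issue
    # A critical record with a tag we do not understand forbids issuance outright.
    if any(r.flags & 0x80 and r.tag.lower() not in KNOWN_TAGS for r in rrset):
        return False
    tag = "issue"
    if name.startswith("*.") and any(r.tag.lower() == "issuewild" for r in rrset):
        tag = "issuewild"      # issuewild, when present, overrides issue for wildcard names
    candidates = [r for r in rrset if r.tag.lower() == tag]
    if not candidates:
        return True            # RRset exists but says nothing about issuance (e.g. iodef only)
    for r in candidates:
        permitted = r.value.split(";", 1)[0].strip().lower()   # drop ";param=value" suffix
        if permitted and permitted == issuer_domain.lower():
            return True
    return False               # records exist but none names this CA (";" forbids everyone)


def check_all(names: List[str], issuer_domain: str,
              lookup: Callable[[str], List[CAA]] = zone_lookup) -> Dict[str, bool]:
    """One CAA decision per requested name: the check that must happen for every name."""
    return {n: ca_may_issue(n, issuer_domain, lookup) for n in names}
```

Swap `zone_lookup` for a real resolver that returns the CAA RRset of a name (and treats SERVFAIL as a failed check, not as “no records”) and the decision logic stays the same.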

And here comes the bug: when Let’s Encrypt went to check the CAA records for a list of, say, 10 certificate renewals, it didn’t check each domain in the list once.

Instead, it inadvertently picked one of the domains and then redundantly checked it 10 times over, leaving the other nine domains unchecked.

In pseudo-code, the checking was supposed to work like this:

for name in {'one.example', 'two.example', 'three.example'} do
   check_caa_of(name)
end
// all domains checked at this point

But it ended up working something like this:

for name in {'one.example', 'two.example', 'three.example'} do
   oops = 'two.example'  // list is "traversed" but name never updates,
                         // so one domain gets checked N times 
   check_caa_of(oops)    // instead of N domains checked once each
end
// two domains unchecked here
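To make the failure mode concrete, here is an added Python rendering of the two pseudo-code loops above, together with the guard that would have caught the problem. It is not Boulder’s (Let’s Encrypt’s) code and does not claim to be the exact defect; it uses Python’s late-binding closures, which produce exactly the symptom described whenever per-name checks are queued in a loop and run later. `check_caa_of` is a stand-in that records each lookup, and the per-name CAA outcomes are constructed.

```python
"""'One name checked N times' reproduced with late-binding closures, plus the guard. Added example."""
from collections import Counter
from typing import Callable, Dict, List, Tuple

# Constructed CAA outcome per name: True = the CA may issue, False = CAA forbids it.
CAA_PERMITS: Dict[str, bool] = {"one.example": True, "two.example": False, "three.example": True}

CALLS: Counter = Counter()   # how many times each name was actually looked up

Result = List[Tuple[str, bool]]


def check_caa_of(name: str) -> bool:
    """Stand-in for the real CAA lookup (see the pseudo-code above); records each call."""
    CALLS[name] += 1
    return CAA_PERMITS[name]


def recheck_buggy(names: List[str]) -> Result:
    """Queue one deferred check per name, then run the queue. The lambdas close over
    the loop *variable* `name`, not its value, so by the time they run every one of
    them looks up the last name: N checks of one domain, N-1 domains unchecked."""
    deferred = [lambda: (name, check_caa_of(name)) for name in names]
    return [run() for run in deferred]


def recheck_fixed(names: List[str]) -> Result:
    """Same shape, but the default argument freezes each name at definition time."""
    deferred = [lambda n=name: (n, check_caa_of(n)) for name in names]
    return [run() for run in deferred]


def issuance_allowed(names: List[str], rechecker: Callable[[List[str]], Result]) -> bool:
    """Issue only if every requested name was checked and every check passed.
    The coverage test is the guard that would have caught the bug: a result set
    that does not cover the request is a process failure, not a pass."""
    results = rechecker(names)
    checked = {n for n, _ in results}
    missing = sorted(set(names) - checked)
    if missing:
        raise RuntimeError(f"CAA recheck incomplete, unchecked names: {missing}")
    return all(ok for _, ok in results)


def call_counts(names: List[str], rechecker: Callable[[List[str]], Result]) -> Dict[str, int]:
    """Run a rechecker from a clean counter and report lookups per name."""
    CALLS.clear()
    rechecker(names)
    return dict(CALLS)
```

The point of `issuance_allowed` is that “every check passed” is not the same as “every name was checked”: the buggy run returns three passes and would have issued for two.example, whose CAA record forbids it. A CA’s pipeline should assert that the set of names checked equals the set of names requested before it even looks at the results.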

In truth, the number of domains that would have been rejected if they’d been checked properly is almost certainly very tiny, so the overall risk of crooks using this bug to hijack domains on purpose is quite small.

But in real life, the Rules Of The Game say that certificate issuing organisations – known as CAs, short for Certificate Authorities – can’t make that sort of assumption.

So Let’s Encrypt has to make a disclosure of what happened, and how, and what it has done to prevent the problem happening again. (It has already started that process.)

And it has to revoke any certificates that weren’t renewed in strict accordance with the rules, which require that the server name for any certificate must be CAA-checked.

It doesn’t matter if you are 99% certain that the CAA check would have passed – what matters is that the check has to be carried out, as a way of keeping the process objective and honest.

So: three million suddenly-revoked certificates.

What to do?

If you have certificates that are being revoked, Let’s Encrypt will try to email you. Affected customers ought to have received warning emails by now – Let’s Encrypt has a web page showing what the emails look like, and how to get further advice – and that page also has links showing you how to download a full list of serial numbers of affected certificates (0.3GByte download) and how to check those serials against your own certificates.
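If you would rather script the comparison than eyeball serial numbers, the following added Python (not Let’s Encrypt’s tooling) pulls the serial straight out of a PEM certificate by walking the DER structure, then compares it with the published list after normalising both sides, since openssl prints `serial=03:8D:…`-style or bare uppercase hex while other tools print lowercase. The certificate embedded here is a constructed stand-in containing only the fields the code reads (version and serial), not a real certificate, and the assumption that the list holds one hex serial per line is mine.

```python
"""Extract a certificate's serial (DER walk) and test it against a revocation list. Added example."""
import base64
from typing import Set, Tuple


def _tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag-length-value at `pos`; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                         # long form: next (length & 0x7f) bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def serial_from_der(der: bytes) -> str:
    """Certificate ::= SEQUENCE { tbsCertificate SEQUENCE { [0] version OPTIONAL, serialNumber INTEGER, ... } }"""
    tag, cert, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    tag, tbs, _ = _tlv(cert, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, val, end = _tlv(tbs, 0)
    if tag == 0xA0:                           # EXPLICIT [0] version present (v2/v3 certificates)
        tag, val, end = _tlv(tbs, end)
    if tag != 0x02:
        raise ValueError("serialNumber is not an INTEGER")
    serial = int.from_bytes(val, "big", signed=True)   # DER may pad with 0x00 to keep it positive
    if serial <= 0:
        raise ValueError("serial must be positive (RFC 5280)")
    return format(serial, "x")                # lowercase hex, no leading zeros


def serial_from_pem(pem: str) -> str:
    body = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    return serial_from_der(base64.b64decode(body))


def canonical(serial: str) -> str:
    """'03:8D:1F..', '038d1f..', 'serial=038D1F..' and '38d1f..' all compare equal."""
    s = serial.strip().lower().split("=")[-1].replace(":", "").replace(" ", "")
    if s.startswith("0x"):
        s = s[2:]
    return s.lstrip("0") or "0"


def load_affected(text: str) -> Set[str]:
    """Assumed list format: one hex serial per line, '#' comments ignored."""
    return {canonical(line) for line in text.splitlines() if line.strip() and not line.startswith("#")}


def is_affected(pem: str, affected: Set[str]) -> bool:
    return canonical(serial_from_pem(pem)) in affected


# --- constructed fixtures: a minimal DER "certificate" with only version + serial ---
def _der(tag: int, body: bytes) -> bytes:
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


SAMPLE_SERIAL = "038d1f6c7ae20b4d9f5e3c216a7b8c9d0e1f"   # made up; 18 bytes like a Let's Encrypt serial
_tbs = _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, bytes.fromhex(SAMPLE_SERIAL))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(_der(0x30, _der(0x30, _tbs))).decode()
              + "-----END CERTIFICATE-----\n")
SAMPLE_LIST = """# constructed list, in the colon-separated form openssl prints
03:8D:1F:6C:7A:E2:0B:4D:9F:5E:3C:21:6A:7B:8C:9D:0E:1F
04:0a:0b:0c:0d:0e:0f:10:11:12:13:14:15:16:17:18:19:1a
"""
```

On a real server, read each certificate file (the `fullchain.pem`/`cert.pem` your web server is configured with) into `is_affected` together with the downloaded list; anything that comes back `True` needs renewing now rather than at the next scheduled run.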

If you have an affected Let’s Encrypt certificate and you don’t renew it, it will suddenly stop working because it will be revoked today at 2020-03-04T20:00Z. (That’s 8pm in the UK, 3pm on the US East Coast, noon on the West Coast.)

So you need to run your certificate renewal process manually – this is typically as easy as running a command-line script – instead of waiting for the next automatic renewal.

You can check Let’s Encrypt’s website for more advice – the fix isn’t difficult, but if you don’t do it you will find visitors unable to access your site.

(As far as we can see, if you have one and only one Let’s Encrypt certificate, and it covers a single server name, this bug doesn’t apply to you – there was only ever one name to CAA-check, so it can’t have been skipped in favour of another.)

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/tJ71PoX0sak/

If Tesco was hacked, your data could be being flogged for just £2.70 – research

Data stolen from Tesco clubcards could be resold for just £2.70 a pop, reckons a price comparison website that appears to have strayed into the dark web.

Earlier this week Tesco revealed that data from 600,000 Clubcards, its loyalty programme, had potentially been accessed by miscreants. Citing “fraudulent activity”, the supermarket said it would be issuing new cards to all members of its scheme.

Clubcard holders were being urged yesterday to change their passwords and login details on other sites using the same combination of username or email address and password.

“Our internal systems picked this up quickly and we immediately took steps to protect our customers and restrict access to their accounts. At no point was any customer’s financial data accessed,” Tesco said.

Now price comparison site Money Guru reckons that any data stolen from Clubcard holders could be being traded by online criminals for as little as £2.70.

Citing its own research into “several Dark Web marketplaces”, Money Guru claimed the average Briton’s entire online identity could be bought for “less than £750”.

Strangely enough, one’s eBay account was said to be worth £9.70 on average: Clubcard data, while revealing, doesn’t include the ability to make actual purchases. The site’s researchers also reckoned they could buy British Airways loyalty programme data – presumably the hundreds of thousands of people’s data, including card details, stolen from the airline in 2018 – for all of £4.90 a go.

Deborah Vickers, channel director at Money Guru, said in a canned statement: “Our research into personal data and how much it’s actually worth on the black market is shocking to say the least. For less than £750 criminals can access not only your bank details, but online shopping, social media and email information too. This just goes to show how vital it is to protect your data where possible to avoid facing costly consequences.”

The standard advice remains to use a password manager to generate hard-to-guess passwords that you don’t have to memorise, and to make sure you change your login details on anything that’s potentially been hacked. As someone once said, every little helps. ®

Sponsored:
Detecting cyber attacks as a small to medium business

Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/03/04/tesco_clubcard_600k_new_cards/

Download this update from mybrowser.microsoft.com. Oh, sorry, that was malware on a hijacked sub-domain. Oops

If you saw a link to mybrowser.microsoft.com, would you have trusted it? Downloaded and installed an Edge update from it? How about identityhelp.microsoft.com to change your password?

Well, you shouldn’t have, because the pair were among sub-domains hijacked by vulnerability researchers to prove Microsoft is lax with its own online security.

In short, the Windows giant allowed hundreds of sub-domains – at least 670 – on its big-name microsoft.com, skype.com, visualstudio.com, and windows.com properties to potentially fall into the hands of miscreants who could have commandeered them for phishing and malware distribution.

The caper

It basically would work like this, similar to previous reports of Microsoft web joy-riding: The tech goliath had loads of sub-domains, such as dev.social.microsoft.com and web.visualstudio.com, served by systems hosted in its Azure cloud. For example, mybrowser.microsoft.com might have resolved to something like webserver9000.azurewebsites.net. When you visited mybrowser.microsoft.com, your browser would have been directed, via DNS, to fetch a page from webserver9000.azurewebsites.net.

Now, as we said, Microsoft has loads of these sub-domains, and after a while it just stops updating some of them and abandons them. Unfortunately, and crucially, it leaves the sub-domains’ DNS records in place, so, for example, mybrowser.microsoft.com would still point to webserver9000.azurewebsites.net even though the server instance handling it was long since shut down.

This is where the miscreants swoop in. They get an Azure account, and spin up a web server instance, and request the hostname webserver9000, or webserver9000.azurewebsites.net in its full form. Now, when people visit mybrowser.microsoft.com, they are directed instead to the criminals’ webserver9000.azurewebsites.net, which offers victims downloads that look like browser updates but are actually ransomware or malware. Or pages that phish for their Office 365 username and password. You get the idea.


This security shortcoming, and nearly 700 example at-risk sub-domains, were privately reported to Microsoft by Numan Ozdemir and Ozan Agdepe of infosec outfit Vullnerability. To demonstrate the hostnames could be hijacked, they redirected ten of Microsoft’s sub-domains, including mybrowser.microsoft.com and identityhelp.microsoft.com, to their own pages hosted on Azure. It appears Microsoft has, in the past 24 hours or so, finally deactivated the sub-domains disclosed by Vullnerability.

“An attacker can upload his own files, create his own databases, track traffic, and create a clone of the main website,” Ozdemir and Agdepe explained in an advisory seen by The Register earlier this week ahead of its publication today. “So, it is not possible to detect whether a sub-domain has been hijacked by an attacker or is really managed by system authorities. Attackers threaten security by exploiting visitors’ trust.”

Ozdemir told El Reg a sub-domain takeover requires little in the way of technical skill, and, depending how long it takes to stumble upon a vulnerable sub-domain, it could take anywhere from five to 30 minutes to commandeer.

Microsoft’s response is concerning. It has known about this danger for ages, yet persists with lax DNS management, and has refused to pay out bug bounties for the issue. Ozdemir and Agdepe argued Microsoft’s reward scheme included sub-domain security; Redmond disagreed with that interpretation.

All Microsoft has to do is delete DNS entries for sub-domains when decommissioning their servers, or at least audit sub-domains whose CNAME targets no longer resolve or no longer respond to HTTP requests, and remove those entries before someone else claims the target hostname.
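Detecting the condition described above, as an added example in Python (not Vullnerability’s scanner): walk your CNAME records, resolve each target, and flag any record whose target either no longer resolves or belongs to a hosting service where a released hostname can be re-registered by anyone and that answers with its “nothing bound here” page. The DNS answers, HTTP responses, list of claimable provider suffixes and fingerprint text are all constructed or assumed for this example; the mybrowser/webserver9000 names are the article’s own hypothetical ones, and no network is used.

```python
"""Dangling CNAME / sub-domain takeover candidate detection over constructed data. Added example."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Hosting suffixes where a released hostname can be re-registered by any customer.
# Illustrative list (assumption): confirm each provider's behaviour before relying on it.
CLAIMABLE_SUFFIXES = ("azurewebsites.net", "cloudapp.net", "trafficmanager.net")

# Text a provider serves when the hostname is not bound to any tenant. Illustrative.
NOT_BOUND_FINGERPRINTS = {"azurewebsites.net": "Web app not found"}


@dataclass(frozen=True)
class Finding:
    name: str
    target: str
    reason: str


# Constructed zone: sub-domain -> CNAME target.
RECORDS: Dict[str, str] = {
    "mybrowser.microsoft.com": "webserver9000.azurewebsites.net",
    "blog.example.com":        "blog-old.azurewebsites.net",
    "www.example.com":         "www-live.azurewebsites.net",
    "legacy.example.com":      "old-host.example.net",
}

# Constructed DNS answers (None = NXDOMAIN) and HTTP responses for the targets above.
DNS_ANSWERS: Dict[str, Optional[str]] = {
    "webserver9000.azurewebsites.net": None,        # app deleted, hostname released
    "blog-old.azurewebsites.net": "20.0.0.5",       # still resolves to the provider...
    "www-live.azurewebsites.net": "20.0.0.6",
    "old-host.example.net": None,                   # plain stale record, not on a claimable host
}
HTTP_ANSWERS: Dict[str, Tuple[int, str]] = {
    "blog-old.azurewebsites.net": (404, "<h1>Error 404 - Web app not found.</h1>"),  # ...but nothing is bound
    "www-live.azurewebsites.net": (200, "<html>welcome</html>"),
}


def constructed_resolve(target: str) -> Optional[str]:
    return DNS_ANSWERS.get(target)


def constructed_http_get(target: str) -> Tuple[int, str]:
    return HTTP_ANSWERS.get(target, (0, ""))


def classify(name: str, target: str,
             resolve: Callable[[str], Optional[str]],
             http_get: Callable[[str], Tuple[int, str]]) -> Optional[Finding]:
    claimable = target.endswith(CLAIMABLE_SUFFIXES)
    if resolve(target) is None:
        how = "takeover candidate" if claimable else "stale record, clean up"
        return Finding(name, target, f"CNAME target NXDOMAIN ({how})")
    if claimable:
        status, body = http_get(target)
        for suffix, marker in NOT_BOUND_FINGERPRINTS.items():
            if target.endswith(suffix) and marker in body:
                return Finding(name, target,
                               f"provider reports hostname unbound (HTTP {status}): takeover candidate")
    return None


def find_dangling(records: Dict[str, str],
                  resolve: Callable[[str], Optional[str]] = constructed_resolve,
                  http_get: Callable[[str], Tuple[int, str]] = constructed_http_get) -> List[Finding]:
    findings = []
    for name, target in records.items():
        finding = classify(name, target, resolve, http_get)
        if finding:
            findings.append(finding)
    return findings
```

For a live scan, pass a `resolve` that wraps `socket.gethostbyname` and returns `None` on `socket.gaierror`, and an `http_get` that requests the target over HTTPS with the sub-domain as the `Host` header, which is what a visitor’s browser would send; the suffix list and fingerprints are the part you have to keep current per provider.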

“We have detected more than 670 vulnerable sub-domains, and reported lots of vulnerable sub-domains,” said Ozdemir. “We will continue to report all vulnerable sub-domains … otherwise, nobody will report them to Microsoft. It’s a great reason why visitors should be careful while visiting Microsoft’s websites. If Microsoft doesn’t need us, we invite them to scan all their sub-domains and fix all of vulnerable sub-domains.

“They can detect those vulnerabilities by comparing DNS records and HTTP responses, just as we did.”

A spokesperson for Microsoft told El Reg: “We are aware of such reports and are taking appropriate action as needed to help protect Microsoft services and customers.” ®

Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/03/04/microsoft_subdomain_takeover/

3 Ways to Strengthen Your Cyber Defenses

By taking proactive action, organizations can face down threats with greater agility and earned confidence.

Security professionals are under much pressure. It’s understandable: Within the past 12 months, 61% of US and European businesses suffered a cyberattack, up from 45% in 2018, and the figures are higher in every category of breach, according to cyber insurer Hiscox. The frequency of attacks is also up, with the number of firms reporting four or more incidents increasing from 20% to 30% over the same time period.

As cyberattacks increase in volume and get more sophisticated – and hackers become more agile – CISOs must do more to build a comprehensive security strategy that can protect critical assets, monitor impact, and recover from any unexpected attacks or disruption. Building defenses will also require a fundamental shift in thinking. Security and IT leaders should take a hard look at how they’ve been working and ask themselves: Is my security posture really rock-solid? Have I taken care of the IT hygiene basics that are so often the cause of successful breaches? And what are those core fundamentals I should implement to ensure the risk of cyberattacks is minimized as much as possible going forward?

Here are three fundamentals.

1. Patch Vulnerabilities Within Minutes, Not Days
Many organizations fail to patch their hardware and software in a timely manner. Our own recent research, conducted with Forrester Consulting, revealed it can take between 28 and 37 business days to patch IT vulnerabilities. When left open, these security gaps can make it easier for malicious actors to strike, paving the way for a host of damaging assaults. From disrupted systems to data breaches, enterprises cannot operate securely or protect their data (or their customers’ data) if they fail to patch vulnerabilities as soon as they are discovered.

Hackers can and will use any opening available to breach networks, disrupt operations, steal data, or hold it ransom. And new exploits are discovered every day. For example, in January the National Security Agency informed Microsoft about a vulnerability in Windows CryptoAPI certificate validation (CVE-2020-0601) that would allow an attacker to spoof code-signing and TLS certificates, and so pass off malicious code or an intercepted connection as trusted. (Microsoft quickly patched the vulnerability, which affected Windows 10 and Windows Server 2016/2019.)

And, despite some perceptions that Mac and iOS are more secure, Apple has been dealing with ongoing jailbreak issues for iOS devices, which create security vulnerabilities and are not always easy to patch.  

But it’s not just operating systems and mainstream programs that are at risk. Qualcomm’s February 2020 Security Bulletin detailed multiple vulnerabilities in its chipsets, each with a “High” security rating. The same month, Adobe FrameMaker suffered memory corruption vulnerabilities that could lead to arbitrary code execution, and remote attackers could also make life difficult for those who use a Belkin N300 router.

With these and so many other vulnerabilities discovered every single day, security teams must have a real-time view of their IT enterprise. Their view needs to extend across all computing devices and endpoints, and they must have the ability to quickly patch their hardware and software and monitor their environments. To that end, a unified endpoint management platform is one effective way to monitor and patch systems more quickly, thus reducing the likelihood of breaches and disruptions. [Editor’s note: The author’s company is one of many that offer a unified endpoint management platform.]  

2. Improve the Relationship Between IT and Security Ops
Last year proved challenging for other foundational concepts as well. Our research found a misplaced sense of confidence among IT decision-makers: Eighty percent said they were certain they could act on the results of vulnerability scans, yet fewer than half (49%) were confident they had full visibility into all the hardware/software assets in their environments, including servers, laptops, desktops, and containers.

What we found is that overall visibility dramatically improves when IT, security, and operations work more closely together, and they are better able to defend the entire enterprise using shared sets of actionable data. Among IT decision-makers, those with strained relationships with security (40%) struggled more with maintaining both visibility and IT hygiene compared to those with good partnerships. When these two teams build walls, things fall through the cracks, mistakes are made, breaches are inevitable, and the entire organization is at risk. All it takes is them getting on the same page about goals, areas of focus, and tools at their disposal.

3. Consolidate Point Tools
Tools proliferation is one of the biggest mistakes we see organizations make. Typically, as a problem emerges, businesses acquire a tool to remedy it. This approach often leads to a mountain of tools that are hard to manage and monitor at scale. Our research shows that in the past two years alone, IT teams obtained an average of five new tools just for security.

IT leaders need to step back and aggressively take stock of all their tools. They should identify the capabilities and deliverables their organizations need to implement, which will help them gain a clearer view into their networks and determine which tools they can consolidate across both teams. The end result will be a leaner, more judiciously managed environment that helps drive positive business outcomes.

Always Remain Vigilant
IT teams continue to face a tremendous challenge as they move forward into a new decade. Malicious actors are more sophisticated than ever before, while many enterprises are still struggling with strained internal relationships, unpatched vulnerabilities, and a lack of comprehensive endpoint visibility. By taking proactive action on these three steps, organizations can face down threats with greater agility and earned confidence.

Chris Hallenbeck is a security professional with years of experience as a technical lead and cybersecurity expert. In his current role as CISO for the Americas at Tanium, he focuses largely on helping Tanium’s customers ensure that the technology powering their business can …

Article source: https://www.darkreading.com/risk/3-ways-to-strengthen-your-cyber-defenses/a/d-id/1337145?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple