STE WILLIAMS

Disclosure Does Little to Dissuade Cyber Spies

In the past, outing nation-state cyber espionage groups caused a few to close up shop, but nowadays actors are more likely to switch to new infrastructure and continue operations.

When cybersecurity services firm Mandiant released its APT 1 report in 2013, the Chinese group immediately shut down, and the command-and-control servers that had been used by the group to manage its infrastructure went quiet. 

The incident helped drive the naming-and-shaming policy pursued by the United States, which has filed indictments against a number of cyber-espionage actors in Russia, China, and Iran. However, such tactics increasingly appear not to have the intended effect, according to a report scheduled to be published on Nov. 5 by defense giant BAE Systems. While an Iranian group, which BAE Systems refers to as Operation Cleaver, ceased operations following a report in late 2014, many other Iranian groups continued to operate, including Team Ajax, Shamoon, and others, the analysis said.

It is clear that the Operation Cleaver report just led to a retasking of resources, BAE Systems’ analysts concluded in the report.

“A leading theory for the group’s disappearance is that Operation Cleaver splintered, and the members dispersed and/or restructured, spent nearly a year retooling and reorganizing, and returned in autumn 2015 as OilRig. However, this remains unconfirmed,” the analysis stated. “What is more clear is that Iranian operations which targeted aerospace, defence, and energy didn’t entirely disappear but re-emerged around the same time as OilRig and continued with similar tasking.”

The analysis of what cyber-espionage groups did after being outed by security researchers, government agencies, and non-government organizations (NGOs) does not reach a single conclusion, but it does show that, aside from a few early and only purported successes, outing cyber-espionage groups does little to dissuade them from future operations. With state-sponsored cyber espionage considered a legitimate political activity, the penalties for being caught are small, says Saher Naumaan, threat intelligence analyst at BAE Systems Applied Intelligence.

“Conducting [these] operations is the new norm, which diminishes the severity of the consequences because it’s just what states do now,” she says. “The groups don’t have to disappear anymore because this is understood to be legitimate espionage activity.”

While some early groups have gone quiet, most have changed up their infrastructure. A few have retaliated. Predictably, disclosure of attackers’ tactics also led to other groups adopting those same tactics, although linking disclosure with the adoption of techniques is difficult, BAE Systems stated. 

“Disclosure has benefits and drawbacks,” the company’s researchers stated in the analysis. “The thousands of public blogs and reports made on the activity of the hundreds of threat groups who have been reported on has contributed to a shared ‘body of knowledge’ which has driven evolution of attack techniques.”

The most common strategy for cyberattackers, however, is to change tactics. 

The Chinese group APT10, also known as Stone Panda, had used dynamic DNS infrastructure to carry out attacks against managed service providers (MSPs) — operations that were publicly outed in 2017. While the group stopped using some tools and expanded its infrastructure options, it continued operations. 

“The group became careful and siloed its campaigns based on tools, targets, and infrastructure, which led to increased difficulty in mapping out its operations,” BAE Systems stated. “This again shows that threat actors no longer feel obligated to shut down all operations due to disclosure and can adapt to changing circumstances.”

Another way that cyber-espionage groups attempt to hide their trails is to adopt the tools and infrastructure of other nations’ cyber spies. In October, for example, the UK’s National Cyber Security Centre revealed that a Russian-backed group, known as Turla, used attack infrastructure that it apparently stole from an Iranian group known as APT34.

“The timeline of incidents, and the behaviour of Turla in actively scanning for Iranian backdoors, indicates that whilst (the attack) tools were Iranian in origin, Turla were using these tools and accesses independently to further their own intelligence requirements,” the NCSC’s advisory stated. “The behaviour of Turla in scanning for backdoor shells indicates that whilst they had a significant amount of insight into the Iranian tools, they did not have full knowledge of where they were deployed.”

Only rarely do attackers decide to strike back at the disclosers in some way, according to BAE Systems’ report. Charming Kitten, also known as APT35, impersonated the security firm ClearSky and one of its researchers after the company outed some details of the group’s operations.

In the end, there are still benefits to disclosure, but companies, organizations, and researchers should all consider the consequences, not just to the attacker but to the work of researchers when attackers’ methods are disclosed, says Naumaan.

“Our job is to disrupt adversary activity or make it difficult — disclosure forces attackers to improve, which has a cost, [such as] creating new infrastructure, building new tools, etc.,” she says. “Disclosure, [however,] has moved away from major releases [and] whitepapers to quick turnaround tweets and simultaneously doesn’t have as significant an impact on attackers as it used to.”


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline …

Article source: https://www.darkreading.com/threat-intelligence/disclosure-does-little-to-dissuade-cyber-spies/d/d-id/1336273?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

The Edge Cartoon Contest: Need a Lift?

Feeling creative? Submit your caption in the comments, and our panel of experts will reward the winner with a $25 Amazon gift card.

The contest ends Nov. 30. If you don’t want to enter a caption, help us pick a winner by voting on the submissions. Click thumbs-up for those you find funny; thumbs-down, not so. Editorial comments are encouraged and welcomed.

Click here for contest rules. For advice on how to beat the competition, check out How To Win A Cartoon Caption Contest.

John Klossner has been drawing technology cartoons for more than 15 years. His work regularly appears in Computerworld and Federal Computer Week. His illustrations and cartoons have also been published in The New Yorker, Barron’s, and The Wall Street Journal.

Article source: https://www.darkreading.com/edge/theedge/the-edge-cartoon-contest-need-a-lift/b/d-id/1336272?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Google Launches OpenTitan Project to Open Source Chip Security

OpenTitan is an open source collaboration among Google and technology companies to strengthen root-of-trust chip design.

Google is teaming up with tech industry partners to launch OpenTitan, an open source project to strengthen chip security. The initiative will build a reference design and integration guidelines for root-of-trust (RoT) silicon chips to be used in data center servers, storage devices, peripherals, and other hardware.

The goal is to give chipmakers and platform providers the ability to inspect and contribute to the design, firmware, and documentation of silicon chips. By open-sourcing the chip design, members of OpenTitan hope to make the process more transparent and secure. RoT chips can be used in server motherboards, network cards, laptops, phones, routers, and Internet of Things devices.

Google has already built a secure chip in Titan, its custom RoT chip designed to make sure the machines in its data centers boot from a known trustworthy state with verified code. Titan is used in Google’s multifactor security keys and its Google-brand Android phones. OpenTitan brings secure silicon chip design to a broader level with a group of tech industry partners.

“What we’re launching isn’t a proposal or standard,” OpenTitan founder and Google Cloud director Dominic Rizzo said at a press conference. “It’s an active engineering project.”

Google is responsible for defending a huge volume of data center equipment around the world, Rizzo explained, and its growing attack surface demands new defensive technologies. As firmware-level attacks become “a realistic and growing concern,” it’s looking to the silicon layer.

“We felt that in order to build trust in our secure silicon, we needed to build the design from the ground up,” Rizzo said. The goal is to bring trust, code integrity, trusted machine identity, and physical attack protection into devices built with these RoT silicon chips. OpenTitan can be used with any platform and customized so it adapts to different types of devices and software.


OpenTitan is managed by UK nonprofit lowRISC and supported by ETH Zurich, G+D Mobile Security, Nuvoton Technology, and Western Digital. A team of engineers representing these partners is tasked with building the logical design of the silicon RoT. This includes an open source microprocessor (lowRISC Ibex), cryptographic coprocessors, a hardware random-number generator, sophisticated key hierarchy, memory hierarchies for volatile and nonvolatile storage, defensive mechanisms, I/O peripherals, and secure boot, among other components.
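The components listed above (measurement, secure boot, a key hierarchy rooted in on-chip secrets, attestation of the result) are easier to reason about with a concrete model. The following Python simulation is an added example written for this page, not OpenTitan or Titan code, and it makes simplifying assumptions: the root secret is a constructed constant standing in for fused storage, the stage images and their expected digests are made up, and verification uses an embedded digest manifest plus HMAC-based attestation where real silicon would verify signatures with a public key whose hash is baked into ROM.

```python
import hashlib
import hmac

# Constructed root secret standing in for a value held in on-chip fuses/OTP
# by a real root of trust; it never leaves the chip.
ROOT_SECRET = bytes.fromhex("6f2a" * 16)  # 32 bytes, made up for this example


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def extend(register: bytes, measurement: bytes) -> bytes:
    """PCR-style extend: register' = H(register || measurement).
    Order matters and there is no way to "un-extend", so the final value
    commits to the exact sequence of stages that ran."""
    return sha256(register + measurement)


def derive_stage_key(register: bytes, label: bytes) -> bytes:
    """Key hierarchy: each stage's key is derived from the root secret and the
    measured state reached so far. Firmware that measures differently derives
    a different key, so secrets sealed to the golden state stay unreachable."""
    return hmac.new(ROOT_SECRET, label + register, hashlib.sha256).digest()


class BootHalted(Exception):
    """Raised when verified boot rejects a stage."""


def boot(stages, manifest, enforce=True):
    """Simulate the chain ROM -> bootloader -> kernel -> app.

    stages:   ordered list of (name, image_bytes)
    manifest: name -> expected SHA-256 hex of the image, as the previous stage
              would carry it. Simplification: a real RoT verifies a signature
              over the image with a public key anchored in ROM; here the
              expected digests themselves play that role.
    enforce:  True = verified boot (halt on mismatch); False = measured boot
              only (continue, but the register and derived keys will differ).
    """
    register = bytes(32)  # reset value of the measurement register
    keys = {}
    for name, image in stages:
        digest = sha256(image)
        register = extend(register, digest)
        if enforce and not hmac.compare_digest(digest, bytes.fromhex(manifest[name])):
            raise BootHalted(f"{name}: measurement does not match manifest")
        keys[name] = derive_stage_key(register, name.encode())
    return register, keys


def attest(register: bytes, nonce: bytes) -> bytes:
    """Quote the boot state to a remote verifier. Uses an attestation key
    derived from the root secret; a verifier holding the same key (symmetric
    stand-in for an asymmetric attestation key) can check the quote."""
    ak = hmac.new(ROOT_SECRET, b"attestation-key", hashlib.sha256).digest()
    return hmac.new(ak, nonce + register, hashlib.sha256).digest()


def verify_quote(quote: bytes, golden_register: bytes, nonce: bytes) -> bool:
    return hmac.compare_digest(quote, attest(golden_register, nonce))


# Constructed firmware images; real ones would be the actual binaries.
GOOD_STAGES = [
    ("bootloader", b"bootloader v1.2 image bytes"),
    ("kernel", b"kernel 5.4 image bytes"),
    ("app", b"application image bytes"),
]
# Expected digests, computed at build time and embedded in the preceding stage.
MANIFEST = {name: sha256(img).hex() for name, img in GOOD_STAGES}


def golden_register() -> bytes:
    """The measurement a verifier expects from an untampered device."""
    return boot(GOOD_STAGES, MANIFEST)[0]


def tampered_stages():
    """Same chain with one extra byte appended to the kernel image."""
    return [(n, img if n != "kernel" else img + b"\x00") for n, img in GOOD_STAGES]


if __name__ == "__main__":
    reg, keys = boot(GOOD_STAGES, MANIFEST)
    print("good boot register:", reg.hex()[:16], "...")
    try:
        boot(tampered_stages(), MANIFEST)
    except BootHalted as e:
        print("verified boot:", e)
    bad_reg, bad_keys = boot(tampered_stages(), MANIFEST, enforce=False)
    print("measured boot continued; app key differs:", bad_keys["app"] != keys["app"])
    nonce = b"verifier-nonce-0001"
    print("tampered quote accepted:", verify_quote(attest(bad_reg, nonce), golden_register(), nonce))
```

The two boot modes show why both pieces matter: verified boot halts on the tampered kernel, while measured boot lets it run but reaches a different register, so the derived kernel and app keys and the attestation quote no longer match the golden state. The bootloader key is unchanged in both runs, because only stages measured after the tampered one are affected.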

Open source silicon is similar to open source software in the way it folds trust and transparency into the design process. Issues can be detected early on, reducing the need for blind trust. A common, open reference design gives users a choice of implementation, and maintains a set of common interfaces and guarantees for software compatibility, the project’s launch announcement explains.

The project aims to open source additional layers of the root of trust. In a traditional RoT structure, the open components include protocols, APIs, printed circuit board (PCB) interface, and PCB design, they say. In addition to these, OpenTitan also open sources the firmware, instruction set architecture, system-on-a-chip architecture, digital intellectual property (IP), register-transfer level verification, and chip packaging. The foundry IP, analog IP, physical design kit, and chip fabrication remain proprietary components.

Starting today, OpenTitan is inviting everyone to evaluate and contribute to its design. Hardware vendors are invited to reach out if they’re interested in a pilot OpenTitan RoT integration.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/endpoint/google-launches-opentitan-project-to-open-source-chip-security/d/d-id/1336274?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Police interrogate Alexa for clues in fatal spear-stabbing

Police in South Florida plan to interrogate a potential witness to a fatal stabbing: Amazon’s Alexa smart speaker app.

Last week, the South Florida SunSentinel reported that police in Hallandale Beach obtained a search warrant for anything recorded by two devices, an Echo and an Echo Dot, found in the apartment where a woman who had been arguing with her boyfriend was killed in July.

Police have accused Adam Reechard Crespo of murdering his girlfriend, Silvia Galva.

When police arrived at the apartment, they found Galva in one of the bedrooms in Crespo’s condo. She was bleeding to death from a stab wound in her chest, as Crespo tried to stanch the bleeding and save her life. Police also found the spear that, as Crespo told them, he had pulled from her chest: a spear with a 12-inch, double-sided blade.

Crespo says that Galva had been drinking, and that he’d tried to kick her out of the bedroom, but she resisted, grabbing onto the spear – at the foot of the bed – for leverage. He says he kept pulling, without turning around, until he heard a snap. That’s when the spear she was holding onto snapped and impaled her, police said.

A friend of Galva’s was in the condo at the time and told police that she’d heard arguing coming from the bedroom but couldn’t make out the details of the fight.

That’s where Alexa comes in. The voice assistant, which runs in Amazon’s Echo smart speakers, waits for its trigger word – the default is “Alexa,” though owners can change it to “Amazon,” “Computer” or “Echo” – and then starts to listen for commands. In other words, it begins to record.

This isn’t the first time that police have looked to Echo recordings to help solve crimes. In 2015, Arkansas police tried to get data from an Echo that they found at the murder scene after a man was strangled in a hot tub.

The murder suspect, James Andrew Bates, pleaded not guilty to the murder of Victor Parris Collins and wound up handing over the Echo recordings.

Whatever Alexa recorded, it wasn’t conclusive evidence of a murder. Benton County Prosecutor Nathan Smith said that the evidence could have supported more than one reasonable explanation for the death, and the charges against Bates were dropped in November 2017.

Investigators again went after Echo recordings a year ago, when they were working on the case of a double homicide: two women had been murdered in a New Hampshire home on the same day. A New Hampshire man, Timothy Verrill, was charged with two counts of first-degree murder in the fatal stabbings. The case was declared a mistrial on Thursday, but his indictments still stand, so he could be tried again.

In the case of Galva’s stabbing death in Florida, police reportedly justified probable cause for a warrant by saying that Amazon servers may help them get to the bottom of whether or not she was murdered:

It is believed that evidence of crimes, audio recordings capturing the attack on victim Silvia Crespo that occurred in the main bedroom […] may be found on the server maintained by or for Amazon.

While such requests have raised legal wrangling in other criminal investigations, that wasn’t the case in this one. Princeton University professor Jonathan Mayer, who served as chief technologist of the Federal Communications Commission (FCC) Enforcement Bureau, told the Washington Post that from a legal perspective, this one’s straightforward:

Law enforcement can access smart-speaker recordings after obtaining a search warrant.

The SunSentinel reported on Thursday that Amazon had turned over multiple recordings, but at that time, neither the company, police, nor the State Attorney’s Office were ready to say what was on them. Hallandale Beach Police Department spokesman Sgt. Pedro Abut:

We did receive recordings, and we are in the process of analyzing the information that was sent to us.

Amazon spokesman Leigh Nakanishi told the news outlet that Echo devices only record short bursts of speech:

By default, Echo devices are designed to detect only your chosen wake word.

Nakanishi said that Echo speakers only begin to listen and record after they hear their wake word. If the speakers in the bedroom didn’t hear a wake word, or if somebody pressed the mute button, they’re as likely as a brick to record anything.

No audio is stored or sent to the cloud unless the device detects the wake word.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ml8LXjIH9qE/

Florida city sends $742K to fraudsters as it bites the BEC hook

We’re changing our banking information, said the sham email purporting to be from a construction company working on an international airport in the Florida city of Ocala.

The message pretended to come from Ausley Construction, a bona fide firm working on the $6.1m project to build a new terminal at the 17,500-square-foot Ocala International Airport, and included the proper form to change the routing and account numbers, plus a copy of a voided check from the account.

It was all right and proper-looking, as are the most sophisticated Business Email Compromise (BEC) scams, and, of course, utterly bogus.

The spearphishing email worked. As reported by local paper Ocala Star Banner, the city is now $742,376.73 lighter.

According to reports from Ocala Mayor Kent Guinn and the Ocala Police Department, a city senior accounting specialist received the phishing email in September. The next month, Ausley Construction submitted a legitimate invoice for nearly $250K.

The next day, on 18 October, the city paid the invoice. Ausley never saw that money, though. On 22 October, the firm let the city know that it was still waiting to be paid, and that’s when the fraud came to light.

A growing money-making racket

BEC scams like this one, and the amount of profits they’re netting crooks, are exploding. In its 2018 Internet Crime Report, the FBI said that it received 20,373 BEC/email account compromise (EAC) complaints last year, reflecting losses of over $1.2 billion.

In August 2019, a county in the US state of North Carolina fell hard in a BEC scam – as in, $1,728,083 worth of hard – that was similar to the Ocala ripoff. It, too, paid a “contractor” posing as a legitimate firm building a new school for the Cabarrus County Schools District.

Then, a few months ago, Portland Public Schools escaped a $2.9m BEC scam by the skin of its teeth. The transaction was already in the works, but the banks involved managed to freeze the funds in time.

These scams typically involve legitimate business email accounts that have been compromised, be it through social engineering or computer intrusion, to initiate unauthorized transfers.

The FBI says BEC scammers are becoming increasingly sophisticated. From the FBI’s 2018 Internet Crime Report:

In 2013, BEC/EAC scams routinely began with the hacking or spoofing of the email accounts of chief executive officers or chief financial officers, and fraudulent emails were sent requesting wire payments be sent to fraudulent locations.

Through the years, the scam has seen personal emails compromised, vendor emails compromised, spoofed lawyer email accounts, requests for W-2 information, and the targeting of the real estate sector.

These guys have it down pat. In one whaling attack (one that’s targeted at the biggest fish in an organization, such as a CEO or CFO) against two tech companies a few years ago, the scammer came up with forged invoices, contracts, and letters that looked like they’d been executed and signed by executives and agents of the tech companies.

The documents bore fake corporate stamps embossed with the companies’ names that were submitted to banks to corroborate the big sums that were fraudulently transmitted via wire transfer: a total of more than $100,000,000.

In the Ocala scam, the crooks used a former Ausley worker’s name in their spearphishing email. The former Ausley employee told police that they weren’t the one who sent that message, though. In fact, the email address showed a tiny difference that would have marked it as illegitimate, but only to employees who are a) paranoid and/or b) eagle-eyed. Namely, instead of @ausleyconstruction.com, the email address had an extra “s” at the end, as in, @ausleyconstructions.com. According to the police report, the fake address was created on 1 September 2019.
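The one-character domain difference above is exactly the kind of thing a machine should catch before a payment-change form reaches a human. The following Python check is an added example, not anything from the Ocala police report or from Ausley; it assumes an accounts-payable allowlist of vendor domains that were verified out of band (the Ausley domain is taken from the article, the bank domain is constructed) and flags senders that are near-misses of those domains, whether by an extra letter, a look-alike character, or the vendor’s name embedded in a longer domain.

```python
import re

# Vendor domains the accounts-payable team has verified out of band.
# The Ausley domain is from the article; the bank one is constructed.
TRUSTED_VENDOR_DOMAINS = {
    "ausleyconstruction.com",
    "examplebank.com",
}

# Characters attackers swap in because they look alike in many fonts.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def sender_domain(address: str) -> str:
    """Lower-cased domain of an e-mail address ('' if malformed).
    Handles a display name: 'Jane <jane@x.com>' -> 'x.com'."""
    m = re.search(r"<([^>]+)>", address)
    addr = m.group(1) if m else address
    if addr.count("@") != 1:
        return ""
    return addr.split("@", 1)[1].strip().rstrip(".").lower()


def skeleton(domain: str) -> str:
    """Collapse visually confusable spellings so 'ausleyc0nstruction' and
    'ausleyconstruction' compare equal (digraphs first, then single chars)."""
    return domain.replace("rn", "m").replace("vv", "w").translate(_HOMOGLYPHS)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one insertion, deletion or substitution counts 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(address: str, trusted=TRUSTED_VENDOR_DOMAINS, max_distance=2):
    """Return (verdict, detail) for the sender of a payment-change request.

    'trusted'   exact match with a verified vendor domain
    'lookalike' homoglyph, typo-squat within max_distance edits, or a domain
                that embeds a verified vendor's name (ausleyconstruction-billing.com)
    'idn'       contains a punycode (xn--) label; render and review by hand
    'unknown'   no relation to any verified vendor (still needs a phone call
                before any banking details change)
    """
    domain = sender_domain(address)
    if not domain:
        return "unknown", "malformed address"
    if domain in trusted:
        return "trusted", domain
    if any(label.startswith("xn--") for label in domain.split(".")):
        return "idn", domain
    for good in sorted(trusted):
        if skeleton(domain) == skeleton(good):
            return "lookalike", f"homoglyph of {good}"
        d = levenshtein(domain, good)
        if d <= max_distance:
            return "lookalike", f"edit distance {d} from {good}"
        good_name = good.rsplit(".", 1)[0]
        if good_name in domain:
            return "lookalike", f"embeds the name of {good}"
    return "unknown", domain


if __name__ == "__main__":
    # Constructed sample senders; the first lookalike mirrors the Ocala case.
    for sample in [
        "AP Desk <ap@ausleyconstruction.com>",
        "ap@ausleyconstructions.com",
        "ap@ausleyc0nstruction.com",
        "billing@ausleyconstruction-billing.com",
        "ap@xn--example-abc.com",
        "someone@example.org",
    ]:
        print(f"{sample:45} -> {classify(sample)}")
```

The verdict is only a gate: a 'trusted' sender still does not authorise a change of bank details on its own, since the article’s other examples involve genuinely compromised vendor mailboxes, which no domain check can see. Use the lookalike flag to block the request outright and the other verdicts to force the out-of-band phone call the FBI recommends.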

Officials have reportedly filed a claim with the city’s insurance provider for the loss and are reviewing their internal policies to avoid falling victim to a repeat scam.

How DO you avoid falling victim?

Ocala officials might want to take a page from the similarly fleeced North Carolina county of Cabarrus. In the wake of getting victimized, it hired an accounts payable (AP) consultant and tasked her with redesigning its vendor processes and reviewing its vendor files in order to harden its vendor setup and maintenance authentication techniques, internal controls and best practices, in order to reduce the potential for fraud.

Then, the county trained staff, and it implemented external checks to validate incoming data.

Those, in fact, are among the safeguards we passed along after the FBI busted 74 people in a global BEC takedown in June 2018.

As we said at the time, defending against this type of fraud is complicated. It involves bolstering defenses for email servers and accounts and improved processes, such as stricter protocols for businesses to check payments.

Some of the key ways that individuals, businesses and government agencies can avoid getting taken to the cleaners:

Don’t rely on email alone

As the FBI notes, no matter how sophisticated the fraud, there’s an easy way to thwart it: namely, don’t rely on email alone. FBI Special Agent Martin Licciardo:

The best way to avoid being exploited is to verify the authenticity of requests to send money by walking into the CEO’s office or speaking to him or her directly on the phone.

Also, here are more tips, for both individuals and businesses:

1. Watch your Ps and Qs… and apostrophes

As we saw in the case of crooks who nabbed the proceeds from a $150K home sale, the fraudster did what fraudsters often do: they made a punctuation/English usage mistake (albeit a tiny one). Namely, they omitted a possessive apostrophe.

As Naked Security’s Paul Ducklin noted at the time in the comments section of that article, grammatical perfection on its own isn’t enough to give a message a clean bill of cybersecurity health, but any slip-ups in spelling or usage, or any unusual requests, are a good reason to look closer.

2. Watch out for weird requests

In the real estate case, the swindlers insisted that an electronically signed PDF, with their victim’s bank details, specifically be emailed as opposed to being sent via snail-mail. As Paul noted, that makes sense… for crooks. They wouldn’t be able to intercept a document sent via a country’s postal service, after all.

3. Report it

Law enforcement agencies can’t fight what they don’t know about. To that end, please do make sure to report it if you’ve been targeted in one of these scams.

In the US, victims can file a complaint with the IC3. In the UK, BEC complaints should go to Action Fraud. If you’d like to know how Sophos can help protect you against BEC, read the Sophos News article Would you fall for a BEC attack?

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/jj_w1wR5CJo/

Google patches bug that let nearby hackers send malware to your phone

Google has patched a bug in the Android operating system that could have allowed attackers to install a rogue application on a victim’s phone – but only if they were able to invade their personal space.

Nightwatch Security found the flaw, numbered CVE-2019-2114, and described it in an advisory. The problem lies in Android Beam, a feature in the mobile operating system that lets people transfer large files directly between phones. It uses near field communications (NFC), a communications mechanism enabled by default in most Android phones, often used for contactless payments.

Users can send each other files using Android Beam by placing their phone within an inch or two of another. If the phone is able to send the content, an option will appear to transfer it.

One file type that can be sent using this technology is an APK file, which is an application installable on an Android device. If it receives an APK, the Android Beam service will automatically try to install it. This is where an attacker could exploit the vulnerability.

For security reasons, Android treats APKs that don’t stem from the official Google Play Store as unknown applications. Android version 8 (codenamed Oreo) and above ask the user’s permission before installing any unknown application. That is supposed to stop users unwittingly installing rogue applications that have made their way onto the device, perhaps via email or an unknown App Store.

The NFC service in Android is a system component signed by Google, and the OS trusts it accordingly: it is automatically granted the permission to install unknown apps. The result is that the OS trusts any APK delivered to the device via Android Beam and will install it without warning the recipient that the application is unknown.

This doesn’t mean that the flaw is easily exploitable. Although it won’t warn that the application is unknown, the OS still presents the user with a prompt asking permission to install any application, meaning that they would still have to approve it. There’s also the small matter of getting the attacker’s phone close enough to the victim’s phone without it being obvious.

That said, it is certainly possible. The victim might assume that the installation prompt was an application update. As for positioning the attack device, perhaps the attacker could mill a cavity into the underside of a desk with a very thin veneer between their phone and the surface, enabling it to communicate with the victim’s phone?

However, even if someone wanted to put that much effort in, there are easy ways to thwart the attack, according to Nightwatch.

What to do?

You can revoke the NFC service’s permission to install unknown apps in the “Install unknown apps” permission settings, which stops the NFC app from attempting to install an APK at all.

You can also turn off Android Beam in the NFC and Payment area of your Android device’s settings, while still leaving NFC on for contactless payments.

Finally, you can install the fix that Google released last month, patching the flaw.
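For a fleet of Android devices, the checks above can be scripted over adb instead of tapped through by hand. The following Python helper is an added example, not from Nightwatch Security or Google; it assumes the NFC service package is `com.android.nfc`, that `appops get` prints the op name followed by its mode, and (from the article’s timing) that the October 2019 security patch level carries the fix. The parsing functions run offline on constructed output; only `audit` talks to an attached device.

```python
import re
import subprocess

# Package name of the AOSP NFC service; assumed here, confirm on your build with
# `adb shell pm list packages nfc`.
NFC_PACKAGE = "com.android.nfc"
# The app-op behind the "Install unknown apps" toggle on Android 8+.
INSTALL_OP = "REQUEST_INSTALL_PACKAGES"
# Assumed cut-off: the article says the fix shipped the month before it was
# written (November 2019), i.e. the October 2019 security patch level.
FIXED_PATCH_LEVEL = "2019-10-01"


def adb(args, serial=None):
    """Run one adb command and return its stdout (needs a real device)."""
    cmd = ["adb"] + (["-s", serial] if serial else []) + list(args)
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def parse_appops_mode(output: str):
    """Extract the mode from `appops get <pkg> <op>` output.
    Assumed shapes: 'REQUEST_INSTALL_PACKAGES: allow; time=+2d1h ago' or
    'No operations.' when nothing is set. Returns 'allow', 'deny', 'ignore',
    'default' or None."""
    m = re.search(INSTALL_OP + r":\s*([a-z]+)", output)
    return m.group(1) if m else None


def nfc_install_blocked(appops_output: str) -> bool:
    """True only when the op is explicitly denied or ignored; 'allow',
    'default' and 'not set' all leave a platform-signed service able to
    install, which is the behaviour the advisory describes."""
    return parse_appops_mode(appops_output) in ("deny", "ignore")


def patch_level_fixed(security_patch: str, minimum=FIXED_PATCH_LEVEL) -> bool:
    """ro.build.version.security_patch is YYYY-MM-DD, so string order works."""
    return security_patch.strip() >= minimum


def remediation(serial=None):
    """adb argv lists that revoke the install permission from the NFC service."""
    base = ["adb"] + (["-s", serial] if serial else [])
    return [base + ["shell", "appops", "set", NFC_PACKAGE, INSTALL_OP, "deny"]]


def audit(serial=None, fix=False):
    """Check one attached device; optionally apply the app-op deny and re-check."""
    patch = adb(["shell", "getprop", "ro.build.version.security_patch"], serial)
    ops = adb(["shell", "appops", "get", NFC_PACKAGE, INSTALL_OP], serial)
    report = {
        "security_patch": patch.strip(),
        "patched": patch_level_fixed(patch),
        "nfc_install_blocked": nfc_install_blocked(ops),
    }
    if fix and not report["nfc_install_blocked"]:
        for argv in remediation(serial):
            subprocess.run(argv, check=True)
        ops = adb(["shell", "appops", "get", NFC_PACKAGE, INSTALL_OP], serial)
        report["nfc_install_blocked"] = nfc_install_blocked(ops)
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(audit(fix=False), indent=2))
```

Treat a device as exposed when `patched` is false and `nfc_install_blocked` is also false; the app-op deny is the stop-gap until the patch lands, and it survives the patch harmlessly since nothing legitimate needs the NFC service to sideload packages.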

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/9svl-4gT4-I/

Three UK does it again: Random folk on network website are still seeing others’ account data

British telco Three UK has once again let random people viewing its homepage view its customers’ account details as if they were logged in, exposing personal and billing data to casual browsing.

Several Reg readers got in touch with us on Friday afternoon and Saturday after noticing that when visiting Three’s website, they appeared to be logged into accounts that were not their own.

The blunder is a carbon copy of an event in February which we exclusively revealed.

Reg reader Keith told us on Friday: “This happened to me this morning. Hotspotted on to Three with phone and laptop. Went to Three website (never been there before on device) and I could see someone else’s account loaded up. Someone other side of country I do not know – same as your article [from February] but could see pdf bills with all call details.”

El Reg has been shown recent screenshots of the CK Hutchison Holdings subsidiary’s website displaying various people’s names and access to the “My3 Home” area. That login-protected part of the website contains one’s personal details and billing information.

Yet another customer took to Twitter to complain about the issue.

Three UK claims to have around 10 million customers.

It is unknown whether the privacy blunder was linked to the website falling offline in the middle of last week. A number of people contacted Three last week to say they were unable to log into their accounts, with some doing so via Twitter.

We asked Three if it wanted to comment on the fact that yet again its customers’ personal and billing information had been bared to anyone driving past on the information superhighway.

A spokesbeing said: “We are aware of an issue with my3 where fewer than 10 customers have reported being able to view another customer’s account information. No sensitive financial information was viewable at any time, we are investigating the matter and we apologise for any inconvenience caused.”

So that’s alright, then.

An Information Commissioner’s Office (ICO) spokesperson told The Register: “We are aware of an incident concerning 3 Mobile and will be assessing the information provided.”

That assessment is being carried out with an eye on Regulation 5a of the Privacy and Electronic Communication Regulations, which deals with “personal data breaches” and says that telcos must explain to the ICO precisely how big the breach was and what they have done to fix the damage.

Regulation 5a(3) says that “… if a personal data breach is likely to adversely affect the personal data or privacy of a subscriber or user, the service provider shall also, without undue delay, notify that breach to the subscriber or user concerned.”

Given that anyone was able to view Three customers’ data intermittently during the affected period, we at El Reg suggest the ICO asks Three to supply it with the number of people accessing the My3 account information area of the website during that time. After all, a well-designed user account area means it should be trivial for a service provider to track when a particular account was last logged into or accessed … shouldn’t it? ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/11/05/three_uk_data_breach_homepage_again/

Enterprise Web Security: Risky Business

Web development is at much more risk than commonly perceived. As attackers eye the enterprise, third-party code provides an easy way in.

The technologies used to create products for the Web have evolved rapidly in recent years. JavaScript, the predominant language of the Web, is present today in 97% of modern websites. More interestingly, every Fortune 500 company uses JavaScript — specifically, npm, the JavaScript package ecosystem built by millions of developers globally.

After the Node.js runtime was released in 2009, the JavaScript open source community really came to life, creating pieces of reusable code (usually called modules or packages) that could be shared by different projects. As this ecosystem evolved, we saw the emergence of full-featured front-end libraries and frameworks that greatly increased development speed, not only for web apps but also for mobile and desktop apps, all relying on modern JavaScript.

For companies, this was an unmissable opportunity: by relying on peer-reviewed third-party modules, they no longer needed to develop every piece of code in-house. In such a fast-paced industry, cutting product development time and cost translated directly into a competitive edge. Code reuse became the status quo of web development in the enterprise.

As specific product needs were met with specific community-built modules, the number of third-party modules of web apps (also known as code dependencies) quickly built up — today, averaging 1,000 dependencies per web app. And here, we must address security risk.

Each of these third-party modules represents a security liability. Companies have no control over this code but blindly trust their providers to keep it secure. However, most of these providers are individual developers who often don’t have stringent security in place and so may pose little challenge to seasoned attackers. After gaining control of one of these modules, attackers can then inject malicious code downstream in the web supply chain, breaching multiple companies in a single go. This malicious code then acts silently, siphoning valuable data such as credit card details or protected health information. [Editor’s note: Jscrambler is one of a number of companies that sell services that address this issue.]

Recent findings by researchers at the Technical University of Darmstadt suggest this risk is much higher than commonly thought. Each of the third-party modules that companies amass by the hundreds pulls in, on average, 80 dependencies of its own. Following those transitive chains, the Darmstadt researchers reached a startling conclusion: if 20 high-profile developer accounts were compromised, half of the ecosystem would be within the attackers' reach. That means large corporations worldwide being attacked from within their own code.

While the same research urges npm stakeholders to put stricter code vetting and vulnerability analysis in place, the enterprise cannot afford to wait and leave everything to blind trust in the meantime. Management must have a say here and raise the right questions about third-party code security, especially given that, in 2018, web-based attacks cost companies $2.3 million on average, and attacks carried out with malicious code $1.4 million.

Granted, third-party code isn't going anywhere; it remains one of the main drivers of competitive product development. It is by learning to integrate externally sourced code securely that the enterprise will gradually reduce this risk. Development and security teams must treat each piece of external code as a potential gateway for attack. In practice, that means reducing dependencies wherever possible, gaining visibility into what each dependency pulls in and where it comes from, and auditing that code frequently and thoroughly.
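The transitive fan-out described above (one direct dependency dragging in dozens of others) and the "gain visibility" step are easier to grasp on a concrete dependency tree. The following is an added example, not code from the article or from Jscrambler: it reads an npm package-lock.json (lockfileVersion 2 or 3, which carry a flat "packages" map keyed by install path), counts how many packages each direct dependency really pulls in, records how many direct dependencies each package is reachable from, and flags entries a reviewer would want to inspect (install scripts, packages not fetched from the public registry, missing integrity hashes). The lockfile embedded below is constructed for the example; every package name, version, URL and integrity value in it is made up.

```javascript
// Added example (not the article's or Jscrambler's code): measure the real
// size of an npm dependency tree from package-lock.json and flag the entries
// a reviewer should look at before trusting them.
//
// SAMPLE_LOCK is constructed for this example; the package names, versions,
// URLs and integrity values are invented.
const SAMPLE_LOCK = {
  name: "checkout-app",
  lockfileVersion: 2,
  packages: {
    "": { dependencies: { "ui-kit": "^2.0.0", "http-lite": "^1.1.0" } },
    "node_modules/ui-kit": {
      version: "2.0.3",
      resolved: "https://registry.npmjs.org/ui-kit/-/ui-kit-2.0.3.tgz",
      integrity: "sha512-AAAA",
      dependencies: { "dom-util": "^1.0.0", "color-fmt": "^3.1.0" },
    },
    "node_modules/dom-util": {
      version: "1.0.9",
      resolved: "https://registry.npmjs.org/dom-util/-/dom-util-1.0.9.tgz",
      integrity: "sha512-BBBB",
      dependencies: { "tiny-assert": "^0.2.0" },
    },
    "node_modules/color-fmt": {
      version: "3.1.1",
      resolved: "https://registry.npmjs.org/color-fmt/-/color-fmt-3.1.1.tgz",
      integrity: "sha512-CCCC",
      hasInstallScript: true, // runs arbitrary code on every `npm install`
      dependencies: { "tiny-assert": "^0.2.0" },
    },
    "node_modules/tiny-assert": {
      version: "0.2.4",
      resolved: "https://registry.npmjs.org/tiny-assert/-/tiny-assert-0.2.4.tgz",
      integrity: "sha512-DDDD",
    },
    "node_modules/http-lite": {
      version: "1.1.0",
      resolved: "git+ssh://git@github.com/someone/http-lite.git#3f2a1c", // not the registry
      dependencies: { "tiny-assert": "^0.2.0" },
    },
  },
};

const REGISTRY = "https://registry.npmjs.org/";

// npm resolves a dependency by looking in fromPath/node_modules/<dep>, then in
// each enclosing node_modules directory up to the project root.
function resolveDep(packages, fromPath, dep) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + dep;
    if (packages[candidate]) return candidate;
    if (base === "") return null;
    const i = base.lastIndexOf("/node_modules/");
    base = i === -1 ? "" : base.slice(0, i);
  }
}

// Breadth-first walk from startPath over "dependencies" edges; returns every
// reachable install path except startPath itself.
function transitiveClosure(packages, startPath) {
  const seen = new Set();
  const queue = [startPath];
  while (queue.length) {
    const path = queue.shift();
    for (const dep of Object.keys(packages[path].dependencies || {})) {
      const target = resolveDep(packages, path, dep);
      if (target && !seen.has(target)) {
        seen.add(target);
        queue.push(target);
      }
    }
  }
  seen.delete(startPath);
  return seen;
}

function analyzeLock(lock) {
  const packages = lock.packages;
  const direct = Object.keys(packages[""].dependencies || {});
  const perDirect = {}; // transitive packages pulled in by each direct dependency
  const fanIn = {};     // number of direct dependencies each package is reachable from
  for (const name of direct) {
    const path = resolveDep(packages, "", name);
    const closure = transitiveClosure(packages, path);
    perDirect[name] = closure.size;
    for (const p of [path, ...closure]) fanIn[p] = (fanIn[p] || 0) + 1;
  }
  const findings = [];
  for (const [path, meta] of Object.entries(packages)) {
    if (path === "") continue;
    if (meta.hasInstallScript) findings.push({ path, issue: "install script" });
    if (!(meta.resolved || "").startsWith(REGISTRY)) findings.push({ path, issue: "not from registry" });
    if (!meta.integrity) findings.push({ path, issue: "no integrity hash" });
  }
  return { totalPackages: transitiveClosure(packages, "").size, perDirect, fanIn, findings };
}

if (typeof require !== "undefined" && require.main === module) {
  // Pass the path of a real package-lock.json to analyze it instead of the sample.
  const lock = process.argv[2]
    ? JSON.parse(require("fs").readFileSync(process.argv[2], "utf8"))
    : SAMPLE_LOCK;
  console.log(JSON.stringify(analyzeLock(lock), null, 2));
}
```

On the sample, two direct dependencies expand to five installed packages, and tiny-assert is reachable from both of them: a single small package whose compromise would be imported through every top-level dependency, which is the project-level version of the Darmstadt finding. The "not from registry" and "no integrity hash" flags matter because a git URL is whatever the remote serves at that moment, with nothing for npm to verify against the lockfile.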

Companies are still discovering the devastating potential of these attacks in retrospect, when it is too late. It is time the enterprise gave this business liability proper attention: trusting third-party code responsibly while actively watching for web supply chain attacks.


CEO and Co-Founder of Jscrambler, Rui Ribeiro has led the company since 2007 from bootstrapping to a growing business. Currently, he executes the company's growth strategy and manages its vision and culture. With over 15 years of experience in the information technology …

Article source: https://www.darkreading.com/application-security/enterprise-web-security-risky-business/a/d-id/1336223?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

PSA: Turning off silent macros in Office for Mac leaves users wide open to silent macro attacks

A security hole in Office for Mac can be exploited by miscreants to potentially run malicious code on victims’ shiny computers without anyone noticing.

The CERT Coordination Center at Carnegie Mellon University, on the US East Coast, warns the bug arises when users enable the "disable all macros without notification" option in Office for Mac. That setting is itself a sensible security move: it is supposed to block any code embedded in a document from running, without even prompting the user.

However, with this setting switched on, one type of macro, XLM (the legacy Excel 4.0 macro language), remains enabled and will run without any notification when a document is opened, CERT has warned.

“If Office for the Mac has been configured to use the ‘Disable all macros without notification’ feature, XLM macros in SYLK files are executed without prompting the user,” CERT explains. “We have confirmed this behavior with fully-patched Office 2016 and Office 2019 for Mac systems.”

As you might imagine, having XLM macros run without any prompt is a serious risk. The macro language is powerful enough to launch files and execute commands, so an attacker effectively gets code execution on the target system with the privileges of the current user.

“Macros in the SYLK format are problematic in that Microsoft Office does not open in Protected View to help protect users,” says CERT CC. “This means that users may be a single click away from arbitrary code execution via a document that originated from the internet.”


In practice, an attacker could exploit the bug by embedding malicious XLM code in a SYLK file and then, via spear-phishing or other social engineering, convincing a target to open the poisoned file in Office for Mac.

When Microsoft was asked for comment, its spinners provided the following heavily encrypted response: “Microsoft has a customer commitment to investigate reported security issues and we will provide updates for impacted devices as soon as possible.”

Make of that what you will. It sounds as though it will be patched soon, maybe?

While no fix is available right now, users can instead opt for "disable all macros with notification." As CERT CC put it earlier this month:

Although “Disable all macros with notification” is less secure than “Disable all macros without notification” for modern VBA macros, the latter setting can allow for arbitrary code execution without any prompting when an XLM macro is used in a SYLK file. Until this issue is addressed, using the “Disable all macros with notification” is a more secure setting on Mac systems.

Alternatively, administrators can protect end-users by setting their email and web gateways to filter out SYLK (extension .slk) files. Perhaps that option is best. ®
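To make the attack path and the gateway filter above concrete, here is an added example that is not from the article, CERT/CC or Microsoft. SYLK is a plain-text format: the first record starts with "ID;P", "C" (cell) records carry a formula in a field prefixed with "E", and "NN" (name) records can declare a name such as Auto_Open that Excel treats as a macro to run on open. The scanner below implements the article's advice (block on the .slk extension) and adds a content check so that a SYLK file carrying an auto-run name or an XLM call that reaches outside the workbook (EXEC, CALL, REGISTER, file I/O) is still caught if its extension has been changed. The record layout is taken from the published SYLK format; the sample files, filenames and the verdict policy (block, review, allow) are constructed for this example, with the malicious sample modelled on the shape of the public proof of concept.

```javascript
// Added example (not from the article, CERT/CC or Microsoft): a gateway-side
// check for SYLK attachments that combines the article's extension rule with
// a look at the file's own records. Sample content below is constructed.
const AUTO_EXEC_NAMES = /^auto_(open|close|activate|deactivate)$/i;
// XLM functions that reach outside the workbook: process launch, DLL calls, file I/O.
const DANGEROUS_XLM = /\b(EXEC|CALL|REGISTER|FOPEN|FWRITE|FWRITELN|RUN)\s*\(/i;

// Split one SYLK record into fields; a literal ';' inside a field is written ';;'.
function splitRecord(line) {
  return line.replace(/;;/g, "\u0000").split(";").map((f) => f.replace(/\u0000/g, ";"));
}

function scanSylk(text) {
  const lines = text.split(/\r?\n/).filter((l) => l.length > 0);
  const result = {
    isSylk: lines.length > 0 && lines[0].startsWith("ID;P"),
    hasFormulas: false,
    autoExec: [],       // names that Excel runs automatically
    dangerousCalls: [], // formulas invoking EXEC/CALL/REGISTER/file functions
  };
  if (!result.isSylk) return result;
  for (const line of lines) {
    const [type, ...fields] = splitRecord(line);
    if (type === "NN") {
      const name = fields.find((f) => f.startsWith("N"));
      if (name && AUTO_EXEC_NAMES.test(name.slice(1))) result.autoExec.push(name.slice(1));
    } else if (type === "C") {
      for (const f of fields) {
        if (!f.startsWith("E")) continue; // "E" field = cell formula
        result.hasFormulas = true;
        if (DANGEROUS_XLM.test(f.slice(1))) result.dangerousCalls.push(f.slice(1));
      }
    }
  }
  return result;
}

// Policy (constructed for the example): block on the .slk extension as the
// article suggests, block any SYLK content with an auto-run name or a
// dangerous call regardless of extension, send other SYLK files with
// formulas to manual review, allow everything else.
function inspectAttachment(filename, content) {
  const byExtension = /\.slk$/i.test(filename);
  const scan = scanSylk(content);
  let verdict = "allow";
  if (byExtension || (scan.isSylk && (scan.autoExec.length || scan.dangerousCalls.length))) {
    verdict = "block";
  } else if (scan.isSylk && scan.hasFormulas) {
    verdict = "review";
  }
  return { filename, byExtension, ...scan, verdict };
}

// Constructed sample attachments. MALICIOUS follows the shape of the public
// proof of concept: an Auto_open name pointing at a cell whose formula is EXEC().
const MALICIOUS = ["ID;P", "O;E", "NN;NAuto_open;ER1C1", 'C;X1;Y1;EEXEC("CALC.EXE")', "C;X1;Y2;EHALT()", "E"].join("\n");
const SAMPLES = {
  "report.slk": ["ID;PWXL;N;E", 'C;X1;Y1;K"Total"', "C;X2;Y1;K42", "E"].join("\n"),
  "invoice.slk": MALICIOUS,
  "invoice.txt": MALICIOUS, // same payload, extension changed
  "summary.txt": ["ID;PWXL;N;E", "C;X1;Y1;K1", "C;X2;Y1;K2", "C;X3;Y1;ESUM(R1C1:R1C2)", "E"].join("\n"),
  "data.csv": "id,amount\n1,42\n",
};

function inspectAll(samples) {
  const out = {};
  for (const [name, content] of Object.entries(samples)) out[name] = inspectAttachment(name, content);
  return out;
}

for (const r of Object.values(inspectAll(SAMPLES))) {
  console.log(`${r.filename}: ${r.verdict}` + (r.autoExec.length ? ` auto-exec=${r.autoExec}` : "") + (r.dangerousCalls.length ? ` calls=${r.dangerousCalls}` : ""));
}
```

The extension rule alone blocks report.slk, which contains only values; the content check is what catches invoice.txt, and it also tells the analyst why (an auto-run name plus an EXEC call) rather than just that a .slk arrived. Adjusting the regular expressions to taste is the normal way to tune this; the record parsing does not need to change.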


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/11/05/office_mac_macro_bug/

Ransomware freezes govt IT in Canadian territory of Nunavut, drops citizens right Inuit

A malware infection has crippled the IT operations in the remote Canadian territory of Nunavut.

An alert from the territorial government on Monday says that "all government services requiring access to electronic information" are affected by what it describes as a "new and sophisticated" infection.

"Essential services will not be impacted and the [government of Nunavut] will continue to operate while we work through this issue," Premier Joe Savikataaq said. "There will likely be some delays as we get back online, and I thank everyone for their patience and understanding."

Fully recovering from the infection could be tricky for Nunavut, a remote area that covers much of the northernmost portions of Canada. The territory covers an area of more than 1.9 million square kilometers, but has a population of around 36,000 people.

While the government did not say which malware had crippled its IT infrastructure, a CBC report showed a copy of a ransom note that appears identical to the one left by DoppelPaymer, a ransomware strain linked to the operators of the Dridex malware.

The infection could also be a sign of a larger trend from ransomware operators towards targeting smaller countries and governments.


According to Emsisoft, an antivirus firm that has been tracking attacks on US state and local governments, reported ransomware outbreaks stateside have been falling over the last few months: from a high of 44 in July to 24 in each of August and September, and 16 incidents in October.

The theory is that, as municipal and state governments in the US wise up and improve their security, hackers have opted to go international in search of softer targets.

"US entities are on very high alert, bolstering their IT and so are less likely to be compromised," the security biz said in a note to The Register.

“Because of this, big game hunters are increasingly looking for opportunities in the other countries.”

Meanwhile, Nunavut has some company in the Spanish media group Cadena SER, which this week was named by Spain's National Security Department as one of a group of local companies hit by a ransomware outbreak in that country. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/11/04/ransomware_freezes_nunavut_canada/