STE WILLIAMS

Voatz of no confidence: MIT boffins eviscerate US election app, claim fiends could exploit flaws to derail democracy

Only a week after the mobile app meltdown in Iowa’s Democratic Caucus, computer scientists at MIT have revealed their analysis of the Voatz app used in West Virginia’s 2018 midterm election.

They claim the Android app is vulnerable to attacks that could undermine election integrity in the US state.

Based on their findings, published today in a paper [PDF] titled, “The Ballot is Busted Before the Blockchain: A Security Analysis of Voatz, the First Internet Voting Application Used in U.S. Federal Elections,” researchers Michael Specter, James Koppel, and Daniel Weitzner conclude that internet voting has yet to meet the security requirements of safe election systems.

“We find that Voatz has vulnerabilities that allow different kinds of adversaries to alter, stop, or expose a user’s vote, including a side-channel attack in which a completely passive network adversary can potentially recover a user’s secret ballot,” their paper states.

“We additionally find that Voatz has a number of privacy issues stemming from their use of third-party services for crucial app functionality.”

Specifically, the researchers discovered that malware or some miscreant with root access to a voter’s mobile device can bypass the host protection provided by mobile security software known as the Zimperium SDK.

The SDK, incorporated into the app, is designed to detect debugging attempts and efforts to modify the app. However, it can be disabled via the Xposed Framework and four lines of code, using a hooking utility to alter the application’s control flow. After that, an attacker with root access can commandeer the app, to alter the interface for example to divert votes, and can also leak ballot and personal data to an outside server.

That may sound far-fetched, because most people don’t have malicious stuff on their phones with root access. Consider, though, that if you wanted to rig an American election, and you were well organized, you could develop malware specifically customized to target Voatz and alter citizens’ ballots. Even infecting just a few devices could be enough to swing a close-run race.

Plaintext

The boffins also found the app’s networking implementation can expose details of a user’s vote. The app, it’s claimed, leaks plaintext metadata associated with candidates, which can then be compared to the length of the accompanying ciphertext to infer the chosen candidate’s concealed name.
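The ciphertext-length leak described above, as an added example that is not code from the MIT paper, from Voatz, or from this article: it models the ballot with a constructed, length-preserving cipher and a made-up candidate list (both assumptions), shows how a passive observer can partition candidates by ciphertext length, and shows that padding every ballot to a fixed field removes the distinction.

```python
"""Added example (not from the paper or Voatz): how ciphertext length can
leak a secret ballot choice, and why fixed-length padding closes the leak.

Constructed model: the candidate list travels as plaintext metadata, while
the chosen name is encrypted with a length-preserving cipher. Stream
ciphers and AEAD modes add only a constant overhead, so in practice
|ciphertext| still reveals |plaintext| exactly as modelled here.
"""
import os
from typing import Callable, Dict, List

# Constructed candidate metadata, visible in the clear to a network observer.
CANDIDATES = ["Ada Lovelace", "Grace Hopper", "Alan Turing", "Linus Torvalds"]

# Fixed field size used by the padded variant; must exceed the longest name.
FIELD_LEN = 32


def stream_encrypt(plaintext: bytes) -> bytes:
    """Stand-in for a length-preserving cipher (one-time XOR with a random
    keystream). Perfectly secret as a cipher, yet |ciphertext| == |plaintext|."""
    keystream = os.urandom(len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, keystream))


def encrypt_unpadded(name: str) -> bytes:
    """The leaky construction: the name's byte length passes straight through."""
    return stream_encrypt(name.encode("utf-8"))


def pad(data: bytes, field_len: int) -> bytes:
    """ISO/IEC 7816-4 style padding: append 0x80, then zero bytes up to field_len."""
    if len(data) >= field_len:
        raise ValueError("field too small for payload plus padding marker")
    return data + b"\x80" + b"\x00" * (field_len - len(data) - 1)


def unpad(padded: bytes) -> bytes:
    """Inverse of pad(): strip trailing zero bytes and the 0x80 marker."""
    stripped = padded.rstrip(b"\x00")
    if not stripped.endswith(b"\x80"):
        raise ValueError("bad padding")
    return stripped[:-1]


def encrypt_padded(name: str, field_len: int = FIELD_LEN) -> bytes:
    """The mitigated construction: every ballot ciphertext is field_len bytes."""
    return stream_encrypt(pad(name.encode("utf-8"), field_len))


def length_partition(candidates: List[str],
                     encrypt: Callable[[str], bytes]) -> Dict[int, List[str]]:
    """Group candidates by the ciphertext length their choice would produce.
    An observer who sees a ciphertext of length n learns that the voter
    picked someone in partition[n]; a singleton group is a full disclosure."""
    groups: Dict[int, List[str]] = {}
    for name in candidates:
        groups.setdefault(len(encrypt(name)), []).append(name)
    return groups


def min_anonymity_set(candidates: List[str],
                      encrypt: Callable[[str], bytes]) -> int:
    """Smallest group in the partition: 1 means at least one candidate is
    identified outright from ciphertext length alone."""
    return min(len(group) for group in length_partition(candidates, encrypt).values())


if __name__ == "__main__":
    print("unpadded:", length_partition(CANDIDATES, encrypt_unpadded))
    print("padded:  ", length_partition(CANDIDATES, encrypt_padded))
```

A review of a ballot protocol can apply `min_anonymity_set` to the real candidate list and encryption routine; anything below the full field size means length alone narrows the vote.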

What’s more, though Voatz, the company behind the app, boasts its app data is secured by blockchain technology, the researchers say that when they examined the code, they found “no indication that the app receives or validates any record that has been authenticated to, or stored in, any form of a blockchain.” And they found “no reference to hash chains, transparency logs, or other cryptographic proofs of inclusion.”

Whatever blockchain implementation may exist, they conclude, occurs on the servers supporting the app.

Also, they express concern about the privacy of user data, because the app implements third-party services like identity-verification service Jumio and crash reporting service Crashlytics, in addition to Zimperium. And Jumio, they point out, integrates its own third-party, Facetec, to analyze the video selfies. The potential issue here is that these services may handle data insecurely or in a way that’s not disclosed.

On Thursday, Voatz responded to the report in a blog post that “seems to avoid actually refuting any of the findings, and [concentrates] on vaguely attacking the research methods,” as Matthew Green, the Associate Professor of Computer Science at the Johns Hopkins Information Security Institute, put it on Twitter.

The company, defending its app, contends it found “three fundamental flaws with [the researchers’] method of analysis, their untested claims, and their bad faith recommendations.”

The app biz claims the researchers looked at an old version of Voatz, one that has since been updated at least 27 times. The company argues that the app research never connected to backend servers on Amazon AWS and Microsoft Azure, meaning it missed server-side security measures.

It also contends that the researchers’ speculation about the app’s backend “invalidates any claims about their ability to compromise the overall system” and undermines their credibility.

Voatz assails the researchers, asserting that their true goal is “to deliberately disrupt the election process, to sow doubt in the security of our election infrastructure, and to spread fear and confusion.”

Matt Blaze, professor of computer science and law at Georgetown University, observed that what’s surprising is not that a mobile internet voting system has flaws, but that Voatz would claim otherwise.

“When someone like Voatz comes offering a ‘secure online voting solution,’ officials should react approximately as they would if someone suggests cold fusion as the basis for our national energy policy,” he wrote in a Twitter post.

Or as the researchers conclude, “It remains unclear if any electronic-only mobile or internet voting system can practically overcome the stringent security requirements on election systems.” ®

Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/02/13/voatz_mit_election_app/

Huawei Charged with RICO Violations in Federal Court

A new set of indictments adds conspiracy to violate RICO statutes to a list of existing charges against the Chinese telecommunications giant.

Huawei, the world’s largest telecommunications equipment manufacturer, and two of its US subsidiaries have been charged in federal court with conspiracy to violate the Racketeer Influenced and Corrupt Organizations Act (RICO). The charges are detailed in a 16-count superseding indictment filed today.

A superseding indictment is an amendment or addition to a previous indictment. In this case, the indictment contains charges from a previous superseding indictment which was unsealed in January 2019. In addition to the RICO violations, the new indictment includes a charge of conspiracy to steal trade secrets from a wide range of US companies.

Huawei allegedly stole proprietary and confidential intellectual property from six US technology firms, including Internet router source code, cellular antenna technology, and robotics. According to the indictment, these thefts — and the sophisticated institutional efforts to gain information and hide the activity — are part of a campaign that stretches back decades. The success of the campaign, prosecutors say, has allowed Huawei to save millions of dollars in its own research and development efforts.

The investigation is ongoing. 

For more, read here.

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s featured story: “Chaos Order: The Keys to Quantum-Proof Encryption.”

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/vulnerabilities---threats/huawei-charged-with-rico-violations-in-federal-court/d/d-id/1337048?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Babel of IoT Authentication Poses Security Challenges

With more than 80 different schemes for authenticating devices either proposed or implemented, best practices and reference architectures are sorely needed, experts say.

The explosion in connected devices has led to a security nightmare for many businesses and providers, as the companies cope with securing a network that no longer connects together just workstations, servers, laptops, and smartphones, but also a growing variety of devices such as printers, door locks, lights, and vehicles.

A key problem is authenticating the devices, especially as companies shift security to zero-trust models and continuous monitoring. An academic survey of authentication mechanisms used in IoT devices, for example, found more than 80 different schemes had been proposed or implemented. Security experts worry that the plethora of devices continue to expose a massive attack surface area into corporate networks.

The Fast Identity Online (FIDO) Alliance kicked off its first working group meeting on internet-of-things (IoT) authentication last week, according to Nick Steele, research and development technical leader for authentication provider Duo Security.

“IoT is still very young in this space, in how it operates — there are really no standards at this point,” he says. “For now, it’s still really insular. A lot of these devices and how they operated are really specific to their product lines. Google Home devices operated differently than Apple Home devices, which operated differently than Amazon Alexa.”

Securing networks of connected devices is a complicated problem. Within five years, an estimated 41.6 billion IoT devices will be producing nearly 80 billion terabytes of data annually, according to International Data Corp. Any authentication framework that produces a significant amount of data per device will overwhelm many networks.

In addition, authentication has to be able to work on small devices. The device that Nok Nok Labs uses to demonstrate its technology has a 64 MHz ARM chip and 1 MB of flash memory — too small to run Linux. “That’s a typical IoT device,” says Rolf Lindemann, co-chair of the security requirements working group at the FIDO Alliance and vice president of products at Nok Nok Labs.

The major cloud providers all have software development kits (SDKs) for integrating internet-of-things (IoT) devices with their cloud services. Microsoft includes a number of authentication options in its Azure IoT Hub services, and Amazon has a well-defined process for issuing certificates to IoT devices for authentication. Google announced a year ago that its Google Cloud IoT SDK would include the ability to connect to third-party authentication libraries. 

Others are jumping into the arena as well: This week, authentication provider Nok Nok Labs touted a software development kit (SDK) aimed at giving developers the tools to authenticate IoT devices. 

“IoT security is still problematic, but people now understand that it is problematic, and they are looking for solutions,” Lindemann says. “We need to make it simple for developers to plug building blocks together and have a secure solution.” 

Overhead Issues

In a paper published last year, researchers from the University of Sciences and Arts in Lebanon and Telecom ParisTech identified at least 84 different authentication mechanisms that had either been proposed or put into production. Among the most critical facets of IoT authentication are security, low processor requirements, and low bandwidth, the researchers said.

“The communication overhead of authentication protocols is a key factor, especially when dealing with power-limited devices; the number of messages exchanged between authentication parties should be kept as low as possible,” the researchers stated in the paper. “In the same context, the size of the messages should be as small as possible due to the restricted bandwidth of the wireless communication protocols used.”

Allowing secure updates is a critical piece of the puzzle as well. In 2017, the US Food and Drug Administration required Abbott Laboratories to update the firmware on 465,000 pacemakers identified with a software vulnerability.

The ability to authenticate to the device allows companies to extend a continuous monitoring and authentication framework — also known as a zero-trust model — to their connected devices. As workers bring more devices into offices, the perimeter security model has become outdated.

Companies cannot “rely on a secure network perimeter anymore,” he says. Instead, they have to take their cue from the consumer space, where there are no trusted boundaries. “In a consumer situation, it’s all zero trust. … The enterprise is finally accepting that it is the only reality.”

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline …

Article source: https://www.darkreading.com/theedge/babel-of-iot-authentication-poses-security-challenges/b/d-id/1337049?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Architectural Analysis IDs 78 Specific Risks in Machine-Learning Systems

The new threat model homes in on ML security at the design stage.

Researchers at the Berryville Institute of Machine Learning (BIML) have developed a formal risk framework to guide development of secure machine-learning (ML) systems.

BIML’s architectural risk analysis of ML systems is different from previous work in this area in that it focuses on issues that engineers and developers need to be paying attention to at the outset when designing and building ML systems. Most of the previous work on securing ML systems has focused on how to best protect operational systems and data against particular attacks and not on how to design them securely in the first place.

“This work provides a very solid technical foundation for taking a look at the risks associated with adopting and using ML,” says Gary McGraw, noted security researcher, author, and co-founder of BIML. The need for this kind of risk analysis is critical because very few are really paying any attention to ML security at the design stage, even as ML use is growing rapidly, he says.

For the architectural risk analysis, BIML researchers considered nine separate components that they identified as common to setting up, training, and deploying a typical ML system: raw data; dataset assembly; datasets; learning algorithms; evaluation; inputs; trained model; inference algorithm; and outputs. They then identified and ranked multiple data security risks associated with each of those components so engineers and developers can implement controls for mitigating those risks where possible.

For instance, they identified data confidentiality, the trustworthiness of data sources, and data storage as key security considerations around the raw data used in ML systems, such as training data, test inputs, and operational data. Similarly, for the datasets used in ML systems, the researchers identified data poisoning — where an attacker manipulates data to cause ML systems to go awry — as a major risk. For training algorithms, BIML researchers identified the potential for attackers to subtly nudge an online learning system in a direction not intended by its developers as a major concern.

In total, BIML’s architectural analysis showed that typical ML systems are exposed to as many as 78 specific security risks across all individual components. They grouped the risks under multiple categories, including input manipulation, data manipulation, model manipulation, and extraction attacks, where threat actors try to extract sensitive data from an ML system’s dataset.

McGraw says the BIML analysis is about identifying and discussing ML risks, and not so much about what to do about them. “Identifying the risks is more than half the battle,” he says. “Once you know what the risks are, it’s a lot easier to design around them.”

The BIML report listed the top 10 risks impacting ML systems. According to the think tank, the biggest — and most commonly discussed — risks to ML systems are so-called “adversarial examples,” involving the use of malicious inputs to cause the system to make false predictions or categorizations. Data poisoning, online system manipulation, and attacks impacting data confidentiality, data integrity, and data output were all identified as other top ML security risks.

The Importance of Data Security

“One of the remarkable differences in ML security and, say, normal operational security is that data and data security play a huge role,” says McGraw. “When you are training up a system, you can train it up to be racist and xenophobic and horrible if your data are set up that way,” he says.

As one example, he points to Microsoft’s very short-lived experiment with Tay, an AI-enabled chatbot that learned from interactions on Twitter and quickly began spewing out venomous tweets of its own. “Tay was learning about Twitter by being on it, and what happened was it became a racist, bigoted troll,” he says. “Tay learned what it was like to be on Twitter, and it wasn’t pretty.”  

Such incidents highlight why organizations need to think carefully about the data they are using for machine training, how the data gets sourced, and whether the sources are reliable, he says.

Contrary to what some might assume, attacking a machine-learning system is not all that complicated, McGraw notes. “Imagine the input data for Google Translate is anything that you type in,” he says. “If you are using public data sources to train your machine learning model, you have to think about what happens when an attacker starts screwing around with it.

“The good news is if you are an engineer or a designer, you can make it harder for someone to attack your system. That’s the purpose of this work.”

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/vulnerabilities---threats/architectural-analysis-ids-78-specific-risks-in-machine-learning-systems/d/d-id/1337051?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

DDoS Attacks Nearly Double Between Q4 2018 and Q4 2019

Peer-to-peer botnets, TCP reflection attacks, and increased activity on Sundays are three DDoS attack trends from last quarter.

The number of distributed denial-of-service (DDoS) attacks nearly doubled between the fourth quarter of 2018 and fourth quarter of 2019, researchers found in a new study of DDoS trends.

Last quarter brought an increase in the number of attacks relative to the third quarter of 2019, Kaspersky Labs researchers report, and attacks also lasted longer. This was expected, they said, as the fourth quarter is often a period of “retail warfare,” driving cybercrime between October and December. The end of 2018 was “very calm” and set an expectation for a 2019 increase. However, researchers did not notice a spike in DDoS activity around Black Friday or Christmas.

DDoS attackers continued to leverage non-standard protocols for amplification attacks in the last quarter of 2019, researchers found. Adversaries have also adopted Apple Remote Management Service (ARMS), part of the Apple Remote Desktop (ARD) application for remote administration. This tactic was first spotted in June 2019; by October, attacks were widespread.

The fourth quarter of 2019 brought multiple high-profile DDoS attacks, including threats against financial organizations in South Africa, Singapore, and nations across Scandinavia. DDoS attacks aimed to cause disruption for the United Kingdom’s Labour party and also targeted Minecraft servers at the Vatican. In a more recent case, just last week the FBI warned of a potential DDoS attack targeting a state-level voter registration and information site.

“This demonstrates that DDoS is still a common attack method among cybercriminals driven by ideological motives or seeking financial gain, and organizations should be prepared for such attacks and have a deep understanding of how they evolve,” researchers said in a statement.

Other notable findings include a rise in “smart” DDoS attacks that focus on the application layer and are launched by skilled attackers. Researchers saw about 28% of DDoS attacks occurred on weekends. Sundays, in particular, proved popular, with 13% of attacks on this day of the week. While it may not seem significant, Sundays have historically been the quietest for DDoS activity and have been growing increasingly popular throughout 2019.

Researchers detected a growing number of peer-to-peer botnets in the past quarter; these operate independent of command-and-control servers and are more difficult to neutralize. One of these botnets, discovered by 360 Netlab researchers, is named Roboto and targets Linux servers. Another, Mozi, typically targets IoT devices and spreads using the DHT protocol.

Some adversaries continue to leverage proven tools and tactics in their DDoS attacks. In the fourth quarter of 2019, researchers saw a wave of TCP reflection attacks, in which attackers send requests to legitimate services while appearing to be the victim. The services’ responses go to the victim, which is overwhelmed by them; because the attackers’ own IP addresses never appear in that traffic, they don’t trigger alerts.

While the duration of DDoS attacks may have slightly lengthened between the third and fourth quarters of 2019, Imperva data indicated a trend toward cheaper and shorter attacks overall. More than 51% of attacks lasted barely 15 minutes in 2019, and only 10% lasted between 15 and 30 minutes. Experts attribute the shift to greater availability and use of DDoS-for-hire services, which let nearly anyone strike targets of their choosing with small attacks for as little as $5.

Researchers anticipate stability in DDoS attacks going forward. “Seems like the DDoS market has re-stabilized — we see no prerequisites for either a fall or further growth,” they wrote in a blog post on their findings. “There have been no high-profile arrests or closures of specialized websites for quite some time, and the cryptocurrency market is not showing explosive growth.”

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/threat-intelligence/ddos-attacks-nearly-double-between-q4-2018-and-q4-2019/d/d-id/1337052?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Coronavirus Raises New Business Continuity, Phishing Challenges for InfoSec

What happens when understaffed security teams at home and abroad are sequestered in physical quarantine zones?

Cyberattackers are barraging businesses with phishing lures touting fake info about the Coronavirus. And although the lures may be fake, the security and business continuity threats that some IT departments are preparing for are quite real. One big question: If workers are sequestered in physical quarantine zones, will IT and SecOps be able to continue? 

Initially, businesses may dismiss this risk until the virus reaches their regions. However, the risk is more prevalent as the IT supply chain becomes more global and organizations rely on overseas IT services — from help desks to 24/7 SOC-as-a-service. The concern is not just that workers themselves may get infected by the virus; the concern is that employees, contractors, and service providers’ workers who are not infected could nevertheless be quarantined for being in physical proximity to the infected individual. 

“If you’ve got 200 workers working in one place and one of them presents themselves with the illness, it’s pretty likely the government is going to quarantine everybody,” says Edward Minyard, senior consultant at IP Architects, who was an Accenture consultant working with Mexico City on pandemic prevention during the H1N1 virus spread in 2019. “And the current [quarantine] protocol is for 14 days. So that can have a material impact on folks’ planning.

“If you’ve got a large outsourced facility, for example, for your security management, or any facility with a large number of people in it, you probably don’t want to bring 100 people together and put them in a small room unless you yourself have some evidence that they have not been affected. … And the second part of the challenge is they may not be able to get there. Or even want to go there.”

Minyard says his American clients are beginning to consider the secondary impact they may feel if the virus further expands in, for example, India, a source of so many IT services. (Although India shares its northern border with China, it has thus far experienced only three confirmed cases of the virus, according to the World Health Organization, all of which are in Kerala, a western coastal state that does not border China.)

Nevertheless, Indian businesses have reported disruptions because of the stoppages in shipments from China, where over 45,000 confirmed infections and over 1,000 deaths have been reported, and many millions are in quarantine. All the way over in Barcelona, Mobile World Congress — the world’s biggest trade show for the mobile phone industry — was canceled just one week before it was set to start. 

The same challenges also apply to telecoms, electric companies, “and all the others that maintain the networks that are supposed to be supporting the rest of us,” Minyard says.

“From the perspective of business continuity and continuity of operations, this is a real thing,” he says. “This is not speculation. This is going on, and we don’t know how bad it’s going to be. Should you have all your eggs in one basket … I’d be thinking of a different plan.” 

IT security departments, already short-staffed, could be stressed even further than most other teams. And that’s something about the coronavirus that cyberattackers will surely capitalize on — just as they have already.  

Phishing Extravaganza

Cybersecurity companies have been spilling over with detections and reports of phishing messages that use coronavirus-related lures. The messages include malicious links and attachments and download a variety of malware, from Emotet to wipers to remote access Trojans (RATs).

The World Health Organization issued a warning about such scams.

Trustwave reported an Office 365 credential-stealing attack, which used a lure appearing to be from the Centers for Disease Control and Prevention (complete with CDC logo and legitimate display address) and the subject header “New case confirmed in your city.”  

Proofpoint discovered a credential-stealer that capitalized on panic with a lure claiming that a secret cure existed and that the government was using the disease as a bioweapon.

Proofpoint, as well as Cisco Talos, reported messages purporting to provide tips for virus protection; these appeared to be sent not only by official government organizations, but by businesses’ upper management. These messages were used to steal credentials, drop malware like Emotet and — in lures specifically targeting the manufacturing and shipping industries — the Nanocore RAT. 

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad …

Article source: https://www.darkreading.com/theedge/coronavirus-raises-new-business-continuity-phishing-challenges-for-infosec/b/d-id/1337050?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Dell fixes privilege elevation bug in support software

Users of Dell SupportAssist should patch their software immediately to fix a software bug that could lead to arbitrary code execution, the PC vendor said this week.

SupportAssist is a Dell software product that comes preinstalled on most of its Windows-based endpoints. It performs diagnostic tasks and streamlines the creation of support tickets for Dell machines by sending back the appropriate data to Dell operatives. It can even provide predictive maintenance for users with premium accounts, warning of components that look like they’re close to failure.

According to a Dell advisory, a vulnerability in the program lets a locally-authenticated low-privilege user force the SupportAssist program binaries to load arbitrary dynamic-link libraries (DLLs). DLLs are executable files that can contain data and other resources, and they’re often used as a way to break down applications into modular parts.

By forcing the SupportAssist software to run a DLL, an attacker could have it run with the Dell application’s privileges, effectively mounting a privilege elevation attack.

The flaw that enables the attacker to run a DLL is an uncontrolled search path vulnerability. In bugs of this kind the program looks for a library along a search path that includes a location the attacker can write to, so a file planted there under the expected name gets loaded and executed by the target program.

The vulnerability affects versions of SupportAssist dating back to 2.0, but Dell has fixed the problem in the latest versions of its software. For business PCs, version 2.1.4 contains the fix. For home PCs, it’s version 3.4.1.

The good news is that for some users the problem will resolve itself thanks to the SupportAssist application’s auto-update facility. If this option is enabled, SupportAssist will automatically upgrade to the latest version.

Users that don’t have the automatic update feature enabled can implement the fix by opening the software, clicking the ‘Settings’ icon at the top right, and clicking ‘About SupportAssist’. The program will then check to see if there’s a new version available. If it finds one, it’ll display an ‘Update Now’ link for you to click.

The vulnerability has been assigned CVE-2020-5316, though that CVE entry had not yet been populated with details at the time of writing.

This isn’t the first uncontrolled path vulnerability that Dell has grappled with. The company found a similar flaw in the PC Doctor component of SupportAssist in June 2019.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/qWZIGKgr3WU/

Firefox six-weekly security fixes are out – get them now!

Mozilla’s own “patch Tuesday” for Firefox happened this week.

Rather than patching once a calendar month, Mozilla goes for every sixth Tuesday – or every 42 days, which we call Fortytwosday in a hat-tip to HHGttG.

This update takes the regular build of Firefox to 73.0, while the long-term release, which includes security fixes but not feature updates, goes to 68.5.0esr.

ESR is short for Extended Support Release, and if you want to know which regular release it matches up to for security patches, just add the leftmost two numbers together, and notice that 68+5 = 73.

The good news is that none of the security holes fixed in this update seem to be what are known as zero-day vulnerabilities, which is the industry term for bugs that the crooks figure out first.

(The name zero day reflects the fact that even if you are the sort of person who patches as soon as you can, there would have been zero days on which you could have been ahead of the crooks.)

Six official bug numbers have been assigned to this round of fixes, numbered sequentially from CVE-2020-6796 to CVE-2020-6801.

For what it’s worth, CVE-2020-6801 is reserved for software changes that only apply to the 73.0 version of Firefox, presumably meaning that they are security flaws in new program code that was only introduced in features added into versions after 68.0.

Otherwise, those bugs would almost certainly have been present in 68.4esr too, given that the “code history” of the ESR and mainline releases branched (to use the jargon word) after 68.0.

The bugs denoted CVE-2020-6800 and -6801 are those that the Mozilla team themselves found as a side-effect of their ongoing, always-running tests that try to identify possible security holes known as memory safety bugs.

That’s where the software is spotted making changes in memory that aren’t supposed to happen – behaviour that is always wrong, and needs to be fixed even if those unexpected changes turn out to be harmless.

In other words, all memory safety errors count as vulnerabilities, because they represent bugs that might threaten security, rather than just affecting functionality.
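To make the memory safety point concrete, here is an added example in C; it is not Mozilla's crash-reporting code, and the struct and function names are assumed for illustration. A sub-process appends crash annotations into a fixed-size shared region, and the parent copies them out after a crash. Both sides treat the length field as untrusted, because a sub-process could corrupt it before crashing; the defect the article describes is what you get when those checks are missing and the length is trusted as a copy offset.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Fixed-size region standing in for the shared memory a crash reporter
 * keeps per content process (constructed for this example). */
#define ANNOTATION_CAPACITY 64

struct crash_annotations {
    uint32_t length;                     /* bytes used in data[]; lives in shared memory */
    uint8_t  data[ANNOTATION_CAPACITY];  /* key=value text, no terminator */
};

/* Append an annotation from a (possibly hostile) sub-process.
 * Returns 1 on success, 0 if the write is rejected. Without the two
 * checks below, a corrupted `length` would turn memcpy into an
 * out-of-bounds write past data[]. */
int annotation_append(struct crash_annotations *a, const uint8_t *src, size_t n)
{
    if (a->length > ANNOTATION_CAPACITY)          /* header already corrupted */
        return 0;
    if (n > ANNOTATION_CAPACITY - a->length)      /* subtraction form avoids overflow */
        return 0;
    memcpy(a->data + a->length, src, n);
    a->length += (uint32_t)n;
    return 1;
}

/* Parent side: copy annotations out after the child died.
 * Returns bytes copied, or -1 if the child left an impossible length. */
long annotation_snapshot(const struct crash_annotations *a, uint8_t *out, size_t out_cap)
{
    uint32_t len = a->length;                     /* read once; shared memory can change */
    if (len > ANNOTATION_CAPACITY || len > out_cap)
        return -1;
    memcpy(out, a->data, len);
    return (long)len;
}

/* Self-check scenarios; each returns 1 when the guard behaves as intended. */
int check_valid_append(void)
{
    struct crash_annotations a = {0};
    return annotation_append(&a, (const uint8_t *)"Reason=oom;", 11) == 1 && a.length == 11;
}

int check_oversize_rejected(void)
{
    struct crash_annotations a = {0};
    uint8_t big[ANNOTATION_CAPACITY + 1] = {0};   /* one byte too many */
    return annotation_append(&a, big, sizeof big) == 0 && a.length == 0;
}

int check_corrupted_header_rejected(void)
{
    struct crash_annotations a = {0};
    uint8_t out[ANNOTATION_CAPACITY];
    a.length = 0xFFFFFFFFu;                       /* constructed: child corrupted the header */
    return annotation_append(&a, (const uint8_t *)"x", 1) == 0
        && annotation_snapshot(&a, out, sizeof out) == -1;
}

int check_fills_to_capacity(void)
{
    struct crash_annotations a = {0};
    uint8_t buf[ANNOTATION_CAPACITY] = {0};
    if (!annotation_append(&a, buf, 32)) return 0;
    if (!annotation_append(&a, buf, 32)) return 0;  /* exactly full is still fine */
    return annotation_append(&a, buf, 1) == 0 && a.length == ANNOTATION_CAPACITY;
}

int main(void)
{
    printf("valid=%d oversize=%d corrupted=%d full=%d\n",
           check_valid_append(), check_oversize_rejected(),
           check_corrupted_header_rejected(), check_fills_to_capacity());
    return 0;
}
```

The point of the four checks is the one the article makes: the write is rejected whether or not the bad length would have caused visible damage, because the program must never be in a position where shared-memory contents decide where it writes.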

Fortunately, most vulnerabilities can’t actually be turned into what are known as exploits – the self-explanatory jargon term for vulnerabilities that can actively and predictably be abused in real life. But as the Mozilla security advisory notes with refreshing candour:

Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

Only one other bug, CVE-2020-6796, gets a “high” rating, because it too can lead to memory corruption.

Amusingly (something we can say now the bug is closed), the flaw relates to Firefox’s crash reporting system, whereby a sub-process could modify memory that it shouldn’t have been able to access, but that wouldn’t be used unless that sub-process itself later crashed.

As the coders wryly report:

A content process could have modified shared memory relating to crash reporting information, crash itself, and cause an out-of-bound write. This could have caused memory corruption and a potentially exploitable crash.

Simply put, a sub-process could deliberately tamper with data that was supposed to be preserved in case it crashed by accident, and then crash itself on purpose, in order to trigger a bug later on in the code that processes that data.

The other three bugs are rated moderate; one applies to Mac users only and another only to Windows.

What to do?

Get the fixes now, or if your Firefox is configured to update automatically (that’s the default), go and check that you have the update.

Go to the Help > About Firefox option, which pops up a dialog box that will tell you what version you currently have, and get the update for you if you haven’t received it yet.

This Firefox is up-to-date – there’s no ‘downloading’ or ‘restart’ button shown.

The Tor browser, which is based on Firefox ESR, has also been updated. Tor Browser 9.0.5 arrived on 2020-02-12 and includes Firefox 68.5.0esr. You can use the dialog box that pops up via Help > About Tor Browser to make sure your Tor is up-to-date.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/--nLqi3_4XY/

S2 Ep26: Robbin Hood ransomware, Twitter parodies and SMS 2FA WHAT? – Naked Security Podcast

This week we welcome back Peter who discusses RobbinHood – the ransomware that brings its own bug. Greg explains how a student’s Twitter account was handed over to their college and Duck talks SMS 2FA.

Host Anna Brading is joined by Sophos experts Peter Mackenzie, Paul Ducklin and Greg Iddon.

Listen now!


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Cq2ETGlwMro/

Forget Hacks… Ransomware, Phishing Are Election Year’s Real Threats

As we gear up for the voting season, let’s put aside any links between foreign interference and voting machine security and focus on the actual risks threatening election security.

With presidential primaries underway and a national election on the horizon, security’s in the air just as much as platforms and policies. Unfortunately, it also opens the door for non-technical political cynics to stoke election security fears and promote misconceptions, undermining public confidence in democracy and the election process as a whole.

Top security concerns focus on electronic voting equipment, potential cyberattacks, and ways US states, counties, and parishes can take precautions to curb voter machine threats. Focusing solely on voting machine security is tempting for those who aren’t experts in network and information security, but this narrow view often undercuts the true complexity of election security. While voting machine security is important, hacking those machines tends to be a high-risk, high-effort production that’s almost impossible to scale because it usually requires showing up and physically touching machines. By focusing on this rarely exploited security concern, the larger systemic issues of election security are left out of the conversation.

As we gear up for this year’s voting season, it’s important to leave the implicit link between Russian interference in the 2016 election and voting machine insecurity in the past and redirect focus on the actual risks threatening election security. 

At-risk infrastructure
Election infrastructure has and will continue to be targeted during the upcoming election. Well-resourced foreign adversaries are interested in targeting the networks and Internet-connected systems used during elections. An unsophisticated level of cyber-hygiene in these IT environments can allow hackers to successfully target voter registration systems and databases, voter verification services, Web services used to publish polling information, and other network services run by local, county, and state election authorities. To combat these threats, a vulnerability management program needs to be present across all election-critical network services to reduce the attack surface and ensure critical software patches are in place.

Phishing is the most popular vector for online crime, and that won’t change with the elections. We saw email-based targeted phishing campaigns firsthand during the 2016 presidential election, when the highest profile phishing attack succeeded in targeting emails directed at Hillary Clinton’s campaign manager, John Podesta. This was not a tactic used to gain access to election systems, but rather to fuel a propaganda campaign that weakened public confidence in those systems and that specific candidate. There is no doubt that election hackers will continue to use this method in 2020. It’s likely that phishing will target virtually everyone connected to the US elections in any official capacity.

Ransomware attacks spiked in 2019, hitting critical networks in cities and counties. The wildly popular tactic is best exemplified by the attack that hit Baltimore this past May. Though not motivated by profit, ransomware-like attacks such as NotPetya are still surprisingly devastating: the encrypted hard drives have no recovery key, and the self-replicating code leverages both software vulnerabilities and common Windows weaknesses. Such an attack on election day could cause immense chaos in any US city. Critical election infrastructure connected to and available over the standard public Internet would be disrupted or taken offline, which would impact both voter confidence and voter turnout.

As the 2020 elections kick off, it’s important to remember that voting machines are and will remain an important technology that helps make voting easier and more accessible for millions of Americans. We can take solace in knowing that the vendors of these machines are taking their security responsibility seriously. Rather than pouring effort into the machines themselves, election stakeholders for the 2020 election cycle should direct their limited resources to protecting back-end systems, increasing user awareness, and championing fundamentally simple solutions.

Attackers can reach campaign and election system online resources and email inboxes far easier than they can scale up hacks on individual voting machines. So let’s focus on maintaining voter confidence and deny attackers easy propaganda wins by securing all the things we can and auditing all those that we can’t.

Tod Beardsley is the Director of Research at Rapid7. He has over 30 years of hands-on security experience, stretching from in-band telephony switching to modern IoT implementations. He has held IT Ops and Security positions in large organizations such as 3Com, Dell, and …

Article source: https://www.darkreading.com/attacks-breaches/forget-hacks-ransomware-phishing-are-election-years-real-threats/a/d-id/1337004?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple