STE WILLIAMS

Serious Microsoft crypto vulnerability – patch right now

The burning question of the moment is, “What about CVE-2020-0601?”

That’s the bug number assigned to one of the security holes fixed in Microsoft’s January 2020 Patch Tuesday updates.

Of the 50 bugs patched this month, that’s the Big One, officially described by Microsoft as a “Windows CryptoAPI Spoofing Vulnerability”.

To explain.

The CryptoAPI, partly implemented in a Windows file called crypt32.dll (you’ll also hear that filename used to describe this bug), is the way that many, if not most, Windows programmers add encryption functionality into their software.

Instead of writing their own encryption routines – something Naked Security regularly urges you not to do, because it’s easy to make dangerous mistakes! – many programmers use the CryptoAPI built into Windows itself.

One of the functions that the CryptoAPI offers is to check and validate so-called digital certificates, which are blocks of cryptographic data used to vouch for online services you use (such as websites) or files you load (such as programs).

Digital certificates are the cryptographic sauce that puts the S into HTTPS, and the padlock into your browser’s address bar.

They are also the cryptographic mechanism that vouches for the vendor of any digitally signed software you use, and makes sure that the software hasn’t been tampered with.

The idea is that you create a certificate to vouch for your website or your software; you get a so-called Certificate Authority (CA) to sign your certificate to vouch for you; and your browser or operating system – in this case, Microsoft’s CryptoAPI, vouches for the CA.

Digital certificates considered important

The digital certificate system isn’t perfect – you will find numerous articles on Naked Security about incorrectly signed certificates; CAs who were so sloppy that their certificates were invalidated; and company certificates stolen by crooks so that they could give their own apps or web pages someone else’s imprimatur.

And digital signatures, on their own, don’t assure you that a web page itself is truthful or accurate, or that a software program is well-written and malware free.

Nevertheless, digital certificates are important – very important, in fact – in giving you a better-than-average chance of deciding that you are at least on the right website, or that you have downloaded the software you intended.

In other words, if you were a crook and you could forge digital certificates in other people’s names, then you would have a head start in trying to trick even well-informed users into visiting fake websites, filling in bogus forms, or downloading and then running imposter software.

You might also be able to trick them into visiting your website instead of the one they intended to visit, fetching the content they expected to see from the genuine website, and then passing that data on without any visible sign that it had been intercepted and snooped upon.

That’s called a man-in-the-middle attack and it means that an attacker can spy on your web browsing, even on encrypted sites, as well as altering the content you get back or modifying the data you upload.

Well, that’s apparently just what this bug could allow an attacker to do.

The phrase “spoofing vulnerability” in Microsoft’s bug description is shorthand for “a crook could create a forged certificate for signing software or network traffic, and the CryptoAPI wouldn’t spot the fakery.”

In other words, a crook who could figure out how to create a correctly-spoofed certificate would be like a bogus traveller with access to a printer that could produce fake passports so good that they wouldn’t just look right, they’d actually get through the screening point at the border post.

In Microsoft’s own, more technical, words:

An attacker could [use] a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider. [Or] the attacker [could] conduct man-in-the-middle attacks and decrypt confidential information on user connections […].

What to do?

We don’t yet know how hard it is to produce rogue certificates that will pass muster, and Microsoft understandably isn’t offering any instructions on how to do it.

All we know is that Microsoft has said it can be done, and that’s why the patch for CVE-2020-0601 has been issued.

So you should assume that someone will find out how to do it pretty soon, and will probably tell the world how to do it, too.

So, very briefly put, we urge you to…

patch your Windows 10 computers and your Windows 2016 servers right now.

Don’t delay – patch today!

If your computer won’t accept rogue certificates, then you’re not only protecting yourself from being tricked, you’re helping to stop your computer accidentally tricking other people, too.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/3IJEeL8R9bQ/

Apple calls BS on FBI, AG: We’re totally not dragging our feet in murder probe iPhone decryption. PS: No backdoors

Analysis Apple has responded to a demand from the United States’ Attorney General William Barr that it grant the FBI access to two iPhones used in a recent shooting by carefully calling bullshit on his claims.

Barr held a press conference on Monday in which he accused Apple of not having given the FBI “any substantive assistance” in the case of Saudi airman Mohammed al-Shamrani, who shot and killed three American sailors at a naval base in Pensacola, Florida.

Barr tried to paint the tech goliath as standing in the way of an important terrorist investigation. “We call on Apple and other technology companies to help us find a solution so that we can better protect the lives of Americans and prevent future attacks,” he argued, giving some details of the case that pointed to jihadist motivation behind the attack.

Communication breakdown

But Apple was having none of it, putting out a response today that gently but firmly disputes Barr’s representation, and even raises questions over what Barr and the FBI’s real motivation is.

“We reject the characterization that Apple has not provided substantive assistance in the Pensacola investigation,” the statement read in part. “Our responses to their many requests since the attack have been timely, thorough and are ongoing.”


Apple has provided “many gigabytes of information,” it stated – mostly backups from its iCloud service – and it provides a timeline of requests and responses.

“Within hours of the FBI’s first request on December 6th, we produced a wide variety of information associated with the investigation. From December 7th through the 14th, we received six additional legal requests and in response provided information including iCloud backups, account information and transactional data for multiple accounts,” Apple notes, adding that “in every instance, we responded with all of the information that we had.”

The real issue of course is the data on the actual phones themselves. Barr noted that the shooter had posted anti-American messages on social media and implied that there may be messages on the phone that connected him to co-conspirators, while at the same time noting that there was no evidence that it was anything but an individual act. “It is very important for us to know with whom and about what the shooter was communicating before he died,” Barr said.

In response, Apple restated the policy it has with respect to accessing iPhones and the one that its CEO Tim Cook very publicly stood by the last time the FBI asked for help cracking iPhones. To crack the phone’s encryption, Apple argues, it would need to develop a backdoor in the software; a backdoor that could then be found and used by others.

“We have always maintained there is no such thing as a backdoor just for the good guys,” Apple stated. “Backdoors can also be exploited by those who threaten our national security and the data security of our customers. Today, law enforcement has access to more data than ever before in history, so Americans do not have to choose between weakening encryption and solving investigations. We feel strongly encryption is vital to protecting our country and our users’ data.”

The iGiant went further than that though and implied that the FBI and Barr have an agenda and are trying to wrong-foot the biz.

“The FBI only notified us on January 6th that they needed additional assistance a month after the attack occurred,” Apple stated. “Only then did we learn about the existence of a second iPhone associated with the investigation and the FBI’s inability to access either iPhone.”

It goes on: “It was not until January 8th that we received a subpoena for information related to the second iPhone, which we responded to within hours. Early outreach is critical to accessing information and finding additional options.”

Funny timing

It is worth noting that the FBI provided details about the second iPhone to the press at the same time it sent them to Apple, suggesting a calculated strategy to put pressure on Apple.

The FBI only talks to the press when it wants to. The fact that a subpoena arrived two days later, when the issue was already being discussed and written about – including by this site – points to some kind of strategy on the part of Barr and the FBI.

We noted last week that the request looks designed to bypass a number of shortcomings in an earlier FBI request to unlock a different iPhone. That request became the center of a very public impasse between law enforcement and Apple as well as a special inquiry report by the Department of Justice’s inspector general.

As such it looks as though the FBI has worked to create as clean a test case as possible – and this week the Attorney General formally added his backing to it. Where it goes from here is uncertain. The FBI and Attorney General have tended to maintain a degree of strategic planning and so this is unlikely to be the end of the matter.


The FBI may have hoped that Apple would be swayed by public pressure to reverse its position – though that seems unlikely given Cook’s determined stance in the past.

Barr could try to turn it into a legal case, setting up an almighty legal battle between citizens’ rights and governmental authority that would be certain to reach the Supreme Court. That would be a risky move, especially given recent rulings on privacy and digital devices (Riley and Carpenter being the two key cases.)

Or the FBI and Barr may be teeing up a battle in Congress for new legislation that would legally oblige Apple to grant access to its devices when presented with a search warrant. That would also be a tall ask, although not impossible if Barr can make the case that Apple is standing in the way of proper investigation of terrorist activities, especially if President Trump wins re-election.

It’s impossible to know beyond the fact that there is clearly a plan and Apple is prepared to fight it. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/01/14/apple_ag_bs/

Welcome to the 2020s: Booby-trapped Office files, NSA tipping off Windows cert-spoofing bugs, RDP flaws…

Patch Tuesday In the first Patch Tuesday of the year, Microsoft finds itself joined by Adobe, Intel, VMware, and SAP in dropping scheduled security updates.

49 fixes from Microsoft

This month’s Microsoft security fixes include three more remote-code-execution vulnerabilities in Redmond’s Windows Remote Desktop Protocol software. Two of the flaws (CVE-2020-0609, CVE-2020-0610) are present on the server side in RD Gateway – requiring no authentication – while a third (CVE-2020-0611) is found on the client side.

Dustin Childs of the Trend Micro Zero Day Initiative notes that the two gateway flaws in particular are exposed to attack.

“This code execution occurs at the level of the server and is pre-auth and without user interaction,” Childs pointed out. “That means these bugs are wormable – at least between RDP Gateway Servers.”

NSA very publicly reports a Windows bug

Also dropping this month is CVE-2020-0601, an unfortunate digital-certificate-spoofing vulnerability that has been heavily hyped over the past 24 hours by the NSA.

According to Microsoft, the vulnerability is present in the Windows Crypto API for Windows 10, Server 2016, and Server 2019. It is traced back to blunders in the validation of Elliptic Curve Cryptography certificates. The end result is the ability for miscreants to forge code-signing certificates to make malware appear to come from trusted application developers. Thus, folks can be tricked into installing spyware, ransomware, and other horrible stuff.

The NSA took things a step further, suggesting [PDF] the bug could not only be abused to disguise software nasties as legit apps, but also intercept secure network communications.

“NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable,” the secretive body said. “The consequences of not patching the vulnerability are severe and widespread.”


Amid Uncle Sam’s dire warnings, Microsoft said there is no evidence of the flaw being targeted in the wild and its severity level is listed as “important,” a step below the critical remote code execution bugs in RDP, .NET (CVE-2020-0603, CVE-2020-0605, CVE-2020-0606, CVE-2020-0646) and Internet Explorer (CVE-2020-0640).

The American spying agency, though, wants everyone to know – to the point of even holding a press conference about CVE-2020-0601 – that it privately found and reported this diabolical cert flaw to Microsoft, and that it is a totally friendly mass-surveillance system that has turned a new leaf, wants to be on the good side of infosec researchers, and cares about your ongoing ability to verify the origin and integrity of executable files and network connections. And that it’s happy for Microsoft to publicly thank the snoops for finding the flaw, which it did.

Meanwhile, there’s another advisory here from the CMU CERT Coordination Center on the certificate fumble. As with all these holes, get it patched as soon as you can.

Moving on, there are the handful of remote-code-execution vulnerabilities in Office, programming screw-ups that can be exploited when the user opens a specially poisoned document file. Those include flaws in Excel (CVE-2020-0650, CVE-2020-0651, CVE-2020-0653) and one for Office in general (CVE-2020-0652).

Finally, this Patch Tuesday marks the last official mainstream release of security fixes for Windows 7 and Server 2008, which drop out of support today (plus or minus a few caveats).

Intel posts six advisories to start the year

There were half a dozen advisories released this month by Intel, including one for what Chipzilla considers a high-severity issue. That flaw, CVE-2019-14613, allows elevation of privilege by way of the VTune Amplifier for Windows software.

Intel also addressed an information disclosure flaw (CVE-2019-14615) in Processor Graphics, a denial of service bug (CVE-2019-14596) in Chipset Device Software INF Utility, and an elevation of privilege bug (CVE-2019-14601) in RAID Web Console 3 for Windows.

Admins will want to get in the habit of testing and installing all of the monthly Intel patches alongside those from Microsoft and other vendors.

VMware warns of EoP bug

While you’re patching Windows, it would be wise to get the latest update for VMware Tools. That fix cleans up CVE-2020-3941, a race condition flaw that would potentially allow users to escalate their privileges within a Windows VM.

While not as serious as a full hypervisor escape bug, the flaw is worth patching. Alternatively, updating to VMware Tools 11.0.0 or later will also fix the bug.

Adobe starts off slow with just two January patches

This was a relatively light Patch Tuesday for Adobe, who posted a pair of updates to address a total of nine CVE-listed bugs.

Of those, five were found in Adobe Illustrator CC for Windows. Each is a memory corruption vulnerability that, if exploited, allows for arbitrary code execution. FortiGuard Labs researcher Honggang Ren was credited for all five discoveries.

The second patch was issued for Adobe Experience Manager. It cleans up four flaws, each allowing for information disclosure. Two of the bugs were credited to Lorenzo Pirondini, a front-end software engineer at Adobe specialists Netcentric.

SAP posts seven patches

This month saw SAP release six bug fixes and one update to an earlier notice.

Of those seven bulletins, the most serious concerns CVE-2020-6305, a cross-site scripting vulnerability in the Rest Adaptor for SAP Process Integration.

Other patches include a denial of service flaw in NetWeaver Internet Communication Manager (CVE-2020-6304), and a missing authorization check in Realtech RTCISM 100. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/01/14/patch_tuesday_january_2020/

Processor Vulnerabilities Put Virtual Workloads at Risk

Meltdown, Spectre exploits will likely lead to customers making tradeoffs between performance and security of applications, especially virtual and cloud-based apps

Back in January 2018, a consortium of security researchers from organizations including Google, Cyberus Technology and several universities disclosed two ominously-named vulnerabilities found in nearly all modern computer processors. These vulnerabilities broke open the floodgates for research into flaws in some of the most fundamental security protections found in computer processors. Meltdown, Spectre, and the other related vulnerabilities are significantly more dangerous and useful to an attacker in a virtual environment versus a non-virtual server or desktop. In response, I expect to see Intel and AMD eventually create separate processor lines to protect cloud applications from this threat.  

The Processor Speed Race
Modern processors handle dozens if not hundreds of applications simultaneously. Billions of transistors packed into multiple cores allow them to seamlessly and automatically switch between execution threads as needed. They typically enforce a set of rules on this dance of applications, including one very big one: The processor should prevent applications from accessing data from other running applications. Meltdown and Spectre allow malicious applications to break this rule.

Processing power continues to increase each year, but no longer at the same rates that we used to see when Moore’s Law still held true. Processor manufacturers have to use clever “cheats” to squeeze more performance from their devices as they run into limits of transistor technology. One of these cheats is an optimization technique called speculative execution.

Speculative Execution: Faster but Flawed
In a nutshell, application execution paths often contain many forks, or branches, where they may go down one of multiple code paths depending on the result of a calculation. The processor doesn’t know what branch the application will follow until it completes the calculation, but it can save time by guessing the outcome and continuing execution down that path while it waits for the calculation result. If it guessed correctly, it already has a head start and saves a few microseconds. If it guessed incorrectly, it simply discards the work it started and continues down the correct path.

Meltdown and Spectre both abuse speculative execution, though in slightly different ways. While the technical explanation could take a full article in itself, the short story is that they use speculative execution to load restricted memory into the processor’s memory cache and then use a few tricks to accurately identify the contents of that memory even after the processor recognizes they shouldn’t be able to read it directly. The restricted memory could include anything from an administrative password to sensitive cryptographic keys on a Web server.

Spectre and Meltdown in the Cloud
While expanding the potential impact of malware on a desktop or non-virtualized server is never good, Meltdown and Spectre become much more dangerous in the cloud and virtual environments. An attacker with code execution on a physical desktop or server usually has much easier ways to elevate their privileges and access sensitive data from other applications. Using Meltdown or Spectre would be excessive.

But in a virtual environment, a single piece of hardware (for example, an EC2 instance in an AWS data center) can house multiple different tenants, each of which expects their applications and services to be completely isolated from the other tenants with which they share the resources. Usually, the hypervisor (the management software that handles virtualizing a single piece of hardware into multiple virtual servers) has strict security controls to enforce tenant isolation. 

But Spectre and Meltdown completely bypass these software protections by targeting the hardware itself. An attacker with access to one application on a cloud server could steal data from all the other applications using a shared resource on the same physical hardware, no matter how good the security of those other applications is!

Since Meltdown and Spectre’s disclosure, researchers have found several variants and other vulnerabilities that abuse speculative execution to access restricted memory. Intel and AMD, the two largest processor manufacturers, have been playing a cat-and-mouse game of patching these flaws, usually at the cost of processor performance. The performance loss has been up to 30% in extreme cases. This has led many desktop users, who are less impacted by Spectre, Meltdown, and the like, to disable the security options to retain more processing power. 
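Whether a given host is running with those mitigations on or off is something an administrator can verify rather than assume. On Linux the kernel reports the state of each speculative-execution issue as one file per issue under /sys/devices/system/cpu/vulnerabilities, with contents of the form “Not affected”, “Mitigation: …” or “Vulnerable…”. The following is an added example (not code from the article or its author) that reads that directory, classifies each entry, and lists the issues the host is still exposed to; when run somewhere without that sysfs tree it falls back to a constructed sample that imitates the kernel’s output format.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"sort"
	"strings"
)

// SysfsVulnDir is where the Linux kernel reports speculative-execution
// mitigation state, one file per issue (meltdown, spectre_v1, spectre_v2, ...).
const SysfsVulnDir = "/sys/devices/system/cpu/vulnerabilities"

// State is the coarse classification of one sysfs entry.
type State string

const (
	NotAffected State = "not affected"
	Mitigated   State = "mitigated"
	Vulnerable  State = "vulnerable"
	Unknown     State = "unknown"
)

// Classify maps the kernel's human-readable line onto a State. The kernel
// prints "Not affected", "Mitigation: ..." or "Vulnerable" (optionally
// followed by details).
func Classify(line string) State {
	s := strings.TrimSpace(line)
	switch {
	case s == "Not affected":
		return NotAffected
	case strings.HasPrefix(s, "Mitigation:"):
		return Mitigated
	case strings.HasPrefix(s, "Vulnerable"):
		return Vulnerable
	default:
		return Unknown
	}
}

// Unmitigated returns, sorted by name, the issues the host is still exposed
// to, given a map of issue name -> sysfs file content.
func Unmitigated(entries map[string]string) []string {
	var out []string
	for name, line := range entries {
		if Classify(line) == Vulnerable {
			out = append(out, name)
		}
	}
	sort.Strings(out)
	return out
}

// ReadSysfs loads every file in dir into a name -> content map.
func ReadSysfs(dir string) (map[string]string, error) {
	files, err := os.ReadDir(dir)
	if err != nil {
		return nil, err
	}
	entries := make(map[string]string, len(files))
	for _, f := range files {
		data, err := os.ReadFile(filepath.Join(dir, f.Name()))
		if err != nil {
			return nil, err
		}
		entries[f.Name()] = string(data)
	}
	return entries, nil
}

// SampleEntries is constructed data in the kernel's format, standing in for a
// host whose administrator has switched some mitigations off for speed.
var SampleEntries = map[string]string{
	"meltdown":   "Mitigation: PTI\n",
	"spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization\n",
	"spectre_v2": "Vulnerable, IBPB: disabled, STIBP: disabled\n",
	"l1tf":       "Not affected\n",
	"mds":        "Vulnerable; SMT vulnerable\n",
}

func main() {
	entries, err := ReadSysfs(SysfsVulnDir)
	if err != nil {
		fmt.Println("sysfs not available here, using constructed sample:", err)
		entries = SampleEntries
	}
	for _, name := range Unmitigated(entries) {
		fmt.Printf("%s: %s", name, entries[name])
	}
}
```

Run as a normal user on a Linux host; the sysfs files are world-readable. An empty result means every reported issue is either mitigated or does not affect the CPU, which is the state a virtualised or multi-tenant host should be in given the risk picture the article describes.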

How to Solve the Problem
Mitigating this type of vulnerability in a cloud environment where security is paramount ranges from difficult to impossible. Patching these vulnerabilities requires difficult microcode updates to the processor itself. Because of these challenges, we’re likely heading towards a future where Intel and AMD manufacture different classes of processors that focus on either security or speed.

Cyber security is all about risk trade-offs. Desktop computers and non-virtualized servers have less to lose from an attacker successfully exploiting a Meltdown-like vulnerability than virtual environments, where an exploit could be a disaster. Since their risk is substantially lower, they could benefit from remaining vulnerable in return for significantly better processor performance. Processors used in virtual environments would likely swing the other way: prioritize security over speed by removing speculative execution entirely (or possibly something slightly less drastic). This could lead to different processor lines, one focused on security with slightly degraded performance and another focused on pure execution speed that risks falling victim to speculative execution attacks.

Researchers have already opened Pandora’s box for processor security vulnerabilities and the days are clearly numbered for speculative execution in its current form. Since the original Meltdown and Spectre disclosures, researchers have discovered additional serious flaws nearly every other month. At this rate, something will have to change to keep cloud applications safe. Whether that will be a fundamental re-architecture on all processors or a split into different security and performance-focused lines remains to be seen.


Marc Laliberte is a senior security analyst at WatchGuard Technologies. Specializing in networking security protocols and Internet of Things technologies, Marc’s day-to-day responsibilities include researching and reporting on the latest information security threats and …

Article source: https://www.darkreading.com/cloud/processor-vulnerabilities-put-virtual-workloads-at-risk/a/d-id/1336735?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Global Predictions for Energy Cyber Resilience in 2020

How prepared is the energy sector for an escalating attack surface in the operating technology environment? Here are five trends to watch.

The new year is shaping up to be a year of giant leaps for cybersecurity and the energy sector. The escalation of attacks brought us to a tipping point in 2019. Across the energy sector, leaders now recognize we need to step up defenses to meet the threat environment.

Over the past few years, cyberattacks on the energy sector have grown in volume and in sophistication. Attacks increasingly targeted the operating technology (OT) environment, reaching beyond information technology (IT) systems like servers and mobile devices to attack machinery and equipment including turbines, compressors, and transformers. This distinction has consequences. Attacks on the OT environment have the potential to cause physical damage to a plant, create service outages, and even cost lives. In some cases, attackers had the backing of nation-states in developing attacks specifically tailored to disruption of operations — not the theft of information that many IT cybersecurity measures are designed to prevent.

Just as important: Defending the OT environment is not the same as defending IT. The tools used to recognize malware on a server or desktop aren’t a one-to-one match for the steps needed to recognize attacks intended to break a steam turbine, let alone stop an attack in progress. Utilities — especially large utilities — continue to seek better visibility into their operating assets through digitalization. When asked in an industrywide survey conducted in the summer of 2019 by Siemens and the Ponemon Institute, utility sector cybersecurity officers estimated that 30% of cyberattacks on OT went undetected. Some utilities are now using artificial intelligence and machine learning technologies to boost cybersecurity by not only monitoring their system conditions, but automating the contextualization of their data. Understanding context is essential to recognizing attacks in the OT, where malicious code may not carry the telltale signatures used to recognize conventional IT attacks.

The good news is that leaders across the industry are aware they face a new type of threat, and they’re aware that current defenses can’t meet that threat. That awareness will prompt action. Here are my predictions about five key trends in cybersecurity in the utility sector this coming year.

Trend 1: Cybersecurity will take new prominence in organizational structures.
Cybersecurity risks now rise to the level of the C-suite and the boardroom. Get cybersecurity wrong, and your organization will face financial, reputational, and service outage consequences. Clear, direct communications from cybersecurity experts to leadership will be an essential feature of any strong organization. A CEO doesn’t need to be an expert — but they’ll need to hear from someone who is.

Trend 2: People and talent will remain scarce.
With cyberattacks now confronting the OT environment, a strong cybersecurity team needs to draw on experience from the operating environment, security, and IT. A single person rarely has the necessary skills and experience — and those people who bring a combined background will be highly valued.

In our recent industry survey, lack of skilled personnel was the No. 1 most cited pain point in managing cybersecurity risk. Fifty-eight percent of cybersecurity officers indicated that their organization did not have sufficient staff to meet their cybersecurity objectives in the OT environment. Meanwhile, the same survey showed that utilities allocated the smallest share of their cybersecurity budget to personnel and training. Large organizations will compete to hire the talent that is available.

Trend 3: Small and midsize organizations will be targets.
Many utilities in the United States and around the world are relatively small, serving a municipality or a region. These small and medium-sized organizations face the same threat environment as the largest corporations. In one set of attacks in 2018, nation-state hackers targeted small businesses in or affiliated with the electricity sector. The set of targets included small generating stations with contracts to provide emergency backup power to U.S. military installations. This is an alarming example of how the shift toward threats targeting OT coincides with a shift toward targeting smaller organizations.

Trend 4: Partnerships will drive innovation.
Many organizations already contract out cybersecurity as an efficient way to bring together cyber expertise with the knowledge of their unique operating environment. When surveyed, 70% of respondents indicated an interest in contracting third parties for monitoring and detection. Expect a cottage industry of experts in cyber and OT to offer solutions — and expect some growing pains. Organizations will need to learn how to build the trust and intimacy needed to share real-time operating data with partners, on top of doing the technical work that enables monitoring and protection.

Trend 5: Context will be key, and artificial intelligence will be king.
Whether in-house or as partners, one major challenge in defending the operating environment lies in understanding what’s happening in the machinery quickly enough to flag and mitigate attacks. Getting it right requires monitoring every possible attack pathway, along with thousands of data points about the operating state of equipment. There are clear advantages to automating this analysis, even before considering the talent shortage in cybersecurity. To date, only 18% of utility organizations have adopted AI to automate monitoring and contextualization of OT system conditions, but these technologies offer great promise for amplifying the efforts of small teams, and tailoring solutions to unique systems.

I’m broadly encouraged by a new awareness about the nature of threats against the energy sector. We have a lot of work to do to catch up — and we should not expect attackers to stay still. But I believe the energy sector is primed and ready to answer the escalating attack environment in OT, and to build the trust, the partnerships, and the technologies that will protect critical infrastructure in 2020 and beyond.


Leo Simonovich is responsible for setting the strategic direction for Siemens’ industrial cybersecurity business worldwide. He identifies emerging market trends, works with customers and Siemens businesses to provide best-in-class cyber offers, and contributes to the …

Article source: https://www.darkreading.com/attacks-breaches/global-predictions-for-energy-cyber-resilience-in-2020/a/d-id/1336746?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Attackers Increasingly Focus on Business Disruption

Network intruders are staying undetected for an average of 95 days, enabling them to target critical systems and more completely disrupt business.

More cyberattackers are targeting large companies with stealthier attacks, aiming to significantly disrupt businesses and force them to pay higher ransoms, according to a report summarizing more than 300 breach investigations.

The “CrowdStrike Services Cyber Front Lines Report” found that 36% of incidents aimed to disrupt business or operations. While companies are getting better at detecting attacks using their own people and systems —79% of attackers were discovered internally, the highest rate in three years — the number of days attackers went undetected increased to 95, up from 85 days in 2018, CrowdStrike found.

The result is that malicious attackers have more time to attack operations and cause more disruption, says Thomas Etheridge, vice president of services at CrowdStrike.

“Not all of these threat actors are deploying ransomware, but they were really focused on disrupting the business’ ability to perform business,” he says. “That disruption was behind higher ransom amounts and the decision to often pay the ransom.”

The report’s findings highlight how last year’s steady beat of ransomware headlines became a trend. From the coordinated attacks on Texas towns to a focus on local school districts, reports of ransomware attacks exploded in 2019. While successful attacks have decreased in number by some accounts, attackers are focusing on larger targets and threatening to do greater damage. Called “big-game hunting” by many firms, the revised strategy is about minimizing effort and maximizing the profit from criminal activity.

“That type of access that the attacker has, it really gives them the flexibility to understand where the critical data assets are, what approach they are going to take to encrypt those assets, where the backups are stored — and that really puts the customer at a disadvantage,” Etheridge says.

While the increase in disruptive attacks is the main theme of CrowdStrike’s report, a number of other trends are highlighted as well. The company found, for example, that a legitimate tool for scanning Active Directory stores, known as Bloodhound, had been co-opted by attackers to speed their movement across networks.

The company also urged companies to better secure their cloud services, especially infrastructure-as-a-service (IaaS) infrastructure. Attackers are already targeting API keys, which are used to allow programs to access and incorporate features from the cloud.

“Static keys pose a significant risk because they allow enduring access to large amounts of often sensitive data,” the report states. “Instead, use ephemeral credentials for automated cloud activity and enforce the usage of these credentials only from authorized IP address space.”
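The report’s two recommendations, short-lived credentials and a restriction to authorized IP space, are both things a defender can check for in audit logs. The following is an added example, not CrowdStrike’s tooling or any cloud provider’s code: it scans a handful of constructed events shaped like AWS CloudTrail records and flags calls that used a long-lived IAM user access key (ids beginning `AKIA`, as opposed to the `ASIA` prefix of temporary STS credentials) or came from outside an assumed list of authorized networks.

```python
"""Flag automated cloud API calls that use static keys or arrive from
unauthorized IP space. Added example (not CrowdStrike's or AWS's code);
the events below are constructed to mimic the shape of CloudTrail records."""
import ipaddress
import json

# Assumption: automation is only expected to call the cloud API from these
# ranges (RFC 5737 documentation addresses stand in for real CI/bastion nets).
AUTHORIZED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),   # CI runners (assumed)
    ipaddress.ip_network("198.51.100.0/24"),  # ops bastions (assumed)
]

# Constructed sample events, not real log data. AKIA* ids are long-lived IAM
# user keys; ASIA* ids belong to temporary credentials issued by STS.
SAMPLE_EVENTS = [
    {"eventName": "GetObject", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE0000001"}},
    {"eventName": "ListBuckets", "sourceIPAddress": "203.0.113.11",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE0000002"}},
    {"eventName": "GetObject", "sourceIPAddress": "192.0.2.77",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE0000003"}},
    {"eventName": "PutObject", "sourceIPAddress": "192.0.2.78",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE0000004"}},
]


def is_static_key(key_id):
    """True for long-lived IAM user access keys (AKIA prefix)."""
    return key_id.startswith("AKIA")


def is_authorized_ip(ip_text):
    """True only if the source is a parseable IP inside an authorized network.
    Non-IP values (service principals, blank fields) are treated as unauthorized
    so that they surface for review rather than silently passing."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in AUTHORIZED_NETWORKS)


def evaluate(event):
    """Return the list of policy violations for one event (empty if clean)."""
    reasons = []
    key_id = event.get("userIdentity", {}).get("accessKeyId", "")
    if is_static_key(key_id):
        reasons.append("static-key")
    if not is_authorized_ip(event.get("sourceIPAddress", "")):
        reasons.append("unauthorized-ip")
    return reasons


def find_findings(events):
    """Collect every event that violates at least one of the two rules."""
    findings = []
    for ev in events:
        reasons = evaluate(ev)
        if reasons:
            findings.append({
                "eventName": ev.get("eventName"),
                "sourceIPAddress": ev.get("sourceIPAddress"),
                "accessKeyId": ev.get("userIdentity", {}).get("accessKeyId"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in find_findings(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

Run against the constructed events, three of the four are flagged: one for using a static key, one for an unauthorized source address, and one for both. Detection like this complements, rather than replaces, preventive enforcement such as an IAM policy condition on the caller’s source IP.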

Finally, Macs are now on the menu for attackers, CrowdStrike says.

“The increasing popularity of macOS systems in organizations, combined with insufficient macOS endpoint management and monitoring, have made Macs lucrative targets for threat actors,” the report states. “Once inside a victim environment, the Services team has observed threat actors leveraging legitimate user credentials and native macOS utilities to move laterally and persist there while evading detection.”

In terms of disruptive attacks, the manufacturing sector found itself most often successfully targeted by ransomware and other business-disrupting malware, according to CrowdStrike’s report. Healthcare had the second highest number of disruptive incidents, followed by government organizations and information-technology companies.

Attackers often used spear-phishing attacks for the initial compromise, the company found. In just over a third of cases (35%), spear-phishing e-mails or messages gave attackers initial access to the victim’s systems. Attackers also sought out legitimate credentials to allow them to move around networks. Collecting credential dumps and attempting to discover accounts were the No. 1 and No. 3 attack techniques.

Companies that deploy a handful of defenses could fend off many of the attacks detected by CrowdStrike. Multifactor authentication on all public-facing portals, for example, will prevent attackers from gaining easy access through stolen credentials. Network segmentation helps prevent attackers from easily moving around a network following a compromise. 

“These methods can help organizations improve their security posture,” Etheridge says. “Organizations are better able to self-detect the attackers in their environment, so we expect attackers to continue to use more stealthy techniques to increase their dwell time.”

Related Content:

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “6 Unique InfoSec Metrics CISOs Should Track in 2020.”

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline … View Full Bio

Article source: https://www.darkreading.com/threat-intelligence/attackers-increasingly-focus-on-business-disruption/d/d-id/1336800?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Google: Chrome Will Remove Third-Party Cookies and Tracking

It’s “not about blocking” but removing them altogether, the company said.


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/cloud/google-chrome-will-remove-third-party-cookies-and-tracking-/d/d-id/1336801?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

‘Fancy Bear’ Targets Ukrainian Oil Firm Burisma in Phishing Attack

The oil and gas company is at the heart of the ongoing US presidential impeachment case.

Burisma Holdings, a Ukrainian oil and gas company, has been hit with a phishing campaign that began in early November 2019 and is ongoing, according to Area 1 Security, which spotted the campaign it says came out of the Main Intelligence Directorate of the General Staff of the Russian Army (GRU).

The attack on Burisma, the Ukrainian company at the center of the current presidential impeachment case, was first reported by The New York Times last night. Intelligence agencies reportedly compared the new attack to that against Hillary Clinton’s 2016 presidential campaign by the GRU’s Fancy Bear hacking team. The payloads appear designed to gather login credentials from targeted email recipients.

The phishing campaign is running alongside active intelligence activities on the part of Russian actors, aimed at gathering information that could be damaging to Democratic candidate Joe Biden and his family, the Times reported. 

Area 1 disclosed details on the attack today in a new report.




Article source: https://www.darkreading.com/attacks-breaches/fancy-bear-targets-ukrainian-oil-firm-burisma-in-phishing-attack/d/d-id/1336802?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Google tests biometric authentication for Android autofill

Google is testing out a feature to make Android’s built-in password manager safer, according to online sleuths who have picked apart its software. The update, still in development, concerns the mobile operating system’s autofill feature.

In the past, entering passwords into websites and apps on your mobile phone was a huge pain because of the way mobile operating systems locked down applications. In the bad old days, using a password manager like 1Password or Dashlane on an Android device was difficult, because there was no built-in support that connected them to other apps and websites so that they could automatically fill in your credentials for you.

Instead, they’d use Android’s accessibility setting as a bridge to other apps, but it didn’t work perfectly and you had to configure it manually to begin with. The alternative was even worse – opening the password manager, looking up the password, and then copying and pasting it into the app or site you were accessing.

The answer came in the form of autofill, which lets the mobile OS fill in the password for you from a trusted list. Google introduced this feature in Android 8, (code-named Oreo), in August 2017. You could use it to take autofill input from third-party password managers, or if you wanted to keep everything in your Google account, you could use autofill with Google’s own password management service.

The problem with autofill when using Google’s own password manager is that it doesn’t ask for any extra authorisation. You tap the part of the form to fill out your own credentials, and it collects the data from Google’s password manager and pastes it in without checking who you are. That means if someone else grabs your phone while you’re distracted, they could potentially log in as you.

According to a report from XDA Developers, Google is testing a fix for that problem. The company is apparently looking at introducing biometric authentication for autofill, meaning that people will have to prove their identity before autofilling credentials from Google’s password manager.

XDA analysed a forthcoming APK (an Android Package file) covering the autofill service, and found it using the BiometricPrompt application programming interface (API). BiometricPrompt lets applications authenticate users via a fingerprint, iris scanner, or face recognition, depending on what the phone supports.

XDA tested the functionality by getting the OS to authenticate its editor in chief using face recognition before logging him into Reddit’s Android app. It also noticed a ‘Use Biometrics’ option within the Autofill Security settings screen that allowed a user to turn it on for filling out credentials and payments information.

Third-party password managers already call the phone’s biometric authentication before they’ll fill anything out for you. Many of these, like 1Password, handle both your passwords and credit card details.

This is an undocumented and not-yet-implemented feature in an APK that XDA Developers reverse engineered, so it isn’t clear when – or even if – Google will switch on this biometric feature for autofill, although it seems like a no-brainer. In the meantime, you can use another password manager to get the functionality. By the time Google catches up, you may not feel like going back.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Bv2NtaVOe80/

‘Cable Haunt’ vulnerability exposes 200 million cable modem users

A fortnight in to 2020 and we have the first security flaw considered important enough to be given its own name: Cable Haunt – complete with eye-catching logo.

First discovered by Danish company Lyrebirds some time ago, Cable Haunt is an unusual flaw which in Europe alone is said to affect up to 200 million cable modems based on the Broadcom platform.

Specifically, the flaw is in a normally hidden software layer called the spectrum analyser (SA) used by Internet Service Providers (ISPs) to troubleshoot a subscriber’s connection quality.

According to Lyrebirds, this analyser has several problems starting with the basic problem that the WebSocket interface used to control the tool from a web browser is unsecured.

Because parameters sent via this interface are not restricted by the modem, it accepts JavaScript running in the browser – which gives attackers a way in as long as they can reach the browser (although not in Firefox, apparently).

Using HTTPS instead of an exposed WebSocket would have dodged that bullet by bringing Cross-Origin Resource Sharing (CORS) security into play.
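The underlying reason a page in the browser can drive the modem’s tool is that the browser’s same-origin policy does not stop a script from opening a WebSocket to another host; the browser does, however, attach an `Origin` header to the handshake, and it is the server’s job to act on it. The following is an added example, not Lyrebirds’ test script or any vendor’s firmware: a small handshake filter that only accepts WebSocket upgrades whose `Origin` matches the management UI’s own address. The address `192.168.100.1` and the decision to reject handshakes with no `Origin` at all are assumptions for the example.

```python
"""Origin check for a WebSocket upgrade request. Added example, not Lyrebirds'
or Broadcom's code. A server that skips this check will serve any page the
browser happens to be showing, which is the failure mode described above."""
from urllib.parse import urlsplit

# Assumption: the tool is only meant to be driven from its own web UI, served
# on the modem's LAN address.
ALLOWED_ORIGINS = {"http://192.168.100.1", "https://192.168.100.1"}


def normalize_origin(origin):
    """Canonical 'scheme://host[:port]' (lower-cased, default port dropped),
    or None if the value is not an http(s) origin (e.g. the literal 'null')."""
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port
    except ValueError:  # non-numeric port
        return None
    default = 80 if parts.scheme == "http" else 443
    if port is None or port == default:
        return f"{parts.scheme}://{parts.hostname}"
    return f"{parts.scheme}://{parts.hostname}:{port}"


def should_accept_upgrade(headers, allowed=ALLOWED_ORIGINS):
    """Decide on a WebSocket handshake. `headers` maps lower-cased header
    names to values. Returns (accept, reason)."""
    if headers.get("upgrade", "").lower() != "websocket":
        return False, "not-a-websocket-upgrade"
    origin = headers.get("origin")
    if origin is None:
        # Browsers always send Origin on WebSocket handshakes, so a missing
        # header means a non-browser client. Policy here (an assumption for
        # this example): reject, because only the bundled UI should connect.
        return False, "missing-origin"
    canon = normalize_origin(origin)
    if canon is None or canon not in allowed:
        return False, "foreign-origin"
    return True, "ok"


# Constructed handshakes (not captured traffic) exercising each branch.
SAMPLE_HANDSHAKES = {
    "own-ui": {"upgrade": "websocket", "origin": "http://192.168.100.1"},
    "own-ui-explicit-port": {"upgrade": "websocket", "origin": "HTTP://192.168.100.1:80"},
    "other-site": {"upgrade": "websocket", "origin": "http://site.example"},
    "lookalike-host": {"upgrade": "websocket", "origin": "http://192.168.100.1.site.example"},
    "null-origin": {"upgrade": "websocket", "origin": "null"},
    "no-origin": {"upgrade": "websocket"},
    "plain-get": {"origin": "http://192.168.100.1"},
}


def run_samples():
    """Map each sample label to the filter's (accept, reason) decision."""
    return {label: should_accept_upgrade(h) for label, h in SAMPLE_HANDSHAKES.items()}


if __name__ == "__main__":
    for label, decision in run_samples().items():
        print(f"{label:22s} -> {decision}")
```

Only the two handshakes from the modem’s own UI are accepted; the look-alike hostname is rejected because the comparison is on the whole canonical origin, not a prefix. Note that this check protects against cross-site driving of the interface only if the origin list is tight and the handshake cannot be replayed with a forged header by a non-browser client, which is why the example also rejects a missing `Origin`.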

Having to reach a browser inside the network with access to the modem explains why the flaw is given the apparently ‘medium’ CVSS rating of 4.8. The qualification to this, of course, is that remotely compromising a browser is well within the reach of a competent hacker.

What might an attacker do?

  • Change default DNS server
  • Conduct remote man-in-the-middle attacks
  • Hot-swap code or even the entire firmware
  • Upload, flash, and upgrade firmware silently
  • Disable ISP firmware upgrade
  • Change every config file and settings
  • Get and Set SNMP OID values
  • Change all associated MAC Addresses
  • Change serial numbers
  • Be exploited in a botnet.

Identified as CVE-2019-19494 (a second CVE, CVE-2019-19495, relates to the vulnerability on the Technicolor TC7230 modem), it’s clear from that list that this is a flaw users should not ignore.

Haunted

The researchers offer what looks like a valid reason for giving the issue a name – the desire to draw attention to a flaw they hint that some modem makers and ISPs have been ignoring since the company reported it to them in early 2019. The risk:

At this rate it would eventually leak out of our hands and into organizations with time and resources to take advantage of the vulnerability.

Lyrebirds thinks it knows why things have been moving so slowly too:

We are a small unknown crew with no reputation and could therefore not establish connection with any manufacturers directly, even though we tried.

What to do

The vulnerability affects cable modems using Broadcom’s reference software as part of their firmware, so the first thing is to work out whether your broadband connection is served using that technology combination (ones advertised as being fibre or ADSL are not affected).

Beyond that, because modem makers integrate the firmware for Broadcom modems to suit their own needs, the degree to which specific models using the software are affected is hard to predict.

The researchers list several models and firmware versions known to be at risk from Sagemcom, Technicolor, Netgear, and Compal, but they caution that this isn’t exhaustive.

The researchers have also made available a test script that more technical users can use to work out whether a modem is vulnerable. It’s not a guarantee, however – even if it comes up negative, a modem might still be vulnerable, they caution.

The first piece of good news is that because cable modems are remotely managed, ISPs will apply a fix automatically when it becomes available.

The second piece of good news is that there’s no evidence attackers have exploited the flaw – yet.

When your ISP gets around to applying the fix will be up to them. Some might have quietly done so already but expect others to take longer. If the researchers couldn’t get modem makers and ISPs to talk to them, customers may not get much further.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/xgn6q9BSap4/