STE WILLIAMS

SCOLD WAR: Kaspersky drags Uncle Sam into court to battle AV ban

Embattled Russian security software maker Kaspersky Lab has taken the American government to a US federal court to overturn Uncle Sam’s ban on its antivirus tools.

The Moscow-based developer claimed the US Department of Homeland Security acted illegally when, back in September, the department publicly told federal agencies they could no longer use any Kaspersky products on their machines.

Kaspersky argued that the order, known as binding operational directive 17-01, is unconstitutional, and relied on “subjective, non-technical public sources” that amounted to little more than rumors.

“Furthermore, DHS [the Department of Homeland Security] has failed to provide the company adequate due process to rebut the unsubstantiated allegations underlying the directive, and has not provided any evidence of wrongdoing by the company,” Kaspersky Lab said in announcing its appeal against the order on Monday.

“As a result, DHS’s actions have caused undue damage to both the company’s reputation in the IT security industry and its sales in the US. It has unfairly called into question Kaspersky Lab’s fundamental principles of protecting its customers and combatting cyber threats, regardless of their origin or purpose. In filing this appeal, Kaspersky Lab hopes to protect its due process rights under the US Constitution and federal law and repair the harm caused to its commercial operations, its US-based employees, and its US-based business partners.”

The directive ordered IT administrators at US government agencies to wipe all copies of Kaspersky Labs products from their machines by the end of this year. This came after fears were raised that Kaspersky was secretly passing information from its customers’ computers, including top-secret American government files, to Russian intelligence agencies.

In December, a former NSA worker admitted to taking home classified documents and security exploits only to have them detected and uploaded to Kaspersky’s cloud for analysis by his copy of Kaspersky antivirus on his home PC. According to anonymous US government sources, Russian FSB spies accessed those documents via Kaspersky’s software.


Kaspersky has long denied any dodgy collaborations with Kremlin snoops, though it is understood the company can be compelled, by law, to hand over data to President Putin’s surveillance agencies. The thought of Russian intelligence, or any old miscreants, extracting sensitive information from US federal PCs via Kaspersky’s tools, frankly, freaks out American officials.

The biz hopes to wield the US Administrative Procedure Act like a hammer in a Washington DC federal court, and deliver a knockout blow to the directive on the basis that it is allegedly unconstitutional. Kaspersky also claimed it tried to negotiate and cooperate with Homeland Security to ensure it can keep its software on government computers, but did not hear anything from Uncle Sam on the matter.

“Because Kaspersky Lab has not been provided a fair opportunity in regards to the allegations and no technical evidence has been produced to validate DHS’s actions, it is in the company’s interests to defend itself in this matter,” Kaspersky founder and CEO Eugene Kaspersky said of the appeal.

In a statement, issued alongside the directive, a Homeland Security spokesperson said: “Kaspersky antivirus products and solutions provide broad access to files and elevated privileges on the computers on which the software is installed, which can be exploited by malicious cyber actors to compromise those information systems.

“The department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks.

“The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates US national security.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/12/18/kaspersky_appeals_dhs_ban/

US Government Pays $10,650 Bug Bounty in ‘Hack the Air Force’ Event

The bounty, split between two researchers, is the largest single reward by any government bug bounty program to date.

The United States Air Force paid out a total of $26,883 in bug bounty rewards during h1-212, HackerOne’s fourth live hacking event of 2017 and kickoff for Hack the Air Force 2.0.

This payout included a single prize of $10,650, the biggest reward from any government bug bounty program to date. Hackers Brett Buerhaus and Mathias Karlsson earned the sum, which they split, for discovering a vulnerability in the Air Force website that let them pivot onto the US Department of Defense’s unclassified network.

Twenty-five civilian hackers from seven countries, and seven US Air Force members, reported 55 total vulnerabilities in nine hours of hacking over the course of the day. The average time to first response was 25 minutes, and every report was triaged by the end of the day, HackerOne states. Hack the Air Force 2.0 will continue through Jan. 1, 2018.

Read more details here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/vulnerabilities---threats/us-government-pays-$10650-bug-bounty-in-hack-the-air-force-event/d/d-id/1330661?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Businesses Fail in Risk Modeling and Management: Report

Businesses struggle to quantify and manage risk, leading to wasted resources and oversight of major problems.

Poor risk management leads to a slippery slope of weak prioritization, wasted resources, and unaddressed security issues. Most businesses don’t know how to quantify and manage risk, and their failures lead to repeating the same security problems and facing new, major ones.

All this comes from the FAIR Institute, a nonprofit focused on advancing risk measurement and management. The institute polled 114 professionals who identify as CISO, cybersecurity specialist, risk officer, risk analyst, and C-level exec. Its goal was to learn about the current state of risk management maturity.

Most cyber risk management programs are “going through the motions” on risk management, says FAIR Institute chairman Jack Jones, who is also cofounder and executive vice president of R&D at RiskLens. It’s common for organizations to make decisions about people, processes, and technology without ensuring these choices are properly informed and executed.

The top four scores came from businesses in the health, finance, consulting, and insurance industries. While the financial services industry scored highest overall, says Jones, even the top 25th percentile of scores were relatively low — a sign risk management is immature overall.

“The industry has historically focused on best practices checklists … rather than effective risk measurement and prioritization,” he says. Much of this is due to a weak understanding of risk. Decision making and execution are both low across industries, suggesting both are problematic.

While compliance checklists aren’t harmful by nature, people assume compliance achieves risk management objectives, Jones says. Many businesses fail to prioritize issues due to inaccurate terminology, broken mental models, and insufficient skills among those who rate risk.

One major weakness is a “huge reliance” on mental models for rating risk instead of formal analytical models, Jones explains. Forty-three percent of survey respondents claimed their Model Quality was “Weak,” as they rely on the intuition of risk practitioners to evaluate risk.

“Mental models are notoriously inconsistent and unreliable in problem spaces as dynamic and complex as cyber, which significantly increases the odds of inaccurate risk information for decision-makers,” he continues. “This affects prioritization and solution selection at both tactical and strategic levels.

Organizations also fail to motivate business leaders to take risk management as seriously as revenue goals, deadlines, and budget requirements. “As long as this is the case, non-compliance with internal policies and/or external regulations will continue to be a problem,” says Jones.

Citing previous root cause analyses he has performed, Jones explains how more than 75% of non-compliant conditions (bad passwords, missing patches) exist because other enterprise imperatives like deadlines and budgets are prioritized.

“Risk imperatives need to be placed on equal footing with other business objectives,” he emphasizes, suggesting that business executives have part of their compensation tied to specific risk management goals each year. Objectives would be agreed on by the execs who will be held accountable, he adds.

Jones advises businesses reset their understanding of risk and normalize their terminologies, mental models, and measurement practices for risk. They should also put more careful thought into who is responsible for rating risk, he adds.

“Just because someone is a great auditor or security engineer doesn’t qualify them to understand or measure risk reliably,” Jones explains. “Risk measurement is an analytic process that requires specific, and relatively uncommon, capabilities such as critical thinking skills, an understanding of basic probability principles, calibrated estimation skills, and an ability to use formal analytic models.”
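The calibrated-estimate, formal-model approach Jones describes can be made concrete with a small Monte Carlo simulation. The Python below is an added example written for this page, not code from the FAIR Institute or RiskLens: it uses the FAIR decomposition of risk into loss event frequency and loss magnitude, treats min/most-likely/max estimates as triangular distributions (a simplification of the PERT distributions most FAIR tooling uses), and ranks scenarios by simulated annualised loss. The two scenarios and all of their numbers are constructed.

```python
import random
import statistics

# Constructed scenarios: calibrated (min, most likely, max) estimates for
# loss event frequency (events per year) and loss magnitude (currency per event).
SCENARIOS = {
    "phishing-credential-theft": {"lef": (2, 6, 15), "lm": (5_000, 40_000, 250_000)},
    "unpatched-server-breach": {"lef": (0.05, 0.2, 0.5), "lm": (100_000, 800_000, 5_000_000)},
}


def simulate_ale(rng, lef, lm, n=20_000):
    """Return n samples of annualised loss for one scenario.

    Each trial draws a frequency and a per-event magnitude from triangular
    distributions over the three-point estimates and multiplies them. This is
    the simplest FAIR-style simulation (assumed simplification: no separate
    primary/secondary loss and no Poisson event count)."""
    low_f, likely_f, high_f = lef
    low_m, likely_m, high_m = lm
    samples = []
    for _ in range(n):
        freq = rng.triangular(low_f, high_f, likely_f)        # random.triangular(low, high, mode)
        magnitude = rng.triangular(low_m, high_m, likely_m)
        samples.append(freq * magnitude)
    return samples


def summarise(samples):
    """Mean and 10th/50th/90th percentiles of a list of loss samples."""
    s = sorted(samples)

    def pct(p):
        return s[min(len(s) - 1, int(p * len(s)))]

    return {"mean": statistics.fmean(s), "p10": pct(0.10), "p50": pct(0.50), "p90": pct(0.90)}


def rank_scenarios(scenarios=SCENARIOS, seed=1, n=20_000):
    """Simulate every scenario with one seeded generator and rank by mean annual loss."""
    rng = random.Random(seed)
    results = {name: summarise(simulate_ale(rng, sc["lef"], sc["lm"], n))
               for name, sc in scenarios.items()}
    return sorted(results.items(), key=lambda item: item[1]["mean"], reverse=True)


if __name__ == "__main__":
    for name, stats in rank_scenarios():
        print(f"{name:28s} mean={stats['mean']:>12,.0f}  p10={stats['p10']:>12,.0f}  "
              f"p50={stats['p50']:>12,.0f}  p90={stats['p90']:>12,.0f}")
```

The point of the exercise is the one Jones makes: the frequent, cheap phishing scenario outranks the rare, expensive breach on expected loss, which a gut-feel “high/medium/low” rating tends to get backwards, and the p10/p90 spread shows decision-makers how much uncertainty sits behind each estimate.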

When businesses can’t manage risk, it has a broader effect on the whole organization. Major issues go unaddressed and resources are wasted on smaller problems. Businesses end up treating the same issues over and over again, Jones says.


Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University.

Article source: https://www.darkreading.com/risk/businesses-fail-in-risk-modeling-and-management-report/d/d-id/1330667?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Kaspersky Lab Files Lawsuit Over DHS Ban of its Products

Security firm petitions US District Court to rescind decision to prohibit its products on US federal government systems.

Kaspersky Lab is fighting back against the Trump administration’s recent ban of its security products in agency networks with a lawsuit filed today in US District Court for the District of Columbia (DC).

The Moscow-based security company is seeking the appeal of US Department of Homeland Security’s September 13 Binding Operational Directive 17-01 that banned federal agencies from using Kaspersky Lab security products on their systems. The DHS policy prohibiting the use of Kaspersky Lab software came in the wake of concerns about potential ties between officials at Kaspersky Lab and Russian intelligence agencies, and required federal agencies running Kaspersky software to remove it.

Eugene Kaspersky, CEO of Kaspersky, said in an open letter today that DHS’s directive violated his company’s rights and constitutional due process, and harmed its revenue and reputation, so legal action was merited. He also called out “rumors” and media reports.

“The company did not undertake this action lightly, but maintains that DHS failed to provide Kaspersky Lab with adequate due process and relied primarily on subjective, non-technical public sources like uncorroborated and often anonymously sourced media reports and rumors in issuing and finalizing the Directive,” he wrote. “DHS has harmed Kaspersky Lab’s reputation and its commercial operations without any evidence of wrongdoing by the company. Therefore, it is in Kaspersky Lab’s interest to defend itself in this matter.”

Kaspersky Lab argued its case under the Administrative Procedure Act.

Eugene Kaspersky noted that his company contacted DHS in mid-July to discuss any concerns with the company or its products, but the agency did not follow up on the company’s offer to discuss its concerns.

“DHS confirmed receipt of Kaspersky Lab’s letter in mid-August, appreciating the company’s offer to provide said information and expressing interest in future communications with the company regarding this matter. Kaspersky Lab believed in good faith that DHS would take the company up on its offer to engage on these issues and hear from the company before taking any adverse action,” the CEO said in the open letter. “However, there was no subsequent communication from DHS to Kaspersky Lab until the notification regarding the issuance of Binding Operational Directive 17-01 on September 13, 2017.”

DHS in its decision to blacklist Kaspersky Lab software cited its concerns of Russian law requiring companies to cooperate with its intelligence agencies.

“The Department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks,” the Department of Homeland Security stated in its ban decision. “The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates US national security.” 

According to the firm, it is seeking to protect its due process rights and to “repair the harm caused to its commercial operations, its U.S.-based employees, and its U.S.-based business partners.”

“Because Kaspersky Lab has not been provided a fair opportunity in regards to the allegations and no technical evidence has been produced to validate DHS’s actions, it is in the company’s interests to defend itself in this matter. Regardless of the DHS decision, we will continue to do what really matters: make the world safer from cybercrime,” Eugene Kaspersky said in a statement.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/attacks-breaches/kaspersky-lab-files-lawsuit-over-dhs-ban-of-its-products/d/d-id/1330665?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Telegram RAT Escapes Detection via Cloud Apps

Netskope discovers a new RAT using Dropbox for its payload host and Telegram Messenger for command and control.

A new remote access Trojan is using cloud-based tools to evade traditional security scanners that can’t inspect SSL or provide cloud application-level traffic inspection, according to researchers at Netskope Threat Research Labs.

TelegramRAT uses Dropbox as its payload host and Telegram Messenger for command and control. It arrives as a malicious Microsoft Office document, exploiting a memory corruption vulnerability (CVE-2017-11882) patched by Microsoft last month, and it uses Bit.ly redirection to hide the payload hosted on Dropbox.

Its payload uses open-source Python TelegramRAT code, which is hosted on GitHub. The unique aspect of this malware is its reliance on the Telegram BOT API to receive commands and send messages to the attacker over an HTTPS channel, so traditional network security tools that do not inspect TLS can’t see it.
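As an added illustration of the defender’s side (this is not Netskope’s code and not code from the TelegramRAT project), here is a detection pass over a constructed proxy log. It assumes a proxy that performs TLS inspection and records the HTTPS host and path, which is exactly the visibility the article says the malware counts on being absent. The client names, paths and bot token are made up; the `api.telegram.org` host and the `/bot<token>/<method>` path shape are the public Telegram Bot API conventions, and the Dropbox host suffixes are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log excerpt: time, client, destination host, path.
# Only the service names (bit.ly, Dropbox, api.telegram.org) come from the
# article; every client, path and token below is invented for the example.
PROXY_LOG = """\
2017-12-18T09:00:01Z ws-041 news.example /article/you-wont-believe
2017-12-18T09:02:10Z ws-041 bit.ly /2xCONSTRUCTED
2017-12-18T09:02:11Z ws-041 dl.dropboxusercontent.com /s/constructed/invoice.exe
2017-12-18T09:03:30Z ws-041 api.telegram.org /bot123456:CONSTRUCTED-TOKEN/getUpdates
2017-12-18T09:05:00Z ws-041 api.telegram.org /bot123456:CONSTRUCTED-TOKEN/sendMessage
2017-12-18T09:10:00Z ws-077 api.telegram.org /bot777:CONSTRUCTED-TOKEN/getUpdates
2017-12-18T09:11:00Z ws-099 www.dropbox.com /home
"""

SHORTENER_HOSTS = {"bit.ly"}
DROPBOX_SUFFIXES = ("dropbox.com", "dropboxusercontent.com")  # assumed Dropbox hosts
BOT_API_PATH = re.compile(r"^/bot\d+:[\w-]+/(\w+)")          # Bot API: /bot<token>/<method>
CHAIN_WINDOW = timedelta(minutes=30)


def parse_log(text):
    """Parse the four-column log into (time, client, host, path) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, path = line.split(maxsplit=3)
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, host.lower(), path))
    return events


def is_dropbox(host):
    return host.endswith(DROPBOX_SUFFIXES)


def detect(events):
    """Per client: flag Bot API use, and the shortener -> Dropbox -> Telegram chain.

    Bot API traffic alone is only a weak signal (ws-077 below): plenty of
    legitimate automation uses it. The full delivery chain within one window
    is the stronger indicator (ws-041)."""
    by_client = defaultdict(list)
    for ev in sorted(events):
        by_client[ev[1]].append(ev)
    findings = defaultdict(set)
    for client, evs in by_client.items():
        for i, (ts, _, host, path) in enumerate(evs):
            if host != "api.telegram.org":
                continue
            m = BOT_API_PATH.match(path)
            if not m:
                continue
            findings[client].add(f"telegram-bot-api:{m.group(1)}")
            earlier = [e for e in evs[:i] if ts - e[0] <= CHAIN_WINDOW]
            shortener = [e for e in earlier if e[2] in SHORTENER_HOSTS]
            dropbox = [e for e in earlier if is_dropbox(e[2])]
            # Require the redirect to precede the Dropbox fetch, as in the described chain.
            if shortener and dropbox and shortener[0][0] <= dropbox[-1][0]:
                findings[client].add("payload-chain:shortener->dropbox->telegram")
    return {client: sorted(f) for client, f in findings.items()}


if __name__ == "__main__":
    for client, tags in detect(parse_log(PROXY_LOG)).items():
        print(client, tags)
```

Without TLS inspection a proxy sees at most the SNI host, so the `/bot<token>/` path match is unavailable and only the host-level chain remains; that is the gap the article is pointing at, and it is why cloud-application-level inspection, or endpoint telemetry showing which process opened the connection, is needed to separate a RAT from an employee’s chat client.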

Netskope is actively working with the Dropbox security team to remediate known threats.

Read more details here.


Article source: https://www.darkreading.com/cloud/telegram-rat-escapes-detection-via-cloud-apps/d/d-id/1330669?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

News agencies demand Facebook and Google pay for their stories

Today’s generation has little to no concept of paying for the news they consume, EU press agencies say.

They go online, and they head to Facebook, Twitter or the like to consume news sourced by reporters putting their lives on the line in dangerous locations such as Syria, Zimbabwe, Cameroon or Myanmar.

We get that news without paying a dime to pay for journalists’ livelihoods or for the news bureaus that support them, the photographers or video reporters who also put their lives on the line to send us visual testimony, or for the editing teams who stitch the stories together and check them for accuracy or bias.

Google, Facebook and other internet giants are making billions, while news agencies are withering on the vine: that’s the message from a group of nine European press agencies that on Thursday called for internet giants to be forced to pay copyright for using news content on which they make vast profits.

In a plea published in the French daily Le Monde as well as in the New European, the press agencies point out that the profits being raked in by internet giants, social networks, search engines and content aggregators are massive.

As it is, Facebook tripled its profits in 2016 to $10 billion, the agencies pointed out. A major driver behind Facebook’s traffic is news articles: it’s second only to users coming to Facebook for friends and family. For its part, Google posted profits of $20 billion on sales of $90 billion: growth that represents a 20% increase in one year. Again, news is a big driver of that growth, the agencies say.

But while news is causing profits to surge at the online giants, none of those giants are lifting a finger to actually produce any news themselves, said the groups, which included representatives of France’s AFP, Germany’s DPA, the UK’s Press Association, Spain’s EFE, Italy’s Ansa, Sweden’s TT, the EANA (European Alliance of news agencies), Austria’s APA, Netherlands’ ANP, and Belgium’s Belga.

From the article they co-wrote:

Neither Facebook nor Google has a newsroom. They have no reporting or production networks, national or international. They have no teams of reporters in Syria risking their lives to show the true face of war. No permanent bureau in Zimbabwe to tell the story of Mugabe’s departure. No journalists in Cameroon. Nor Myanmar. No video reporters. No photographers. No editing teams to plan, edit, check and double-check the accuracy and impartiality of the stories sent in by reporters on the ground.

The press agencies’ call for a bigger share of online revenues comes as the EU is debating a directive to make Facebook, Google, Twitter and other major online players pay for the millions of news articles they use or link to.

Commenters have been quick to point out that without the dissemination of links to news reports provided by search engines and platforms such as Twitter and Facebook, news outlets would be starved of readers. Do they really not want Google et al. to link to them?

Of course they do. But they’d also like to see some form of recompense besides the “crumbs” they’ve been tossed in the past. From their cry for help:

The few attempts led by the media industry in Spain, Germany and France in 2013 and 2014 to get internet giants to pay anything more than a few symbolic crumbs all failed to fundamentally change the situation.

At any rate, although the internet giants “undeniably play a crucial democratic role by spreading news worldwide,” the agencies say, reporting news just isn’t their bailiwick. Facebook CEO Mark Zuckerberg, for one, completely agreed with that back when fingers first started pointing over the issue of fake news. Zuckerberg insisted that Facebook is “a tech company, not a media company.”

We build the tools. We do not produce any content.

Facebook doesn’t make news, but it does “offer internet users the work done by others, the news media, by freely publishing hypertext links to their stories,” the EU press agencies said. And that’s making Facebook and other online companies rich from ad impressions:

Their profits from the news business are booming while those of the media are collapsing.

The press groups note that within just a few years, Google and Facebook have captured an estimated 60-70% of online advertising, depending on the region. At the same time, online advertising revenues have collapsed for media: “A disaster for the news industry.”

The danger is to the heart of democracy itself, they say:

Years have passed and today the very business of credible, free reporting is threatened. Quite simply because soon the news media will be unable to finance it. The diversity and quality of news, a pillar of any democracy, may be at risk.

So who should pay to keep the news industry alive? Not the taxpayers, the agencies said. Rather, it’s time for the internet giants to kick back a fair contribution. The EU is considering a solution called neighbouring rights – the right to reproduce news content and to make it available to the public. It would benefit news publishers and news agencies, but it wouldn’t require taxpayers to pay up.

As it now stands under the current EU copyright regime, copyright and neighbouring rights are only available to authors, not to press publishers. But in September 2016, the European Commission announced an agenda for a Digital Single Market – a “strategy to ensure access to online activities for individuals and businesses under conditions of fair competition, consumer and data protection, removing geo-blocking and copyright issues” – across the EU.

Part of that would be a key provision that would require member states to provide press publishers with rights to control the reproduction and the power to make content available to the public – rights now only available to authors. The new right, which would last 20 years, would apply to publishing snippets online: those simple news previews that might seem like no big deal to anybody except the press publishers that created the material to begin with.

Some European Parliament members are worried about all this: worried that the proposed directive would threaten free access to news for internet users.

But that’s not what will happen, the agencies insisted.

We should be clear about who is being targeted. People browsing the internet will not be affected. They will pay no more than they do today. Rather, those who have benefitted disproportionately from advertising revenues should repatriate a meaningful share of these revenues to the media which funds content origination.

It’s simple economics, the agencies said:

At the end of the chain, informing the public costs a lot of money.

Anybody who’s ever had a news site beg them to stop using an ad blocker knows they’re desperate for revenue.

What do you say: should we tax Google and Facebook to keep our news outlets alive?

And if we don’t, what will the future internet look like?


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/0z4WXq2LrRI/

Watch out – fake support scams are alive and well this Christmas

A few years ago, fake support call scams were one of the most likely cybercrimes that would reach out and touch you at home.

And, boy, how those guys used to reach out.

Boiler rooms full of scammers would make cold call after cold call, ploughing day and night through lists of phone numbers to scare victims into paying up for technical support they didn’t need for malware infections they didn’t have.

Here’s how we summarised the MO of these scummy scammers back in 2014:

The crooks call up and say they’re from “Microsoft” or “Windows”; tell you they’re following up reports of malware activity coming from your computer; convince you that you are infected; and charge you a fee of about $300 to sort you out.

All a pack of lies.

They’re not legitimate IT support technicians; they have no idea whether there is malware on your computer or not; the “evidence” they come up with is harmless and could be found on an uninfected computer; and the $300’s worth of fiddling around they do is simply $300’s worth of fiddling around.

You could achieve the same technical outcome for yourself by doing nothing at all – LITERALLY nothing.

If you didn’t hang up right away – or even if you did – then the crooks would often come back, sometimes calling again and again, ramping up the pressure, the fear and the threats in the hope that you’d eventually cave in.

For better or worse, technical support scams don’t make the headlines as much as they did.

Firstly, other, more directly pernicious threats such as ransomware have understandably grabbed our attention instead; secondly, this fake tech support “business” has become slightly more sophisticated.

We presume that more and more people have become less and less tolerant of cold calls, thus reducing the hit-rate of scammers who rely on contacting you first.

In recent years, support scams usually start from a website that’s poisoned with dubious advertising.

You’ll often get a pop-up warning urging you to phone the crooks (typically via an in-country tollfree number to add legitimacy), so you end up pre-selecting yourself as a potential victim.

Well, don’t get fooled this Christmas, because the scammers are still hard at it.

Here’s one we saw over the weekend, while reading a legitimate news site, albeit not a mainstream one.

We clicked on one of those “you’ll never believe what happened next” stories (for research purposes only, of course!), and then mis-clicked (honestly!) on an ad simply by tapping the trackpad by mistake just short of our intended on-screen destination:

This one even uses an automatic voiceover, reading out a warning in plummy-sounding English to drive the point home:


Listen to the pack of lies spouted in this scam

The crooks haven’t lined things up perfectly, as you’ll probably realise, especially if you’re a native speaker of English who currently lives in the UK.

For example:

  • The automatic text-to-speech conversion has messed up the pronunciation of some of the words. Pornography comes out as poor and/or graphic. The word logins is spoken with a soft -g-.
  • The phone number is written US-style, wrongly assuming a three-digit area code. The dialling code for this number would be grouped as four digits, like this: +44-1273-XXX-YYY.
  • The number isn’t toll free, as claimed. Numbers starting +44-1273 are paid calls to the Brighton area on the South coast of England.
  • The password request is superfluous, and so it should stand out as suspicious. Also, this is not an HTTPS page, so if you put in your password, not only will the crooks get it, but anyone else on the same network will be able to see it, too.
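Those tells can be turned into a small automated check. The Python below is an added example for this page, not Sophos code: it classifies a UK phone number by its range (the freephone, geographic, mobile and premium-rate prefixes are standard UK numbering-plan facts; the three-digit city-code rule is a simplification), regroups it UK-style, and then reports the same three mismatches the list above describes for a constructed description of the scam pop-up. The `page` dictionary schema and the sample number are assumptions.

```python
import re

# UK numbering-plan facts used below: 0800/0808 freephone, 01/02 geographic,
# 03 UK-wide non-geographic, 07 mostly mobile, 09 premium rate.
FREEPHONE_PREFIXES = ("800", "808")


def uk_national_digits(raw):
    """Strip formatting and the +44 or leading-0 prefix; None if not a UK-looking number."""
    digits = re.sub(r"\D", "", raw)
    if digits.startswith("44"):
        digits = digits[2:]
    elif digits.startswith("0"):
        digits = digits[1:]
    else:
        return None
    return digits if 9 <= len(digits) <= 10 else None


def classify_uk_number(raw):
    """Return range category, area code, toll-free flag and UK-style grouping, or None."""
    national = uk_national_digits(raw)
    if national is None:
        return None
    if national.startswith(FREEPHONE_PREFIXES):
        category, code = "freephone", national[:3]
    elif national[0] == "1":
        # 01 area codes are four digits (01273 is Brighton); the 011x and 01x1
        # big-city codes are three digits. Simplification: no other exceptions handled.
        code_len = 3 if "1" in (national[1], national[2]) else 4
        category, code = "geographic", national[:code_len]
    elif national[0] == "2":
        category, code = "geographic", national[:2]
    elif national[0] == "3":
        category, code = "non-geographic", national[:3]
    elif national[0] == "7":
        category, code = "mobile", national[:4]
    elif national[0] == "9":
        category, code = "premium-rate", national[:3]
    else:
        category, code = "unknown", national[:3]
    rest = national[len(code):]
    return {
        "category": category,
        "area_code": code,
        "toll_free": category == "freephone",
        "grouped": f"+44-{code}-{rest[:3]}-{rest[3:]}",
    }


def displayed_groups(raw):
    """Digit groups as the page displays them, minus any 44 / leading-0 prefix."""
    groups = re.findall(r"\d+", raw)
    if groups and groups[0].startswith("44"):
        groups[0] = groups[0][2:]
    elif groups and groups[0].startswith("0"):
        groups[0] = groups[0][1:]
    return [g for g in groups if g]


def scam_tells(page):
    """page is a constructed dict: number, claims_toll_free, url, asks_password."""
    tells = []
    info = classify_uk_number(page["number"])
    if info is None:
        tells.append("number does not parse as a UK number")
    else:
        groups = displayed_groups(page["number"])
        if info["category"] == "geographic" and groups and len(groups[0]) != len(info["area_code"]):
            tells.append(f"area code shown as {len(groups[0])} digits; UK grouping is {info['grouped']}")
        if page["claims_toll_free"] and not info["toll_free"]:
            tells.append(f"claimed toll-free but {info['area_code']} is a {info['category']} number")
    if page["asks_password"] and not page["url"].lower().startswith("https://"):
        tells.append("asks for a password on a page that is not served over HTTPS")
    return tells


# Constructed description of a pop-up like the one above (number and URL invented).
SCAM_POPUP = {
    "number": "+44-127-355-5123",
    "claims_toll_free": True,
    "url": "http://security-alert.example/warning",
    "asks_password": True,
}

if __name__ == "__main__":
    for tell in scam_tells(SCAM_POPUP):
        print("-", tell)
```

Each check is cheap and none is conclusive on its own, which matches the article’s own caveat: the mismatches are worth surfacing to a user or a web-filtering rule, but a page that gets them all right is not thereby legitimate.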

But these are details that are easy to overlook; the crooks often get the details right, anyway; and plenty of legitimate websites make similar mistakes.

What to do?

We haven’t called the number shown above; we don’t intend to; and we recommend that you don’t, either, no matter how much fun you think you can have messing with the criminals.

They’re crooks – why engage at all, especially when you might accidentally give something away about yourself in the process?

This festive season, even if trying new websites, buying from new vendors, contacting people you haven’t heard from in ages, and otherwise living a larger life online than you have all year…

…don’t let anyone, especially someone you don’t know, and whom you didn’t ask for help, pressurise you into doing, saying, posting, calling, texting, clicking or buying anything.

If you’re worried, ask someone whom you know and trust for help, face-to-face.

If you’re one of those “askees” who end up stuck with friends-and-family technical support over the holidays, please try to do it with good grace, to keep your loved ones out of the clutches of fake support sleazebags like the ones shown here.

If in doubt, STOP. THINK. And only then CONNECT.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/C1z4cN9rKGs/

DOJ confirms Uber is under criminal investigation

The plot of the Waymo vs Uber fight over stolen self-driving technology was already thick, what with 14,000 pages of intellectual property and a 37-page letter that described an Uber unit called Marketplace Analytics (MA) that allegedly spied on competitors worldwide for years, scraping millions of their records using automated collection systems and conducting physical surveillance…

…and thicker still, with Uber using “non-attributable” servers that couldn’t be traced to Uber to store that data. Plus there are the non-attributable laptops, pre-paid phones and Mi-Fi wireless internet devices. Then there’s the use of “ephemeral” messaging services like Wickr and Telegram to communicate, so as not to leave the digital version of a paper trail that could damage the company in any legal proceeding.

And guess what… it just got thicker. Judge William Alsup has unsealed two letters (over the objections of the US Attorney’s Office in San Francisco) that reveal why the civil trial has been delayed. Namely – surprise, surprise – there’s a criminal investigation into Uber’s behavior.

One unsealed letter dated 22 November contains a former employee’s claim that Uber intentionally used “non-attributable electronic devices” (e.g. burner phones and the like) to conceal use of any wrongfully attained intellectual property, as in, stolen driverless vehicle technology.

In the course of a United States’ pending criminal investigation, the government interviewed a former Uber employee named Richard Jacobs.

… Jacobs further stated that Uber employees routinely used non-attributable electronic devices to store and transmit information that they wished to separate from Uber’s official systems. He surmised that any wrongfully-obtained intellectual property could be stored on such devices, and that such action would prevent the intellectual property from being discovered in a review of Uber’s systems.

Those “hide-the-evidence” allegations jibe with a 37-page letter’s allegations of Uber’s “shadow server” – a good place to stash withheld evidence. The letter was written by an attorney for Richard Jacobs, a former Uber security analyst who worked in the company’s global intelligence unit. It was turned over to the court last month and was expected to be released Friday, 15 December at 12pm Pacific Time.

Jacobs’s letters were explosive enough, and late enough (they should have been added to the case file as soon as Uber received them) to prompt Waymo’s attorneys to move for a delay in the trial, arguing that there was no way they could review them in time for the scheduled 4 December start. Judge William Alsup agreed, granting a two-month delay.

The 22 November letter was sent by San Francisco-based federal prosecutors. The fact that it was sent was highly unusual: judges in a civil case like Waymo vs Uber rarely get a heads-up about a pending criminal investigation involving one of the litigants.

In a separate 28 November letter sent to Judge Alsup, Acting US Attorney Alex Tse asked that the first letter not be made public.

…we request the Court maintain our letter under seal. Although the letter does not identify the nature of the investigation, the offenses being investigated, or any target or subject of the investigation, we believe that maintaining the letter under seal is consistent with protecting the presumption of innocence and protecting the integrity of our investigation.

Nonetheless, the judge unsealed both letters on Wednesday.

The first letter was signed by two Assistant US Attorneys, Matthew Parrella and Amie Rooney. As Ars Technica notes, those prosecutors are assigned to the Computer Hacking and Intellectual Property (CHIP) Unit at the United States Attorney’s Office in San Jose. Parrella is head of that unit.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/dWHsLQzCiuM/

Windows 10 bundles a briefly vulnerable password manager

Google Project Zero’s Tavis Ormandy has turned up a howling blunder in a password manager bundled with Windows 10.

On Friday, Ormandy dropped the bug, not in Windows but in the third-party Keeper password manager. He wrote: “I’ve heard of Keeper, I remember filing a bug a while ago about how they were injecting privileged UI into pages (issue 917). I checked and, they’re doing the same thing again with this version. I think I’m being generous considering this a new issue that qualifies for a ninety day disclosure, as I literally just changed the selectors and the same attack works.”

The detail of the bug’s operation is in the older issue he linked. By injecting its trusted UI into untrusted web pages, the extension allowed a malicious web page to read the password that the user was filling in from Keeper.

Very little changed in the new version, Ormandy said, and that gave him the chance to post a demo that could steal a Twitter password.

Keeper Security has issued a patch for the bug.

Posting the patch, the company noted that a victim would have to be lured to an attacker’s site, while logged into the browser extension. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/12/18/windows_10_bundles_vuln/

Advanced Deception: How It Works & Why Attackers Hate It

While cyberattacks continue to grow, deception-based technology is providing accurate and scalable detection and response to in-network threats.

The second of a two-part post on deception.

Distributed deception platforms have grown well beyond basic honeypot trapping techniques and are designed for high-interaction deceptions, early detection, and analysis of attackers’ lateral movement. Additionally, deception platforms change the asymmetry of an attack: they give security teams the upper hand when a threat enters their network, forcing the attackers to be right 100% of the time or have their presence revealed; they provide decoys that obfuscate the attack surface; and they supply the threat intelligence and counterintelligence required to outmaneuver an advanced human attacker.

Given the increasing number and sophistication of today’s breaches, it’s not surprising that deception is gaining widespread attention. Neil MacDonald from analyst group Gartner recently recommended it as a 2017 top 10 cybersecurity initiative. Research and Markets has noted the global deception market is expected to grow to $2.12 billion by 2021.

There are a variety of deception solutions available that range from very simple traps to fully automated deception platforms. While individual deceptions offer benefits within their approach, this post focuses on the features common to the distributed deception platforms available on the market that are most actively sought out based on their comprehensive detection and response to advanced threats.

How Deception Works
Fundamentally, deception is designed to detect attackers when they conduct reconnaissance by moving laterally from the initially compromised system, and when they seek to harvest credentials from other systems. The assumption with deception is that no one should be engaging with the deception servers, decoys, lures, or bait because they provide no production capabilities that employees would access. Deception assets aren’t advertised to employees, so any reconnaissance activity is a red flag and any engagement should prompt immediate action to prevent attackers from escalating their invasion.
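The detection rule this section describes is simple enough to state in code: nothing legitimate ever touches a decoy, so any logon with a lure account or any connection to a decoy host is a high-confidence alert that also names the compromised source system. The following is an added example written for this page, not code from the article or from any deception vendor; the decoy inventory, account names, IP addresses and log formats are all constructed for illustration.

```python
"""Decoy-engagement detection over constructed log lines (added example).

Any authentication attempt with a lure credential, and any connection to a
decoy host, is treated as an alert, because real users never know these
assets exist. Inventory, hosts, accounts and log formats are constructed.
"""
import re
from dataclasses import dataclass

# Constructed deception inventory. In practice this comes from the deception
# platform's configuration and is never published to staff.
DECOY_HOSTS = {"10.20.5.77", "10.20.5.78", "fs-backup02"}
DECOY_ACCOUNTS = {"svc_sqlbackup", "adm_legacy"}   # lure credentials seeded on endpoints

# Constructed log formats: a Windows-style logon record and a flow-style
# connection record. Real sources (4624/4625 events, NetFlow) need their own parsers.
LOGON_RE = re.compile(
    r"^(?P<ts>\S+) LOGON user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) result=(?P<result>\S+)$")
CONN_RE = re.compile(
    r"^(?P<ts>\S+) CONN src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")


@dataclass(frozen=True)
class Alert:
    ts: str
    kind: str      # "decoy_credential" or "decoy_host"
    src: str       # the system that touched the decoy, i.e. the one to isolate
    detail: str


def analyze(lines):
    """Return one Alert per decoy engagement found in the given log lines."""
    alerts = []
    for line in lines:
        m = LOGON_RE.match(line)
        if m:
            # Any use of a lure account, successful or not, is an alert.
            if m["user"].lower() in DECOY_ACCOUNTS:
                alerts.append(Alert(m["ts"], "decoy_credential", m["src"],
                                    f"lure account {m['user']} used against {m['dst']} ({m['result']})"))
            elif m["dst"] in DECOY_HOSTS:
                alerts.append(Alert(m["ts"], "decoy_host", m["src"],
                                    f"logon attempt to decoy {m['dst']}"))
            continue
        m = CONN_RE.match(line)
        if m and m["dst"] in DECOY_HOSTS:
            alerts.append(Alert(m["ts"], "decoy_host", m["src"],
                                f"connection to decoy {m['dst']}:{m['dport']}"))
    return alerts


def suspect_hosts(alerts):
    """Source hosts to isolate, ordered by number of decoy touches (most first)."""
    counts = {}
    for a in alerts:
        counts[a.src] = counts.get(a.src, 0) + 1
    return sorted(counts, key=lambda h: (-counts[h], h))


# Constructed sample log: normal activity from 10.20.1.15/16 and a scan plus
# lure-credential replay from 10.20.1.42.
SAMPLE_LOG = [
    "2017-12-18T09:01:02Z LOGON user=alice src=10.20.1.15 dst=fs01 result=success",
    "2017-12-18T09:03:10Z CONN src=10.20.1.15 dst=10.20.5.10 dport=445",
    "2017-12-18T09:07:44Z CONN src=10.20.1.42 dst=10.20.5.77 dport=445",
    "2017-12-18T09:07:45Z CONN src=10.20.1.42 dst=10.20.5.78 dport=3389",
    "2017-12-18T09:12:30Z LOGON user=svc_sqlbackup src=10.20.1.42 dst=sql01 result=failure",
    "2017-12-18T09:12:31Z LOGON user=SVC_SQLBACKUP src=10.20.1.42 dst=fs-backup02 result=failure",
    "2017-12-18T09:15:00Z LOGON user=bob src=10.20.1.16 dst=fs01 result=success",
]

if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for a in found:
        print(f"{a.ts} {a.kind:16} src={a.src} {a.detail}")
    print("isolate:", suspect_hosts(found))
```

Note that the rule fires on failed logons as well as successful ones: an attacker replaying a harvested lure credential rarely gets a success, and the failure itself is the signal. Account matching is case-insensitive because Windows logon names are.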

Changing the Asymmetry on Attackers
Deception technology plays an instrumental role in changing the asymmetry of attacks. However, for deception to work, you need authenticity and attractiveness to fool savvy human attackers. Active Directory credential verification authenticates deception credentials as attractive targets. Deception that runs real operating systems and provides customization to match the production environment will appear authentic and trick attackers into revealing their presence. Facades built on emulation can be identified quickly and avoided by attackers. Dynamic behavioral deception techniques improve deception with machine learning that adapts to the behavior of the network, applications, and device profiles and continually refresh to remain attractive.

Additionally, adaptive deception lets organizations reset the deception synthetic network on demand. If you’re suspicious of attack activity, resetting the attack surface will avoid attacker fingerprinting that could be used to mark and avoid decoys, create uncertainty, and increase the likelihood of an attacker making a mistake. The increased complexity and cost of restarting will slow an attack and serve as a deterrent, driving the attacker to start over or seek out an easier target.

Early and Accurate Detection
Deception-based detection is designed to detect in-network attackers early, regardless of the attack vector. Unlike other forms of detection, the solution does not require time to learn the network and is effective upon deployment. The network, endpoint, data, application, and Active Directory deceptions work collectively to detect lateral movement, credential theft, man-in-the-middle efforts, and Active Directory attacks.

Comprehensive Deployment
Today’s threat landscape and attack surfaces are ever-changing, and detection methods must adapt to provide early detection of threats at the endpoint and as they move through the network. Comprehensive deception technology scales to the evolving attack surfaces and detects threats throughout user networks, remote office/branch offices, and data centers, and supports data migration to the cloud as well as specialized networks such as point-of-sale systems. Out-of-band deployments provide the best operational efficiency and scalability, and agentless endpoint deception simplifies deployment and manageability. If your organization uses an endpoint detection and response solution, look for vendors with integrations that provide automated deployment and integrated management options.

Attack Analysis, Forensic Reporting, and Integrations
Deception platforms with attack threat analysis save time by automating the analysis and correlation of indicators of compromise, which can then be used to accelerate incident response. Threat intelligence and forensic evidence reporting let organizations capture and catalogue all attack activity to support understanding of the attacker’s objectives, which can lead to better overall security. Deception solutions capture attacker behavior and, through integrations, share the full tactics, techniques, and procedures of the engagement with firewalls, security information and event management systems, network access control products, and endpoint devices. These integrations also empower automated blocking and isolation of infected endpoints.

Through the use of files that contain fake sensitive data, and beaconing technology that calls back when accessed by attackers, counterintelligence can be gathered on which types of files were stolen and for insight into where the data ends up.
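The beacon mechanism in the paragraph above comes down to a per-file unique token embedded in a callback URL inside the decoy document, plus a registry that maps each token back to the file and the place it was planted, so that a later callback says which file was taken and from what address it was opened. Here is an added example of that registry, written for this page rather than taken from the article or any product; the callback host, file names, tokens, IP addresses and access-log format are constructed.

```python
"""Beacon-token attribution for decoy files (added example, not a vendor's code).

Each planted decoy file gets an unguessable token in a callback URL. When the
file is opened somewhere and the URL is fetched, the access log reveals which
file was taken and from where. Host, tokens, files and log lines are constructed.
"""
import re
import secrets

BEACON_HOST = "beacon.example.invalid"   # constructed callback host

# Constructed combined-log-style line: <ip> - - [<ts>] "GET /b/<token>.png HTTP/1.1" <status> <bytes>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] "GET /b/(?P<token>[A-Za-z0-9_-]+)\.png HTTP/1\.1" \d+ \d+')


class BeaconRegistry:
    def __init__(self):
        self._tokens = {}    # token -> (decoy file name, host it was planted on)
        self.callbacks = []  # every attributed callback, in log order

    def plant(self, filename, planted_on, token=None):
        """Register a decoy file and return the beacon URL to embed in it.

        A random token per file keeps callbacks attributable and unguessable;
        the token parameter exists only so the sample below is reproducible.
        """
        token = token or secrets.token_urlsafe(16)
        self._tokens[token] = (filename, planted_on)
        return f"https://{BEACON_HOST}/b/{token}.png"

    def ingest(self, access_log_lines):
        """Match access-log lines to issued tokens; return the attributed hits."""
        hits = []
        for line in access_log_lines:
            m = LOG_RE.match(line)
            if not m or m["token"] not in self._tokens:
                continue   # not a beacon fetch, or a token we never issued
            filename, planted_on = self._tokens[m["token"]]
            hit = {"file": filename, "planted_on": planted_on,
                   "caller_ip": m["ip"], "ts": m["ts"]}
            self.callbacks.append(hit)
            hits.append(hit)
        return hits

    def exfil_summary(self):
        """Decoy file -> sorted list of addresses that opened it (where the data went)."""
        summary = {}
        for hit in self.callbacks:
            summary.setdefault(hit["file"], set()).add(hit["caller_ip"])
        return {f: sorted(ips) for f, ips in summary.items()}


# Constructed scenario: two decoy files planted on two shares.
REGISTRY = BeaconRegistry()
URL_PAYROLL = REGISTRY.plant("Q4_payroll.xlsx", "fs-backup02", token="tokA")
URL_MANDA = REGISTRY.plant("M&A_targets.docx", "hr-share", token="tokB")

# Constructed access log for the beacon host: two real callbacks for tokA from
# different addresses, one for tokB, one unknown token, one unrelated request.
SAMPLE_ACCESS_LOG = [
    '203.0.113.9 - - [18/Dec/2017:10:02:11 +0000] "GET /b/tokA.png HTTP/1.1" 200 68',
    '198.51.100.20 - - [18/Dec/2017:10:05:40 +0000] "GET /b/tokB.png HTTP/1.1" 200 68',
    '192.0.2.33 - - [18/Dec/2017:10:06:02 +0000] "GET /b/notissued.png HTTP/1.1" 404 0',
    '192.0.2.33 - - [18/Dec/2017:10:06:03 +0000] "GET /robots.txt HTTP/1.1" 404 0',
    '198.51.100.7 - - [18/Dec/2017:11:30:15 +0000] "GET /b/tokA.png HTTP/1.1" 200 68',
]

if __name__ == "__main__":
    for hit in REGISTRY.ingest(SAMPLE_ACCESS_LOG):
        print(f"{hit['ts']}: {hit['file']} (planted on {hit['planted_on']}) opened from {hit['caller_ip']}")
    print(REGISTRY.exfil_summary())
```

The summary is the counterintelligence the paragraph refers to: each planted file maps to the set of addresses that opened it, and a file that beacons from several unrelated addresses has evidently been copied onward. Unissued tokens are dropped rather than alerted on, since scanners hitting the beacon host generate noise that has nothing to do with stolen files.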

High-Interaction Deception
Deception slows the attack as threat actors get lost in the deception environment while thinking they are escalating their attack. The use of adaptive deception creates complexity for the attacker by dynamically changing the attack surface as the attacker perceives it, increasing their cost, and acting as a deterrent. Notably, this ability to obfuscate the attack surface has proven itself with pen testers, who have also fallen prey to the deception environment and been tracked for days, only to find themselves defeated.

In addition, high-interaction deception for ransomware can slow down an attack by 25x or more. Deception-mapped drives lure attackers and feed them reams of fake data to keep them busy while the infected system is isolated from the network.

Ease of Operations and Risk Insight
Deception makes it easy to deploy solutions for detecting and responding to threats — important in this age of staff shortages. Deception not only strengthens defenses with early and accurate engagement-based detection but also plays a critical role in deterring attacks with visibility tools to assess likely attack paths, time-lapsed maps of attacker movement, and integrations for accelerated incident response.

While cyberattacks grow in number and sophistication, deception-based technology is providing accurate, scalable detection and response to in-network threats. Organizations increasingly are turning to deception to close the detection deficit and to gain an advantage over attackers with the ability to perform counterintelligence, increase their costs, and slow their attacks.

Read part one: Deception: Why It’s Not Just Another Honeypot.

Carolyn Crandall is a technology executive with over 25 years of experience in building emerging technology markets in security, networking, and storage industries. She has a demonstrated track record of successfully taking companies from pre-IPO through to …

Article source: https://www.darkreading.com/vulnerabilities---threats/advanced-deception-how-it-works-and-why-attackers-hate-it/a/d-id/1330600?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple