STE WILLIAMS

Email is one of the most successful communications media ever invented, and its reach continues to grow. Almost 300 billion emails are sent worldwide every day, and the number of worldwide users continues to grow at a rate of 3% per year. By 2020 there will be 4 billion active users of email — more than half the planet’s population — according to the Radicati Group, which tracks email usage worldwide. 

Unfortunately, email is unprepared for today’s threats, because it was designed nearly 40 years ago when its eventual global reach and security challenges were unimaginable. Decades of work by the email industry has largely contained spam, but phishing and email-based malware remain enormous threats, with email involved in over 90% of all cyberattacks, according to various estimates. Email vulnerabilities have even played a disruptive role in elections, such as in the 2016 hack of the Democratic National Committee’s email (done via spear phishing email) and in 2018 attacks on Florida election officials. 

That’s why email insiders are busy developing standards aimed at addressing email’s most glaring weakness: that anyone can send email as anyone else. This lack of a strong sender identity model has created an epidemic of spoofing that doesn’t exist through other messaging applications that have strong sender identity controls. In other words, when you get a Facebook message, a WhatsApp message, or a Twitter DM, you can be fairly sure of who the sender actually is. But there are no such assurances in email, and that’s why there are 6.4 billion spoofed emails sent every day, according to a research report from Valimail.

With stronger sender identity protections in place, we can eliminate these fakes. Email will be more trustworthy and better able to support advanced capabilities. And that’s exactly what a variety of standards groups are focusing on. The gold standard for strong sender identity in email is DMARC, and the standards shaping the future of email are increasingly requiring it. Here are some of the new email standards improving sender identity and security for the entire ecosystem.

DMARC 2.0
Domain-based Message Authentication, Reporting Conformance has been an unofficial but widely accepted standard since 2015. It provides a way for domain owners to control which senders are allowed to send email using their domain. DMARC is accepted and enforced by about 80% of the world’s email inboxes, has been growing exponentially among domain owners, and the Internet Engineering Task Force (IETF) is working to make it an official standard. It’s too soon to know exactly what the next version of DMARC will include but it’s safe to say that it is fast becoming part of basic security best practices, along with firewalls and SSL/TLS encryption on websites.

BIMI
Brand Indicators for Message Identification is a way for brands to specify images that appear alongside the authenticated email messages they send. Once their domains are authenticated with DMARC (with an enforcement policy), they gain the ability to display logos with their messages in place of the default avatars most inboxes show. Verizon Media is already running a pilot of BIMI in Yahoo Mail, and Google plans to run its own pilot in 2020. BIMI’s offer of brand impressions is a big incentive for marketers, which will drive many organizations to deploy DMARC in order to reap that benefit — and wider usage of DMARC will mean more trustworthy email overall for everyone. 

AMP for Email
AMP is a framework for accelerating web page load times. AMP for Email creates the possibility of building interactive applications in AMP that live right inside the inbox — no need for users to click out to a separate web page. It includes provisions for authenticating senders and encrypting data in transit, which should alleviate security concerns, while opening up a wide range of possibilities for email-based application design. 

Schema.org for Email
Schema.org is a collaborative, decentralized project creating data ‘”schemas” for different types of structured data, such as informational listings for people, places, and businesses; calendar events; audio and video objects; books; and even recipes. These lightweight metadata frameworks create a common baseline for applications to ingest and use this data. In email, Schema.org-encoded data can simplify integrations: For instance, if you get an order confirmation from a retailer, a Schema.org-formatted email could contain dynamically updated information on its shipping progress. 

STARTTLS and MTA-STS
STARTTLS is an email security protocol that enables email clients and servers to exchange data in encrypted form, using TLS (Transport Layer Security) or SSL (Secure Sockets Layer) if they are available. This is akin to HTTPS for web pages: It ensures that messages are encrypted in transit. MTA Strict Transport Security (MTA-STS) is a related standard that takes this a step further, and can require authentication checks and encryption for connections between mail servers, which helps prevent any unencrypted data from being transmitted and thwarts man-in-the-middle attacks. In combination with DMARC, which assures the sender’s identity is legitimate, these two protocols further improve security for the “hidden plumbing” that makes email work.

As these standards gain acceptance, with strong and widely deployed sender identity, email will become more interactive and more secure for all users. Already a vital communications channel for more than half the planet, it will evolve into an even more engaging, ubiquitous platform for B2B and B2C communications, and many of the problems we currently face with phishing and BEC will fade away. 

That won’t be easy. It will take a lot of effort by many different organizations and individuals. But the groundwork has been laid, and the benefits will be immense, so there is every reason to think that email is going to continue improving – and growing. Email isn’t going away. It’s only going to empower richer experiences and get bigger and better through the process.

Related Content:

• The State of Email Security and Protection
• 4 Ways to Fight the Email Security Threat
• Email Security Tools Try to Keep Up with Threats
• Email Threats Poised to Haunt Security Pros into Next Decade

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “5 Pieces of GDPR Advice for Teams Without Privacy Compliance Staff.”

Seth Blank is the chair of the working group developing BIMI, the secretary of the IETF working group developing DMARC, and an active contributor to many email industry groups. He is the director of industry initiatives at Valimail. View Full Bio

Article source: https://www.darkreading.com/application-security/new-standards-set-to-reshape-future-of-email-security/a/d-id/1336683?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Enterprise Internet of Things security company Armis has agreed to be acquired by US private equity firm Insight Partners for a valuation of $1.1 billion. CapitalG, the investment division of Google parent company Alphabet, also join for $100 million. The deal is expected to close in February.

Armis was co-founded in 2015 by CEO Yevgeny Dibrov and CTO Nadir Izrael. Since then, the company has raised $112 million over four funding rounds and grown to include more than 250 employees. Its agentless platform aims to discover all the devices on a corporate network and identify their type, manufacturer, model, operating system, reputation, username, software, and risk factors, among other data. By tracking behavior and connections, it aims to determine whether a device is acting maliciously.

Gartner anticipates the number of connected devices will reach 25 billion by 2021, creating a challenge for organizations that need to handle them. Unmanaged devices with poor security represent a rapidly growing attack landscape. Armis’ customer base includes organizations across vertical industries, including healthcare, high tech, industrial, retail, and transportation.

Following the deal, Armis will continue to operate independently and be fully management by Dibrov and Izrael, along with its executive team. Under Insight, Armis will work to continue along its growth with the support of Insight’s business strategy and ScaleUp division, Onsite.

Read Armis’ blog post here and the full release here.

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “What Tools Will Find Misconfigurations in My AWS S3 Cloud Buckets?“

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/threat-intelligence/insight-partners-acquires-armis-at-$11b-valuation/d/d-id/1336732?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Accenture has announced that it will purchase Symantec’s Cyber Security Services business from Broadcom. The acquisition will add Symantec Cyber Security Services’ portfolio of services, including global threat monitoring and analysis, real-time adversary, and industry-specific threat intelligence and incident response services to that of Accenture Security.

The acquisition is the latest in a series of purchases Accenture has made, including those of Deja vu Security, iDefense, Maglan, Redcore, Arismore, and FusionX. In its fiscal year 2019, Accenture spent approximately $1.2 billion globally on 33 acquisitions.

Financial terms of the deal to acquire Symantec Cyber Security Services were not disclosed. The purchase, subject to customary closing conditions, is expected to close in March 2020.

For more, read here.

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “What Tools Will Find Misconfigurations in My AWS S3 Cloud Buckets?“

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/application-security/accenture-to-buy-symantecs-cyber-security-services-/d/d-id/1336733?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

In 2020, the connected-car market will reach a tipping point, with the majority of vehicles already connected to the Internet when sold in the United States, representing a large base of potential targets for attacks, according to a report released by cybersecurity firm Upstream Security. 

The company documented 176 digital, electronic, and cyberattacks aimed at vehicles in 2019, more than double the 78 attacks from the previous year. The incidents ranged from stealing cars by hacking keyless entry fobs to tracking trucks by compromising online fleet services. For the second year in a row, malicious actors conducted more attacks against vehicle systems than security researchers and white-hat hackers, a trend that is unlikely to reverse, says Dan Sahar, vice president of products for Upstream Security.

“The ‘Charlie Miller days,’ where it is only researcher activity — that’s behind us,” he says. “We are seeing hackers with criminal intent now the most significant actor going after vehicles.”

Since 2010, Upstream has compiled data on 388 digital, electronic, and cyberattacks, more than 45% of which occurred in the last year. In April, for example, a hacker found that two GPS services, ProTrack and iTrack, configured accounts with a default password, which many users had not changed, allowing him to access 27,000 accounts between the two services. Access to the accounts reportedly could have been used to remotely turn off an engine, if the car was moving at 12 mph or slower.

The weak passwords were found by a white-hat hacker, but, increasingly, breaches and attacks are fueled by criminals — 57% of attacks are malicious, Upstream found. In one criminal attack, a video shows car thieves stealing a Tesla in less than 30 seconds using a keyless-entry bypass. In another, nation-state attackers linked to Vietnam stole information on 3.1 million Toyota customers.

While attacks that take down entire fleets of cars are theoretically possible, most attacks have focused on crimes that have a payoff in the end: either the theft of the vehicle, as in the Tesla case, or the accessing of consumer information, as happened to Toyota, says Sahar.

“What will likely continue to happen are attacks more in the lines of service disruption,” he says. “Less about threatening human safety but still cause them to feel the impact. Companies that can no longer turn on the engines across their fleet of trucks, for example. Or consumers not being able to unlock their cars in the morning.”

The surge in incidents, which more than doubled in 2019 from the previous year, is due to the proliferation of connected and embedded systems in vehicles as well as the research that has laid the ground for many of the attacks. 

When two researchers — Charlie Miller and Chris Valasek — demonstrated in 2015 that a Jeep could be hacked while it was going 70 mph on the highway, connected cars were still relatively rare. That’s set to change.

Already, the top-three carmakers in the US — GM, Toyota, and Ford — plan to sell only connected cars this year, according to a report by the nonprofit Consumer Watchdog. Those three companies make up more than half of cars sold in the United States. Others car manufacturers are on track move to 100% of their vehicles connected to the Internet in the next five years.

Most attacks focus on the keyless entry system (30%), the application servers for the service (27%), the mobile application for the service (13%), or the onboard diagnostic port used by mechanics to service the vehicle, according to Upstream’s report. While keyless attacks, which allow thieves to steal a car, are an easy way to monetize a vulnerable system, because the technique requires proximity, it can only affect a single car at a time. Server attacks, however, could affect millions of cars, Upstream stresses.

“When someone gains access to a telematics server, they then have access to everything connected to it, including apps, data, and all the connected vehicles,” the company stated in its report. “This can lead to multi-vehicle or fleet-wide attacks, which are extremely risky to all parties involved, from OEMs to telematics service providers, and companies who manage fleets to the drives themselves.”

Because there is little that consumers can do to secure their cars, the manufacturers have to step up. They have done so somewhat slowly. The industry created its own information sharing and analysis center in 2016, and many companies have started paying for vulnerability information. Tesla kicked off a bug bounty program in 2014. General Motors followed suit in 2016, Toyota in 2018, and Ford just last year.

“Security is something that car companies are investing more budget in,” Sahar says. “Because consumers do not have the capabilities to protect themselves, it is a big responsibility of the OEMs, the carmakers, and the fleet providers to also focus on security.”

Related Content

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “What Tools Will Find Misconfigurations in My AWS S3 Cloud Buckets?”

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline … View Full Bio

Article source: https://www.darkreading.com/edge/theedge/car-hacking-hits-the-streets/b/d-id/1336730?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

VPN provider Pulse Secure on Monday urged customers to immediately apply a security patch if they have not yet done so. The company issued the patch last April to address a critical, remotely executable flaw in some versions of its products.

The advice stemmed from reports over the last few days of attackers exploiting the flaw — tracked as CVE-2019-1150 — to deliver ransomware on enterprise systems and to delete data backups and disable endpoint security tools.

Among those believed affected in the ongoing campaign is travel insurance and currency exchange provider Travelex, which experienced a massive service disruption this week following a reported ransomware attack on its systems on New Year’s Eve. The attack, involving the use of ransomware known as REvil (Sodinokibi), forced the company to take all of its systems offline and to resort to manual operations at branches worldwide.

Travelex did not respond immediately to a Dark Reading request seeking an update on the incident.

UK security researcher Kevin Beaumont, who first reported the attacks on Saturday, described at least two organizations as having been compromised so far by recent attacks targeting the Pulse Secure VPN flaw.

“Pulse Secure publicly provided a patch fix on April 24, 2019 that should be immediately applied to the Pulse Connect Secure [VPN],” says Scott Gordon, chief marketing officer at Pulse Secure. “Do not delay as the CVE-2019-1150 vulnerability is highly critical,” he warns.

The flaw in multiple versions of Pulse Connect Secure and Pulse Policy Secure gives remote attackers a way to connect via HTTPS to an enterprise network without needing any valid username or password. Attackers can use the flaw to view logs and files, turn-off multifactor authentication, download arbitrary files, and execute malicious code on enterprise networks,

The security vulnerability is one of several that were discovered last year in VPN products from Pulse Secure, Palo Alto Networks, and Fortinet. Flaws like these are considered especially dangerous because they exist in the products that enterprises rely on for protection against cyber threats. Pulse Secure and numerous others have repeatedly urged organizations with vulnerable systems to apply the patch as soon as possible.

Exploits for the vulnerability have been freely available since at least last August. Both the NSA and the US Department of Homeland Security have issued separate advisories on the VPN flaws and warned about nation-state-backed advanced persistent threat groups exploiting them to take control of vulnerable systems.

Despite the warnings, a substantially large number of Pulse Secure’s affected products remain unpatched and vulnerable to attacks. According to threat intelligence firm Bad Packets, at least 3,825 Pulse Secure VPN servers remain unpatched and vulnerable to attack as of January 3, 2020. More than 1,300 of the vulnerable systems are located in the United States. According to Beaumont, Travelex had seven unpatched Pulse Secure servers when it was attacked on New Year’s Eve.

“We estimate that nearly 90% of Pulse Secure VPN systems have been patched, and some of those systems are not in active production,” Gordon says. Back in August, when Bad Packets conducted an Internet scan, it identified 15,000 servers at risk to the vulnerability, he notes.

Gordon says that Pulse Secure has made its support engineers available on a 24/7 basis, including weekends and holidays, to help customers who need assistance to apply the patch fix. Patch assistance is available even to customers that are not currently under an active maintenance contract, he says.

“Any vulnerability in the remote access of a network is a big deal,” says Chris Morales, head of security analytics at Vectra. Any remotely executable VPN vulnerability — especially one that gives an attacker the same level of access as an approved remote user, should have been addressed immediately, he says. “I don’t know all the variables at play specific to Travelex. However, it is a shame that vulnerability management and patching are still difficult to do.”

Colin Bastable, CEO of Lucy Security, says attacks like the one on Travelex highlight the enormous challenges organizations face in addressing threats to the network. “There are too many moving parts in modern IT infrastructure for the IT Team to manage, especially with global businesses,” he says. “Playing defense is always harder than playing offense, because someone, somewhere, or some server, will fail to get the memo and miss or misapply the patch.”

Related Content:

• Malware Hits Travelex Currency Exchange Service
• NSA Issues Advisory on VPN Vulnerability Trio
• CERT, CISA Warn of Vuln in at Least 4 Major VPNs
• 7 Ways VPNs Can Turn from Ally to Threat 

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “What Tools Will Find Misconfigurations in My AWS S3 Cloud Buckets?“

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year … View Full Bio

Article source: https://www.darkreading.com/attacks-breaches/widely-known-flaw-in-pulse-secure-vpn-being-used-in-ransomware-attacks/d/d-id/1336729?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple