STE WILLIAMS

Russia, America dig into tug-of-war over Bitcoin laundering suspect

Russia doesn’t want America taking one of its nationals accused of running a $4bn Bitcoin laundering ring – Moscow wants him more.

The Russian foreign ministry said in a statement on Friday that a Greek court’s decision to extradite Alexander Vinnik to the US is “unjust and a violation of international law”.

The 38-year-old was arrested in Greece in July. Both the US and Moscow want him for suspected money laundering on the defunct BTC-e exchange.

Although Vinnik denies the charges from both countries, a Greek court gave the green light on Wednesday for his extradition to America, where the risk of up to 55 years in prison could become a reality if he is found guilty.

The catch is that Russia also has an extradition request in with Greece. The Russian foreign ministry is arguing that its request should take priority since Vinnik is a Russian national.

“The verdict is even more surprising in the context of the atmosphere of friendly relations between Russia and Greece,” the statement added. “We hope the Greek authorities will consider the Russian Prosecutor General’s Office request, and Russia’s reasoning, and act in strict compliance with international law.”

The Register has asked the Greek Ministry for Foreign Affairs and the US Department of Justice to comment, and will update this article if we hear back.

Reuters reports that Vinnik is appealing the Greek court’s decision to the Greek Supreme Court. It is understood that he is willing to return to Russia. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/06/russia_wants_suspected_bitcoin_launderer_alexander_vinnik_first/

FBI iPhone hack lost forever, White House mobe compromised, SSH – and plenty more

Roundup Another week draws to a close so it’s time to review the security news you may have missed in between the big hitters: the NSA contractor who leaked more exploits, Apple’s encryption password blunder, and so on. This week we’ve seen bugs, hacking, and government silliness – take a look…

Computerinsel PhotoLine full of bugs

Researchers at Cisco’s Talos security team have found a series of vulnerabilities in German image manipulation software PhotoLine.

Hackers could get remote code execution by sending in a specially crafted .gif and do the same with TARGA graphics files. The flaws appear to be in PhotoLine version 20.02 but may also affect earlier versions.

Juniper corrects world’s least secure comma

Networking hardware vendor Juniper has removed a comma from this 2015 security advisory regarding a “denial of service due to maliciously crafted uBFD packet” problem.

As the update dated 2017-09-28 records, the gin palace has “removed a comma from paragraph for clarity”. The paragraph now reads “received directly via VPN, MPLS”. It previously read “received directly, via VPN, MPLS”.

SSH 7.6 drops support for SSHv1, splats bugs

Sysadmins and developers alike, pay heed: the folk who tend SSH have pushed out a new version with a bunch of security patches and bug fixes.

Calling the release “primarily a bugfix”, the maintainers also note that OpenSSH 7.6 “contains substantial internal refactoring”.

Those deploying or writing to 7.6 are given notice of five details that might break existing implementations: SSHv1 support is gone, as is support for the hmac-ripemd160 message authentication code (MAC).

The deprecated arcfour, blowfish and CAST ciphers have been consigned to memory, RSA keys less than 1,024 bits long will be refused, and CBC (cipher block chaining) will no longer be offered by default.

The other security change plucked out by the developers relates to the SFTP server: “In read-only mode, sftp-server was incorrectly permitting creation of zero-length files,” which is now fixed.

Other bug fixes and new features are listed in the release notes linked above.
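For admins who want to check which of the algorithms dropped in 7.6 a server still advertises, here is an added example (not OpenSSH code, nor from the article) that parses an SSH_MSG_KEXINIT payload per RFC 4253 and flags the arcfour, blowfish and CAST ciphers, CBC-mode ciphers and hmac-ripemd160, plus an identification string that still offers protocol 1. The two server profiles below are constructed for the demonstration; minimum RSA key length is negotiated after KEXINIT, so that change is out of scope here.

```python
"""Audit an SSH server's KEXINIT and banner for legacy algorithms OpenSSH 7.6 drops.

Added example, not OpenSSH or article code. Parses SSH_MSG_KEXINIT (RFC 4253 s7.1)
and reports algorithms the 7.6 release removed or stopped offering by default.
"""
import struct
from typing import Dict, List, Tuple

SSH_MSG_KEXINIT = 20
NAME_LISTS = ("kex", "host_key", "cipher_c2s", "cipher_s2c", "mac_c2s", "mac_s2c",
              "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")
# Ciphers removed outright in 7.6, matched by prefix (arcfour128, blowfish-cbc, cast128-cbc ...)
REMOVED_CIPHER_PREFIXES = ("arcfour", "blowfish", "cast")
# The MAC removed in 7.6, in the name variants OpenSSH used to offer
REMOVED_MACS = {"hmac-ripemd160", "hmac-ripemd160@openssh.com", "hmac-ripemd160-etm@openssh.com"}


def _read_name_list(buf: bytes, off: int) -> Tuple[List[str], int]:
    """Decode one RFC 4251 name-list: uint32 length + comma-separated ASCII names."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    raw = buf[off:off + n]
    if len(raw) != n:
        raise ValueError("truncated name-list")
    return (raw.decode("ascii").split(",") if n else []), off + n


def parse_kexinit(payload: bytes) -> Dict[str, List[str]]:
    """Split a KEXINIT payload into its ten name-lists, keyed as in NAME_LISTS."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off = 1 + 16  # message type byte + 16-byte random cookie
    fields: Dict[str, List[str]] = {}
    for name in NAME_LISTS:
        fields[name], off = _read_name_list(payload, off)
    if len(payload) - off != 5:  # boolean first_kex_packet_follows + uint32 reserved
        raise ValueError("unexpected KEXINIT trailer")
    return fields


def build_kexinit(fields: Dict[str, List[str]]) -> bytes:
    """Inverse of parse_kexinit; used here only to construct the sample messages."""
    out = bytearray([SSH_MSG_KEXINIT]) + b"\x00" * 16
    for name in NAME_LISTS:
        s = ",".join(fields.get(name, [])).encode("ascii")
        out += struct.pack(">I", len(s)) + s
    return bytes(out + b"\x00" + b"\x00\x00\x00\x00")


def audit_kexinit(fields: Dict[str, List[str]]) -> List[str]:
    """One finding per offered cipher or MAC that 7.6 removed or no longer offers by default."""
    findings = []
    for key in ("cipher_c2s", "cipher_s2c"):
        for cipher in fields[key]:
            if cipher.startswith(REMOVED_CIPHER_PREFIXES):
                findings.append(f"{key}: {cipher} removed in OpenSSH 7.6")
            elif cipher.endswith("-cbc"):
                findings.append(f"{key}: {cipher} is CBC, no longer offered by default")
    for key in ("mac_c2s", "mac_s2c"):
        for mac in fields[key]:
            if mac in REMOVED_MACS:
                findings.append(f"{key}: {mac} removed in OpenSSH 7.6")
    return findings


def audit_banner(banner: str) -> List[str]:
    """Flag an identification string that is not protocol 2.0 only (e.g. SSH-1.99-...)."""
    parts = banner.strip().split("-", 2)
    if len(parts) < 3 or parts[0] != "SSH":
        return [f"malformed identification string: {banner!r}"]
    if parts[1] != "2.0":
        return [f"protocol {parts[1]} advertised: SSHv1 compatibility still enabled"]
    return []


# Constructed samples: a legacy server still offering everything 7.6 drops, and a clean one.
_LEGACY_CIPHERS = ["aes128-ctr", "aes256-cbc", "arcfour256", "blowfish-cbc", "cast128-cbc"]
LEGACY_SERVER = {
    "kex": ["curve25519-sha256", "diffie-hellman-group14-sha1"],
    "host_key": ["ssh-rsa", "ssh-ed25519"],
    "cipher_c2s": list(_LEGACY_CIPHERS), "cipher_s2c": list(_LEGACY_CIPHERS),
    "mac_c2s": ["hmac-sha2-256", "hmac-ripemd160"],
    "mac_s2c": ["hmac-sha2-256", "hmac-ripemd160-etm@openssh.com"],
    "comp_c2s": ["none", "zlib@openssh.com"], "comp_s2c": ["none", "zlib@openssh.com"],
    "lang_c2s": [], "lang_s2c": [],
}
MODERN_SERVER = {
    "kex": ["curve25519-sha256"], "host_key": ["ssh-ed25519"],
    "cipher_c2s": ["chacha20-poly1305@openssh.com", "aes128-ctr"],
    "cipher_s2c": ["chacha20-poly1305@openssh.com", "aes128-ctr"],
    "mac_c2s": ["hmac-sha2-256-etm@openssh.com"], "mac_s2c": ["hmac-sha2-256-etm@openssh.com"],
    "comp_c2s": ["none"], "comp_s2c": ["none"], "lang_c2s": [], "lang_s2c": [],
}

if __name__ == "__main__":
    for label, srv, banner in (("legacy", LEGACY_SERVER, "SSH-1.99-OpenSSH_5.3"),
                               ("modern", MODERN_SERVER, "SSH-2.0-OpenSSH_7.6")):
        issues = audit_banner(banner) + audit_kexinit(parse_kexinit(build_kexinit(srv)))
        print(f"{label}: {len(issues)} finding(s)")
        for line in issues:
            print("  -", line)
```

To run it against a real host, read the banner line and the first binary packet from a TCP connection to port 22 and pass the packet payload (after the length and padding fields) to parse_kexinit.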

SEC security team begged for funds before hack

Everyone knows the IT department always gets blamed for hacking incidents – in some cases rightly. But leaked memos from the SEC show system administrators knew there were security issues at the agency but lacked the funds to do anything about it.

The head of the US financial watchdog’s Digital Forensics and Investigations Unit officially complained that his department’s budget of $100,000 was half a million dollars short of what was needed. However, his request was blocked and two months later the SEC was forced to admit that it had been comprehensively pwned.

Germany drops NSA spying investigation

The German authorities have dropped a two-year investigation into allegations that the UK and US intelligence agencies were spying on the German chancellor Angela Merkel.

The claims caused a massive row between the US and its allies after it was claimed that the personal phones of politicians were under surveillance. It’s a touchy topic in a country whose Eastern side suffered decades of massive surveillance by the state.

“The prosecutors’ investigations and the investigation by the NSA parliamentary committee have found no tangible evidence that US or British intelligence agencies undertook systematic and mass surveillance of German telecommunications and internet (usage) that is against the law,” officials said.

FBI’s secret iPhone hack won’t be revealed

The hacking technique purchased by the FBI to unlock a murderer’s iPhone won’t be revealed, a US court has ruled [PDF].

After the San Bernardino shooting the FBI brought in a third-party supplier to break into the iPhone of one of the shooters. They reportedly paid $1m for the technology but this was never confirmed, and the Associated Press and other news organisations sued to find out how it was done. They lost and now we’re unlikely to ever know.

US chief of staff’s phones hacked

US government officials report that the personal phone of White House chief of staff John Kelly had been hacked.

Kelly asked White House IT staff to look at his smartphone after he complained that it wasn’t updating and kept crashing. They found it had been compromised, possibly as early as last December.

A White House spokesperson said that Kelly had not used his personal phone for official business and had relied on government-secured hardware and software. So that’s all right then.

More on Broadcom SoC hacking

For those following Google Project Zero’s epic efforts compromising Broadcom Wi-Fi chipsets, Gal Beniamini has provided a lot more gory detail into how to hack systems-on-chip. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/06/security_roundup/

John Kelly’s Personal Phone Compromised

Officials fear foreign entities may have accessed White House chief of staff Kelly’s phone while he was secretary of Homeland Security.

White House chief of staff John Kelly may have had his personal mobile phone compromised as long ago as December 2016, according to three US government officials, Politico reports.

Tech support staff at the White House found a potential breach after Kelly submitted his phone, claiming it hadn’t been working properly for months and would not update software. Officials do not know the time or location of the initial compromise, or the data that may have been accessed. After their review, they concluded the phone should not be used due to a potential breach.

Kelly had reportedly avoided using his personal phone since joining the White House in January, instead relying on his government-issued phone for official communication. His travel prior to January is under review. Kelly has begun using a different phone but uses his government phone inside the White House, according to the report.

The discovery of a potential breach has sparked concern that hackers or foreign governments may have been able to access information on Kelly’s phone during his term as secretary of Homeland Security and after he joined the White House.


Article source: https://www.darkreading.com/vulnerabilities---threats/john-kellys-personal-phone-compromised/d/d-id/1330068?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Rise in Insider Threats Drives Shift to Training, Data-Level Security

As the value and volume of data grows, perimeter security is not enough to battle internal or external threats.

Data breaches continue to devastate organizations, and the threat from insiders — whether malicious or accidental — continues to grow as the value and volume of data expands at near breakneck speed.

The latest research from Verizon showed that internal actors contributed to 25% of data breaches, and other research has shown insider threats to be on the rise, with more than half of cybersecurity professionals reporting growth in insider threats over last year, according to Crowd Research Partners’ 2017 Threat Monitoring, Detection and Response report (registration required). 

None of this is surprising. Enterprises are accumulating ever-more data for business intelligence. They’re sharing more data with partners, suppliers, customers, and cloud providers, and they’re linking more data to more applications, mobile and otherwise. This activity is the lifeblood of a robust economy and expanding Internet of Things ecosystem, but it also creates more opportunities for increasingly sophisticated cyber attacks and security breaches.

Not Just an Inside Job
With an insider threat, the culprit is already inside the network. Securing the perimeter around the network — which has long been the focus for enterprise security — does not do the job against this kind of a threat, whether it is malicious or unintentional. Nor is focusing on securing the perimeter the best strategy against many external threats. That’s because data-smart companies want to be able to safely give partners, suppliers, and customers access to their networks in order to increase business opportunities.

As a result of this shift, security needs to rest with the data itself, not just at the network level. The move to the cloud elevates the need for data-level protection. To reduce the risk of insider threats, companies and organizations need to focus on three areas:

Hurdle 1: The Data
Connected enterprises need and want approved partners inside their networks, but they don’t want everybody to have access to all data. As a result, database technologies today offer flexible and granular access controls to ensure that employees only have the privileges necessary to do their jobs — and nothing else. For instance, someone in Human Resources may be allowed to access work-related salary information but not personal information such as an employee’s home address.

Other types of database security measures also can act directly on data. Encryption technologies require people to have encryption keys to unlock data. Redaction enables companies to hide sensitive data, but share other, related data. For instance, if a patient is enrolled in a clinical trial, data about how that patient reacts to a drug can be shared, but the patient’s personally identifiable information is not.

All of these tools improve data-level security. But for enterprises to really wring business intelligence out of their data, they also need to trust their data. This requires good data governance: knowing where data came from, when, how and if it was changed, and by whom. With security at the data level, inside actors face another hurdle.

Hurdle 2: Awareness Training
Employee negligence remains the number one cause of most insider security events, concluded CSO’s 2017 U.S. State of Cybercrime survey. All told, 28% of insider security incidents were unintentional or accidental, 18% were intentional, and 8% resulted from theft of insider credentials, according to the survey. In healthcare, the 2017 KPMG Cyber Healthcare Life Sciences Survey of 100 senior executives reported that a full 55% of organizations have seen employees fall prey to phishing scams. All of this points to a need for better education.

Companies vary in how and how often they train, but the key factor is that employees need to buy into the idea that security is important. Educate them on the value of company data, on different types of data, what’s shareable and what’s not, and why access controls are critical. Remind employees that downed networks and lost data affect business reputations, which may hinder future opportunities. Anyone can relate to the pain and cost of having their identity stolen. A company is similarly vulnerable.

Hurdle 3: Executive Buy-in
Executives set the tone for how important something really is to a particular organization. Are executives investing in security and training? Do they talk about security with employees and with board members? Despite the importance of data security in healthcare, KPMG’s survey found that more than one-third of healthcare organizations don’t even have a CISO, and 6 in 10 boards see cyber-risks as an IT problem as opposed to an issue that has a universal impact.

Hurdle 4: The Promise of Big Data
In the past, security detection was limited to looking for patterns in network-centric data. Now, we have data on servers and in databases, all of which can be monitored and audited to provide a richer set of detection opportunities. Metadata — data about data, such as data origin, quality, owner, geolocation — creates new opportunities for security anomaly detection. Combine all that data with big data compute power and you have another tool to detect breaches or, better yet, stop them before they get that far.


Article source: https://www.darkreading.com/perimeter/rise-in-insider-threats-drives-shift-to-training-data-level-security/a/d-id/1330066?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Russian Hackers Targeted NSA Employee’s Home Computer

New reports today say it was a National Security Agency employee, not a contractor, whose home machine running Kaspersky Lab antivirus was hacked for classified files.

New reports on the latest NSA classified data breach revealed yesterday paint the source of the leak as an actual employee of the spy agency, not a contractor, as was originally reported by The Wall Street Journal.

The Washington Post in its reporting described the NSA employee who loaded classified NSA files onto his home computer, which in turn was hacked by Russian cyber spies in 2015, as a Vietnam-born US citizen who had been part of the NSA’s famed Tailored Access Operations (TAO) hacking team. The employee, who was removed from his position in 2015, was working on a project to create new TAO tools in the wake of former NSA contractor Edward Snowden’s theft and leak of TAO tools in 2013; the new tools were among the files pilfered by Russian nation-state hackers.

A New York Times report also characterized the targeted man as an NSA employee.

Word of the breach first came yesterday in a Wall Street Journal report, which said the hack of classified cyberattack and defense tools occurred via Kaspersky Lab antivirus software on the NSA employee’s home computer, where the AV flagged the NSA cyberspying tools and code. The breach wasn’t detected until the spring of 2016, and wasn’t known publicly until the WSJ report.

Security experts say the reports raise more questions than answers about how the attack actually occurred. Matthieu Suiche, founder of Comae Technologies and an expert on the mysterious Shadow Brokers group, points out that it apparently took the NSA six months to discover the incident.

Suiche told Dark Reading that it’s “hard to say” if there’s a connection to the NSA exploits held and leaked by Shadow Brokers. He says he’s unclear how investigators tied the NSA data leak to the Kaspersky Lab software specifically, and whether the attacker had an exploit for the AV software.

“It can be a man-in-the-middle or even vulnerability itself” used to steal the files, he notes.


Article source: https://www.darkreading.com/attacks-breaches/russian-hackers-targeted-nsa-employees-home-computer-/d/d-id/1330071?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Update your Androids, the October patches are out

It’s the beginning of the month, and that means Google has published its monthly security bulletin for Android devices, detailing all the vulnerabilities it has addressed in this month’s update. Though it’s not a long list of vulnerabilities, almost everything on it is rated High or Critical. (If you want to know what the formal severity ratings like Critical, High and Moderate actually mean take a look at Android’s Security Updates and Resources page.)

The Android bulletin has two patch levels, one for 1 October 2017 and another for 5 October 2017.

The first part of the bulletin notes that the most severe vulnerabilities are related to the Android Media Framework. The bulletin doesn’t detail the potential impact of each vulnerability it lists, though it says the most severe flaw in the Media Framework could allow arbitrary code execution within the “context of a privileged process.”

The Media Framework, loosely put, is what processes images and videos to display them on the screen, and this isn’t the first time it has come up for patching – the July 2017 Android Bulletin also listed a number of Media Framework-related issues.

Some of the other vulnerabilities – again, details are a bit vaguely worded in the bulletin – would have allowed for privilege escalation, opening the door for malicious applications or the dreaded remote code execution. One of the Critical vulnerabilities, CVE-2017-0809, affects Android versions 4.4 all the way to 8.0.

It’s a similar story for the second part of the bulletin (5 October 2017), where everything’s either Critical or High. The few details in the bulletin also hint that these vulnerabilities could have allowed remote code executions if exploited.

New! Pixel and Nexus-specific security bulletins

Owners of the Google Pixel and Nexus devices should note that, as of October 2017, Google will publish a separate security bulletin for those devices, alongside the generic Android monthly update.

This first Pixel/Nexus bulletin contains a number of patch updates that, similar to the overall Android bulletin, largely fix issues within the Media Framework and hardware components. Unlike the overall Android bulletin though, the vast majority of these vulnerabilities are rated as Moderate.

The advice is, as always—for those that can—patch as soon as possible to benefit from these updates. If you’re a Google Pixel or Nexus user, you’re in luck, as you should expect to receive all of these security updates within the next two weeks, so be sure to install them right away.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/gMTWc-rmn3M/

Suspected Dark Web drug dealer undone by his own beard

He’s no Pablo Escobar, the Miami Herald points out.

Agreed. He’s far more hirsute: the suspected dark web drug dealer arrested on his way to a worldwide beard contest on 31 August 2017 has a forest of flaming red fur spilling out of his chin and down to his bellybutton.

But if charges stick, it looks like the US Drug Enforcement Administration (DEA) has netted somebody who has one thing in common with the Colombian narcoterrorist: he’s allegedly a modern-day, dark web hidden version of the drug lord.

According to an affidavit (PDF) filed by the US Drug Enforcement Administration (DEA) in September 2017, 38-year-old Gal Vallerius, also allegedly known as OxyMonster, is a five-star-rated drug dealer and admin on a dark web marketplace called Dream Market that’s hidden on The Onion Router (Tor).

Dream Market is your typical dark web marketplace: it’s an eBay-like market for drugs such as meth, heroin, fentanyl and cocaine; drug paraphernalia; hacked passwords; and services such as hacking or counterfeit passports.

Since at least February 2016, DEA agents have gone undercover to buy a slew of drugs – 100 sheets of LSD, 28 grams of crystal methamphetamine and more – and had them shipped to Florida. The vendors’ names on the marketplace include MethForDummies, ReximusMaximus, and OxyMonster, who’s not only a seller but an administrator and senior moderator on Dream Market.

According to the affidavit, OxyMonster’s profile says he works out of France but ships OxyContin and Ritalin to anywhere in Europe and to the US. In his admin role, he’s been very helpful to customers: he’s dealt with complaints, provided tips on staying anonymous on the dark web, and posted the names of Dream Market’s official staff.

That’s great for customers. Not so great when it comes to racking up conspiracy charges, though. From the affidavit:

OxyMonster knowingly participated in the Dream Market conspiracy not only as a vendor, but also in a leadership and organizational role as a senior moderator and administrator.

Agents – DEA agents were joined in the investigation by the FBI, the IRS, Homeland Security Investigations (HSI), and the United States Postal Inspection Service (USPIS) – linked OxyMonster with Vallerius in a few ways over the course of the investigation. For one thing, they compared Vallerius’ writing style on his public Instagram and Twitter accounts to OxyMonster’s forum posts on Dream Market and found many similarities, such as use of the word “cheers,” double exclamation marks, frequent use of quotation marks, and intermittent French posts.

The other thing that connected OxyMonster with Vallerius was the use of his real email address to accept payments. The agents tracked incoming and outgoing transactions from a bitcoin address associated with sales on the site and discovered that most of them went to Vallerius on Localbitcoins.com.

But it was the beard contest that really tripped him up in the end.

On 31 August, Vallerius left France to travel to the US for the first time ever. He came over to attend the finals of the World Beard and Moustache Championships in Austin, Texas.

But upon his arrival at Atlanta International Airport, he was detained for a border search. That’s where agents found what they say is confirmation that Vallerius was OxyMonster: he had the Tor browser installed on his laptop, what seemed to be login credentials for Dream Market, $500,000 worth of bitcoin, and a PGP encryption key labelled “OxyMonster” that matched the one advertised as belonging to OxyMonster on Dream Market.

According to the Miami Herald, Vallerius chose not to contest his identity and detention at a court hearing in Atlanta. He’s expected to be transferred soon to Miami to face a new conspiracy indictment that carries up to life in prison.

This is the point where we typically mention that maximum sentences are rarely handed out. But it’s been two years since Silk Road founder Ross Ulbricht was given life without parole for his own journeys down the dark web wormhole.

Granted, Ulbricht’s drug dealing and other crimes were one thing. If it was only drugs, maybe he wouldn’t have received such a long sentence. But he also had six separate murder-for-hire incidents leveled against him. None wound up on the final charge-sheet, but the added weight of violence was thought to perhaps have had an impact on the decision to levy a heavy punishment.

The judge most certainly wanted to make an example out of him. At the time of Ulbricht’s sentencing, Judge Katherine Forrest said just that:

For those considering stepping into your shoes… they need to understand very clearly and without equivocation that if you break the law this way there will be very, very severe consequences.

In reality, shutting down Silk Road, locking away Ulbricht and throwing away the key hasn’t put a dent in the dark web trade of illicit goods. In fact, according to a new study, dark web marketplaces are thriving.

Media coverage of Ulbricht has actually amounted to free advertising for the business model he set up. When researcher Isak Ladegaard analyzed sales data from Agora – another large dark web market similar to Silk Road – he found that US sales doubled over the 10-month period following Ulbricht’s sentencing.

Ladegaard says the media coverage surrounding Ulbricht’s case likely made more people aware of the existence of dark web markets. They weren’t discouraged; they were intrigued:

The timing suggests that people weren’t discouraged from buying and selling drugs. The data suggests that trade increased. And one likely explanation is that all the media coverage only made people more aware of the existence of the Silk Road and similar markets.

Perhaps after this arrest the World Beard and Moustache Championships should brace itself for a surge in interest too.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/dxcqp0UBO3M/

Avast urges devs to secure toolchains after hacked build box led to CCleaner disaster

VB2017 Avast staffers spoke at the Virus Bulletin International Conference in Madrid, Spain, on Thursday to shed more light on their postmortem of the CCleaner fiasco – and urge developers to protect their software’s toolchain and distribution systems from hackers.

The widely used utility, which removes unwanted temporary files and registry keys on Windows machines, was backdoored with malicious code in August, as in, miscreants tampered with the software’s downloads to introduce a means to remotely control PCs running the code. Nearly 2.3 million computers ended up installing the dodgy version of the tool, and 40 – within companies such as Intel, VMware, Samsung, NEC and Sony – were instructed to download malicious code to commandeer the boxes. This was absolutely a highly targeted espionage caper, it appears.

The compromised CCleaner builds, such as v5.33, were distributed from August 2, and CCleaner Cloud from August 11, until August 25, and connected to a command-and-control server, used to orchestrate the malware, until September 15 when the box was taken down. The shutdown happened three days after Israeli security firm Morphisec alerted CCleaner owner Avast to the scandal. Of the millions of infected PCs, only a few received the truly nasty second-stage payload that handed the computer over to miscreants.


Piriform, the developers of CCleaner and an Avast acquisition in July, released a clean version of its code on September 13, five days before the breach was publicly disclosed on September 18. Security researchers at Cisco Talos had independently discovered backdoor code in the popular cleanup utility.

The discovery of the back passage came almost a month after the hackers behind the attack had fled the scene of their crime – specifically, Piriform’s infrastructure – it was revealed on Thursday at the Virus Bulletin conference. The miscreants “disappeared” on August 25, according to a post-breach forensic analysis by Avast. The reasons why they vanished at that point are unclear. Jakub Křoustek and Jiří Bracek, both Avast researchers, who provided the postmortem update were reluctant to speculate.

The malware injected into PCs had code similar to that found in cyber-espionage tools developed by APT17 aka Aurora, a Chinese state-sponsored hacking crew in 2014 and 2015. Forensic work by Avast has identified that operations were performed and builds created by the CCleaner hackers during the working day of the Beijing timezone.

Although many leads – some of which Avast is not ready to disclose to its peers – point to China, there is nothing conclusive about these findings. What Avast can now say is that the hacker gang infiltrated Piriform’s build server in April. This was the system used by a lead developer at the 30-person outfit to generate code before it was digitally signed. Anyone whitelisting CCleaner will have been pwned because the signatures were legit, which explains why the initial detection of the compromised utility was so poor among security software firms.

Other vendors should be wary of similar supply chain attacks, Avast warned. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/06/ccleaner_megahack_timeline/

Crazy but true – Apple’s “show hint” button reveals your actual password

It’s only eight days since Apple’s latest and greatest macOS 10.13 release, better known as High Sierra.

But the first security update has already come out, and we suggest you apply it urgently.

The update is called High Sierra 10.13 Supplemental Update, detailed in the security advisory APPLE-SA-2017-10-05-1.

There are two bugs fixed; the facepalming one is described thus:

[BUG.] A local attacker may gain access to an encrypted APFS volume. If a [password] hint was set in Disk Utility when creating an APFS encrypted volume, the password was stored as the hint.

To explain.

APFS is short for Apple File System, Apple’s new way of organising hard disks that replaces the old (but still supported) HFS Plus, a 20-year-old filing system itself derived from Apple’s Hierarchical Filing System, or HFS, that dates back to the 1980s.

By some accounts, APFS was long overdue: HFS Plus dated from the early days of Mac OS, and wasn’t really designed for the Unix core that was introduced in OS X (now macOS).

For example, HFS Plus can’t deal with dates after 2040, and doesn’t allow multiple processes to access the filesystem at the same time, making it more sluggish and less future-proof than other widely-used filing systems such as NTFS on Windows and ext4 on Linux.

New drivers, new utilities

APFS was introduced as Apple’s default and preferred filing system in High Sierra.

This means new drivers inside the operating system to support disks formatted with the new system, and new features in Apple’s disk management utilities to prepare APFS disk volumes for use.

There are two main disk management tools in macOS – the easy-to-use graphical tool Disk Utility, and the super-powerful but arcane command line program diskutil.

It turns out that the APFS support in the High Sierra version of Disk Utility has feet of clay, as we’ll show here.

  • We erased a USB disk and created a new APFS (Encrypted) volume on it.
  • Disk Utility prompted us for a password (twice) and an optional hint.
  • We entered keepthisSecret as the password and The hint should be shown as the hint.
  • Disk Utility created the encrypted volume and mounted it automatically.
  • We unplugged the USB disk and then plugged it back in, and macOS asked for the password.
  • We entered keepthisSecret and the disk was unlocked and mounted, showing that the password had been set as expected.

So far, so good, until we unplugged the device and plugged it back in:

  • Again, macOS asked for the password.
  • This time, we clicked the [Show Hint] button before entering the password.
  • The password dialog revealed that keepthisSecret has been set as the hint as well as the password.

The text The hint should be shown had, it seemed, simply been thrown away.

In other words, if you set a password hint as suggested, anyone who stole your disk could “hack” the password simply by using Disk Utility’s [Show Hint] button!

What to do?

  • If you haven’t created any new APFS encrypted volumes since upgrading to High Sierra, you are OK.
  • If you created an APFS encrypted volume but didn’t specify a hint, you are OK.
  • If you created an APFS encrypted volume using diskutil you are OK (the bug is in Disk Utility, not the operating system itself).
  • If you upgraded to High Sierra from an earlier version of macOS, your disk will have been converted to APFS, but any hint you had before is left untouched (so far as we can tell), so you are OK.
  • Apply the APPLE-SA-2017-10-05-1 Supplemental Update as soon as you can.

By the way, you can blank out the password hint on any APFS volume, just in case, with the following diskutil command in a terminal window:

$ diskutil apfs hint /Volumes/[YOURNAME] -user disk -clear
Removing any hint from cryptographic user XXXXXXXX on APFS Volume diskYsZ
$

If there wasn’t a hint, no harm is done, but you’ll see an error message like the one below. Repeating the command until you provoke that error is therefore a simple way to verify that any hint really was scrubbed:

Error editing cryptographic user on APFS Volume: 
Unable to set APFS crypto user passphrase hint (-69554)

Of course, if you had set a hint with Disk Utility, then for all you know someone who knew the [Show Hint] trick might have seen your password, so you ought to change it.

You can update the passphrase on an APFS Encrypted volume quickly and easily as follows:

$ diskutil apfs changepassphrase /Volumes/[YOURNAME] -user disk
Old passphrase for user XXXXXXXX: ..............
New passphrase: ..............
Repeat new passphrase: ..............
Changing passphrase for cryptographic user XXXXXXXX on APFS Volume diskYsZ
Passphrase changed successfully
$ 
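The clear-and-verify loop above, plus the check Disk Utility’s hint field should have enforced, as an added example (this is our own helper, not Apple’s tooling or code from the original article). It assumes the two diskutil messages quoted above are the ones to match on, and it takes an injectable command runner so the logic can be exercised with constructed output on a machine that has no diskutil; the passphrase change itself is left to the interactive command shown above.

```python
"""Scrub an APFS volume's passphrase hint and verify it is gone, plus a policy
check that a hint never reveals the passphrase (hypothetical helper)."""
import re
import subprocess
import unicodedata
from typing import Callable, List, Tuple

# Both patterns are taken from the diskutil transcript quoted in the article.
HINT_REMOVED = re.compile(r"Removing any hint from cryptographic user (\S+) on APFS Volume (\S+)")
NO_HINT_LEFT = re.compile(r"Unable to set APFS crypto user passphrase hint \(-69554\)")

# A runner takes argv and returns (exit status, stdout+stderr). It is injected
# so the loop can be tested with constructed output where diskutil is absent.
Runner = Callable[[List[str]], Tuple[int, str]]


def run_diskutil(argv: List[str]) -> Tuple[int, str]:
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.returncode, proc.stdout + proc.stderr


def scrub_hint(volume: str, runner: Runner = run_diskutil, max_rounds: int = 5) -> Tuple[bool, int]:
    """Clear the hint of the 'disk' crypto user on `volume` until diskutil
    reports there is none left (error -69554).

    Returns (hint_was_present, rounds_run). True in the first slot means a
    hint existed before the scrub, so the passphrase may have been exposed
    and should be changed with `diskutil apfs changepassphrase`.
    """
    argv = ["diskutil", "apfs", "hint", volume, "-user", "disk", "-clear"]
    had_hint = False
    for rounds in range(1, max_rounds + 1):
        status, output = runner(argv)
        if NO_HINT_LEFT.search(output):
            return had_hint, rounds           # nothing left to clear: verified
        if HINT_REMOVED.search(output):
            had_hint = True                   # a hint was there; go round again
            continue
        raise RuntimeError(f"unexpected diskutil output (exit {status}): {output.strip()}")
    raise RuntimeError(f"hint still present after {max_rounds} attempts on {volume}")


def _normalise(text: str) -> str:
    # Fold case, Unicode compatibility forms and whitespace so that
    # "KEEPTHISSECRET" or fullwidth letters cannot sneak the passphrase past.
    return "".join(unicodedata.normalize("NFKC", text).casefold().split())


def hint_is_safe(hint: str, passphrase: str, min_fragment: int = 4) -> bool:
    """Policy check (our own rule, not Apple's): a hint must not contain the
    passphrase, and a hint of `min_fragment` or more characters must not be
    a fragment of it either. Disk Utility's buggy hint would fail this."""
    h, p = _normalise(hint), _normalise(passphrase)
    if not h:
        return True                           # no hint, nothing to leak
    if p in h:
        return False                          # the bug: passphrase stored as hint
    if len(h) >= min_fragment and h in p:
        return False                          # hint gives away a chunk of it
    return True


if __name__ == "__main__":
    import sys
    vol = sys.argv[1] if len(sys.argv) > 1 else "/Volumes/Untitled"
    present, n = scrub_hint(vol)
    print(f"{vol}: hint {'was present' if present else 'absent'} ({n} diskutil call(s))")
    if present:
        print("now change the passphrase: diskutil apfs changepassphrase", vol, "-user disk")
```

Run it as `python3 scrub_hint.py /Volumes/YOURNAME` on a Mac; on any other machine, hand `scrub_hint` a runner that returns the two messages above to see the loop stop at the -69554 error. `hint_is_safe` is the guard to put in front of any code path that stores a hint next to the secret it is meant to jog your memory about.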

A bad look for Apple, letting a buggy system utility like that into a production release…

…but a creditable response by Apple in getting a fix out quickly.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/QgikTizfWhQ/

Russian spies used Kaspersky AV to hack NSA contractor, swipe exploit code – new claim

Russian government spies extracted NSA exploits from a US government contractor’s home PC using Kaspersky Lab software, anonymous sources have claimed.

The clumsy snoop broke regulations by taking the classified code, documentation and other materials home to work on using his personal computer, which was running Kaspersky’s antivirus, sources told the Wall Street Journal. It is alleged Kremlin hackers exploited the security package in one way or another to identify those sensitive files and exfiltrate them.

In effect, it means the Russian government has copies of the NSA’s tools used to exploit vulnerabilities in computer systems and equipment to spy on other nations and targets. It also means Russia can turn the cyber-weapons on American corporations, government agencies and other networks, and steal secrets, cause merry havoc, and so on.

The theft, reported today, is said to have occurred in 2015, but apparently wasn’t discovered until earlier this year. The allegedly stolen NSA code and dossiers sound an awful lot like the Shadow Brokers archive of stolen agency spyware. The brokers’ pilfered exploits date back to 2013, though.

And this case is not thought to be related to the former Booz Allen Hamilton contractor Harold Thomas Martin III who stashed classified NSA materials at his home to study. Martin was indicted in February and faces prison time for removing top-secret files from his employer’s workplace, if convicted. He denies any wrongdoing.

“Whether the information is credible or not, NSA’s policy is never to comment on affiliate or personnel matters,” an NSA spokesperson said.

Like almost all security software, Kaspersky’s software scans files on computers to look for anything matching known malware, or programs that behave in a way that looks like malicious code. It may be that the antivirus package sent the contractor’s NSA code back to a cloud service to inspect, which set off internal alarms and attracted the attention of Russian spies, or the product was tampered with to open a backdoor to the PC, or the software was remotely exploited to gain access.

The WSJ’s sources don’t say if Kaspersky was actively involved in helping hack the contractor’s computer, or if President Putin’s spies exploited vulnerabilities in the security software to silently swipe the exposed documents. And there are a lot of exploitable holes in antivirus packages for hackers to abuse.

It is also possible, under Russian law, the Kremlin instructed staff within Kaspersky to hijack the mark’s computer and extract its contents. The software maker is denying any involvement.

“Kaspersky Lab has not been provided any evidence substantiating the company’s involvement in the alleged incident reported by the Wall Street Journal on October 5, 2017, and it is unfortunate that news coverage of unproven claims continues to perpetuate accusations about the company,” the Moscow-based biz told The Register in a statement.

“As a private company, Kaspersky Lab does not have inappropriate ties to any government, including Russia, and the only conclusion seems to be that Kaspersky Lab is caught in the middle of a geopolitical fight.

“Kaspersky Lab products adhere to the cybersecurity industry’s strict standards and have similar levels of access and privileges to the systems they protect as any other popular security vendor in the US and around the world.”

The organization’s founder Eugene Kaspersky was more blunt, tweeting the following before today’s revelations hit the ‘net:

Kaspersky has repeatedly offered up its source code for officials to review since allegations that it was working with Russian intelligence surfaced a year or so ago. No evidence has ever been made public about such claims, and that didn’t stop the US government banning Kaspersky code from federal computers last month. American box-shifter Best Buy followed suit.

“It’s a lot harder to beat your opponent when they’re reading your playbook, and it’s even worse when someone on your team gives it to them. If these reports are true, Russia has pulled that off,” said US Senator Ben Sasse (R-NE), who is on the Senate Armed Services committee.

“The men and women of the US Intelligence Community are patriots; but, the NSA needs to get its head out of the sand and solve its contractor problem. Russia is a clear adversary in cyberspace and we can’t afford these self-inflicted injuries.”

Matthew Hickey, cofounder of British security shop Hacker House, told The Register that Kaspersky could well be blameless and the security software was simply doing its job. The Russian software maker has been detecting NSA malware since 2014, and this could be where the connection lies. The antivirus may have identified Uncle Sam’s powerful exploit code on the home PC, and flagged it up, possibly all the way to the FSB, Russia’s security services.

“It’s likely that the Kaspersky detection of NSA tools was somehow responsible for FSB targeting the contractor’s home computer but it doesn’t mean the company was complicit,” Hickey said.

“Kaspersky have detected many of the NSA tools being used in the wild, the FSB would surely know that, and target the company for that reason alone. The Kaspersky statement holds no punches and makes it clear they don’t cooperate with governments. I’m inclined to believe them, their software is top grade at detection of new threats, and is notoriously difficult to bypass.”

He pointed out that the alternative is that Kaspersky deliberately backdoored its own software, and handed over the keys to Putin’s snoops, putting billions of dollars of business at risk to do a favor for Russian intelligence. Occam’s razor would suggest this is unlikely.

Meanwhile, cybersecurity expert Matt “Pwn all the Things” Tait said the focus should be on the embarrassing claims that yet more dangerous NSA tools have escaped Uncle Sam’s highly secretive surveillance agency:

Senator Jeanne Shaheen (D-NH), one of Kaspersky’s most vocal critics in Congress, has few doubts. In a strongly worded statement, she condemned the company and called for the Trump administration to declassify and release the evidence it has in this case.

“The strong ties between Kaspersky and the Kremlin are extremely alarming and have been well documented for some time,” she said today. “It’s astounding and deeply concerning that the Russian government continues to have this tool at their disposal to harm the United States.” ®

PS: The Washington Post says the contractor was a US citizen born in Vietnam, and worked for the NSA’s ace hacking team, Tailored Access Operations. He was fired in 2015, and is under a federal investigation.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/05/anonymous_report_russian_spies_used_kaspersky_lab_software_to_steal_nsa_secrets/