STE WILLIAMS

Microsoft downplays alarm over Windows Defender ‘flaw’

Security researchers have uncovered what they believe is a vulnerability that allows malware to completely bypass Windows Defender. Microsoft dismissed the report, saying the technique has “limited practical applicability” (i.e. it is a low-risk threat).

The team at CyberArk Labs nonetheless claims the security shortcoming could impact tens of millions of devices running on Windows 10 and 8.1.

“In order to abuse Windows Defender,” the researchers write, “an attacker would have to implement the SMB protocol and create a ‘pseudo-server’ that can differentiate Windows Defender’s request from normal requests.”

The group goes on to explain that this creates a means to trick the system into scanning a different file from the one actually carrying the malware. Attackers could therefore execute known malware behind the pretence of a legitimate file served from a Server Message Block (SMB) share, according to CyberArk Labs: when a file served in this way is clicked, the attacker’s SMB server answers Windows Defender’s scan request with a completely different, innocuous file, so the scanner misses the malicious one, while Windows still loads the real, malicious file. The technique therefore represents a means to circumvent Windows Defender, CyberArk said.

The researchers warn the flaw could be combined with phishing in targeted attacks. CyberArk goes on to suggest that other antivirus engines might also be vulnerable while admitting it hasn’t actually tested this itself.

Fooling Windows Defender (Source: CyberArk Labs)

CyberArk writes that when it reported the “Illusion Gap” to Microsoft, the firm told it: “Based on your report, successful attack requires a user to run/trust content from an untrusted SMB share backed by a custom server that can change its behaviour depending on the access pattern. This doesn’t seem to be a security issue but a feature request, which I have forwarded to the engineering group.”

When El Reg asked Microsoft about this, it explained: “The technique described has limited practical applicability. To be successful, an attacker would first need to convince a user to give manual consent to execute an unknown binary from an untrusted remote location. The user would also need to click through additional warnings in order to grant the attacker Administrator privileges. Should the attacker successfully convince a user to carry out the manual steps mentioned, Windows Defender Antivirus and Windows Defender Advanced Threat Protection will detect further actions by the attacker.” ®

Sponsored:
The Joy and Pain of Buying IT – Have Your Say

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/28/windows_defender_flaw/

The UK isn’t ditching Boeing defence kit any time soon

Analysis The British government is publicly threatening to stop giving defence contracts to American aerospace firm Boeing – even though this is laughably unrealistic.

Both the Prime Minister and the Defence Secretary have, over the last couple of days, warned Boeing that it is undermining its relationship with the UK, in financial newswire Reuters’ words.

A trade spat between Boeing and Canada-headquartered Bombardier, whose civil aviation division is building a new airliner that threatens Boeing’s pre-eminent market position, prompted the US company to complain to US trade regulators. They slapped 220 per cent tariffs on Bombardier’s CSeries jets, which are light airliners that directly compete with the latest models of the Boeing 737.

Boeing formally accused Bombardier of receiving unfair state aid from the Canadian government, and of selling the CSeries aircraft to an American airline at below cost price. The American Federal Trade Commission, funnily enough, agreed with the American manufacturer.

The UK comes into this spat because Bombardier employs 4,200 people in Northern Ireland, of which around a thousand directly work on building CSeries wings. Hence Sir Michael Fallon, the defence secretary, said: “This is not the behaviour we expect of Boeing and could indeed jeopardise our future relationship with Boeing.”

This is nonsense. Britain’s armed forces are heavily dependent upon Boeing products, and therefore ongoing Boeing support for them. These include:

  • the C-17 Globemaster heavy transport aircraft
  • the Chinook heavy helicopter
  • the AH-64 Apache attack helicopter (but see below)
  • the RC-135 Rivet Joint airborne signals intelligence aircraft
  • the E-3D Sentry airborne radar platform
  • the Harpoon anti-ship missile (under what used to be called McDonnell Douglas, until Boeing bought them out)
  • a signed purchase order for P-8 Poseidon maritime surveillance aircraft

The Royal Air Force has no alternative to the C-17 in its fleet. The Army has no realistic alternative to the Apache attack helicopter, though its new Lynx Wildcat helicopters can mount anti-surface guided missiles. Naturally, the decades-old Sentry has no alternative in the RAF inventory. Similarly, the Rivet Joint aircraft have no long-haul RAF alternative – though, ironically, the air force does have modified Bombardier Global Express business jets performing similar duties under the service name Sentinel. These aircraft do not have the endurance of the Rivet Joints.

Alienating Boeing, therefore, would put the UK in a very difficult position. The Ministry of Defence did, in fact, do this very thing with Chinook helicopters several years ago, deciding that paying for Boeing’s own flight control software upgrades was too expensive. When the resulting homebrew upgrades failed to gain full certification from the MoD’s own military aviation regulators, however, something very interesting happened.

Boeing quietly agreed with the MoD that it would publicly carry the can for the ministry’s own cockup. Instead of admitting that it was too tight-arsed to pay for OEM software upgrades, the MoD told the world – seemingly with Boeing’s consent – that the dastardly American firm had outwitted the MoD’s contract negotiators. Of course, no such thing had happened.

Today, the UK’s ruling Conservative Party’s main political partner is the Democratic Unionist Party. The DUP not only provides the government’s majority in Parliament but has a number of seats in and around Belfast, where Bombardier’s Northern Ireland operations are headquartered. DUP MPs’ majorities there are relatively slim; two have majorities of just 2,000, in seats with more than 65,000 registered voters. In the context of an international trade spat, headlines shrieking about “thousands of jobs at risk” mean local politicians are going to be demanding the government does something, indeed anything, to reassure their voters and protect their seats.

It is entirely probable that behind the scenes, Boeing and the government have agreed that the public shouting match won’t affect defence equipment support. Indeed, given how dependent the RAF is upon Boeing products, it’s hard to see how things could be going any other way.

The UK does have a little leverage: as the London bureau chief of Aviation Week magazine noted, only 38 of the UK’s 50 Apaches have been contracted: the final 12 are worth, very approximately, half a billion pounds or so. In addition, the MoD very recently (and very quietly) decided it wouldn’t bin the ageing Harpoon system next year after all, though that decision could easily be reversed. Boeing does offer upgrades to Harpoon, which doubtless have been offered to the UK.

Aside from that, though, all these high-level turds being flung at Boeing by Britain are unlikely to represent reality. With the UK defence budget as critically overstretched as it is, Boeing only has to threaten to raise prices in order to quieten British objections to its commercial behaviour. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/28/britain_boeing_bombardier_brouhaha/

iOS apps can read metadata revealing users’ location histories

In what looks like an Apple oversight, a developer has discovered that apps can access image metadata and therefore a pretty good history of iThing users’ location.

Felix Krause, founder of Fastlane.Tools, reported the issue here and explains that “If an app gets permission to access the image library, it will get full access to all image metadata also, including the exact location.

“This is a serious privacy issue, as third party camera apps that want to just store a picture the user took, will also get full access to all photos and their locations in their image library.”

It’s ridiculously easy to grab user image metadata after that:

```objective-c
#import <Photos/Photos.h>

// Needs only the ordinary photo-library permission (NSPhotoLibraryUsageDescription);
// no separate location permission is requested for what follows.
PHFetchResult *photos = [PHAsset fetchAssetsWithMediaType:PHAssetMediaTypeImage options:nil];

for (PHAsset *asset in photos) {
    if ([asset location]) {
        // asset.location is a CLLocation: coordinate, altitude, speed and timestamp.
        // The full image bytes and remaining EXIF (camera model, etc.) can be
        // requested for the same asset through PHImageManager.
    }
}
```

In his proof-of-concept at GitHub, Krause explains he “built the initial prototype within under an hour”.
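What an app actually receives once it has that permission is the EXIF/TIFF block inside each image, and the GPS sub-IFD within it is the same location data that Photos surfaces as asset.location. The following is an added example, not Krause’s proof of concept and not Apple’s API: a small Python parser that walks a JPEG’s APP1 segment, finds the GPS sub-IFD and converts the degrees/minutes/seconds rationals into decimal coordinates. The JPEG it parses is constructed inside the block (build_sample_jpeg) with made-up coordinates; run gps_from_jpeg on the bytes of any real photo to see whether it carries a location fix.

```python
import struct

# EXIF/TIFF constants used below (tag numbers from the TIFF and EXIF GPS specs)
TAG_GPS_IFD = 0x8825
TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON = 0x0001, 0x0002, 0x0003, 0x0004
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5


def _dms_rationals(deg, minutes, seconds):
    # three RATIONALs: (numerator, denominator) pairs of unsigned 32-bit ints
    return struct.pack("<6I", deg, 1, minutes, 1, seconds, 1)


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed test data: a minimal JPEG whose APP1 segment holds a little-endian
    TIFF block with IFD0 pointing at a GPS IFD. Not derived from any real photo."""
    tiff_hdr = b"II" + struct.pack("<HI", 42, 8)               # byte order, magic, IFD0 offset
    # IFD0: one entry pointing at the GPS IFD, which starts at byte 26 (8 + 2 + 12 + 4)
    ifd0 = struct.pack("<H", 1) + struct.pack("<HHII", TAG_GPS_IFD, TYPE_LONG, 1, 26) + struct.pack("<I", 0)
    gps_ifd_off = 26
    data_off = gps_ifd_off + 2 + 4 * 12 + 4                   # 80: where the out-of-line RATIONALs live
    entries = [
        struct.pack("<HHI4s", TAG_LAT_REF, TYPE_ASCII, 2, lat_ref + b"\0\0\0"),
        struct.pack("<HHII", TAG_LAT, TYPE_RATIONAL, 3, data_off),
        struct.pack("<HHI4s", TAG_LON_REF, TYPE_ASCII, 2, lon_ref + b"\0\0\0"),
        struct.pack("<HHII", TAG_LON, TYPE_RATIONAL, 3, data_off + 24),
    ]
    gps_ifd = struct.pack("<H", len(entries)) + b"".join(entries) + struct.pack("<I", 0)
    tiff = tiff_hdr + ifd0 + gps_ifd + _dms_rationals(*lat_dms) + _dms_rationals(*lon_dms)
    app1_payload = b"Exif\0\0" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(app1_payload) + 2) + app1_payload
    return b"\xff\xd8" + app1 + b"\xff\xd9"


def _find_exif(jpeg):
    """Walk the JPEG marker segments and return the TIFF block from an APP1/Exif segment."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker == 0xD9:                                    # EOI: nothing more to read
            break
        seg_len = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]  # length includes its own 2 bytes
        payload = jpeg[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and payload.startswith(b"Exif\0\0"):
            return payload[6:]
        pos += 2 + seg_len
    return None


def _read_ifd(tiff, off, endian):
    """Return {tag: (type, count, 4-byte value/offset field)} for the IFD at `off`."""
    count = struct.unpack(endian + "H", tiff[off:off + 2])[0]
    entries = {}
    for i in range(count):
        e = off + 2 + 12 * i
        tag, typ, n = struct.unpack(endian + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, n, tiff[e + 8:e + 12])
    return entries


def _decode(tiff, endian, typ, n, value_field):
    """Decode the three TIFF types the GPS IFD needs; values > 4 bytes are stored out of line."""
    if typ == TYPE_ASCII:
        raw = value_field[:n] if n <= 4 else tiff[struct.unpack(endian + "I", value_field)[0]:][:n]
        return raw.split(b"\0", 1)[0].decode("ascii")
    if typ == TYPE_LONG:
        return struct.unpack(endian + "I", value_field)[0]
    if typ == TYPE_RATIONAL:
        off = struct.unpack(endian + "I", value_field)[0]
        vals = struct.unpack(endian + f"{2 * n}I", tiff[off:off + 8 * n])
        return [vals[i] / vals[i + 1] for i in range(0, 2 * n, 2)]
    raise ValueError(f"unsupported TIFF type {typ}")


def gps_from_jpeg(jpeg):
    """Return (latitude, longitude) in decimal degrees, or None if the image has no GPS IFD."""
    tiff = _find_exif(jpeg)
    if tiff is None:
        return None
    endian = "<" if tiff[:2] == b"II" else ">"
    ifd0 = _read_ifd(tiff, struct.unpack(endian + "I", tiff[4:8])[0], endian)
    if TAG_GPS_IFD not in ifd0:
        return None
    gps_off = _decode(tiff, endian, *ifd0[TAG_GPS_IFD])
    gps = {tag: _decode(tiff, endian, *v) for tag, v in _read_ifd(tiff, gps_off, endian).items()}

    def to_decimal(dms, ref):
        d, m, s = dms
        val = d + m / 60 + s / 3600
        return -val if ref in ("S", "W") else val

    return (to_decimal(gps[TAG_LAT], gps[TAG_LAT_REF]), to_decimal(gps[TAG_LON], gps[TAG_LON_REF]))


# Constructed sample: 51°30'26"N, 0°7'39"W (made-up fix, not from a real device)
SAMPLE_JPEG = build_sample_jpeg((51, 30, 26), b"N", (0, 7, 39), b"W")
```

An image with no GPS IFD makes gps_from_jpeg return None, which is the check an upload or sharing path should make before an image leaves the device; everything else in the EXIF block (timestamps, camera model, lens) sits in the same structure and is read the same way.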

The entire EXIF data set is available to an app with permission to access the image library, so it’s more than just a user’s location. Krause gives the following list:


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/28/ios_image_metadata_location_leaks/

TalkTalk once told GCHQ: Cyberattack? We’d act fast – to get sport streams back up

Updated Prior to its disastrous 2015 mega hack, UK ISP TalkTalk had told British spies at GCHQ that should an attack occur, its main focus would be to restore “online sports streaming”, according to the head of operations at the country’s National Cyber Crime Unit.

Speaking at the Cyber Security in Healthcare event in London, Mike Hullett said all the major telcos had been surveyed by the spooks prior to the hack that affected 157,000 TalkTalk customers’ personal details.

“They were all asked what they would need to stand up after an attack,” he said. TalkTalk responded that its priority was its live sports streaming, as it was most concerned about maintaining a competitive advantage against BT. “That is a company with its priorities wrong.”

It transpired that just before the hack, the company had been advertising for an information security officer.

Former boss Dido Harding later told MPs there was no specific line manager for cybersecurity, as the responsibility cuts across multiple roles in the company.

The company estimated the attack cost it £42m. Since then it said it has “substantially” increased its investment in cybersecurity, and has appointed a chief information security officer.

Hullett said he did not have the data to hand as to how other companies responded to GCHQ, but said it was important to add that TalkTalk was still a victim.

“The other point to make is that if an attack against a big high-profile company happens [people think] it must be high-end actors in place, but that is not necessarily the case.”

Earlier this year, Matthew Hanley, 22, and Connor Douglass Allsopp, 20, both from Tamworth, pleaded guilty to the 2015 attack.

Allsopp admitted to police that he had supplied details on the vulnerabilities in TalkTalk’s website that were exploited to get to the customer records.

The Register has asked TalkTalk for a comment. ®

Updated to add

A spokesperson for TalkTalk has been in touch to say:

We do not recognise these comments. Our biggest security priority has always been protecting our customers.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/27/talktalk_told_gchq_resuming_sports_streaming_main_focus_prior_to_mega_attack/

Alleged dark web drug baron cuffed – after he flew to US for World Beard Championships

A French national and suspected online drug dealer has been collared by US government agents – after he flew to America for the World Beard and Mustache Championships.

Gal Vallerius, 38, was arrested on August 31 after he landed in the States to attend the contest. US Drug Enforcement Administration officials searched his laptop and, it is claimed, uncovered some interesting evidence. The agents alleged they discovered about $500,000 – split 50/50 in Bitcoin and Bitcoin Cash – on the computer, plus Tor installed and PGP crypto-keys for someone calling themselves OxyMonster.

OxyMonster is a term of interest for Uncle Sam’s drugs squad: the moniker is used by a major player in the Dream Market narcotics souk found on the dark web. The DEA has been investigating the bazaar, hidden within the anonymizing Tor network, for over a year and had identified OxyMonster as both an administrator and senior moderator on the site – and also a major seller of OxyContin and Ritalin.

According to court documents [PDF] filed in Florida earlier this month, for the past year and a half, agents in the Sunshine State have been buying small quantities of drugs from the Dream Market, including 100 tabs of LSD, 11 tablets of hydrocodone and 28 grams of crystal meth.


Having established themselves as legit buyers on Dream Market, the g-men dug deeper and identified OxyMonster as a site kingpin. His profile showed that he joined on May 10, 2015, and was an active participant.

“OxyMonster’s vendor profile featured listings for Schedule II controlled substances Oxycontin and Ritalin,” testified DEA agent Austin Love. “His profile listed 60 prior sales and five-star reviews from buyers. In addition, his profile stated that he ships from France to anywhere in Europe.”

OxyMonster has a Bitcoin tip jar for satisfied customers, and investigators claim they found that 15 of the 17 outgoing transactions from the jar went to a Localbitcoins.com account registered to Gal Vallerius. The agents then searched Twitter and Instagram to see if Vallerius was posting on social media as well.

He was, and his writing style on both social accounts was compared with more than 1,000 comments OxyMonster had made on Dream Market. The indictment claimed Vallerius and OxyMonster both made repeated use of the word “cheers,” double exclamation marks, frequent quotation marks, and “intermittent French posts.”

Based on this evidence, a warrant was issued for his arrest, and Vallerius was a marked man. When he made his first-ever trip to the US to attend the 2017 World Beard and Mustache Championships, he was arrested at Atlanta airport in Georgia before he could catch a connecting flight to the contest in Austin, Texas.

Armed with the contents of his laptop, the DEA has now charged Vallerius with conspiracy to distribute controlled substances including cocaine, fentanyl, methamphetamine, LSD, and oxycodone in violation of Title 21, United States Code, Section 846. He faces the possibility of life in prison if convicted. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/27/suspected_dark_web_druggie_cuffed/

Signal taps up Intel’s SGX to (hopefully) stop contacts falling into hackers, cops’ hands

Encrypted call and messaging app Signal gets a lot of love in the security community. Now its developers have decided to toughen it up even more to avoid the possibility of it being turned against its users.

Signal prides itself on being secure for netizens by taking the bare minimum of information from them to function – but it does need access to your contacts to reveal who is messaging or calling. You can shut down the app’s access to contacts and it’ll still function, but you’ll have to recognize for yourself the raw numbers to identify who is getting in touch.

Crucially, Signal seeks to connect you and your friends, relatives, colleagues and other contacts who also use the app. If you install the software, and let it access your address book, it will identify any contacts who have also installed the application.

To do this, the application sends your contacts’ numbers to its backend servers. It calculates the SHA256 hash for each number, and uploads truncated copies of the hashes to Signal’s systems. Those backend machines use the hashes to link contacts. In other words, if Emma and Julie both have each others’ numbers on their Android phones, and both install Signal for secure end-to-end encrypted chat, Signal’s systems can flag up to both of them that they are available on Signal.

While this is a pretty solid system, it’s possible that if someone hacked the Signal servers, or a government seized control of the operation, they could work out everyone’s associates by obtaining and studying the hashes. This could be done by infecting the machines with malware, or otherwise using the host operating system to spy on incoming data from users.

Due to the relatively limited number of phone numbers, it’s possible to calculate, say, all the possible truncated hashes for US cellphone numbers and use these to convert Signal’s hashes into numbers and therefore individual people.
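To make that brute-force argument concrete, here is an added example in Python; it is not Signal’s or Open Whisper Systems’ code. It assumes a truncation length of 10 bytes, which the article does not state, and builds its lookup table over a constructed block of 10,000 numbers under a made-up prefix so it runs in well under a second. The same loop extended over the roughly 10^10 numbers of the North American numbering plan is exactly what an attacker holding the uploaded hashes would precompute; truncating or salting with a public value does not change the arithmetic, because the input space, not the hash, is what is small.

```python
import hashlib

TRUNC_BYTES = 10  # assumed truncation length; the article only says "truncated"


def truncated_hash(e164: str, nbytes: int = TRUNC_BYTES) -> bytes:
    """What a client would upload: the first `nbytes` of SHA-256 over the E.164 number."""
    return hashlib.sha256(e164.encode("ascii")).digest()[:nbytes]


def build_lookup(prefix: str, width: int, nbytes: int = TRUNC_BYTES) -> dict:
    """Precompute truncated hashes for every number `prefix` + zero-padded `width`-digit suffix.

    The table maps hash -> number, so inverting an uploaded hash is a dictionary lookup.
    For a real attacker the prefix would be every assigned area/exchange code.
    """
    table = {}
    for n in range(10 ** width):
        number = f"{prefix}{n:0{width}d}"
        table[truncated_hash(number, nbytes)] = number
    return table


def recover_numbers(uploaded: list, table: dict) -> list:
    """Map each uploaded hash back to a number, or None when it falls outside the table."""
    return [table.get(h) for h in uploaded]


def collision_free(table: dict, expected: int) -> bool:
    """10 bytes (80 bits) leave essentially no collisions over 10^10 inputs, so the
    inversion is unambiguous; this checks that claim for the constructed table."""
    return len(table) == expected


def demo() -> list:
    # Constructed address book: made-up numbers under a reserved-looking 555 prefix.
    contacts = ["+15550100042", "+15550107321", "+15550109999"]
    uploaded = [truncated_hash(c) for c in contacts]      # what the server sees
    table = build_lookup("+1555010", 4)                   # 10,000 candidate numbers
    return recover_numbers(uploaded, table)


if __name__ == "__main__":
    print(demo())
```

The point of the exercise is that the server (or whoever controls it) never needs to "break" SHA-256: it enumerates the possible inputs once and then recovers every contact list sent to it by lookup, which is why Signal moved the matching into an enclave rather than trying a different hash.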


In a blog post Tuesday, Moxie Marlinspike – the dreadlocked security advocate who founded Open Whisper Systems (OWS), which makes Signal – explained that this situation wasn’t ideal. Ultimately Signal needs to be bulletproof.

“We simply don’t want people to have to trust us,” he said. “That’s not what privacy is about.”

To avoid hashes falling into the wrong hands, Signal is using technology from Intel – specifically its Software Guard Extensions aka SGX. Introduced in 2013, SGX is intended as a tool to support anti-piracy and anti-copying mechanisms, among other things. Signal will process hashes within SGX enclaves in hardware-encrypted RAM on its backend servers. This should, in theory, mean the hashes can’t be read by anyone who has infiltrated the box – not the OS nor any other programs running on the system. This should stop cops taking over a machine and keeping it running to inspect the hashes.

The contacts are also stored in an “oblivious” hash table: a data structure that is slower than an ordinary table because it is built to hide which entries are being touched, so that an observer watching memory accesses cannot deduce its contents or layout. Here’s the recipe, according to Marlinspike:

SGX isn’t perfect. There have been proof-of-concept attacks that break an enclave’s confidentiality, particularly by observing its memory and cache access patterns to infer the data it is processing, so OWS is taking extra precautions against exactly that. That’s what the cache observations in the recipe refer to. It’s estimated that an attacker would need a few million bucks to crack SGX outright, which is within the budgets of the NSA, FBI et al – so a rich attacker could defeat all the above defenses, anyway.

The code has now been put online so that it can be checked and verified over the next few months before being rolled out. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/27/signal_turns_to_intels_sgx_to_lock_down_contacts_from_spying_eyes/

Companies Push to Decode Cloud Encryption

Businesses buckle down on encryption as it becomes table stakes for securing data in the cloud.

Encryption has become less of a nice-to-have and more of a must-have as companies determine how to best protect their cloud-based data. Cloud providers are taking note and integrating encryption to stay competitive among security-savvy customers.

In the past, businesses have put off encryption because it took up a lot of time and resources, explains Marty Puranik, CEO at Atlantic.net. Now, as breaches regularly make headlines, more are buckling down on data security and providers are adjusting their services to help. In industries like healthcare, leaving data unencrypted isn’t an option.

“There are lots of compromises in the news and companies don’t want to have that happen,” he explains. “A lot of best practices are actually becoming requirements as the industry matures and standards form.”

How providers are simplifying encryption

Cloud providers large and small are buckling down on security to win customers’ trust, says Adrian Lane, CTO and analyst at Securosis. “They need to make sure they’re secure because nobody trusts cloud vendors at first,” he explains. “A way to differentiate their service is to be more secure than on-prem.”

Microsoft recently updated its service with Azure confidential computing. This will encrypt data in use in the public cloud, which has so far lacked this level of security. People can maintain control over their data while it’s processed in the cloud, protecting it from threats like malicious insiders with administrative privilege, or third parties accessing it without their consent.

It makes sense in the broader context of Microsoft’s approach to security, which Evident.io CEO Tim Prendergast describes as “hardened by default.” If users want to make information accessible to others, they have to open it themselves. The idea is to give people a more secure cloud environment by default so they don’t have to figure it out themselves.

Amazon is different, he continues. The company provides encryption and management tools, but the customer has to be able to properly implement and run them. It’s easy for someone to start playing with a project that spreads into production, bringing data into an insecure place – an issue he says contributed to the AWS data leaks in recent news.

The encryption trend isn’t only popular among tech giants. Cloud companies like Atlantic.Net and Fortanix have also begun to jump on the encryption trend. The former recently began encrypting all user data by default; the latter encrypts data while applications are using it.

Encryption challenges and mistakes

Several factors have hampered the growth of encryption, says Adrian Lane, CTO and analyst at Securosis. For starters, it’s expensive. Security teams struggle to justify technologies that aren’t directly tied to revenue and whose benefit shows up in the long term rather than the short term.

“Over the years, cost justification was the biggest impediment,” he explains. “Businesses didn’t see a big enough risk to procure and pay for encryption.”

Some held back because they feared they would lose their encryption key and as a result, lose all of their data. Complexity proved another obstacle; businesses could easily encrypt their databases but didn’t know how to leverage decryption for file access.

“There is overhead, and it is more work,” says Puranik. “If [encryption] wasn’t something required in the past, people didn’t do it. Now it has become more common.”

This isn’t to say security teams don’t make mistakes when they encrypt their data. One major error Lane frequently sees is trying to bolt application-level encryption onto older legacy applications.

“If you want to be the most secure, you implement [encryption] within an application so the app itself manages its own keys, can determine which users and which circumstances can see decrypted data, and decrypt the data itself,” Lane says. “It’s the most secure use case itself, but implementing that into the application is really hard.”

Some businesses neglect to encrypt data at rest, which Evident.io CEO Tim Prendergast describes as a severe oversight.

“There’s no excuse not to encrypt data at rest,” he notes. “It doesn’t make any sense unless you just don’t care about the data … and some people don’t.” This mistake has led to data compromise at major companies including Viacom and FedEx.

The issue of bring your own key (BYOK) is also critical, Lane adds. Many companies use multiple clouds and as more turn to different cloud providers, it will be important to use a consistent multicloud key management approach so they can use their keys for various providers.

If you don’t trust the vendor or think a malicious actor could access keys, you might want to do BYOK, he says. In some cases, you may not even want to leverage native cloud key services at all.

The case for encrypting everything

When businesses decide which data gets encrypted, they prioritize sensitive data like personal financial records and health information. While this arguably makes sense, what’s considered “important” data varies from person to person.

What doesn’t get encrypted? Puranik points to metadata; for example, customer logs containing information on the websites they visit and options they prefer. This data is often kept on the back burner, unencrypted, and many businesses don’t realize its value to attackers.

He points to social media, which is a treasure trove of data that may seem harmless in small chunks but when pieced together, can paint an accurate picture of someone’s life. While he abstains from Facebook and LinkedIn, Puranik explains how both networks can generate data on him based on account holders who ask him to join.

“Is that data relevant? Well, it’s not a Social Security Number or driver’s license, but in a way, it’s a digital fingerprint,” he says. An attacker could use this data to, for example, launch a targeted phishing attack by sending a fraudulent email and claiming to know one of his contacts.

Consumers and end users want everyone to encrypt everything, explains Prendergast. While the operational cost used to make companies say “we’ll do that later,” now, they have no excuse.

“It’s table stakes,” he says.


Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University.

Article source: https://www.darkreading.com/cloud/companies-push-to-decode-cloud-encryption/d/d-id/1330000?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Caterpillar Eyes Competitive Edge with Connected Asset Security Program

Launches program to incorporate security by design and a strategic governance policy across all of its IoT products.

Caterpillar’s security is undergoing a metamorphosis, following its launch earlier this year of its Connected Asset Security program.

Over the past five years, Caterpillar has provided “tactical” security for its remote-controlled equipment used in its three areas of business – construction, resources, and energy and transportation, says Joseph Zacharias, global head of information security engineering at Caterpillar.

But earlier this year, as part of its Connected Asset Security program, the heavy-equipment manufacturer approved plans to inject a strategic governance policy across all of its IoT products and require a security by design approach, said Zacharias, a speaker at the (ISC)² Security Congress convention in Austin, Texas.

Security by design requires the security team to be brought into the mix when the product is undergoing the design phase, rather than “bolting it on later,” explained Zacharias.

As part of the Connected Asset initiative, Caterpillar is piloting a predictive analytics platform that is designed to gather data from the sensors on its products that are in operation, aggregate the information, then notify users of a potential equipment failure prior to it occurring as a safety measure.

The predictive analytics platform will be another service offering, one that builds on the equipment monitoring and remote control services Caterpillar already provides.

“The Connected Asset Security program will give us a competitive advantage,” Zacharias said.

Selling Security to the Board

In order to put these Connected Asset Security plans into action, Caterpillar’s CIO went to the company’s board of directors and outlined why it would be important to move forward with an enterprise-wide security policy, how vulnerabilities could harm the company’s reputation, and noted how much of what was being asked of the board was already being done informally.

The outcome was an easy sell to the board, Zacharias said.

“If you provide IoT devices, it’s important to show the business value of securing the connected devices,” he explained. “You need to talk about the safety, quality, and security of the IoT devices and how security can also be used as a competitive advantage.”

He added it’s also important to get management to buy into the notion that internal IoT devices should be managed and viewed as another endpoint that should be secured.

The program received a $13.8 million budget, and although there is funding put in place, Zacharias says it has been difficult to hire the needed IT security staff. As a result, it has extended the two-year program by an additional six months to address the 40 projects that need to be deployed.

“It’s been a challenge. We now have 14 projects running simultaneously,” said Zacharias.


Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET’s …

Article source: https://www.darkreading.com/iot/caterpillar-eyes-competitive-edge-with-connected-asset-security-program/d/d-id/1330001?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Malware Investigation Leads To Sophisticated Mideast Threat Network

The infrastructure behind a web shell used in an attack earlier this year suggests methodical and purposeful threat actors, Palo Alto Networks says.

A security vendor’s investigation into the source of malware that was used in a recent security incident involving a Middle Eastern organization has revealed just how sophisticated and interlinked modern cyber attack infrastructures have become.

For the past several months, researchers at Palo Alto Networks have been investigating a web shell dubbed TwoFace that was used in the Mideast incident to remotely access the victim’s network and establish a persistent point for lateral movement.

In following IP addresses associated with the TwoFace attack, the researchers stumbled upon a much larger-than-expected adversary network that included multiple compromised websites, credential harvesting systems, command-and-control servers and post-exploitation tools.

Several of the credential harvesting websites were crafted to be identical replicas of legitimate websites belonging to organizations in Israel. The credential harvesting sites included those that purported to belong to the Institute of National Security Studies, a national security think tank, Tel Aviv University, strategic consulting firm Macro Advisory Partners, and the Hebrew University of Jerusalem.

The researchers also discovered a significant link between the operators of the TwoFace campaign and those behind OilRig, a campaign whose malware was used in a major data theft operation targeting airline, financial services, government, and critical infrastructure organizations in Saudi Arabia last year.

Palo Alto Network researchers are still unraveling the full extent of the links between the two campaigns. But they have already found several overlaps in the targeting of organizations throughout the Middle East.

One possible scenario is that both OilRig and TwoFace are being used in conjunction to break into and infect systems on target networks and to enable additional post-exploitation tools to be uploaded to them, the researchers said. “While we cannot be absolutely certain that this is the same adversary in both attacks, we are able to ascertain that this specific entity does have access to OilRig tools,” they noted.

Christopher Budd, senior threat communications manager at Palo Alto Networks, says the findings are important considering the extent to which the Middle East has become a hotbed of threat activity in recent times. “It’s significant because we don’t have a total picture of the scope and scale of these operations yet,” Budd says. “It’s like pulling on a thread; the more we pull, the more it unravels.”

Palo Alto Networks’ research showed that the networks of some victims of the two campaigns have been added as part of the attack infrastructure. For instance, one of the IPs interacting with the TwoFace web shell belonged to the Ministry of Oil of a Middle Eastern country. The IP address not only communicated with the TwoFace shell but was also used to upload post-exploitation tools to the network of a MidEast educational institution.

Budd says Palo Alto Networks researchers have been following these investigations for one-and-a-half years and have begun to gain better visibility of the operations of the threat actors behind OilRig and TwoFace.

“We see threat actors who are methodical in their approach,” he says. “We also see threat actors that are purposeful in their approach. Our research traces these threat actors back to at least May 2016 and the infrastructure we’ve found takes time to assemble, deploy, and maintain.”

There’s a lot more that remains to be uncovered, he says. “The important thing is the more we understand, the more we can share that information so everyone can better prevent attacks,” he says. The key takeaway from the research is that attacks don’t just “happen,” Budd noted. “There is planning and staging, infrastructure, and logistical work involved in attacks.”


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/malware-investigation-leads-to-sophisticated-mideast-threat-network/d/d-id/1330002?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Instagram now lets you block people from commenting on your posts

Instagram’s user base has grown to 800 million, with 500 million using it every day, it said on Tuesday.

With that kind of burgeoning user population, it’s important to keep the space as safe and as kind as possible, the company says. That’s why Instagram has introduced the ability to control which people – or which groups of people – can comment on your photos and videos.

A year ago, Instagram gave users the ability to filter comments on their posts.

It made sense: just like other social media apps such as Twitter, Instagram has been trying to figure out how to serve its burgeoning, highly diverse, occasionally boisterous and all too often cyberbullying user base without too many restrictions, while still maintaining an environment that’s as kind as possible (and that doesn’t stop people from using the service or signing up).

On Tuesday, it put more muscle into comment filtering by giving users the ability to restrict which people are allowed to comment on their posts.

It’s about kindness, Instagram Co-Founder and CEO Kevin Systrom said on the company’s blog:

Today, we’re announcing new tools and programs to keep Instagram a safe and positive place for self-expression. Since the beginning, we’ve tried to make Instagram a welcoming place for everyone.

As of Tuesday, owners of public accounts got a new way to choose who can comment on their posts, be they everyone or groups of people, such as the people you follow or who follow you. Also, regardless of whether their accounts are public or private, users are now able to block specific users.

Instagram also introduced more tools to clean up the place.

In June, it had launched a filter to block certain offensive comments in English. On Tuesday, it expanded the filter to Arabic, French, German and Portuguese. Instagram promises that the filter will improve over time, as the community uses it.

Instagram, which is owned by Facebook, is also now mirroring its parent company by introducing anonymous reporting for livestreams. If you see live video from somebody who’s depressed or needs support, you’ll be able to report it anonymously. The person will then be presented with a message offering help, including the options of talking to a helpline, reaching out to a friend, or getting other tips and support.

Instagram says it’s got teams working around the clock and around the world to help out.

This is an important move: as it is, live murder and suicide videos are spreading online, with videos showing Facebook users taking their own lives, or the lives of others, despite pleas from viewers.

If you ever find yourself watching such a Facebook Live video, here’s how to report it:

  1. Click the scroll-down menu in the top right of the post
  2. Click Report post or Report photo
  3. Select the option that best describes the issue and follow the on-screen instructions

Instagram, for its part, has taken over Facebook’s former position as No. 1 worst online social media platform for cyberbullying, according to the UK anti-bullying charity Ditch the Label’s annual survey, which consulted over 10,000 young people between the ages of 12 and 20.

Does the world really need hashtags like #loser, #whatnottowear and #ugly?

No, it does not.

In an effort to make Instagram safe, welcoming, and a whole hell of a lot less toxic than hashtags like those above make it, Instagram plans, over the next few months, to turn cities around the world into “colorful murals inspiring #KindComments.”

Visit a wall, take a photo or video and share a #KindComments to make someone’s day. You can also participate by using a new kindness-themed heart-shaped sticker. Both the murals and stickers are created by artists from the global community.

Heart-shaped stickers: will they make a difference?

It’s worth a try. Kudos to Instagram for trying.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/xPTKIWH-BfQ/