STE WILLIAMS

Malware writer offers free trojan to hackers, with one small drawback

Those looking on the dark web for malware capable of hijacking computers might have thought they were getting a bargain when a free trojan appeared on various online souks over the past few months.

The malware generator, dubbed the Cobian remote access trojan (RAT) by researchers at security shop Zscaler, is a fairly elemental bit of code and is based around the njRAT that surfaced around four years ago. It comes with all the usual bells and whistles – a keylogger, webcam hijacker, screen capturing and the ability to run your own code on an infected system.

But the Cobian RAT also has a secondary payload built in, hidden in an encrypted library. Once activated, it allows the original author of the malware to take control of any computers infected by the attack code and, if necessary, cut off the criminal who caused the infection in the first place.

“It is ironic to see that the second level operators, who are using this kit to spread malware and steal from the end user, are getting duped themselves by the original author,” said Zscaler’s advisory on Thursday. “The original author is essentially using a crowdsourced model for building a mega Botnet that leverages the second level operators’ Botnet.”

The secondary payload communicates with a preset page on Pastebin to get the current address of the command and control servers run by the original writer. But the malware checks first to see if the second level operator is online, in which case it keeps quiet to avoid detection.

It’s likely the original author won’t automatically cut off the second level operator for fear of alerting that person. Instead it’s in the author’s interests to encourage as many infections as possible and to run a massive botnet without the bother of distributing the malware necessary to build a zombie army.

It’s a logical thing to do when you think about it, and the thought of all those lower-level malware operators doing the hard work for nothing won’t exactly bring salt tears to our eyes. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/31/free_trojan_for_hackers/

Is your email in the latest cache of 711 million pwnd addresses?

It’s never good news to receive an alert from the Have I Been Pwned? (HIBP) project but it’s better to know than not.

Founded by Troy Hunt after the historically embarrassing Adobe breach of 2013, HIBP is a database of breached, scraped and otherwise stolen email accounts that lets anyone check whether theirs is known to be circulating among cybercriminals.

Vast numbers are, and to this total we can now add another 711m, recently discovered by a researcher called Benkow in an unsecured state inside text files on a Netherlands-based server that has been using them to fuel the “Onliner” spambot.

This, HIBP informs me, includes an email address registered to a domain I’ve used for years, the third time the site has spotted it inside a breach cache in four years.

Should I, or anyone else receiving the same email alert from HIBP about this spam list, be worried?

Hunt sums up the cache’s mountainous size:

Just for a sense of scale, that’s almost one address for every single man, woman and child in all of Europe.

It’s true the 711m haul is the largest yet reported by the site, but some of these will have been mentioned in previous breaches, in my case Adobe (152m) and Dropbox in 2012 (68m). Aggregated from different sources, the numbers aren’t cumulative.

HIBP also describes my email address as having been “pwned” in the latest dump although, strictly speaking, it’s the sites that allowed a breach to happen that deserve to be chastised – my failing was to entrust the address to companies that failed to protect it.

More concerning is what these addresses are being used for. Much of the new cache appears to be email addresses, which means that anyone whose address appears within it will be targeted by spam including, in the case of Onliner, the Ursnif banking malware.

Because my email address appeared in previous breaches, that was already the case, so arguably I’m no worse off than before. I’m in good company at least – Hunt spotted an email address used by him mentioned twice in the cache.

Of larger concern might be the group whose passwords are included, including those apparently extracted from unsalted SHA-1 hashes that were part of the 2012 LinkedIn breach, whose troubling scale didn’t come to light until 2016.

Other files contained tens of thousands of email server credentials, including SMTP server and port configuration. Explains Hunt:

Thousands of valid SMTP accounts give the spammer a nice range of mail servers to send their messages from.

Separately, Benkow, the researcher who discovered the cache, estimates a total of 80m credentials of different kinds.

Hunt and Benkow are now trying to have the cache data removed from the site it was found on, which is still up and accessible to anyone who knows where to look. Ironically, whoever was farming this data didn’t devote much effort to keeping it to themselves.

Anyone who thinks they might be affected can check HIBP manually for their email addresses or account name. Anyone anxious about their email server credentials should change the password at the very least before going for a long, calming lie down.

Sometimes it’s better to know what’s really going on even if that knowledge is depressing or troubling. In the case of this cache, it’s that addresses, credentials and personal data have long since become a criminal commodity. This can’t be stopped or reversed, merely contained.

But at least email addresses and credentials can be changed, more than can be said for users whose names, addresses, dates of birth and social security numbers are breached. This cache of breached data looks bad – but it could be so much worse.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/HiDE_pADn9M/

Machine learning for malware: what could possibly go wrong?

Security vendors – Sophos included – continue touting the benefits of machine learning-based malware analysis. But, as we’ve written in recent weeks, it must be managed properly to be effective. The technology can be abused by bad actors and corrupted by poor data entry.

Sophos data scientists spoke about the challenges and remedies at length during Black Hat USA 2017 and BSidesLV, and have continued to do so. The latest example is an article by data scientist Hillary Sanders about the importance of proper labeling.

Sometimes, says Sanders, the labels companies inject into their models are wrong.

Dirty labels, bad results

As she put it, supervised machine learning works like this:

  • Researchers give a model (a function) some data (like some HTML files) and a bunch of associated desired output labels (like 0 and 1 to denote benign and malicious).
  • The model looks at the HTML files, looks at the available labels 0 and 1 and then tries to adjust itself to fit the data so that it can correctly guess output labels (0,1) by only looking at input data (HTML files).
  • Researchers define the ground truth for the model by telling it that “this is the perfectly accurate state of the world, now learn from it so you can accurately guess labels from new data”.

The problem, she says, is when researchers give their models labels that aren’t correct:

Perhaps it’s a new type of malware that our systems have never seen before and hasn’t been flagged properly in our training data. Perhaps it’s a file that the entire security community has cumulatively mislabeled through a snowball effect of copying each other’s classifications. The concern is that our model will fit to this slightly mislabeled data and we’ll end up with a model that predicts incorrect labels.

To top it off, she adds, researchers won’t be able to estimate their errors properly because they’ll be evaluating their model with incorrect labels. The validity of this concern is dependent on a couple of factors:

  • The number of incorrect labels in a dataset
  • The complexity of the model
  • Whether incorrect labels are randomly distributed across the data or highly clustered

In the article, Sanders uses plot charts to show examples of when things can go wrong. Those charts are in the “problem with labels” section.

Getting it right

After guiding readers through the examples of what can go wrong, Sanders outlines what her team does to get it right. To minimize the amount and effects of bad labels in their data, the team…

  • Only uses malware samples that have been verified as inherently malicious through sandbox analysis and confirmed by multiple vendors.
  • Tries not to overtrain, and thus overfit, their models. “The goal is to be able to detect never-before-seen malware samples, by looking at similarities between new files and old files, rather than just mimic existing lists of known malware,” she says.
  • Attempts to improve their labels by analyzing false positives and false negatives found during model testing. In other words, she explains, “we take a look at the files that we think our model misclassified (like the red circled file in the plot below), and make sure it actually misclassified them”.

She adds:

What’s really cool is that very often – our labels were wrong, and the model was right. So our models can actually act as a data-cleaning tool.
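The three factors listed above (amount of noise, model complexity, random versus clustered noise) and the false-positive review step in the bullets that follow can be seen in a small constructed experiment. The code below is an added illustration, not Sophos’s or the article’s own: it uses synthetic two-feature “files”, a k-nearest-neighbour majority vote as a stand-in classifier, and two noise patterns (scattered flips versus one whole relabelled family) to show how a noisy test set misreports accuracy and when a model’s disagreements can, and cannot, find bad labels:

```python
"""Constructed label-noise experiment: how mislabelled training data distorts a
malware classifier and its measured error, and how a model's disagreement with
its own labels can flag candidates for review. Features, labels and noise are
synthetic (assumptions, not Sophos data); k-NN stands in for the classifier."""
import random

K = 7              # neighbours consulted by the k-NN stand-in model
N_SAMPLES = 800    # size of the constructed corpus
NOISE_RATE = 0.18  # fraction of labels flipped in the random-noise scenario


def make_corpus(n=N_SAMPLES, seed=1):
    """Constructed 'files': two numeric features (think: an obfuscation score
    and a suspicious-API-call count) scaled to [-3, 3]. Ground truth is
    1 (malicious) when f1 + f2 > 0, else 0 (benign)."""
    rng = random.Random(seed)
    feats = [(rng.uniform(-3, 3), rng.uniform(-3, 3)) for _ in range(n)]
    truth = [1 if f1 + f2 > 0 else 0 for f1, f2 in feats]
    return feats, truth


def random_noise(truth, rate=NOISE_RATE, seed=2):
    """Flip a random fraction of labels, scattered across the data (the
    'copied each other's misclassifications' case). Returns the noisy labels
    and the set of indices that were flipped."""
    rng = random.Random(seed)
    flipped = set(rng.sample(range(len(truth)), int(rate * len(truth))))
    return [1 - y if i in flipped else y for i, y in enumerate(truth)], flipped


def clustered_noise(feats, truth, f1_min=1.8):
    """Relabel every malicious sample with f1 > f1_min as benign: one whole
    'family' that was never flagged. f1_min is chosen so the flip count is
    close to random_noise's on this corpus (about 18% of samples)."""
    flipped = {i for i, (f1, _) in enumerate(feats)
               if truth[i] == 1 and f1 > f1_min}
    return [0 if i in flipped else y for i, y in enumerate(truth)], flipped


def neighbour_table(feats, k=K):
    """For each sample, the indices of its k nearest *other* samples
    (leave-one-out, so the model never just reads back a sample's own label)."""
    table = []
    for i, (f1, f2) in enumerate(feats):
        dists = [((f1 - g1) ** 2 + (f2 - g2) ** 2, j)
                 for j, (g1, g2) in enumerate(feats) if j != i]
        dists.sort()
        table.append([j for _, j in dists[:k]])
    return table


def knn_predict(nbrs, labels):
    """Majority vote over each sample's neighbours' (possibly noisy) labels."""
    return [1 if 2 * sum(labels[j] for j in js) > len(js) else 0 for js in nbrs]


def accuracy(preds, labels):
    return sum(p == y for p, y in zip(preds, labels)) / len(labels)


def suspected_mislabels(nbrs, labels, min_disagree=K - 1):
    """The data-cleaning use: flag a sample when at least min_disagree of its
    neighbours carry the opposite label, i.e. the model confidently
    disagrees with the label it was handed. These are the files to re-check."""
    return {i for i, js in enumerate(nbrs)
            if sum(labels[j] != labels[i] for j in js) >= min_disagree}


def run_scenario(truth, noisy, flipped, nbrs):
    preds = knn_predict(nbrs, noisy)          # "trained" on the noisy labels
    flagged = suspected_mislabels(nbrs, noisy)
    hits = len(flagged & flipped)
    return {
        "flip_fraction": len(flipped) / len(truth),
        "acc_vs_truth": accuracy(preds, truth),  # what we would like to know
        "acc_vs_noisy": accuracy(preds, noisy),  # what a noisy test set reports
        "cleaning_precision": hits / len(flagged) if flagged else 0.0,
        "cleaning_recall": hits / len(flipped),  # wrong labels the model caught
    }


def experiment():
    """Run both noise patterns on the same corpus; returns metrics per scenario."""
    feats, truth = make_corpus()
    nbrs = neighbour_table(feats)
    rnd_labels, rnd_flipped = random_noise(truth)
    clu_labels, clu_flipped = clustered_noise(feats, truth)
    return {
        "random": run_scenario(truth, rnd_labels, rnd_flipped, nbrs),
        "clustered": run_scenario(truth, clu_labels, clu_flipped, nbrs),
    }


if __name__ == "__main__":
    for name, metrics in experiment().items():
        print(name, {k: round(v, 3) for k, v in metrics.items()})
```

With scattered noise the model is still roughly right and its confident disagreements are mostly the flipped files, but the noisy test labels report an accuracy well below the true one; with a whole relabelled family the model learns the mistake, the noisy test set says it is doing fine, and the disagreement check finds almost none of the bad labels, which is why sandbox verification and multi-vendor confirmation are needed on top of model-based cleaning.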


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Ny2531AtpCM/

Beware scammers phishing for disaster charity – or anything else

It has long been obvious – or should be – that phishing criminals are like looters: they are good at spotting crimes of opportunity.

And there has been considerable high-profile opportunity lately, in the form of a natural disaster and a big-money lottery win. The seemingly endless rains (maybe not 40 days and 40 nights, but 40-plus inches) in Texas from Hurricane Harvey (pictured) have, predictably, opened the hearts and wallets of people throughout the country and beyond, hoping to help offset some of the damage and suffering from catastrophic flooding.

So that, also predictably, has drawn the cyber underbelly – scammers – looking to exploit that generosity. US CERT (United States Computer Emergency Readiness Team) issued a “Potential Hurricane Harvey Phishing Scams” notice this week, warning people to

… remain vigilant for malicious cyber activity seeking to capitalize on interest in Hurricane Harvey … even if it appears to originate from a trusted source. Fraudulent emails will often contain links or attachments that direct users to phishing or malware-infected websites.

Indeed, the risk is much more than “potential”. The scams are up, spreading like kudzu. Fortune reported “several suspicious online profiles and personas that, although their legitimacy couldn’t be determined, raised several red flags: a small number of followers, unverified accounts, no apparent links to accredited charities, and no means to track where proceeds go”.

Security researcher Perry Carpenter warned about Facebook pages supposedly dedicated to victim relief that contain links to scam websites; tweets with links that claim to lead to charitable websites that are actually spam links or lead to a malware infection; and phishing emails asking for donations to a “#HurricaneHarvey Relief Fund”.

One might think such scams would be obvious. But they sprout overnight online because, says Carpenter:

… they still work. With a circumstance like Hurricane Harvey, so many people truly want to help others in need. Scammers use that vulnerability and empathy to prey upon the human spirit.

But it is not just disasters that bring scammers out of the woodwork. Mavis Wanczyk’s good fortune has done it as well. The 53-year-old Chicopee, Mass. resident and (former) hospital worker recently won one of the biggest Powerball jackpots in history, at $758m.

And now there are dozens of “Mavises” on social media, offering people some of that cash in exchange for some of their personal information – you know, “she” would need to know your bank info so she can deposit the money in your account.

These are apparently more credible than the emails from the Nigerian princess who addresses you as “Dear One”, and then offers a few million bucks if you send her some info, because the Boston Globe reported this week that police in Chicopee had issued a warning on Facebook:

PLEASE do not fall for these scams. DO NOT give out any personal information to these accounts. Do not fall victim to a scammer by releasing ANY of your information.

The Globe reported that a quick social media scan produced more than a dozen Facebook accounts using Wanczyk’s name and photo – one with 3,000 likes and purported messages from her – plus another 13 Twitter accounts, “using photos of Wanczyk, or the giant lottery check she received, claiming to be her”.

None of this is new, of course, nor is the fairly foolproof advice on how to avoid becoming a victim. The most important of which is: NEVER click on a link in an email or social media post unless you are absolutely sure it is from someone you know and trust. Do not click on “click to donate” unless you’re sure it’s a reputable site.

It is laudable, and possible, to donate safely to worthy causes: the way to do that is to go to the website of a credible charity.

Along with that, the recent US CERT notice has a list of recommendations with links (they’re good ones – we checked) to other helpful information, some of it specifically aimed at hurricane relief. They include:

“You don’t have to sacrifice your humanity and sympathy for the sake of security,” Carpenter said. “Act. Give. Help. But do so in a wise and informed manner.”


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/PM3IOp3m5jg/

Pacemaker gets firmware update – go and see your doctor

When a cardiac pacemaker or defibrillator is implanted into a patient, thin, flexible wires called leads are attached to deliver electric shock from the pulse generator directly to the heart.

Those leads sometimes fail. Sometimes, they get infected. Other times, they’re recalled. Removal involves surgery – a complex, delicate procedure that risks damage to the heart tissue.

So what happens when the manufacturer of an internet-connected, radio frequency (RF)-enabled pacemaker finally, begrudgingly stops fighting and litigating over potentially life-threatening attacks and issues a firmware fix for its pacemakers?

Fortunately, it’s not open heart surgery, though it will entail an in-person trip to a healthcare provider’s office.

Abbott (formerly St. Jude Medical) fixed the software side of the security vulnerabilities in January. Now, on Monday, it got to the vulnerabilities in the devices themselves.

In a Dear Doctor letter, Abbott described the firmware update as a three-minute process, during which the pacemaker will operate in backup mode, pacing at 67 beats per minute.

Essential, life-sustaining features will remain available. At the completion of the update, the device will return to its pre-update settings.

Abbott said that with any firmware update, there’s always a (low) risk of an update glitch. Based on the company’s previous firmware update experience, installing the updated firmware could potentially result in the following malfunctions, with the tiny rates of occurrence that St. Jude Medical has previously observed:

  • 0.161% chance of reloading of previous firmware version due to incomplete update
  • 0.023% chance of loss of currently programmed device settings
  • 0% chance of loss of diagnostic data (none has been reported in other firmware upgrades)
  • 0.003% chance of complete loss of device functionality

That last one may seem like a vanishingly small potential, but it’s a dire one. Pacemaker failure has two outcomes, depending on how well the patient’s heart works: you get sick, or you die.

But fortunately, that tiny chance of pacemaker failure will likely be smaller still, given that both Abbott and the US Food and Drug Administration (FDA) say they’re not recommending prophylactic removal and replacement of affected devices.

Here’s the list of St. Jude’s/Abbott’s affected implantable cardiac pacemakers, including cardiac resynchronization therapy pacemaker (CRT-P) devices:

  • Accent
  • Anthem
  • Accent MRI
  • Accent ST
  • Assurity
  • Allure

We’re talking about a total of 465,000 implanted devices that are affected by the firmware flaws, which leave the devices vulnerable to tampering that could cause them to pace at potentially dangerous rates or fail by rapidly draining their batteries.

In January, St. Jude had announced security updates for its Merlin remote monitoring system, which is used with implantable pacemakers and defibrillator devices.

The fixes were designed to reduce what St. Jude claimed to be extremely low cyber-security risks.

At the time, the pacemaker company said it was unaware of any security incidents related to, nor any attacks explicitly targeting, its devices. The same was true as of this week: there have been no known security incidents.

Well, that’s a blessing. Still, that January software update addressed some, but not all, known cyber-security problems in the heart devices. The holes left in place by the incomplete fix were those in the firmware. They were deemed to be pretty serious: Matthew Green, an assistant professor at Johns Hopkins University, described the pacemaker vulnerability scenario as the fuel of nightmares: for one, a weak authentication protocol left the devices open to commands sent via RF, from a distance, leaving no trace, by anybody who knows the protocol (including home devices).

After installing the update that Abbott made available on Tuesday, any device attempting to communicate with the implanted pacemaker would have to provide authorization – received from the Merlin Programmer and Merlin@home Transmitter – to do so.

Pacemakers manufactured from August 28 2017 will have this update pre-loaded in the device and won’t need the update.

Abbott and the FDA are recommending that doctors discuss the risks and benefits of the vulnerabilities and the firmware update with their patients at their next regularly scheduled visit. They’re saying that it’s important to consider factors such as each patient’s level of pacemaker dependence, the age of the device, and patient preference.

Their suggestions:

  • For pacing-dependent patients, consider performing the firmware update in a facility where temporary pacing and pacemaker generator can be readily provided.
  • Print or digitally store the programmed device settings and the diagnostic data in case of loss during the update.
  • After the update, confirm that the device maintains its functionality, is not in backup mode, and that the programmed parameters have not changed.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Suv5Dyj2noI/

Patchy PCI compliance putting consumer credit card data at risk

Nearly half of global organisations fail to comply with the security standards laid out by the Payment Cards Industry (PCI) to ensure customer payment data is protected, according to a new report.

Verizon’s latest Payment Security Report (PSR) found that overall PCI compliance has increased among global businesses, with 55.4 per cent of organisations Verizon assessed passing their interim assessment in 2016. This is an increase from 2015, when only 48.4 per cent of organisations achieved full compliance during their interim validation.

By failing to comply with the PCI Data Security Standard (DSS), organisations are putting consumers at increased risk of payment fraud, Verizon warns. While the number of companies complying with the PCI DSS has increased compared to previous years, non-compliant organisations are failing to implement more controls than ever before.

“While it is good to see PCI compliance increasing, the fact remains that over 40 per cent of the global organisations we assessed – large and small – are still not meeting PCI DSS compliance standards,” said Rodolphe Simonetti, global managing director for security consulting at Verizon. “Of those that pass validation, nearly half fall out of compliance within a year – and many much sooner.”

The hospitality industry – hotels, restaurants, bars and the like – was the worst payment security compliance culprit, scoring the lowest percentage of any industry for achieving full PCI DSS compliance at its interim validation.

In one recorded example, a hotel was found to be storing almost a decade’s worth of receipts containing full, unmasked card numbers next to its laundry room. Security hardening, protecting data in transit and physical security are all issues for the hospitality industry in general.

In another case, a financial services organisation seeking exemption from the Wi-Fi requirements of PCI DSS was surprised to learn that it did in fact have a wireless network operating in its building, a shortcoming that caused it to fail its security audit. An IT admin had got tired of traipsing from the server room in the basement to the IT department on the third floor, and had installed a router to access the servers from his desk.

About three fifths (61.3 per cent) of IT services organisations achieved full compliance during interim validation in 2016, followed by 59.1 per cent of financial services organisations (including insurance companies) and retail (50 per cent).

Troy Leach, chief technology officer for the PCI Security Standards Council, said: “The report highlights the challenges organisations have to consistently maintain security controls on an ongoing basis, leaving their cardholder data environments vulnerable to attack. This trend was a key driver for changes introduced in PCI Data Security Standard version 3.2, which focuses on helping organisations confirm that critical data security controls remain in place throughout the year, and that they are effectively tested as part of the ongoing security monitoring process.”

Verizon’s Payment Security Report is based on actual casework, encompassing the results from thousands of real-world PCI compliance assessments. These assessments are run by Verizon’s team of PCI Qualified Security Assessors for Fortune 500 and large multinational firms in more than 30 countries.

The report can be downloaded here. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/31/pci_compliance_survey_verizon/

UK council fined £70k for leaving vulnerable people’s data open to world+dog

A UK council has been fined £70,000 for leaving vulnerable people’s personal information exposed online for five years.

Nottinghamshire County Council posted the gender, addresses, postcodes and care requirements of elderly and disabled people in an online directory that was left accessible to world+dog. No usernames, passwords or any other access controls limited access to the sensitive information. Although the service users’ names were not included, a determined person would have been able to identify them.

The screw-up was only discovered when a member of the public inadvertently stumbled on the data using nothing more sophisticated than a search engine query. The person, who wasn’t required to log in, was concerned that it could be used by criminals to target vulnerable people or their homes. The breach was even more severe because it revealed whether or not elderly and vulnerable people were still in hospital.

In July 2011 the council launched its Home Care Allocation System (HCAS), an online portal allowing social care providers to confirm that they had capacity to support a particular service user. By the time the breach was reported to the Information Commissioner’s Office (ICO) in June 2016, the HCAS system contained a directory of 81 service users. Data of an estimated 3,000 people had been posted in the five years the system was online.

ICO head of enforcement Steve Eckersley said: “This was a serious and prolonged breach of the law. For no good reason, the council overlooked the need to put robust measures in place to protect people’s personal information, despite having the financial and staffing resources available.

“Given the sensitive nature of the personal data and the vulnerability of the people involved, this was totally unacceptable and inexcusable.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/31/council_vulnerable_elderly_privacy_snafu/

People-rating app Sarahah slurps up contacts for feature that doesn’t exist

Many social media apps sink their fangs into users’ devices to suck out their contact lists.

It makes sense. How else would they a) offer to hook you up with people you know and/or b) send a swarm of marketing email to pester your friends?

It’s not only potentially useful; it has the potential to drive your buddies insane with the resulting plague of marketing email, if LinkedIn’s past pestering is any indication.

And now, there’s a problem with the way that the latest viral sensation app, Sarahah, siphons contact lists. Namely, it is quietly sucking up users’ contacts, but it’s not giving them anything in return.

Sarahah, the latest people-rating app, bills itself as a way to “receive honest feedback” from friends and employees… anonymously. How the “anonymous” part of the equation jibes with showing users who else they know on the app is anybody’s guess.

Sarahah claims that on iOS it uses contact data to show users who in their address books are using the app. But according to Zachary Julian, a senior security analyst at Bishop Fox, the app is sucking up contacts without handing over the goods.

Zain al-Abidin Tawfiq, the developer who created Sarahah, said in a Tweet that the feature is in the works:

He also said, in a subsequent tweet, that the Sarahah database is currently empty: it has nary a single contact in it. Tawfiq said that the Find Your Friends feature was delayed “due to a technical issue,” that the database isn’t currently hosting contacts, and that the app’s data request is going to be yanked in the next release.

But there are a few issues with Find Your Friends that Twitter respondents, and Julian, posed to him:

  1. Why didn’t he wait until the feature was ready before gobbling up address books?
  2. Doesn’t Find Your Friend defeat the purpose of an anonymous people-rating app?
  3. Maybe Sarahah has some empty database lying around, but wherever else the data is flowing, the app’s been caught in the act of siphoning.

Some sound like they want to see Tawfiq’s father give him a little bit of “people rating” over the first issue:

Julian has posted a video to show the address book harvesting in action on Android. He notes that the iOS version of the app also contains functionality to send every phone number, email address and associated names on a device to Sarahah’s servers.

As soon as users log into the app, Sarahah attempts to upload all phone and email contacts. On iOS and Android 6+, the operating system will prompt the user before allowing access to the phone’s contacts, but phones running Android 5 and below – and there are a lot of them – won’t be prompted. All they get is the permissions prompt during installation from the Play Store.

Julian:

On Android 5 and below, these requests will be issued silently and without user interaction. With an estimated 54% of users running Android 5 and below, this is probably a substantial amount of Sarahah’s 10 [million] to 50 million Android users.

It’s likely that most users permit access to their contacts without considering how this data may be used.

iOS does a better job at warning users about the data upload, he said, by explicitly prompting whether to allow the application access to the phone’s contacts and giving users a chance to say no.

Why should this trouble us? It’s not as if social media apps didn’t regularly request our contacts. But Julian notes that at this point, we don’t have the feature, and “all we have is the company’s word” that it’s coming.

We can take Tawfiq’s claims at face value — maybe that database is indeed an empty holder, without any contact details, be they phone numbers, names or email addresses.

Otherwise, given tens of millions of installs – Sarahah is a top free downloaded app on iTunes – that means tens of millions of address books harvested.

The thing is, Julian found that Sarahah did indeed upload his private information when he installed the app on his Android phone, a Galaxy S5 running Android 5.1.1. Julian told The Intercept that his phone was outfitted with monitoring software, known as Burp Suite, that intercepts internet traffic entering and leaving the device, allowing the owner to see what data is sent to remote servers.

Sure enough, when Julian launched Sarahah, Burp Suite caught it uploading his private data.

Here’s some non-anonymous, honest feedback: there are many ways for personal data to be revealed, be it through data breaches or from a supposedly anonymous app offering to show users who else is using it.

If Sarahah is struggling with “technical” issues that caused it to prematurely grab data (that just maybe it shouldn’t be grabbing in the first place), should you trust that it will keep your name out of the picture when you give “honest” feedback about your boss?

Honestly? I’ll take a pass.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/0s3IaJCgAwg/

ARM’s embedded TLS library fixes man-in-the-middle fiddle

ARM’s “mbed TLS” software can be tricked into an authentication bypass and needs a patch.

Created by PolarSSL, which was acquired in February by ARM, mbed is a crypto library designed to make it easy for embedded system developers to add SSL/TLS capabilities to their products.

As well as client-server models (that is, an embedded IoT device talking to a server), mbed also lets peer devices set up TLS sessions between each other.

As explained in this advisory, there’s a slip in the software’s peer authentication, leading to an authentication bypass.

“If a malicious peer supplies an X.509 certificate chain that has more than MBEDTLS_X509_MAX_INTERMEDIATE_CA intermediates (which by default is 8), it could bypass authentication of the certificates, when the authentication mode was set to ‘optional’ e.g. MBEDTLS_SSL_VERIFY_OPTIONAL. The issue could be triggered remotely by both the client and server sides.”

If exploited, an attacker could impersonate a device and act as a man-in-the-middle.

The bug is fixed in mbed TLS 1.3.21, mbed TLS 2.1.9 or mbed TLS 2.6.0; if developers or users can’t upgrade, setting authentication to “required” instead of “optional” (setting the MBEDTLS_SSL_VERIFY_REQUIRED flag) will block the issue.

mbed TLS also ships as part of some Linux distributions, including Debian and Ubuntu. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/31/arms_embedded_tls_library_patched_to_fix_mitm_bug/

CyberRehab’s mission? To clean up the internet, one ASN block at a time

A new project aims to mitigate cybercrime by making it in the economic and business interests of ISPs and telcos to clean up the internet.

CyberRehab wants to prove that it can establish an IP range that hackers choose to stay away from. If miscreants try to attack, they will lose their infrastructure.

The IP range will be protected by a combination of honeypots, nagging and certification for good ISPs. It will probably include discrimination of non-certified ISPs through peering, tagging of suspected malicious traffic, making the ISPs closest to the hacker in charge of cleaning up, and a global secured segmented corporate-style network as a replacement for Tor and more.

Detection of malware will be based on firewalls, intrusion detection systems and internet provider security on the receivers’ end, and therefore will not introduce any packet inspection by ISPs (a class of technology that poses a privacy risk).

It’s a lofty aim and some knowledgeable security observers are expressing scepticism about its practicality. “Cybercrime can’t and never will be eradicated, just like crime can’t and never will be eradicated,” said Brian Honan, founder and head of Ireland’s CSIRT and special advisor on internet security to Europol.

Bulletproof vest

CyberRehab faces a cybercrime ecosystem that includes bulletproof hosting sites run by ISPs that ignore takedown requests.

The immediate focus of the project is Africa rather than eastern Europe, which many experts see as the locus of more malfeasance. “[The] problem in eastern Europe may be bigger, but governments may also be more involved which will make this much more complicated,” Oystein Torsas, a spokesman for the project, told El Reg. “The IP range may be established in an African IP range, because there are more available addresses and because African countries need a more aggressive approach to cybercrime than what is normally accepted in Europe.”

Countries and ISPs that don’t implement sufficient cybersecurity represent a problem not only to themselves but to others as well, backers of the project argue.

“CyberRehab is about making the sender responsible for blocking malicious traffic,” Torsas added. “The sender is in a much better position to determine what’s malicious or not. Even better than to block, is to get rid of infected units, malicious servers and peering contracts with ISPs that are addicted to cybercrime.”

Legislation is ‘useless’

Fighting the problem of poor internet hygiene through cooperation and offering incentives to service providers that act as good netizens is preferable to approaches that rely on tougher regulations and new laws, according to CyberRehab.

“Legislations are useless because hackers know how to hide in one jurisdiction and attack in another,” Torsas explained. “That changes if we hold the sender responsible. Influencing peering agreements between ISPs is the best way to make the sender responsible for ensuring that criminals end in prison or get rehabilitated.”

CyberRehab is preparing an EU research project with some universities, mainly in Spain and the UK. The project is looking to encourage further industry and academic participation.

“It’s led by UPC university in Barcelona. Oxford also claims to be very interested along with 20+ other universities,” Torsas told El Reg. “When it comes to telcos, it’s also hard to make things happen, but I’ve received positive feedback from Telefónica Spain, BT Spain, Euskaltel, Telstra, Telenor, Orange Poland, SwissCom and a few more. I wouldn’t call any of them signed up yet, though.”

CyberRehab is owned by a Norwegian NGO but will do business with for-profit partners in individual countries. “The first countries will hopefully generate proof of concept free of charge while those joining later will pay a much higher price,” Torsas explained.

Eventually a “hacker-free” IP address range could be curated and sold by commercial partners all over the world, or so the plan goes. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/31/cyberrehab_net_cleanup/