STE WILLIAMS

Multiple vulnerabilities in the AppleAVEDriver when linked together create an opportunity to launch an iOS exploit that can take full control of the iOS kernel, security researcher Adam Donenfeld of Zimperium’s zLabs revealed today.

Donenfeld, who today demonstrated the exploit at the Hack In the Box conference in Singapore, says all iOS devices running versions 10.3.1 released in April as well as earlier versions are currently vulnerable to the attack. 

Apple patched eight vulnerabilities Donenfeld previously discovered – seven in AppleAVEDriver.kext and one in the iOSurface kernel extension – in its iOS version 10.3.2 in May.

It all began in January when Donefeld was researching the favored path attackers take in hitting Apple’s iOS, which entails focusing on the direct containerized app-to-kernel vulnerabilities.

“The attack surface in between [the containerized app and kernel] is often underlooked and has more vulnerabilities, which are, usually, much, much easier to exploit. So, in most cases, even though an attacker has to go through more lines of code, finding and exploiting those bugs is usually an easier job,” Donefeld says.

In his app-to-kernel vulnerabilities search, Donefeld did find a bug on Jan. 24, which in turn raised questions in his mind about other iOS attack surfaces. That curiosity led him to dive deeper into Apple’s closed-source kernel modules, where he found one he was not familiar with called Apple AVEDriver. That module lacked basic security fundamentals and contained seven vulnerabilities that would allow attackers to elevate privileges by overtaking the kernel and gaining arbitrary read-write and root control.

Building an iOS Kernel Exploit

Donefeld created the fully chained iOS kernel exploit – which he dubbed ZIVA – by linking together the seven vulnerabilities he found in the AppleAVEDriver module, he says.

Some of these AppleAVE vulnerabilities could allow information disclosures, denial of service (DoS), and elevation of privilege (EoP), Donefeld says.

“The issues are severe and could allow the attacker to take complete control of any iOS device on the market prior to version 10.3.2., as well as access information including GPS data, photos, and contact information, or conduct denial-of-service (DoS) attacks,” Donefeld says.

He notes that because Apple issued a patch for the flaws with version 10.3.2, iOS users who updated their device to the latest iOS version should be protected. Others, he adds, should invest in a third-party security solution.

“This provides a complete control over the kernel,” he says of the exploit.

Related Content:

• Multiple Apple iOS Zero-Days Enabled Firm To Spy On Targeted iPhone Users For Years
• Apple iOS Threats Fewer Than Android But More Deadly
• iOS 8 Vs. Android: How Secure Is Your Data?
• 14 Social Media-Savvy CISOs to Follow on Twitter

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET’s … View Full Bio

Article source: https://www.darkreading.com/application-security/apple-ios-exploit-takes-complete-control-of-kernel/d/d-id/1329721?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

New research by threat intelligence firm Recorded Future has yielded some surprising insights on risky IP addresses, their distribution around their world, and how organizations can protect against them.

Recorded Future tied four million known bad IP address back to the network operators to which they belonged in order to try and understand the risk posed by each operator. Each of the IPs in the list was known to be either currently or historically risky and was associated with behavior that ranged from “unusual” to the “very malicious.”

The four million IPs that Recorded Future analyzed traced back to a total of 26,581 Autonomous System Numbers (ASNs), which are unique numbers for identifying the IP subnets managed by different operators.

The company’s analysis yielded some interesting results: China, for instance, had more risky or suspicious IP address than any other country. Given the country’s tight control over the Internet, the high number of risky IPs suggests government awareness of malicious use, Recorded Future said.

Russia, which in recent months has been accused of a wide range of malicious activity, had a relatively low level of risky IP addresses, suggesting that bad actors there are exploiting infrastructure in other countries. Surprisingly, Brazil had 20% more risky IP addresses than Russia, while a group of Asian countries including Korea, Thailand, Vietnam, and India had two times as many bad IPs as Russia and Ukraine.

The US, which is often regarded as safer than many other countries, actually had the second highest number of bad IPs – second to China. But the IP addresses in the US were distributed across 360% more IPs in total than China.

Recorded Future’s analysis revealed other interesting insight as well. The ASNs with the most number of risky IP addresses were both from China, and are currently ranked the first and fourth largest IP subnets in the world.

However, when Recorded Future ranked the ASNs by the percentage of risky IPs in them, a different picture emerged entirely. For instance, though China’s Chinanet had by far the highest raw number of risk-scored IPs, that number represented a mere 0.4% of the total 100 million IP addresses managed by Chinanet overall.

In contrast, three operators — one each in Russia, Germany, and Latvia — though much smaller, appeared completely compromised with 100% of their IP addresses found risky.

Russia’s ADM Service Ltd., for instance, accounted for just 511 of the 4 million IPs that Recorded Future looked at, but that number represented 100% of ADMs IP address space. Overall, Russia and Brazil topped the list of countries with network operators that had 2% or higher of their IP addresses classified as risky — a number that represents endemic risk, the analysis shows.

US Dominates

When Recorded Future looked at ASNs with the highest number of IPs associated with command and control activity, the US dominated the charts. The top three ASNs in this category were located in the US, while there were four ASNs overall in the top 10 list. The same result emerged when Recorded Future inspected IP addresses that were hardcoded into malware samples.

One explanation of why malicious activity is based in the US and countries like Canada and the UK is because threat actors want to make their traffic appear as innocent as possible, Recorded Future conjectures.

For network professionals, the key takeaway is that it is possible to proactively identify and block risky parts of the Internet by doing ASN-level risks assessments, says Bill Ladd, chief scientist at Recorded Future.

“Country-level assessments are useful for general situational awareness and ASN level assessments are useful for blocking,” he says.

Instead of looking merely at the total number of bad IPs associated with an ASN it is more informative to consider the percentage riskiness of an ASN, he says. ASNs with endemic levels of risky IPs are much smaller in number and blocking them is likely to have less of a negative impact, he says.

Blocking ASNs based on their risk percentage can be effective. For example, when Recorded Future implemented rules for blocking the 10 riskiest ASNs, it preemptively also blocked over 1,720 IP addresses that later turned out to be risky. When Recorded Future tightened its rule to block all ASN’s with 6% or higher of risky IPs, the company proactively blocked close to 12,000 IPs that later emerged as risky.

“High-risk ASNs can be identified and blocked,” Ladd says. With almost 60,000 ASNs worldwide, it is impossible to evaluate all of them. So a risk-ordered list is needed to prioritize the most important ones to block, he notes. Organizations should review the riskiest ASNs and make blocking decisions based on both risk and business value.

“My advice to organizations is to identify and evaluate ASNs that are of highest risk. I’d also advise organizations to block any that have minimal business value,” Ladd says

Related Content:

• Principles of Malware Sinkholing
• Securing BGP Not As Difficult As You’d Think
• ‘Ghost Hosts’ Bypass URL Filtering
• 8 Most Overlooked Security Threats

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year … View Full Bio

Article source: https://www.darkreading.com/cloud/china-us-top-list-of-countries-with-most-malicious-ips/d/d-id/1329710?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

The countdown to the European Union’s General Data Protection Regulation (GDPR) continues, and while companies spend their millions on compliance, questions remain as to whether they are spending their precious euros wisely. Data management tech firm Veritas recently issued a report concluding that although 31% of companies surveyed believe they are already compliant with GDPR, which goes into effect May 2018, only 2% really are operating under the terms of this omnibus data security and privacy regulation.

That’s a gaping hole in readiness, one that should give pause to everyone doing business in the EU and with European trading partners.

Part of the problem may be in the vagaries that come with any regulation. Initially, terminology can be unclear and subject to broad interpretation. Often regulators draft their laws in the hope that vigorous legal challenges will aid in setting precedents and establishing the definitions that provide clarity. This is an important part of the regulatory process.

When it comes to data security, the landscape seemingly shifts daily, upsetting convention. In recent months, for example, two global malware campaigns — WannaCry and NotPetya — exposed common vulnerabilities in the security of thousands of companies whose systems were infected by ransomware. It’s difficult to say whether the companies whose data was affected would have been found in violation of GDPR. However, if such an attack takes place after May 2018, and it is believed negligence was involved, there’s a chance the European Commission could choose to act.

I’ve spoken to several legal and compliance experts regarding whether the WannaCry and NotPetya attacks could trigger action under the current GDPR regulation. One expert’s answer summed up the consensus: “It depends; it’s complicated.”

This particular expert told me his firm has fielded inquiries from companies concerned that US data breach notification laws could have been triggered as a result of the ransomware attacks. In the case of California’s data breach law, SB 1386, the conditions for noncompliance are “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business.”

This expert commented that the information known about the NotPetya attack doesn’t seem to meet California’s data breach standard. However, when working with hypotheticals, there’s no way to definitively say. Perhaps there are terms in customer agreements that bind the enterprise to a lower standard of compliance under contractual obligation.

The definition of a data breach under GDPR is much broader than US law, he said, and includes the “accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” In short, according to GDPR there is a lower threshold for the conditions under which an incident may be considered a data breach. Falling victim to a ransomware campaign may well qualify.

The challenge for organizations preparing for GDPR compliance is in determining their appetite for risk and investing in the tools and processes necessary to achieve their desired level of security.

After that, businesses can only wait and hope their data protection measures meet with the authorities’ approval and that their organization isn’t chosen by the EU to be used as a cautionary tale.

Given the questions and uncertainties that are swirling around GDPR compliance today, I wonder if Veritas’s figure of a 2% rate of compliance isn’t overly optimistic.

Related Content:

• 8 Things Every Security Pro Should Know About GDPR
• Are Third-Party Services Ready for the GDPR?
• GDPR Doesn’t Need to be GDP-Argh!

Learn from the industry’s most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Click for more info and to register.

Peter Merkulov serves as vice president of product strategy and technology alliances at Globalscape. He is responsible for leading and overseeing the product strategy, product management, product marketing, and technology alliances teams. Merkulov has over 15 years of … View Full Bio

Article source: https://www.darkreading.com/cloud/gdpr-compliance-preparation-a-high-stakes-guessing-game-/a/d-id/1329708?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

In 2015, The NSA’s Information Assurance Directorate issued guidance to postpone moving from RSA cryptography to elliptic curve cryptography (ECC) if they hadn’t already done so. The guidance stated:

For those partners and vendors that have not yet made the transition to Suite B elliptic curve algorithms, we recommend not making a significant expenditure to do so at this point but instead to prepare for the upcoming quantum-resistant algorithm transition.

The timing of the announcement was curious. Many in the crypto community wondered if there had been a quantum computing breakthrough significant enough to warrant the NSA’s concern. Since then, the crypto community has been trying to prepare for the transition to “quantum-resistant” algorithms — that is, algorithms that are secure against an attack by a quantum computer. Let’s look at some of the likely candidates for those algorithms and how they’ll be fitted into the Transport Layer Security (TLS) protocol that we all use today with HTTPS. But first, a bit of explanation.

If the day ever comes when a real, working, large-scale quantum computer can be built, then the era after that moment will become known as the “post-quantum” era. Encryption algorithms used in the “post-quantum” era should be puzzles that are not easily solved by quantum computers.

What’s the Current Quantum Computing Exposure?
Cryptographers currently believe that asymmetric encryption algorithms are vulnerable to quantum computing. Unfortunately, these include all the ones we use for TLS protocol handshakes!

• RSA: Vulnerable
• Elliptic Curve Digital Signature Algorithm (ECDSA): Vulnerable
• Elliptic Curve Diffie-Hellman (ECDH): Vulnerable
• Diffie-Hellman (DH): Vulnerable

Interestingly, a 2017 paper, Quantum Resource Estimates for Computing Elliptic Curve Discrete Logarithms, by Martin Roetteler, Michael Naehrig, Krysta M. Svore, and Kristin Lauter, appears to confirm suspicions that ECC will fall to quantum computing before RSA does. That may have been another factor in the NSA’s announcement.

Symmetric algorithms (used by bulk encryption) are thought to be safe from quantum computing by merely doubling their key sizes, for example, using the advanced encryption standard AES-256 instead of AES-128.

How Post-Quantum Computing Will Affect TLS
So, what’s the problem that quantum computing introduces? Before we look at that, let’s start with the good news, which is that record processing in a quantum computing world will be exactly the same. That’s because the symmetric encryption ciphers (like AES) and hash message authentication code  (HMAC) hashing algorithms (like SHA) are thought to be mostly resistant to quantum computing, requiring only a doubling of key size to be resistant until the end of time. According to the NSA’s Information Assurance Directorate, “The AES-256 and SHA-384 algorithms are symmetric, and believed to be safe from attack by a large quantum computer.”

F5 Labs’ own research shows that 75% of TLS hosts on the Internet already prefer AES-256, so we’re practically there already—at least for the record processing!

That leaves just the asymmetric encryption functions that need to be replaced: RSA, DSA, DH and their ECC variants, ECDSA and ECDH. Those are only used during the initial handshake phase of the TLS protocol, which for many clients is only done once per site, once per day, because of session reuse. That’s pretty good news when you think about it!

So, we don’t have to replace all of TLS, just shoe-horn in a new asymmetric handshake cipher. But which one will we use?

NIST Projected Timeline for Choosing Post-Quantum Algorithms
The National Institute of Standards and Technology (NIST) has issued a timeline by which they would like to see a post-quantum algorithm ready to replace the existing asymmetric algorithms. At the time of this writing (summer of 2017), we’re currently in the submissions phase, with deadlines for submissions at the end of November, followed by submitters’ presentations in early 2018. A three- to five-year analysys will follow when NIST will report findings, and one or two workshops will be scheduled. Finally, two years after that, draft standards may be read.

In 2009 two NIST researchers, Ray A. Perlner and David A. Cooper, published a white paper examining the (then) likely post-quantum algorithm candidates. They included the chart below showing some of the algorithms’ comparative metrics against non-post-quantum algorithms (RSA, DSA, DH, ECC).

Since that paper was published, new algorithms have found currency in the community. You quickly find that none are perfect!

Current Candidates for Post-Quantum Asymmetric Encryption Algorithms
Several candidates are already being discussed, all of which have chosen key sizes that achieve the 128-bit level of security necessary to be quantum-safe: NTRUEncrypt, McEliece with Goppa codes, and Ring Learning with Errors. One promising algorithm is Supersingular Isogeny Diffie-Hellman (SIDH).

SIDH uses the smallest key sizes of the candidates (3K public keys), can support forward secrecy, and is free of patents. However, SIDH is not perfect; some researchers have already been poking holes at it and have come up with some pretty disturbing attacks, which can be mitigated against, but  add a whole new rash of complications.

Related and Relevant IETF Projects
The IETF TLS working group has already started design work to fit a post-quantum algorithm into TLS. At the 93^rd IETF in 2015, William Whyte proposed a hybrid handshake. Like Google’s CECPQ1, Whyte’s proposal uses a classical key exchange for half of the key, and a post-quantum key exchange for the other half. The two halves are then combined into a key derivation function to get the final master key, from which the rest of the session key data is derived.

If it seems unlikely that any of these algorithms will make an ideal candiate, well, that’s okay. Many people in the crypto community are skeptical that a large-scale quantum computer is even possible. But if it really does become a thing, we’ll be (sort of) ready for post-quantum in pretty short order, at least from a protocol point of view.

Get the latest application threat intelligence from F5 Labs.

David Holmes is the world-wide security evangelist for F5 Networks. He writes and speaks about hackers, cryptography, fraud, malware and many other InfoSec topics. He has spoken at over 30 conferences on all six developed continents, including RSA … View Full Bio

Article source: https://www.darkreading.com/partner-perspectives/f5/how-quantum-computing-will-change-browser-encryption/a/d-id/1329713?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Apple Mac devices, while largely considered safer than their Windows and Android counterparts, are vulnerable to a growing number of malicious applications.

More Mac malware was seen in Q2 than the entirety of 2016, report researchers at Malwarebytes, which today published a report on Mac and Android threats. Mac malware families hit an all-time high in 2017, with more appearing this year than any previous year.

“Mac users typically think they’re safe, that Macs don’t get viruses, and they’re being proven increasingly wrong,” says Thomas Reed, director of Mac and mobile for Malwarebytes. “The number is much smaller than on Windows, but this is a very concerning trend we’re seeing on the Mac,” he adds.

Christiaan Beek, lead scientist and principal engineer for McAfee, agrees Mac malware has increased overall but that trends tend to shift as Apple catches and addresses threats.

“With Mac malware, it goes up and down,” Beek says. “Apple’s really good at catching malicious apps in their stores … if it’s discovered, it’s quickly discovered and quickly solved.”

Beware of the App Store

Threats like ransomware are still rare on Macs, researchers report. The most significant problems are adware and potentially unwanted programs (PUPs), which began to ramp up in 2013 and have been multiplying since. Despite vetting processes and safety settings, the App Store is not immune to malicious applications.

“If you go into the Mac App Store and search for adware and antivirus, most stuff you find will be junk software that doesn’t do what it claims to do,” says Reed. “The primary goal is to get the user to purchase an app or service they really don’t need and doesn’t fulfill the promises it makes.”

He cites the example of Proton, a remote access Trojan (RAT) targeting macOS in 2016. Proton is a backdoor developed to exfiltrate password data from sources including macOS keychain, 1Password vaults, and browser auto-fill data. Users were hit with the RAT when they downloaded open-source video conversion tool HandBrake.

The emergence of Proton, which affected consumers and experts alike, was a wake-up call for Mac users to be careful about what they download.

PUPs are difficult to handle because “it’s like malware with lawyers,” says Reed. There are companies behind the malicious apps on the App Store, he explains, and detecting PUPs can lead to complicated legal matters with businesses developing the software.

“Apple has its own built-in antimalware features, but they don’t seem to want to poke at PUPs and adware until they really cross the line,” he adds. For example, Apple blocked a form of Genio adware when it used a system vuln to download browser extensions on victims’ computers.

Who are the Mac attackers?

While the amount of Mac malware is “a drop in the bucket” compared with Windows threats, as Reed says, it’s worth taking a closer look at who might be targeting Mac devices and why.

“Honestly, it takes time to write a nice piece of malware for Mac,” says Beek, adding that most cybercriminals prioritize mass distribution and quick, fast cash. “Mac is still not their interest,” he adds. Mac exploits are also expensive, selling for up to $40K on the Dark Web.

Threat actors who target Macs likely aren’t looking for money, he continues, but user data or access. “Mostly what we’d see is a backdoor on the Mac that would try to snoop on you by activating a microphone or keylog strokes, or try to activate a camera.”

State-sponsored attackers and governments are looking into Mac exploits and backdoors, says Beek. These actors can afford to develop Mac malware or purchase it online, and they are typically those looking for backdoors to gain access to victims’ machines.

Macs are getting more affordable but still pricey, and people who use Macs in the enterprise are more likely to be nation-state targets. Executives, researchers, developers, and system administrators have high levels of access and appeal to actors seeking corporate data.

Beek anticipates we’ll see a slight increase in Mac malware in 2018 as Apple continues to improve its security and attackers explore ways to work around it. Reed also expects an increase, particularly with respect to the amount of PUPs populating the App Store.

“Attackers are starting to realize Macs are not invulnerable – they are attackable,” says Reed. “So they’re trying new things.”

Learn from the industry’s most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Click for more info and to register.

Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University. View Full Bio

Article source: https://www.darkreading.com/application-security/macs-biggest-threats-lurk-in-the-apple-app-store/d/d-id/1329715?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple