STE WILLIAMS

Inside the ongoing fight to stamp out govt-grade Android spyware

Black Hat A study into government-grade Android spyware led researchers to a new strain of surveillance malware lurking in the Google Play app store – a strain that has now been unceremoniously booted out of the software marketplace.

Last month it was revealed that the Mexican government was infecting smartphones with malware to spy on lawyers, journalists, and activists. Researchers at Google and mobile security shop Lookout did some further digging into this covert surveillance tool, and discovered this kind of state-level software nasty is slightly more common than some might think.

The Mexican government used some iOS malware called Pegasus, which was built by Israeli hackers-for-hire NSO Group. That organization also offers an Android equivalent dubbed Chrysaor. This Android variant was considerably less sophisticated than its Apple cousin, as it exploited really old vulnerabilities in Google’s OS whereas Pegasus exploited zero-day flaws in iOS to compromise phones. In fact, it appeared Chrysaor was tailored to compromise Android 4.3 and earlier.

“This was a known set of vulnerabilities,” Andrew Blaich, a security researcher at Lookout, told The Register this week at the Black Hat conference in Las Vegas. “We’re guessing that the malware was designed to target older versions of Android that are no longer being patched and which are more common in developing countries.”

Samples of Chrysaor, which were disguised as legit-looking apps, were found by Lookout and forwarded to Google, which used its Verify Apps tool in Android to kill any instances of the spyware.

We’re told fewer than three dozen copies were found in the wild, and the booby-trapped applications were never in the official app store, so the malware’s distribution was obviously highly targeted to specific people. It’s typically sent in phishing attacks, for which NSO charges thousands of dollars to execute.

Google and Lookout took a closer look at the malware’s operation, and examined its techniques for gaining powerful access privileges and escaping its sandbox, and monitored its network traffic. They then used that knowhow to search for similar evil applications out in the wild, and uncovered tools released by Equus Technologies.

Lipizzan

Equus, which like NSO also claims to sell only to governments for legit purposes, has developed smartphone monitoring software Google has dubbed Lipizzan. Once on a device, it can siphon off a victim’s email and SMS messages, their whereabouts, their voice calls, and their photos and videos to remote systems.

We’re told this surveillance tool was hidden in about 20 apps in the Google Play store, and installed on fewer than 100 Android devices, suggesting specific selected targets were tricked into downloading it.

Lipizzan was a two-stage piece of malware that was designed to fool the code-checking mechanisms Google uses to prevent software nasties appearing in the Play Store. The first stage, available from the marketplace, would appear to be a simple app, such as a backup tool or a cache cleaner. When run, the code would download and execute a “license verification” stage.

This second stage would scan the infected phone for vulnerabilities and, where possible, exploit them to gain root-level access. With that power, it could record calls, subvert apps such as WhatsApp, Gmail and Snapchat, and so on.

Google kicked the Lipizzan apps out of its store, warned folks hit by the malware, and stopped the code from running on devices. However, its creators wouldn’t give up. New but similar apps were uploaded, and the web giant was able to detect them due to code reuse by the authors.

“There were fewer than 100 devices that checked into Google Play Protect with the apps listed below,” the team said on Wednesday. “That means the family affected only 0.000007 per cent of Android devices. Since we identified Lipizzan, Google Play Protect removed Lipizzan from affected devices and actively blocks installs on new devices.”

This isn’t the first time malware mercenaries have used these techniques to smuggle malicious apps into the Play store, and it probably won’t be the last. However, for now, Google and its friends have the upper hand on cyber-mercenaries who peddle government spyware. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/07/28/state_hacking_tools_android/

Ransomware scum straighten ties, invest in good customer service

Ransomware scum are investing in customer service processes to get more people paying, according to McAfee’s lead scientist and principal engineer Christiaan Beek.

Speaking at the RSA Pacific and Japan conference in Singapore today, Beek said that ransomware victims share stories of their experiences handing over bitcoin, and that ransomware scum have figured out that stories describing a difficult payment process become a disincentive to pay.

Some have therefore added prominent help features to the sites they use to collect ransoms, even going so far as to offer real-time help.

Impressively comprehensive instructions on how to acquire Bitcoin are another item he sees more of, as they make it easier for victims to pay up.

Those efforts aren’t necessarily paying off for ransomware creators: Beek said McAfee and law enforcement agencies alike are getting better at tracing those who use and trade in the cryptocurrency. Criminals are responding, he said, by quickly converting their hauls into a second cryptocurrency in an effort to secure their ill-gotten gains.

Once their funds are secure, Beek said they go on holidays: July and August see a decline in the release of new ransomware variants, as does Christmas time.

Beek also shared some of the experiences he’s had participating in the No More Ransom Project, an effort to offer decryption tools and education on ransomware. He told the conference the site is under constant attack, especially when new and potent ransomware outbreaks occur and the crooks behind them attempt to make it hard for victims to find information on how to fight back.

Plenty of attacks on the site are unsophisticated. AWS hosts the site and the company’s senior security and compliance consultant Ben Potter told the conference plenty of attackers use either known bad IP addresses or lack the wit to change user agent strings to values that don’t give away their intentions.
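An added example of the kind of triage Potter describes (not code from AWS or the No More Ransom project): a short Python pass over web-server access logs that flags requests from blocklisted addresses or from clients that left a scanner's default User-Agent in place. The log lines, the blocklist entry and the User-Agent markers are constructed for the example, and a match is a lead for an analyst, not a verdict.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable

# Constructed sample log in combined (Apache/NCSA) format; these are
# documentation IP ranges, not real traffic from nomoreransom.org.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Jul/2017:10:01:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/54.0"
198.51.100.23 - - [28/Jul/2017:10:01:05 +0000] "GET /wp-login.php HTTP/1.1" 404 210 "-" "sqlmap/1.1.7#stable (http://sqlmap.org)"
192.0.2.45 - - [28/Jul/2017:10:01:09 +0000] "GET /decryption-tools HTTP/1.1" 200 8190 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/59.0"
203.0.113.99 - - [28/Jul/2017:10:02:44 +0000] "GET /.env HTTP/1.1" 404 210 "-" "python-requests/2.18.1"
198.51.100.23 - - [28/Jul/2017:10:02:50 +0000] "GET /xmlrpc.php HTTP/1.1" 404 210 "-" "Nikto/2.1.6"
"""

# Hypothetical blocklist; a real deployment would load this from a threat-intel feed.
KNOWN_BAD_IPS = {"198.51.100.23"}

# Default User-Agent fragments of common scanners and HTTP libraries. Matching is
# case-insensitive; a lone hit is a lead for an analyst, not proof of intent.
TOOL_UA_MARKERS = ("sqlmap", "nikto", "masscan", "nmap", "python-requests", "curl/", "wget/")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


@dataclass(frozen=True)
class Finding:
    ip: str
    request: str
    reason: str


def triage(lines: Iterable[str]) -> list[Finding]:
    """Flag requests from blocklisted IPs or with a tool-identifying User-Agent."""
    findings: list[Finding] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than abort the whole pass
        ip, req, ua = m["ip"], m["req"], m["ua"].lower()
        if ip in KNOWN_BAD_IPS:
            findings.append(Finding(ip, req, "known-bad source IP"))
        marker = next((t for t in TOOL_UA_MARKERS if t in ua), None)
        if marker is not None:
            findings.append(Finding(ip, req, f"tool user agent ({marker})"))
    return findings


def suspicious_ips(lines: Iterable[str]) -> set[str]:
    """Distinct sources worth blocking or watching, derived from triage()."""
    return {f.ip for f in triage(lines)}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f.ip:16} {f.reason:34} {f.request}")
```

Run it directly to print the findings for the sample; in practice feed it the real access log and swap KNOWN_BAD_IPS for a live feed. The static, S3-hosted design described above is what keeps this kind of noise at the log level rather than turning it into an application compromise.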

AWS nonetheless keeps the site simple. Most of its content is static files served from its S3 storage service and web server use is kept to a minimum to keep the site’s attack surface small. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/07/28/ransomware_customer_service_improvements/

Enumeration bug offers five-finger discount on shopping loyalty points

The Register has been alerted that Australian retailer Woolworths’ customer loyalty points can be filched thanks to a user enumeration bug.

A reader alerted us to the simplest user enumeration hole imaginable: you only need to know how Woolworths Rewards numbers are put together. In other words, pick up a card at any Woolworths supermarket, or the many affiliates that use its loyalty scheme, and you have a starting point.

As is outlined in various shopper forums (here at OzBargain for example), the company’s smartphone apps, designed to let you check your own rewards accumulation, let you input any card number.

That means an attacker can plug in number after number until they find an account that has accumulated decent rewards, program that number into a redemption app like Stocard, and claim the rewards as their own. As Woolworths rewards can be redeemed for discounts at the point of sale, the bug will deprive some users of cash.
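To make the bug concrete, here is an added Python example (not Woolworths code; the card numbers, accounts and the "pw-<owner>" credentials are made up) showing a lookup keyed on nothing but the card number, the sequential walk that turns it into an enumeration attack, and a hardened service that returns a balance only for a card linked to the authenticated caller and throttles lookups per account.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Constructed sample accounts. The card numbers are made up and follow no real
# issuer scheme; what matters is that they are sequential and therefore guessable.
ACCOUNTS = {
    "9355012345670001": {"owner": "alice", "points": 12400},
    "9355012345670002": {"owner": "bob", "points": 300},
    "9355012345670003": {"owner": "carol", "points": 51000},
}


def balance_vulnerable(card_number: str) -> int | None:
    """The bug: the card number is the only key, so whoever can guess a number
    reads that account's balance. No login, no proof of ownership."""
    acct = ACCOUNTS.get(card_number)
    return acct["points"] if acct else None


def enumerate_rich_accounts(prefix: str, start: int, count: int, threshold: int) -> list[str]:
    """How the weakness is abused: walk sequential numbers, keep the ones worth taking."""
    hits = []
    for n in range(start, start + count):
        card = f"{prefix}{n:04d}"
        points = balance_vulnerable(card)
        if points is not None and points >= threshold:
            hits.append(card)
    return hits


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Hypothetical credential store: each demo user's password is "pw-<owner>".
_SALT = b"demo-salt-not-for-production"
CREDENTIALS = {owner: _hash(f"pw-{owner}", _SALT) for owner in ("alice", "bob", "carol")}


class AuthError(Exception):
    pass


class RateLimited(Exception):
    pass


@dataclass
class RewardsService:
    """Hardened variant: balances are served only through an authenticated session,
    only for a card linked to that session's owner, and lookups are throttled."""
    sessions: dict[str, str] = field(default_factory=dict)          # token -> owner
    attempts: dict[str, list[float]] = field(default_factory=dict)  # owner -> lookup times
    window_s: float = 60.0
    max_attempts: int = 5

    def login(self, owner: str, password: str) -> str:
        if not hmac.compare_digest(_hash(password, _SALT), CREDENTIALS.get(owner, b"")):
            raise AuthError("bad credentials")
        token = secrets.token_urlsafe(32)
        self.sessions[token] = owner
        return token

    def _throttle(self, owner: str) -> None:
        now = time.monotonic()
        recent = [t for t in self.attempts.get(owner, []) if now - t < self.window_s]
        if len(recent) >= self.max_attempts:
            raise RateLimited(f"too many lookups for {owner}")
        recent.append(now)
        self.attempts[owner] = recent

    def balance(self, token: str, card_number: str) -> int:
        owner = self.sessions.get(token)
        if owner is None:
            raise AuthError("not logged in")
        self._throttle(owner)  # before the ownership check, so guessing is throttled too
        acct = ACCOUNTS.get(card_number)
        if acct is None or acct["owner"] != owner:
            # Same message for an unknown card and for someone else's card: no oracle.
            raise AuthError("card not linked to this account")
        return acct["points"]


def demo() -> dict[str, object]:
    """Exercise the hardened service and return what each call produced."""
    svc = RewardsService()
    tok = svc.login("alice", "pw-alice")
    out: dict[str, object] = {"own": svc.balance(tok, "9355012345670001")}
    for label, card in (("other", "9355012345670002"), ("missing", "0000000000000000")):
        try:
            svc.balance(tok, card)
            out[label] = "allowed"
        except AuthError as e:
            out[label] = str(e)
    for _ in range(2):  # lookups four and five inside the window
        svc.balance(tok, "9355012345670001")
    try:
        svc.balance(tok, "9355012345670001")
        out["sixth"] = "allowed"
    except RateLimited:
        out["sixth"] = "throttled"
    return out
```

Two points carry the fix: the hardened lookup returns the same error for an unknown card and for someone else's card, so the response is not an oracle for valid numbers, and throttling is applied before the ownership check so a guessing loop is cut off whether or not it is hitting real accounts.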

Following The Register’s inquiry, a Woolworths spokesperson e-mailed us the following response:

“At Woolworths we work hard to ensure our customers’ shopping experience is efficient, seamless and importantly, safe and secure.

“We are monitoring customer feedback and – although our investigation shows there is no issue with the functionality and security of the Woolworths Money App – we are reviewing how the App experience can be better improved to provide further assurances for customers.

“We take our obligations in relation to customer data very seriously, and have robust controls in place to ensure customer expectations of privacy and security are met.

“We have a continuous program of security enhancements and our apps are constantly reviewed for any improvements in functionality and security.

“If customers require further information please contact us on 1300 767 969.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/07/28/woolworths_australia_user_enumeration_bug/

Get Ready for the 2038 ‘Epocholypse’ (and Worse)!

A leading security researcher predicts a sea of technology changes that will rock our world, including the Internet of Things, cryptocurrency, SSL encryption and national security.

BLACK HAT USA – Las Vegas – Buckle in for a wild ride in the next two decades where the role of security professionals will rise in dramatic importance, Mikko Hypponen, F-Secure chief research officer, predicted at a Black Hat presentation today.

“Our work is not to secure computers, but our work is to secure society,” says Hypponen in his presentation The Epocholypse 2038: What’s In Store for the Next 20 years.

The security researcher pointed to likely sea changes the industry will witness in the coming 20 years: the 2038 Unix Millennium bug that will drive industry worry on par with Y2K, major shifts in the way security professionals deal with Internet of Things devices, cryptocurrency, SSL encryption and national security.

Y2K Redux in 2038?

On January 19, 2038, the signed 32-bit counter that Unix and Unix-derived systems use to count seconds since 1970 runs out of bits and wraps around, and the industry is bracing for systems that crash or miscompute dates when it does.

The 2038 epocholypse has been compared to Y2K, and the same mix of hype and fear is mounting. Hypponen recalls standing guard on New Year’s Eve as 2000 rolled in, when the entry into the new millennium went smoothly. But despite the industry being bashed for crying wolf about the doom that could have occurred on New Year’s Day 2000, Hypponen says two points were missed, and both are worth keeping in mind for 2038.

One point is that an enormous amount of work went into finding bugs and fixing them prior to Y2K, so the impact was greatly minimized on the actual day, said Hypponen.  The second point is that not all Y2K-related problems immediately emerged on Jan. 1. Some came much later, such as inaccurate readings for Down Syndrome risk in pregnant women, he recalled, noting how some women underwent abortions unaware of the misdiagnosis.

“[The year] 2038 is way off in the future. People think we have plenty of time to fix it,  but I will guarantee you we will run out of time,” Hypponen warned.
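An added Python example (not from Hypponen’s talk) that shows the arithmetic behind the 2038 problem: where a signed 32-bit seconds counter ends, what a 32-bit system reports one second later, and Hypponen’s point about problems surfacing early, here as a multi-year expiry date that overflows years before the clock itself does. The issue dates are chosen for illustration.

```python
from __future__ import annotations

from datetime import datetime, timedelta, timezone

INT32_MIN, INT32_MAX = -2**31, 2**31 - 1
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def wrap_int32(seconds: int) -> int:
    """What a signed 32-bit time_t actually stores for this value (two's-complement wrap)."""
    return (seconds - INT32_MIN) % 2**32 + INT32_MIN


def epoch_to_utc(seconds: int) -> datetime:
    """Seconds since the Unix epoch to an aware UTC datetime (arbitrary precision, no wrap)."""
    return EPOCH + timedelta(seconds=seconds)


def last_int32_second() -> str:
    """The final instant a 32-bit time_t can represent."""
    return epoch_to_utc(INT32_MAX).isoformat()


def as_seen_by_int32(seconds: int) -> str:
    """The date a 32-bit system reports for a true epoch value, wrap included."""
    return epoch_to_utc(wrap_int32(seconds)).isoformat()


def overflows_int32(year: int, month: int, day: int) -> bool:
    """True if UTC midnight on this date lies past the 32-bit limit."""
    when = datetime(year, month, day, tzinfo=timezone.utc)
    return int((when - EPOCH).total_seconds()) > INT32_MAX


def expiry_overflows(year: int, month: int, day: int, validity_years: int) -> bool:
    """The late-emerging-bug case: a certificate, licence or schedule issued on this
    date with a multi-year validity computes an expiry that overflows long before
    the clock itself reaches 2038. (Issue dates of 29 February are not handled.)"""
    return overflows_int32(year + validity_years, month, day)


if __name__ == "__main__":
    print("last valid 32-bit instant:      ", last_int32_second())
    print("one second later, as 32-bit sees it:", as_seen_by_int32(INT32_MAX + 1))
    print("20-year cert issued 2018-02-01 overflows:", expiry_overflows(2018, 2, 1, 20))
```

The expiry check is the practical one: anything that stores or computes a date twenty years ahead in a 32-bit field starts failing in early 2018, which is exactly the kind of early surfacing the Y2K experience described above warns about.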

Cryptocurrency Game Changer

Bitcoin and other forms of cryptocurrency will likely take a big chunk of business away from the brick-and-mortar banks but these virtual currencies won’t likely cause institutions to go out of business, predicted Hypponen.

But cryptocurrency is dramatically changing the landscape related to how law enforcement will chase the bad guys and follow the money. Cryptocurrency not only allows cybercriminals to conduct transactions anonymously but also gives them an avenue for laundering the money through multiple digital accounts with lightning speed, he noted.  

And thugs are also using the cryptocurrency when committing traditional physical crimes, Hypponen said, pointing to a Brazilian kidnapping where the attackers demanded a ransom payment in Bitcoins.

SSL, IoT, and Nation State Attacks, Oh My

Quantum computing is reaching the point where, in the near future, it may pose a threat to SSL encryption, Hypponen predicted. A sufficiently large quantum computer could factor the products of large primes on which RSA keys depend, and that is what puts the public-key cryptography underneath SSL/TLS at risk. As evidence he pointed to IBM’s announcement earlier this year that it is building commercially available universal quantum computing systems for its IBM cloud platform.

In addition to the potential demise of SSL encryption, humans are also facing greater risks with the rise of IoT devices. “There will be a day when consumers buy products and don’t even realize they are IoT devices,” Hypponen said. “If it is a smart device, it is a vulnerable device,” which he predicts will create the need for a separate IoT network.

But what keeps Hypponen awake at night is the prospect of a nation state attack on consumers. “Wars today are fought with drones,” he said, asking what would happen if the software that feeds into computer chips and devices were instructed to have the device catch on fire, simultaneously across millions of homes.

“Technically, it can be done,” Hypponen said, showing a demo of one device in flames.

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET’s …

Article source: https://www.darkreading.com/vulnerabilities---threats/get-ready-for-the-2038-epocholypse-(and-worse)!/d/d-id/1329479?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Inside the Investigation and Trial of Roman Seleznev

The officials who convicted the credit card thief discussed the investigation, evidence, trial, and challenges involved in his case.

BLACK HAT – Las Vegas – Officials involved in the investigation, arrest, and trial of Roman Seleznev dove into the details of how he operated his hacking empire, the slipups that led to his arrest, and evidence that led to his sentencing.

Seleznev, a notorious Russian computer hacker, was responsible for more than 400 point-of-sale hacks and at least $169 million in credit card fraud. He was sentenced to 27 years in prison and $170 million in restitution after a trial that took place earlier this year.

He went through three “chapters” in his time as a card thief, each defined by a different name, explained Norman Barbosa, assistant US attorney at the US Attorney’s Office for the Western District, at Black Hat. The first began in the early 2000s when he adopted the handle nCux, which he used to operate online shops for selling stolen information.

“By 2005, he picked up on the fact that credit cards were an easy way to monetize hacking,” said Barbosa. This was around the time the Secret Service began to notice his criminal activity and gather intelligence on him. By 2009, they had collected enough information to determine his identity — just in time for Seleznev to vanish.

“Unfortunately, approximately a month later, he disappeared from the Internet, putting the Secret Service investigation back a step,” Barbosa said. “They had to rethink how they would go about seeking international cooperation on the case.”

Seleznev reappeared in 2009 under aliases Track2 and Bulba. Officials noted his activity on Carder.su, a forum and online marketplace for credit card details and personal data. He was listed as a “trusted vendor of dumps,” which tipped them off to the fact this wasn’t a new player.

The investigation was reopened in May 2010 and accelerated through June 2011. During this time, Seleznev was involved in hacking restaurants and stealing credit card data from their point-of-sale devices.

Following his injuries in the 2011 Morocco terrorist attacks, Seleznev returned to Russia and closed his online shop in January 2012. Investigators continued to chase him until 2013, when he reappeared under the alias 2PAC.CC. At this point he wasn’t only selling his own stolen data; other major hackers were coming to him to resell credit cards.

Seleznev was arrested in the Maldives in 2014. Normally, the extradition process can take between six months and four years, said Barbosa. In this case, it took about two days to get the Secret Service to the Maldives, and only three more to get Seleznev to the United States.

Independent trial attorney Harold Chun discussed the evidence seized after Seleznev’s arrest and mistakes he made leading up to it. Officials seized his laptop, passport, phone, and travel documents, all of which confirmed their earlier hypotheses.

“What these things did was confirm all the attribution that had been gleaned in the investigation, year after year,” said Chun.

Seleznev’s laptop proved to be a gold mine of evidence. Law enforcement found 1.7 million credit card numbers stored on his device, along with Web pages he created to teach people how they could use stolen card details. On the page, he reminded users: “Remember this is illegal way!!”

“There’s not much to say when you have 1.7 million credit card numbers on you when you’re on vacation,” Chun quipped.

Investigators also discovered an account on PACER (Public Access to Court Electronic Records), the US federal courts’ online records system, where indictments and search warrants are filed. Before he traveled, Seleznev would search for his name and nicknames to determine whether it would be safe to leave.

Other pieces of evidence included information from Windows artifacts, registry keys, event logs, and the System Resource Usage Monitor. Officials also found cellphone backups stored on his computer and in the cloud.

Seleznev made several key slipups leading up to his arrest. He reused passwords for multiple online accounts, making it easy for investigators to guess the password to his laptop. He had two email addresses for his online aliases and mixed criminal use with personal communications, such as opening a PayPal account.

Barbosa explained how Seleznev used one of these email addresses to place a flower order for his wife, which he did using his own name and phone number that could be traced back to him.

Seleznev attempted to claim he had been framed by someone — either the US government or another hacker — and also tried to bribe the prosecutor for his case. Neither worked, and it only took a few hours for a Seattle jury to convict him on 38 counts, Chun said.

Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University.

Article source: https://www.darkreading.com/inside-the-investigation-and-trial-of-roman-seleznev-/d/d-id/1329481?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Broadcom Chipset Bug in Android, iOS Smartphones Allows Remote Attack

Security researcher found a common flaw in Android and iOS smartphone chipsets that could allow a remote exploit to be unleashed on millions of devices.

BLACK HAT – Las Vegas – Android and iOS smartphones loaded with a Broadcom Wi-Fi chipset offer attackers a common means to launch a remote exploit that could affect millions of users, according to a presentation here today at Black Hat by security researcher Nitay Artenstein of Exodus Intelligence.

The discovery came about when Artenstein was looking for ways to launch a remote exploit against Android and iOS smartphones, but he knew it would be tough given the way the devices have been hardened with Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP).

“It’s hard to get past ASLR and DEP, so I started looking around the neighborhood to see what would work,” said Artenstein, who gave the Black Hat presentation Broadpwn: Remotely Compromising Android and IOS via a Bug in Broadcom’s Wi-Fi Chipsets.

He looked at the application processor and toyed with the idea of looking for vulnerabilities in the baseband processor. But he noted that the iPhone, Samsung Galaxy and Note, Google Nexus, HTC, and other smartphones used different chipsets in the devices. However, when he turned his attention to exploring Wi-Fi chipsets, he found that Broadcom was used across the board.

“It’s an interesting situation for attackers because they can write an exploit and repeat their work,” Artenstein said.

He added that the firmware running on the Broadcom Wi-Fi chipsets has no ASLR or DEP to contend with, which is what makes the chip, rather than the hardened application processor, the attractive target.

A bug he found in the chipsets had the three necessary ingredients to launch a remote attack.

One is that the vulnerability did not require human interaction to launch an exploit. In this particular case, the smartphone would search for WiFi access points and when it found one, it would automatically connect, Artenstein explained.

The second characteristic is that the bug must not depend on complex assumptions about the target’s state, because a wrong assumption could crash the target and give the exploit away. “We wanted to find a bug that had static, consistent memory, if possible,” Artenstein recalled.

And the third characteristic that’s needed for a remote exploit is that its code could be cleaned up after the payload is installed to reduce the chance of it crashing or failing.

In this particular case, the security researcher searched for a location in the chipset where he could write large quantities of data for the payload, and he found that in the packet ring buffer.

With all the elements in place, Artenstein created an exploit that had the ability to be remotely launched without user interaction and could self-propagate, like a worm. Broadcom was informed of his discovery and patched the problem last month.

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET’s …

Article source: https://www.darkreading.com/threat-intelligence/broadcom-chipset-bug-in-android-ios-smartphones-allows-remote-attack/d/d-id/1329482?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Researchers Release Free Tool to Analyze ICS Malware

CrashOverride/Industroyer malware used against Ukraine’s power grid the inspiration for the reverse-engineering tool.

BLACK HAT USA – Las Vegas – The researchers who discovered the game-changing malware used against Ukraine’s power grid in 2016 that knocked out power for an hour in part of Kiev released a tool here this week for analyzing malicious code targeting industrial networks.

ESET researchers Robert Lipovsky and Anton Cherepanov wrote an IDAPython script for IDA Pro that allows researchers and security team members to reverse-engineer binaries that employ the OPC Data Access industrial communications protocol, namely the CrashOverride/Industroyer malware that turned out the lights in Kiev in 2016, as well as Havex, a remote access Trojan used for cyber espionage against industrial control system environments.

CrashOverride/Industroyer is the fourth publicly known piece of malware designed specifically to target ICS/SCADA: first was Stuxnet, then Havex, and BlackEnergy.

“If there are other future malware [families] like Industroyer or Havex, [investigators] will have an easier time” finding and analyzing them, Lipovsky says.

“This tool helps you understand what the threat was designed to do,” he says. Detection is important, he says, “but if you want to understand what the attackers are up to, you need to dig in deeply.”

Phil Neray, vice president of industrial security at CyberX, applauded Lipovsky and Cherepanov’s open-source tool. “ESET’s reverse-engineering tool is important because we have a big shortage of defenders with deep knowledge of ICS systems, and it helps automate and reduce time spent on critical reverse-engineering tasks such as figuring out if the industrial malware is focused only on reconnaissance — like Havex — or whether it was written to disrupt and destroy, like Industroyer/CrashOverride,” he says.

Industroyer/CrashOverride’s modular framework easily could be adapted to other industries, including pharmaceutical and chemicals, Neray notes.

Lipovsky and Cherepanov in June of this year discovered the CrashOverride/Industroyer malware framework, a sophisticated attack that they and researchers at Dragos say was the handiwork of a seasoned and well-resourced attacker, likely a nation-state. While neither firm will speculate who is behind the attack, the obvious culprit is Russia as part of its campaign against Ukraine, experts say.

The malware – which is actually a framework – includes a port scanner for recon of the network, and attack modules that take control of the ICS/SCADA devices.

Lipovsky says cyber espionage-type attacks or malware should be a red flag for an ICS/SCADA operator. “A lot of people are downplaying these sorts of things as ‘not an attack.’ Spying is an attack,” however, he says. “These things are detectable.”

The goal is to catch attackers before they burrow deeper. “What you’ll see before [a major attack] is probing. Probing may be more serious than you think,” says Stephen Cobb, senior security researcher at ESET.

Lipovsky announced the release of the tool during a session here at Black Hat yesterday, “Industroyer/Crashoverride: Zero Things Cool About a Threat Group Targeting the Power Grid.”

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/attacks-breaches/researchers-release-free-tool-to-analyze-ics-malware/d/d-id/1329484?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

The Lazy Habits of Phishing Attackers

Most hackers who phish accounts do little to hide their tracks or even mine all of the data they can from phished accounts, mostly because they can afford to be lazy.

The next time a crisis communication manager states that their organization suffered from a “highly sophisticated” attack, someone may want to cross-check that with how most attacks are actually carried out.

According to new research out this week, culled from an extensive honeypot operation, most attackers using phishing to initiate attacks are the opposite of sophisticated. They’re lax with their opsec: most don’t go through much effort at all to hide their attacks. Considering that some estimates peg 91% of all cyberattacks as starting with phishing emails, that tells you that the vast majority of attacks are noisy and very identifiable. Yet the bad guys still manage to do a ton of damage because the resistance they face is paper thin.

The recent report was released by researchers at Imperva, who maintained close to 90 personal accounts on various online and email services over the course of nine months. These “honey accounts” were planted with various traps within them to collect data about how long it took for attackers to exploit stolen passwords and compromise accounts, how and when attackers explored and collected data, and how attackers tried to muffle their malicious activity from detection by the account owner. 

“One of the more interesting areas of the research was uncovering which practices attackers used to cover their tracks, destroy evidence of their presence and activities in the account, and evade detection,” says Luda Lazar, security researcher for Imperva. “Our research also showed that not all attackers take equal care in covering their tracks. We were surprised to find that only 17% made any attempt to cover their tracks.”

For example, only 15% of attackers deleted sign-in alerts from the inbox and just 13% deleted sent emails and failure notification messages. And a measly 2% went through the trouble to permanently delete sign-in alerts.

What’s more, attackers frequently take their sweet time taking advantage of stolen login credentials. Over half of attackers in this experiment took 24 hours or more to access honey accounts after the credential theft. Additionally, nearly three-quarters of attackers explore account content manually rather than through automated tools. 

The lesson here is that most of these attacks leave tons of evidence behind, giving users and defenders alike a chance to detect an intrusion well before the bad guys have owned the account for the months-long period that is today’s average industry dwell time. What’s more, there is a workable window between credential theft and account takeover in which it is possible to mitigate the attack before it even starts to sink its fangs into systems.

Unfortunately, statistics indicate that phishing continues to flourish worldwide. According to a report out last week from Kaspersky Lab, in Q1 of 2017 alone, the company blocked over 51 million attempts by users to open a phishing page.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Article source: https://www.darkreading.com/endpoint/the-lazy-habits-of-phishing-attackers/d/d-id/1329485?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Don’t want your SMSs stolen? Don’t download these Android apps

Thanks to Rowland Yu of SophosLabs for his behind-the-scenes work on this article.

It’s normal for Android apps to download plugins. The main application might just be a “view folder” while plugins provide much of the functionality. It’s not so normal when one of those plugins tries to steal your SMS messages.

SophosLabs has discovered two apps on Google Play with plugins that do just that. Both are from a developer named New.App. The apps have been on Google Play since May and have attracted between 100,000 and 500,000 downloads so far. Labs has detected the threat as Andr/SpyAgnt-X.

One app is billed as an app store shortcut feature, while the other is for “Skin Care Magazine”.

When the apps start, they launch a new process in the class adb.core.Mgr to download an additional plugin called abs.plugin.as.jar from the remote website hxxp://45.79.83.140/plugin/10/abs.plugin.as.jar.

The malicious .jar payload first checks whether the device’s Android (SDK) version is between 4.2 and 4.4. If so, it requests the SMS permission, reads all messages in the SMS inbox and uploads them to remote websites.

There are thousands of different plugins in the wild. Some of them are embedded in apps while others are downloaded dynamically at runtime, which means that distinguishing malicious plugins from benign ones will be challenging work.

SophosLabs believes we’ll be seeing more of these malicious plugins.

Defensive measures

As we mentioned above, SophosLabs has identified and protected Sophos users against the malicious plugins.

Our advice: if you see these apps in Google Play, don’t download them. We’ll continue working with Google to get them removed.

The continued onslaught of malicious Android apps demonstrates the need to use an Android antivirus such as our free Sophos Mobile Security for Android.

By blocking the install of malicious and unwanted apps, even if they come from Google Play, you can spare yourself lots of trouble.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/bwbuuNO2fMw/

News in brief: US indicts Russian BTC-e ‘mastermind’; Blu still phoning home; bug bounty offers $250k

Your daily round-up of some of the other stories in the news

Russian man charged with laundering $4bn via BTC-e

A Russian man arrested in Greece has been indicted by a grand jury in California on 17 counts of laundering up to $4bn via the BTC-e Bitcoin exchange.

Alexander Vinnik, 37, is alleged to have been a central figure in BTC-e, a favourite exchange of the criminals who have apparently used it to process up to 95% of all ransomware payments, according to research by Google published earlier this week. US officials said on Wednesday that “BTC-e was noted for its role in numerous ransomware and other cybercriminal activity; its takedown is a significant accomplishment and should serve as a reminder of our global reach in combating transnational cybercrime.”

The Department of Justice alleges that Vinnik was “the owner and operator of multiple BTC-e accounts, including administrator accounts, and also a primary beneficial owner of BTC-e’s managing shell company”, and added that “numerous withdrawals from BTC-e administrator accounts went directly to Vinnik’s personal bank accounts”.

Vinnik is also alleged to have received funds from the hack of Mt. Gox, the Bitcoin exchange that collapsed in 2014. Says the Department of Justice: “Vinnik [allegedly] obtained funds from the hack of Mt. Gox and laundered those funds through various online exchanges, including his own BTC-e … by moving funds through BTC-e, Vinnik sought to conceal and disguise his connection with the proceeds from the hacking of Mt. Gox.”

Blu devices still phoning home

Remember the Blu phones that we reported last year were phoning home thanks to a backdoor and shipping your text messages and call logs every 72 hours back to base in China?

At the time, Shanghai Adups Technology, which makes the software, said it was “a mistake” and the devices with this backdoor installed weren’t meant for the US market.

Eight months later, they haven’t rectified that “mistake”, according to researchers at Kryptowire, which found the backdoor last year.

Speaking at Black Hat in Las Vegas, researcher Ryan Johnson said that the backdoor is still in place and the company is being even more secretive about it. “They replaced them with nicer versions. I have captured the network traffic of them using the command and control channel when they did it.”

Adups said that the issues were resolved last year and that the issues “are not existing any more”.

Microsoft offers bug payouts of $250,000

Bughunters, it’s time to turn your attention to Microsoft: the Redmond giant has just announced its bounty program and payments could be up to $250,000 if you find a serious vulnerability in Microsoft’s Hyper-V.

Previous bug bounty programs from Microsoft only focused on specific areas chosen by the company, but the latest program extends it to the whole platform, with increased payments to get white hats to focus on its preferred areas – hence the potentially chunky payment if you spot a bug in Hyper-V.

Announcing the program on Wednesday, Microsoft said in a blog post: “Security is always changing and we prioritize different types of vulnerabilities at different points in time. Microsoft strongly believes in the value of the bug bounties, and we trust that it serves to enhance our security capabilities.”

As well as Hyper-V, Microsoft is encouraging bug-hunters to focus on Mitigation Bypass and Bounty for Defense Terms, with payments for vulnerabilities there rising to $200,000.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/pAM11dWREPc/