STE WILLIAMS

For better machine-based malware analysis, add a slice of LIME

When built right, deep learning models are hugely effective malware and malicious web page detectors.

But there’s a problem: they almost never provide useful information about why they think a particular web page or application is rotten. They just spit out one number that basically says how likely the model thinks the sample is to be malicious. It’s a “black box” where the sample goes in, magic happens, and a classification comes out.

It’s all well and good for security shops that need to spot and stop danger in a hurry without having to think much about it. But if you’re a security researcher, you need to answer the why question to build better defenses down the road.

The good news is that tools to get there exist. At BSidesLV on Tuesday, Sophos principal data scientist Richard Harang focused on one of them – Local Interpretable Model-Agnostic Explanations (LIME).

LIME was developed by researchers Marco Tulio Ribeiro, Sameer Singh and Carlos Guestrin at the University of Washington as a technique to explain how deep learning models make decisions about what’s safe or sinister.

The machine learning movement

A lot of security experts tout machine learning as the next step in anti-malware technology. Indeed, Sophos’ acquisition of Invincea earlier this year was designed to bring machine learning into the fold.

Machine learning is considered a more efficient way to stop malware in its tracks before it becomes a problem for the end user. Some of the high points:

  • Deep learning neural network models lead to better detection and lower false positives.
  • It roots out code that shares common characteristics with known malware, but whose similarities often escape human analysis.
  • Behavioral-based detections provide extensive coverage of the tactics and techniques employed by advanced adversaries.

The ‘why’ problem

As great as that sounds, no technology is perfect. When it comes to machine learning, data scientists want a better explanation of why something is labeled malicious. Harang said:

The generic black-box nature of these classifiers makes it difficult to evaluate their results, diagnose model failures, or effectively incorporate existing knowledge into them. A single numerical output – either a binary label or a ‘maliciousness’ score – for some artifact doesn’t offer any insight as to what might be malicious about that artifact, or offer any starting point for further analysis.

This is a problem, he said, because:

  • If you’re an analyst whose job it is to say, “well, we can tell this executable is an example of ransomware because of X, Y, and Z,” deep learning models really don’t help you do your job, since all you can do is say “it’s probably malicious” without any sort of supporting evidence.
  • Without supporting evidence, it’s hard to troubleshoot a deep learning model. If it suddenly starts giving us bad answers on some samples, it can be very hard to figure out why it’s doing it and how to fix it.

Enter LIME

In his talk, Harang explained how LIME can be adapted to take the analysis a step further than simply identifying features of the document that are critical to performance of the model (as in the original work). Analysts can also use it to identify key components of the document that the model “thinks” are likely to contain malicious elements.

By making some modifications to the LIME technique, researchers can figure out what kinds of patterns a model has extracted from the data, which can help improve the overall model, troubleshoot any mistakes it makes, and maybe even find and fix mistakes before they happen, Harang said.

LIME has what are called Human Interpretable Features (HIFs). Each class of HIFs acts as a kind of lens through which researchers can analyze a file, allowing them to examine how specific features, such as scripts, hyperlinks, or even just particular pieces of the file, might impact its classification.

Other points:

  1. Given a 120KB HTML document, LIME can narrow it down to the salient bits quickly and efficiently.
  2. Even when documents are not classified by the model as malicious, you can often identify key elements that look suspicious.
  3. By looking at different HIFs and their success in analyzing a document, you can examine what kinds of features the model has learned from the data.
  4. By moving HIFs to another sample and looking at their impact, you can evaluate the contextual sensitivity of features.
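To make the perturb-and-fit idea behind LIME concrete, here is an added Python example. It is not Harang’s code and not the LIME authors’ library: it implements the core recipe from scratch (remove random subsets of one HIF class, query the black box, fit a locally weighted linear model) so that the coefficients can be read as per-HIF contributions. Everything in it is assumed or constructed: the `SAMPLE_HTML` document, the hand-written `toy_black_box` that stands in for a deep learning model, and the two regex-defined HIF classes (`script`, `hyperlink`). It also goes slightly beyond the text by including the transplant check from point 4 (`transplant_delta`), which moves one HIF into a second document and reports the change in score.

```python
import math
import random
import re

# Constructed sample: a small HTML document with two scripts and two links.
SAMPLE_HTML = """<html><head><title>Invoice</title></head><body>
<p>Please review the attached invoice.</p>
<a href="https://example.com/invoice">Download</a>
<script>var s=unescape("%75%72%6c");document.write(s);</script>
<a href="https://example.com/contact">Contact us</a>
<script>console.log("analytics");</script>
</body></html>"""

# Each HIF class is a regex that carves the document into human-readable pieces.
HIF_PATTERNS = {
    "script": re.compile(r"<script\b.*?</script>", re.S | re.I),
    "hyperlink": re.compile(r"<a\b[^>]*>.*?</a>", re.S | re.I),
}


def extract_hifs(html, hif_class):
    """Return (start, end, text) spans for every HIF of the given class."""
    return [(m.start(), m.end(), m.group(0))
            for m in HIF_PATTERNS[hif_class].finditer(html)]


def mask_document(html, spans, keep):
    """Rebuild the document, dropping every span whose keep flag is False."""
    out, pos = [], 0
    for (start, end, _), kept in zip(spans, keep):
        out.append(html[pos:start])
        if kept:
            out.append(html[start:end])
        pos = end
    out.append(html[pos:])
    return "".join(out)


def toy_black_box(html):
    """Hypothetical stand-in for the deep learning model (constructed). Like the
    real thing it only returns a maliciousness score in [0, 1], nothing more."""
    score = 0.05
    if re.search(r"unescape\s*\(", html):
        score += 0.6
    if re.search(r"document\.write", html):
        score += 0.2
    score += 0.02 * len(re.findall(r"<a\b", html, re.I))
    return min(score, 1.0)


def solve_linear(a, b):
    """Gauss-Jordan elimination with partial pivoting for a small dense system."""
    n = len(a)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[pivot] = m[pivot], m[col]
        for row in range(n):
            if row != col:
                f = m[row][col] / m[col][col]
                for j in range(col, n + 1):
                    m[row][j] -= f * m[col][j]
    return [m[i][n] / m[i][i] for i in range(n)]


def explain(html, hif_class, model, n_samples=200, seed=0, width=0.75, ridge=1e-3):
    """LIME over one HIF class: remove random subsets of HIFs, query the black
    box on each perturbed document, and fit a locally weighted linear model
    whose coefficient for each HIF says how much it moves the score."""
    spans = extract_hifs(html, hif_class)
    k = len(spans)
    if k == 0:
        return []
    rng = random.Random(seed)
    xtwx = [[0.0] * (k + 1) for _ in range(k + 1)]
    xtwy = [0.0] * (k + 1)
    for _ in range(n_samples):
        keep = [rng.random() < 0.5 for _ in range(k)]
        x = [1.0] + [1.0 if kept else 0.0 for kept in keep]
        y = model(mask_document(html, spans, keep))
        # Exponential kernel: perturbations close to the original weigh more.
        distance = sum(1 for kept in keep if not kept) / k
        w = math.exp(-(distance ** 2) / (width ** 2))
        for i in range(k + 1):
            xtwy[i] += w * x[i] * y
            for j in range(k + 1):
                xtwx[i][j] += w * x[i] * x[j]
    for i in range(k + 1):  # small ridge term keeps the system well conditioned
        xtwx[i][i] += ridge
    beta = solve_linear(xtwx, xtwy)
    # Drop the intercept; pair each HIF's text with its fitted weight.
    return [(beta[i + 1], spans[i][2]) for i in range(k)]


def rank_hifs(html, hif_class, model):
    """HIFs sorted from most to least incriminating, as an analyst would read them."""
    return sorted(explain(html, hif_class, model), key=lambda t: -t[0])


def transplant_delta(hif_text, target_html, model):
    """Move one HIF into another document and report how the score changes,
    probing whether the feature is malicious on its own or only in context."""
    if "</body>" in target_html:
        moved = target_html.replace("</body>", hif_text + "</body>", 1)
    else:
        moved = target_html + hif_text
    return model(moved) - model(target_html)


if __name__ == "__main__":
    for weight, text in rank_hifs(SAMPLE_HTML, "script", toy_black_box):
        print(f"{weight:+.3f}  {text[:60]}")
```

Run against the constructed document, the obfuscated `unescape`/`document.write` script comes out with a weight near +0.8 while the analytics script sits near zero, and switching the lens to `hyperlink` shows each link contributing only about 0.02. Because the stand-in model happens to be exactly additive in these features the fit is exact; with a real deep learning model the coefficients are only a local approximation, which is why the kernel width and the number of samples matter and why transplanting a HIF into a second document is a useful cross-check.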

As Harang noted in his slides, “complex models are complex”. This makes it hard – but not impossible – to extract the right insight.

LIME is a good, general-purpose tool to do it. With some tweaks, LIME can turn a deep learning model into a useful tool for analysis of artifacts, highlighting potential sections of interest, he said.

By applying LIME across a range of documents and HIFs, he added, one can better understand the strengths and weaknesses of a model and biases in data, and use that fresh knowledge to make your deep learning model more effective going forward.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Uf4lndlG5oA/

Mozilla wants to hear your voice – but should you keep quiet?

Is voice recognition technology really something we want the open-source community to break loose from the big corporations that have developed it and held it tight? Is it technology we want to see used far and wide?

That’s certainly what Mozilla, the organization behind the Firefox browser, wants. It’s building a massive repertory of voice samples, crowdsourcing 10,000 hours of audio so anyone and everyone can use it to train and build voice apps.

The project is called Common Voice. Mozilla says the purpose behind the project is to open up voice recognition technology to those outside large corporations such as Google, Apple and Amazon – a situation that it says is stifling innovation. To make voice recognition available to everyone, it’s asking for people to donate their voice samples, to give developers a rich set of accents and intonations to work from.

You can help by donating your voice or validating others’ voice donations. You can do so on the Common Voice page on your PC or you can download the dedicated iOS app on iTunes. You’ll be asked to read a few sentences aloud, which will be saved into the system.

But should you?

Voice is, after all, a biometric identifier. Yes, it can alter when we have a cold or a sore throat, when we age, or if we undergo gender reassignment. But voice recognition technology has grown sophisticated enough to see through such alterations and still discern identity, with some authentication technologies capable of analyzing more than 100 voiceprint characteristics based on the physical configuration of a speaker’s mouth and throat.

In other words, voice is a more or less unalterable biometric, like our fingerprints or irises.

As such, what happens when and if our voiceprints are compromised? It’s worth considering the ramifications, given that use of voice as a form of secure ID is becoming more widespread. For example, Barclays announced last year that it’s using the technology for telephone banking, and Santander followed suit in February.

But while it’s worth contemplating how our privacy may be affected by sharing our unique voiceprint biometrics with Mozilla’s Common Voice, which will then be made available to developers, it turns out that it’s possible to share voice recordings without giving out other personal information.

According to the Common Voice privacy notice, while sending demographic information such as your accent, age and gender helps researchers improve and create speech-to-text technology and tools, it’s an optional step. So is using an email address to create an account.

That’s a relief. We’ve had plenty of frightfests over voice recognition as it is, thank you very much – the internet-enabled, speech-recognizing, joke-telling, surveillance-ready Hello Barbie springs to mind.

Or Cayla, the doll that used speech recognition and Google translation tools and could be made to say any creepy thing a nearby Bluetooth connection fed to it. Germany’s telecoms watchdog’s take on it: Cayla is an “illegal espionage apparatus”.

Here’s hoping that Mozilla’s project won’t lead to anything as voiceprintishly creepy as that. The lack of requirements to provide personal data associated with the donated voiceprints is a good sign that it won’t.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/IV54Sp5-Pfs/

News in brief: finally, a farewell to Flash; Paint lives on; young cybercriminals sent to rehab

Your daily round-up of some of the other stories in the news

Adobe calls time on Flash

How many times over the years have you cursed Adobe Flash for hammering battery life and for being a vector for malware? Curse no more, for Flash is finally reaching the end of the road – although it’s going to be with us for a couple of years yet.

Adobe said on Tuesday that it was working with big technology partners including Apple, Facebook, Google, Microsoft and Mozilla to put Flash out of its – and our – misery. “Specifically, we will stop updating and distributing the Flash Player at the end of 2020 and encourage content creators to migrate any existing Flash content to these new open formats,” Adobe said in a blog post.

But wait – 2020? That’s three years away. Why not put Flash out of its misery now? As with any technology, other people build their products and services around it and need time to phase it out, as Adobe points out: “Adobe will continue to support Flash on a number of major OSs and browsers that currently support Flash content through the planned EOL [end of life]. This will include issuing regular security patches, maintaining OS and browser compatibility and adding features and capabilities as needed.”

So not gone yet – but if you’re a content creator or make anything that relies on Flash, now’s the time to start to say goodbye.

Microsoft Paint lives on

Meanwhile, if parting is such sweet sorrow, one goodbye seems to have been premature. Yesterday we reported on the apparent demise of Microsoft’s venerable Paint program, which appeared on a list of products that the Redmond giant was planning to deprecate in the next big update to Windows 10, which is due in the autumn.

After Microsoft’s announcement, fans of the app, which has been part of Windows since 1985, before some of its fans were born, took to the web to proclaim their love for it, with the BBC, among others, showcasing the work of Paint artists – and Microsoft has listened.

In a blog post published on Monday, Microsoft said it was “amazing to see so much love for our trusty app”, and said that amid the “incredible outpouring of support and nostalgia”, it wanted to take the opportunity to set the record straight.

Paint isn’t being killed off after all: it “will just have a new home soon, in the Windows Store, where it will be available for free”.

Cybercriminals sent to rehab

Young cybercriminals in the UK could be sent to a rehab camp to deter them from further crime and help them harness their skills and put them to good use.

The National Crime Agency held a pilot weekend rehab camp in Bristol earlier this month for offenders, the BBC reported on Tuesday, where the young attendees were taught about responsible use of their skills and were given advice about careers in cybersecurity.

The seven who went to the camp had been caught and either arrested or warned about their activities, which had included defacing websites, taking down servers and hacking into networks.

One of the young men who attended the two-day rehab camp told the BBC: “Now I know cybersecurity exists it sounds like it would be something I really, really want to go into. You get the same rush, the same excitement, but you are using it for fun still, but it is legal and you get paid. So it’s every kind of benefit.”



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/SY_x9r0_7Yg/

ALIS in Blunderland: Lockheed says F-35 Block 3F software to be done by year’s end

F-35 software development will be finished by the end of this year, Lockheed Martin has said – which contradicts the view of various American government audit agencies.

“We are well positioned to complete air vehicle full 3F and mission systems software development by the end of 2017,” said exec veep Jeff Babione, in a statement announcing that the fleet has passed its 100,000th flying hour.

The supersonic fighter jet’s onboard software will eventually be running Block 3F, the final revision as referred to by Babione. Ground operations will be supported by the Autonomous Logistics Information System (ALIS) suite, which was stuck on version 2.0.1.3 at the beginning of this year thanks to delays in rolling out a newer version.

Meanwhile, the Pentagon’s director of operational test and evaluation told a US Congress committee earlier this year that the aircraft won’t be ready before 2019, mentioning 158 “Category 1” software flaws that could cause death, severe injury or illness unless fixed.

The USAF hit back at these reports, announcing in May that Block 3F would be ready by “September or October” this year. Block 4 is said to be already in development, in spite of the delays to Block 3F. New software “drops” will be rolled out about every two years, with Block 4 scheduled for the beginning of the 2020s.

United Press International also took a closer look at the Block 3F aircraft software release, citing a US Government Accountability Office report from last year. “Using historical data of delays over the course of the program, GAO estimates that the Block 3F software package might need until May 2018 to finish SDD, as opposed to the program office’s projection of Oct 2017 to the end of the year,” reported the site.

The Times reported earlier this month that the cost of UK F-35Bs had increased amid various problems with the jets and the aircraft carriers that will host them in UK service, although informed defence sources immediately cast doubt on the accuracy of the paper’s reporting. Among other things it linked poor “broadband” speeds available to the warships’ crews with the effectiveness of air-to-ship communications links, as well as describing the NATO Link 16 encrypted communications standard as an “unsecured wavelength”.

The paper also pegged the cost of each aircraft at around £198m, though post-publication commentary appeared to suggest that the newspaper had included the through-life costs of each aircraft (i.e. spare parts, software upgrades, fuel, etc). The majority of public cost estimates are done on an “upfront” basis and do not include projected spares packages and the like.

Delays and cost overruns have been a frequent feature of the F-35 saga. Given the sheer quantity of software in not only the aircraft but its ALIS logistics suite too, it should be no surprise that costs have spiralled and unforeseen delays reared their heads. After all, since when did any Big Government IT Project run on time and within budget? ®

Bootnote

All credit to Inventor of the Marmite Laser for inspiring the headline.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/07/25/f35_software_block_3f_complete_end_2017_says_lockheed/

Adobe will kill Flash by 2020: No more updates, support, tears, pain…

Adobe has officially set a kill date for its beleaguered Flash.

The Photoshop giant said today it plans to end support for the hacker-prone multimedia browser plugin by the end of 2020. This means no more updates for Flash Player after that date and the end of support on many browsers, including Chrome, Internet Explorer and Edge, and Firefox.

Facebook also says it will shut off Flash games by the end of 2020, and is advising developers to change their FB games over to a different format.

“Where we’ve seen a need to push content and interactivity forward, we’ve innovated to meet those needs. Where a format didn’t exist, we invented one – such as with Flash and Shockwave,” said a spokesperson for Adobe, which didn’t actually invent either format.

“And over time, as the web evolved, these new formats were adopted by the community, in some cases formed the basis for open standards, and became an essential part of the web.”

Programmers, designers and companies whose websites still rely on Flash (Google estimates that is about 17 per cent of all sites) are being encouraged to start planning now to transition to a more modern format, such as HTML5 and WebGL, though they probably should have done that already.

The announcement will be welcome news for security professionals and administrators, as it is one less attack vector to worry about. The notoriously insecure Flash Player plugin has emerged in recent years as the favorite target for automated exploit kits due to both its prevalence and the large number of serious flaws lingering in the code.

In the meantime, however, it will be at least another three-plus years of dutifully patching Flash Player every month and advising users to either disable or at least make Flash content click-to-play in their browser settings. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/07/25/flash_nahuh_internets_screen_door_gone_for_good_by_2020/

Ransomware as a service: how the bad guys marketed Philadelphia

Ransomware as a service (RaaS) has been around for a while. But it has typically been found on the dark web. In recent months, its creators have grown more brazen about promoting it on the open web, and that has the potential to change everything.

Few RaaS kits exemplify this the way Philadelphia does.

At Black Hat 2017 this morning, Sophos released an in-depth report on the subject, Ransomware as a Service (Raas): Deconstructing Philadelphia, written by Dorka Palotay, a threat researcher based in SophosLabs’ Budapest, Hungary, office. It delves into the inner mechanics of a ransomware kit anyone can buy for $400. Once purchased, the bad guys can hijack and hold computer data for ransom in exchange for payment.

Out in the open

The RaaS kit’s creators – The Rainmakers Labs – run their business the same way a legitimate software company does to sell its products and services.

While it sells Philadelphia on marketplaces hidden on the dark web, it hosts a production-quality “intro” video on YouTube, explaining the nuts and bolts of the kit and how to customize the ransomware with a range of feature options.

A detailed Help Guide, walking customers through set-up, is also available on a .com website.

Their first RaaS product was Stampado, which they started to sell last summer for only $39. Based on their experiences by the end of 2016, they developed a much more sophisticated piece of ransomware called Philadelphia, which they currently sell for $389 on their website.

Customers include an Austrian teenager police arrested in April for infecting a local company. In that case, the alleged hacker had locked the company’s servers and production database, then demanded $400 to unlock them. The victim refused, since it was able to retrieve the data from backups.

While ransomware-as-a-service is not new, the glossy, overt marketing of a do-it-yourself ransomware attack is. Palotay said:

It’s surprisingly sophisticated what The Rainmakers Labs is trying to do here. Details about Philadelphia are out in the open on the world wide web as opposed to underground and secretive on the dark web, which is where most other ransomware kits are marketed. You don’t need a Tor browser to find Philadelphia, and the fact that it’s brazenly peddled is sobering and, unfortunately, indicative of what’s to come.

Sophos global security research head James Lyne agreed:

Philadelphia exemplifies the common marketing strategies and features that are making RaaS so popular. By combining the practices of the legitimate software industry, such as documentation, regular feature updates and friendly user interfaces, RaaS services have made it far more viable for those with intent but not technical skill to execute relatively high-quality attack campaigns.

Defensive measures

For best practices against all types of ransomware, Sophos recommends:

  • Back up regularly and keep a recent backup copy off-site. There are dozens of ways other than ransomware that files can suddenly vanish, such as fire, flood, theft, a dropped laptop or even an accidental delete. Encrypt your backup and you won’t have to worry about the backup device falling into the wrong hands.
  • Don’t enable macros in document attachments received via email. Microsoft deliberately turned off auto-execution of macros by default many years ago as a security measure. A lot of malware infections rely on persuading you to turn macros back on, so don’t do it!
  • Be cautious about unsolicited attachments. The crooks are relying on the dilemma that you shouldn’t open a document until you are sure it’s one you want, but you can’t tell if it’s one you want until you open it. If in doubt, leave it out.
  • Patch early, patch often. Malware that doesn’t come in via document macros often relies on security bugs in popular applications, including Office, your browser, Flash and more. The sooner you patch, the fewer open holes remain for the crooks to exploit. In the case of this attack, users want to be sure they are using the most updated versions of PDF and Word.
  • Use Sophos Intercept X, which stops ransomware in its tracks by blocking the unauthorized encryption of files.
  • Try Sophos Home for Windows and Mac for free with family and friends.
  • Check out our webcast on RaaS, scheduled for August 23.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/IVAjR8UUDEQ/


US government email still not using a key security tool to protect users

US government cybersecurity apparently doesn’t include email security.

High-profile declarations and executive orders from both former US President Barack Obama and his successor, President Donald Trump, list cybersecurity as a “top priority”. But that hasn’t yet been applied to one of the biggest, most vulnerable attack surfaces in any organization.

A recent open letter from Sen. Ron Wyden (D-Ore.) to the Department of Homeland Security (DHS) notes that most federal departments aren’t using an email security protocol that has been around for the past five years.

Wyden, in a July 18 letter, asked the agency to “take immediate steps” to mandate that all federal agencies implement DMARC (Domain-based Message Authentication, Reporting and Conformance), an email authentication, policy, and reporting protocol launched in 2012 that helps prevent email domain spoofing.

This wasn’t his first request. In an earlier letter this past April to the commissioner of the Internal Revenue Service (IRS), Wyden complained that the agency had only partially enabled DMARC – to protect itself, but not taxpayers.

The IRS, he wrote, had configured DMARC “in a less restrictive mode. As a result, the IRS receives automatic alerts when the organization is impersonated by fraudsters, but unsuspecting taxpayers are not warned or automatically protected.”

According to Wyden, the only federal agencies so far that have enabled it are the National Institute for Standards and Technology (NIST), the Federal Trade Commission (FTC), Federal Deposit Insurance Corporation (FDIC) and Social Security Administration (SSA).

Wyden wrote: “Industry standard technologies exist, and are already used throughout the private sector and even by a few federal agencies, which, if enabled, would make it significantly harder for fraudsters and foreign governments to impersonate federal agencies.”

Wyden went on to add that it would, “prevent fraudsters from being able to send emails that purport to come from .gov domains”.

“Prevent” might be promising too much. While the launch of DMARC had the backing of internet giants like Google, Microsoft, PayPal, Facebook, LinkedIn and Comcast, and generated breathless headlines about the elimination of phishing emails, that obviously has not happened – something Naked Security’s Paul Ducklin predicted at the time.

But, if used as instructed, which requires it to be built on a foundation of “the basics” – the email security tools DomainKeys Identified Mail (DKIM) and the Sender Policy Framework (SPF) – DMARC does indeed make spoofing emails “significantly harder”.

As Naked Security’s John Dunn put it recently:

For the first time, organisations using DKIM and SPF could add a policy to their DNS records that told others how to treat email failing their security criteria. Importantly, it provided a feedback mechanism for recipients to tell senders what was being received in their name, essential for domain owners that wanted to gain intelligence on email spoofing.

And while the phishing industry is endlessly adaptable – Dunn also wrote that “phishing criminals have evolved to exploit a broader set of weaknesses in email, especially mobile clients” – the evidence strongly suggests that DMARC would keep government email systems out of the “low-hanging fruit” category.
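The difference between the IRS’s “less restrictive mode” and a protective deployment comes down to a few tags in the DNS record Dunn describes, and to whether a message’s SPF or DKIM result is aligned with the domain in the From: header. The following Python example is added here to show that evaluation end to end; it is not code from Naked Security, the IRS, or any DMARC vendor. The two records (`MONITOR_ONLY`, `ENFORCING`) and the domain `agency.example` are constructed, `organizational_domain` uses a deliberate simplification (last two labels instead of the Public Suffix List), and the tag names (`v`, `p`, `adkim`, `aspf`, `rua`) are the standard ones from RFC 7489.

```python
# Constructed DMARC records for a hypothetical domain, agency.example. A real
# record is published as a DNS TXT record at _dmarc.<domain>; the strings below
# stand in for what such a lookup would return.
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc-reports@agency.example"
ENFORCING = "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc-reports@agency.example"


def parse_dmarc_record(txt):
    """Split a DMARC TXT record into its tag/value pairs (tags per RFC 7489)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("p", "none")
    tags.setdefault("adkim", "r")  # relaxed alignment is the default for both
    tags.setdefault("aspf", "r")
    return tags


def organizational_domain(domain):
    """Simplification: keep the last two labels. Real validators consult the
    Public Suffix List so that e.g. something.gov.uk is handled correctly."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_from_domain, authenticated_domain, mode):
    """Identifier alignment: strict (s) needs an exact match, relaxed (r) only
    needs both domains to share an organizational domain."""
    a, b = header_from_domain.lower(), authenticated_domain.lower()
    if mode == "s":
        return a == b
    return organizational_domain(a) == organizational_domain(b)


def evaluate_dmarc(record_txt, from_domain, spf_result, spf_domain,
                   dkim_result, dkim_domain):
    """Return (dmarc_pass, disposition, reporting) for one message.

    spf_domain is the domain SPF was checked against (envelope MAIL FROM);
    dkim_domain is the d= tag of a signature that verified."""
    tags = parse_dmarc_record(record_txt)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags["adkim"])
    passed = spf_ok or dkim_ok
    reporting = ("aggregate reports to " + tags["rua"]) if "rua" in tags else "no reporting"
    if passed:
        return True, "deliver", reporting
    # Failing mail is handled according to p=. p=none is the "less restrictive
    # mode": the domain owner still gets reports, but recipients get no
    # protection. (Simplification: an unknown p value is treated as none.)
    disposition = {"none": "deliver", "quarantine": "quarantine",
                   "reject": "reject"}.get(tags["p"], "deliver")
    return False, disposition, reporting


if __name__ == "__main__":
    # Constructed spoof: From: claims agency.example, but SPF only passed for the
    # sender's own bulk mailer and the message carries no DKIM signature.
    for record in (MONITOR_ONLY, ENFORCING):
        print(evaluate_dmarc(record, "agency.example", "pass",
                             "bulk-mailer.example", "none", ""))
```

The constructed spoofed message is delivered under `p=none` (the domain owner merely learns about it from the aggregate report) and rejected under `p=reject`; a legitimate message signed with `d=mail.agency.example` passes under relaxed alignment but would fail under `adkim=s`, which is the kind of breakage that makes organisations start at `p=none` and tighten only once the reports show all their legitimate senders are aligned. To see what a real domain publishes, query `_dmarc.<domain>` for its TXT record (for example with `dig TXT _dmarc.example.com`) and feed the string to `parse_dmarc_record`.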

Wyden’s letter noted that since last year, when the UK required all government agencies to enable DMARC, the nation’s tax agency said, “it reduced the number of phishing emails purporting to come from that agency by a staggering 300 million messages in one year.”

And Brett McDowell, executive director of the FIDO Alliance and founding chairman of DMARC, said while the threat of phishing remains, when DMARC is implemented by both the sender and receiver, “it is 100% effective in shutting down the most dangerous vector” – the spoofing of domains.

“Finally, in the history of email, it’s a way to look at the address to see if it’s a legitimate domain – is it coming from [a company like] PayPal or not. It’s a huge enabler,” he said, adding that when properly implemented it is friction-free: “The user never sees it – never has to deal with it. Every domain you protect, you can block them all.”

He said the full implementation of DMARC by the Internal Revenue Service could prevent millions of bogus emails purporting to come from the agency around tax time.

In a 2013 tweet following news stories about it, he said, “Part of the reason bogus IRS e-mail continues […] is because the agency has not yet adopted […] DMARC.”

Wyden is not the first to urge adoption of DMARC. NIST did so last September, in its Special Publication 800-177, titled “Trustworthy Email”.

All of which raises the obvious question: why hasn’t this been in place across government agencies at all levels – not just federal – for several years?

Wyden’s office did not respond to requests for comment. But McDowell said while he has been shocked that the federal government hadn’t adopted DMARC years ago, and remains, “surprised that it took an elected official” to prod departments like DHS to mandate it, he is glad the matter is getting some attention.

“Hey, whatever it takes,” he said. “If things get more secure as a result, that’s what matters.”


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/dghiFDGuCOw/


Crappy hacker crew fingered for Bundestag snooping operation

Security researchers have lifted the lid on a new cyber-espionage crew that has targeted the German Bundestag and Turkish diplomats.

CopyKittens has attacked government, security and academic institutions, websites in Germany and Turkey, as well as United Nations employees and organisations in Saudi Arabia, Israel and Jordan for the last four years. Government institutions, defence companies, sub-contractors and large IT companies are among the most targeted organisations.

A study on the group co-authored by ClearSky, an Israeli cyber-intelligence firm, and Trend Micro reports how members of the German Bundestag were compromised by a watering hole-style attack run by the group. In another case, a malicious email was sent from a breached account of an employee in the Ministry of Foreign Affairs in the Turkish Republic of Northern Cyprus, trying to leverage trust in the supposed source of the email in a bid to infect multiple targets in other government organisations worldwide. In a different case, a document likely stolen from the Turkish Ministry of Foreign Affairs was used as a decoy.

Israeli embassies have been targeted by the group, as well as foreign embassies in Israel. Fake Facebook profiles (some active for years) have been used to spread malicious links and build trust with marks. Other tactics included breaching exposed webmail accounts.

The group has developed its own bespoke hacking tools. These include TDTESS backdoor; Vminst, a lateral movement tool; and NetSrv, a Cobalt Strike loader. The group also uses Matryoshka v1, a self-developed remote access trojan.

CopyKittens (AKA Rocket Kittens) also makes use of commercially available pen-testing tools such as Cobalt Strike and Metasploit.

“CopyKittens is very persistent, despite lacking technological sophistication and operational discipline,” according to ClearSky. “These characteristics, however, cause it to be relatively noisy, making it easy to find, monitor and apply counter measures relatively quickly.”

Previous studies on CopyKittens, like this one by CheckPoint, also accused the group of rubbish OpSec practices.

More on the latest CopyKittens research can be found here and here. Neither ClearSky nor Trend Micro speculates about the identity of CopyKittens but (based on the targets and social media shenanigans) Iran has to be a strong suspect. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/07/25/copykittens_hacking_crew/