STE WILLIAMS

Dutch Senate votes to grant intel agencies new surveillance powers

Plans by the Dutch government to increase surveillance powers are likely to face opposition from privacy activists.

A revamp of the country’s laws (in Dutch) was passed by the Senate on Wednesday, clearing the final legislative hurdle after years of debate and protest, Reuters reports.

The new Intelligence and Security Act gives police the ability to go after the relatives of suspected terrorists or other serious criminals instead of only specified individuals. The Act also grants Dutch intelligence agencies new surveillance powers such as data retention for three years by service providers and permission for intel agencies to share intelligence with their foreign counterparts (GCHQ, NSA, and so on).

Lawmakers argue the Act is necessary to combat increased terrorism and cyber threats. The authority of the Commission for the Supervision of Intelligence and Security Services (CTIVD) has been enhanced, giving it a role as a complaints body.

Interior minister Ronald Plasterk said (according to Google Translate): “Protecting national security and contributing to the international legal order, including, for example, protection against terrorism, the protection of high-tech business and government against cyber attacks, requires modernisation of the law.”

Security experts remain unconvinced, at best.

“It increases the intel agency’s ability to wiretap, to hack and to work with organisations to volunteer them information,” said Martijn Grooten, a security researcher and editor of industry journal Virus Bulletin. “Wiretapping can now be less targeted (think dragnet), hacking could also target close relations of targets. Voluntary informers could also be companies rather than individuals (e.g. ISPs giving easy access to data).”

The proposed increase in surveillance powers is counterbalanced by promises of better oversight. But these are unlikely to placate critics, such as online rights group Bits of Freedom.

“Some privacy organisations are against it and will take action” through lawsuits or other protests, according to Eddy Willems, a security evangelist at infosec firm G DATA.

Local reports (in Dutch) by rtlnieuws and national broadcaster NOS provide more information and background about the surveillance law changes. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/07/13/dutch_surveillance_law_revamp/

Cisco Plans to Buy Observable Networks for Cloud Security

Cisco announces plans to acquire Observable Networks as part of a plan to bring its Stealthwatch solution into the cloud.

Cisco today confirmed in a blog post that it plans to acquire Observable Networks, a St. Louis-based software firm focused on cloud-native network forensics security tools. The move is part of Cisco’s broader plan to transition to software-centric products.

Observable Networks’ tech is founded on behavioral modeling of all network devices. It’s designed to give analysts extended and detailed visibility of the users, traffic, and devices on a network, both in the cloud and the data center.

Cisco plans to leverage this acquisition to bring its Stealthwatch network security tool to the cloud with behavioral analytics and more visibility. The deal is expected to close in fiscal Q1 2018; financial terms were not disclosed.


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/cloud/cisco-plans-to-buy-observable-networks-for-cloud-security/d/d-id/1329347?_mc=RSS_DR_EDT

Flight Centre leaks fliers’ passport details to ‘potential suppliers’

Human error at travel company Flight Centre has resulted in a leak of personal information, including data of customers’ passports.

“Personal information relating to some leisure customers in Australia was accidentally made available to a small number of potential third party suppliers for a short period of time,” a spokesperson told Vulture South, attributing the situation to “human error, not by a system or security failure”.

“When we became aware of the issue, we acted quickly and contained the information,” the spokesperson added. “We also sought and received assurances from the suppliers that they did not retain copies.”

The spokesperson added that the company believes “the risk that this information will be misused is relatively low given the circumstances”.

Pressed on how it reached that conclusion, the spokesperson had this to say:

There are a few reasons why we believe the risk is relatively low. Firstly, the suppliers involved were looking to develop products for us and to establish longer term relationships (they still are). Secondly, we noticed our error fairly quickly. Thirdly, we were engaging with these potential suppliers via a formal process, so they were familiar to us.

The Register asked the company how many records were misplaced. In response to that request Flight Centre’s spokesperson said “I don’t really want to get into ongoing QA.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/07/13/flight_centre_data_breach/

AGFEO smart home controllers need patching

Smart-home controllers from German company AGFEO have adopted best-practice Internet of Things security by offering an unsecured Web admin interface.

The now-patched attack vectors included unauthenticated access to some services, authentication bypass, cross-site scripting (XSS) vulns, and hard-coded cryptographic keys.

The bugs were discovered by SEC Consult, and landed on Full Disclosure after the vendor finally released an update.

The AGFEO ES 5xx and 6xx firmware has three certificates with their associated private keys, which would ultimately let an attacker get administrative credentials and do as they pleased.

Why they’d work so hard, however, is a mystery, because you don’t need credentials to p0wn the kit: the developers made a debugger Web service in the ES 5xx range, and forgot to remove it when the products shipped.

The advisory says the Web service is “accessible from an unusual port” (“They’ll never think a Web service isn’t running on port 80 will they!”), and it runs with root privileges. There’s also a handy script to read files, meaning “all files on the operating system” are visible.

The configuration ports (TCP 19002, 19004, 19006, 19009, 19010, 19080, and 19081) are also wide open: “Multiple different instances of TCP services are present on the device”, the note says, all of which are forked from the debug/config service, letting attackers read device information and change configuration.

Because user names and passwords are stored in an SQLite database, the pwnage also lets an attacker dump credentials for all users.

After being notified in January, AGFEO posted new firmware on June 30. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/07/13/agfeo_smart_home_controllers_need_patch/

If we could just get a word in Edgewise… New kid says it can do data center firewalls better

Edgewise Networks launched on Wednesday with a project to reengineer the firewall and make it suitable for cloud-based environments by moving beyond traditional address-centric controls.

The US startup’s so-called Trusted Application Networking technology is designed to block the spread of network-borne threats by allowing only legit applications to communicate over approved network paths. This defense mechanism – which is aimed at data centers and cloud environments rather than enterprise LANs and WANs – looks beyond network addresses, instead validating the identity of applications, users, and hosts.

The name of the game is to safeguard critical cloud and data center apps rather than worry about controlling the flow of network traffic by port and destination, the traditional role of the firewall. Edgewise Networks claims it uses machine learning to model application communication patterns and generate protection policies for a business.

Chief exec Peter Smith told El Reg: “Edgewise Networks does not do deep packet inspection. We’re looking past the packet to identify software and connections.”

It’s hoped this will stop software nasties, such as the SMBv1-exploiting NotPetya, from spreading across networks. The technology is delivered as a cloud-based service, with a software agent running on end points.

Chief technology officer Harry Sverdlove said that while traditional firewalls can be compared to a phone switchboard that blocks calls depending on the caller ID, and app-aware firewalls are like telephone equipment that can identify that a voice call is in progress and what language is spoken, Edgewise’s system validates the person or party making the phone call. In data centers, these parties will be various enterprise software applications chatting among themselves.

Other vendors are grappling with next-generation firewall defenses in data centers. Other notable initiatives along these lines include an alliance to integrate Fortinet’s intrusion prevention and management capabilities into Microsoft Azure Security Center to better protect cloud workloads against malware and miscreants. That deal is more about intrusion detection – aka high-tech burglar alarms – than reimagining the firewall, as such.

Edgewise’s technology competes with micro-segmentation products from the likes of vArmour, but goes beyond them in its capabilities, the startup told El Reg.

Segmentation, micro-segmentation, and VLANs are based on addresses, ports, and protocols, and in some cases on pulling open the packets and looking at the content of the traffic. But these constructs are fundamentally limiting, especially in dynamic environments like cloud and data centers. Edgewise policies are based on the actual applications or services communicating, the actual users running those applications, and the hosts or containers on which they are running.

They are not dependent on the network addresses or the content of their conversation, making it far more secure (harder for a malicious actor to spoof valid communication or hijack user sessions) and far more agile, so the policies work regardless of where they are deployed (e.g. private network, hybrid cloud, public cloud).

Edgewise’s tech is pitched at, among others, retailers, financial service firms, and cloud providers. One infosec pundit described the protections as a “properly implemented default deny.”
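To make the address-versus-identity distinction concrete, here is an added Python example (not Edgewise’s code, which the article does not show) that evaluates the same connection attempts under a default-deny policy keyed on addresses and ports and under one keyed on application, user and host identity. The environment, rule sets and flows are constructed; the identity fields are assumed to come from a host agent that knows which process opened the socket.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple


@dataclass(frozen=True)
class Flow:
    """One connection attempt, carrying both network facts and identity facts.

    The identity fields are assumed to be reported by a host agent that knows
    which process and user opened the socket; the agent itself is not modelled.
    """
    name: str
    src_ip: str
    dst_ip: str
    dst_port: int
    src_app: str
    src_user: str
    src_host: str
    dst_app: str
    dst_host: str


class AddressPolicy:
    """Traditional firewall model: default deny, rules keyed on address and port."""

    def __init__(self, rules: Iterable[Tuple[str, str, int]]) -> None:
        self.rules = set(rules)

    def allows(self, f: Flow) -> bool:
        return (f.src_ip, f.dst_ip, f.dst_port) in self.rules


class IdentityPolicy:
    """Application-centric model: default deny, rules keyed on app, user and host."""

    def __init__(self, rules: Iterable[Tuple[str, str, str, str, str]]) -> None:
        self.rules = set(rules)

    def allows(self, f: Flow) -> bool:
        key = (f.src_app, f.src_user, f.src_host, f.dst_app, f.dst_host)
        return key in self.rules


# Hypothetical environment: a web tier that is allowed to talk to its database tier.
ADDRESS_RULES = [("10.0.1.10", "10.0.2.20", 5432)]
IDENTITY_RULES = [("web-frontend", "svc-web", "web01", "postgres", "db01")]

# Constructed sample flows.
SAMPLE_FLOWS = [
    Flow("legit", "10.0.1.10", "10.0.2.20", 5432,
         "web-frontend", "svc-web", "web01", "postgres", "db01"),
    # Malware on the compromised web host reuses the host's approved address.
    Flow("malware", "10.0.1.10", "10.0.2.20", 5432,
         "ransomware.exe", "SYSTEM", "web01", "postgres", "db01"),
    # The same workload re-addressed after a move (e.g. into a cloud subnet).
    Flow("migrated", "10.0.9.77", "10.0.2.20", 5432,
         "web-frontend", "svc-web", "web01", "postgres", "db01"),
]


def evaluate(policy, flows: Iterable[Flow]) -> Dict[str, bool]:
    """Return {flow name: allowed?} for every flow under the given policy."""
    return {f.name: policy.allows(f) for f in flows}


def compare(flows: Iterable[Flow] = SAMPLE_FLOWS) -> Dict[str, Dict[str, bool]]:
    """Evaluate the same flows under both models, side by side."""
    flows = list(flows)
    return {
        "address": evaluate(AddressPolicy(ADDRESS_RULES), flows),
        "identity": evaluate(IdentityPolicy(IDENTITY_RULES), flows),
    }


if __name__ == "__main__":
    for model, verdicts in compare().items():
        for name, allowed in verdicts.items():
            print(f"{model:8} {name:9} {'ALLOW' if allowed else 'DENY'}")
```

The address-based policy lets the malware through because it shares the web host’s approved address, and blocks the legitimate workload once it is re-addressed; the identity-based policy gives the opposite verdict in both cases.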

Clive Longbottom, the founder of analyst house Quocirca, agreed that standard firewalls are unsuited to operation in cloud environments while suggesting that Edgewise will have challenges of its own to contend with.

Longbottom told El Reg: “The big problem is that these days there are no defined edges to a network. Therefore, you have to create them.

“The use of defined paths means that those edges – in reality, contact points – can be created and any traffic to do with a task routed through these specific paths. Rules can then be applied; deep packet inspection can be carried out on a per path or stream basis. Standard firewalls cannot operate this way easily.”

Kurt Seifried, a senior software engineer at Red Hat product security and a contributor to the Cloud Security Alliance, added: “We’ve known we need smarter network controls for a while now.”

Edgewise Networks was founded by Smith, a cybersecurity entrepreneur, and Sverdlove, former CTO of Carbon Black (formerly Bit9). The biz has banked $7m from early investors including New England venture capital firm .406 Ventures and tech chief execs from the Boston area including Patrick Morley of Carbon Black, Omar Hussain of Imprivata, and Bob Brennan of Veracode. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/07/13/edgewise_firewall/

1Password won’t axe private vaults. It’ll choke ’em to death instead

The maker of password manager 1Password says it will not force its users to stop using private password vaults – as it sweeps this local storage functionality under the rug.

There was growing alarm in the computer security community this week that 1Password local vaults were going to be a thing of the past.

Basically, if you – as many do – opt for the local approach, your credentials for websites and other online services are held in an encrypted data store on your machine, and you can optionally back up this enciphered database to third-party cloud storage or a separate drive. This allows you to use complex passwords for websites: they’re stored in your vault, and recalled when necessary, provided you give the master password to unlock the store.

Alternatively, you can subscribe to 1Password.com, where your local encrypted password vault is synchronized with a copy held on 1Password’s servers, so that if you lose your local copy, such as if your laptop gets nicked, you can retrieve your encrypted credentials from the 1Password cloud. You can also access them from another machine. This costs a monthly fee.

The downside to the subscription scheme is that you’re trusting 1Password.com with all your passwords. Although they are stored encrypted on its servers, they are accessed through your web browser, so anyone who manages to hack into the service could – potentially, worst-case scenario – screw around with the JavaScript code that’s served to browsers to subvert the encryption and decryption process and thus break into a lot of people’s vaults.

1Password’s developer AgileBits, based in Canada, reckons that won’t happen due to the protection mechanisms it has in place. In fact, it’s so confident in its centralized security that it would greatly prefer users opt for the paid membership plan over local storage, where you basically fend for yourself to stay secure. In a support forum post earlier this year, a rep told users:

1Password is no longer marketed as a standalone product. We strongly feel that our 1Password memberships provide a much better experience. If you would like to discuss your particular situation, and what solution may work best for you, please feel free to email us at [email protected].

In other words, no one is being forced to drop their local vaults, but AgileBits won’t promote them nor willingly sell licenses to its standalone apps. Instead, the biz will “emphasize” its cloud subscription package.

“Regardless of the exact trigger for the sudden proliferation of this belief, folks have speculated that we’re sunsetting local vaults from time to time almost since 1Password accounts were announced,” a spokesperson told us on Wednesday.

“They’re still here and we have no plans to change that. For 99.9 per cent of our customers, a 1Password membership really is the best choice, so we do emphasize that option.”

In fact, AgileBits is so certain users should pick the cloud service, it has all but erased any mention of local storage. Going back to March, AgileBits has held a policy of not marketing a local vault option for 1Password.

“Our customers aren’t all security researchers and IT professionals. They’re college students, retired steel workers, stay-at-home moms and dads, lawyers and everything in between,” the outfit said.

“Many of these folks don’t want to mess with manually setting up sync, so we emphasize an option that doesn’t require that. But the choice to use standalone vaults remains.”

In short, you can still use your existing private local vault with 1Password. If you’re new to 1Password, get in the cloud with everyone else. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/07/13/1password_not_killing_onprem_storage/

Good news: Samsung’s Tizen no longer worst code ever. Bad news: It’s still pretty awful

Samsung’s Tizen appears to have more holes than a screen door, but the mobile operating system, which powers Samsung watches, TVs, and a few phones, may not be as disastrous as it seems.

It does look bad. According to Andrey Karpov, founder and CTO of Program Verification Systems, the Russia-based maker of static code analyzer PVS-Studio, Tizen’s codebase contains approximately 27,000 programming blunders.

This is, though, based on extrapolating from 900 errors found in 3.3 per cent of the 72.5 million lines of C/C++ code (excluding comments) that compose the Tizen project.

Karpov’s claim echoes the findings of Israeli security researcher Amihai Neiderman, who in April at Kaspersky Lab’s Security Analyst Summit, identified 40 zero-day vulnerabilities in Tizen code.

At the time, Neiderman characterized Tizen’s codebase as possibly the worst he’d seen.

Those developing Tizen software have said as much. In a post to the Tizen developer mailing list in April about the project’s slow response to bug reports, Maxim Khitrov, who develops software for the Biotechnology High Performance Computing Software Applications Institute (BHSAI), said, “Tizen is a mess with really bad code all around.”

Even Samsung insiders concede the way Tizen is managed leaves something to be desired. Responding to Khitrov’s complaint, Samsung open-source developer Carsten Haitzler observed that Tizen platform maintainers have limited control over product groups that ship Tizen devices.

“They are completely different teams and there is no single coherent ‘Tizen leader’ who tells everyone what to do with Tizen, how to do it and when,” Haitzler lamented. “We can fix bugs in the platform but can’t guarantee if an update will ship for devices or if it will be changed by the time it ships for a device.”

Envisioned as an Android competitor, Tizen at least matches Google’s mobile operating system in terms of disorganization. In terms of numbers, Samsung hopes to reach 10 million Tizen phones this year; Google in May said there are two billion monthly active Android devices.

[Image: PVS-Studio bug analysis of Tizen – a bug identified by PVS-Studio]

Yet, Samsung doesn’t see Tizen’s many bugs as a problem. Karpov assembled his list of bugs as a sales pitch for his company’s static analyzer. And Youil Kim, from Samsung Electronics, declined his offer on the Tizen mailing list by noting that Samsung is already working on static analysis of Tizen code but prefers another unnamed code quality tool that can find additional problems.

“We don’t agree with that Tizen has 27,000 defects that should be fixed,” said Kim. “As you know, many of static analysis warnings are often considered as insignificant issues.”

Even so, Kim left the door open for further discussions with Karpov on how to improve Tizen’s code quality.

In an email to The Register, Neiderman acknowledged that Tizen code had and still has problems. After he reported the vulnerabilities in April, he explained, several people who used to work on Tizen as developers got in touch. “What they all said was that Samsung didn’t really care about security and tried to rush Tizen to the market ASAP,” he said.

Neiderman believes the news reports that followed from his research got Samsung’s attention. “They started spending more efforts on securing Tizen and even contacted some companies to help them with that,” he said.

Asked whether he still considered Tizen’s code to be the worst he’d ever seen, Neiderman expressed regret about his choice of words.

“I have since learned to watch my tongue,” he said, punctuating his reply with an emoticon grin. “Back then I meant that the code was very bad, something that you could see about 15-20 years ago in terms of security,” he added. “They changed stuff, but I haven’t checked everything they fixed and changed in their code. I’m not sure if they went back and fixed stuff I didn’t find or report to them, so I’m not sure how widespread their security auditing of their code was.”

Neiderman said Tizen presently isn’t terrible and isn’t great either. “But the worst part for Samsung is that Tizen isn’t really lifting off the ground enough, it’s not an Android replacement like they wanted it to be,” he said.

A Samsung spokesperson said no one was immediately available to field questions about the state of Tizen. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/07/12/samsungs_tizen_no_longer_worst_ever/

Blue Cross? Blue crass: Health insurer thought it would be a great idea to mail plans on USB sticks

A US health insurer is taking heat for its decision to mail USB drives containing coverage information to businesses that offer its plans to employees.

Alabama-based developer Thomas Gamble said he received a mailer from Blue Cross and Blue Shield of Alabama that included a USB key, along with instructions to insert the gadget into his PC.

The thumb drive would then launch the insurer’s online portal that provides details on a specific business’s health plans and benefits. This, says Gamble, immediately set off alarms in his head. His insurance company was actually telling him to commit an infosec blunder.

Aside from the fact that these sorts of gimmicks backfire when the USB keys get infected with malware, the practice conditions people to think it’s OK to plug random storage devices into their computers. It is not OK.

“As many things do, I’m sure it started as something innocent: a marketing ploy or a tool to better service customers. I’m sure it never was intended to provide a blueprint for cyber security attacks on high value targets,” Gamble noted earlier today.

“Regardless, it’s a huge reason why major corporations need to have their security team more involved in all aspects of their business.”

The USB drives themselves posed no risk and Blue Cross Blue Shield said businesses can access the same information through the insurer’s web portal.

The problem, Gamble explains, is that the practice encourages what is essentially the infosec equivalent of pulling gum off the sidewalk and popping it into one’s mouth.

“I am not accusing BCBS of creating software that is less than above board. However, now someone wanting to exploit your computer can copy this concept and just start randomly mailing these out to companies hoping that they will insert it into their computer and run their nefarious software,” he said.

“The fact that BCBS appears to have officially sent these out increases the likelihood that someone will trust the next wave of them, whether they are official or forged.”

The insurer does, however, seem to have gotten the message. A spokesperson told The Register it was halting the mailers.

“Blue Cross and Blue Shield of Alabama recognizes the importance of exercising the proper security measures before inserting an unknown device, even from a reputable source, into a computer or electronic device,” the company said.

“Due to the current technical environment and breach risks, our company is re-evaluating this communication tool. The security of our customers’ information remains one of our top priorities.”

In the meantime, it should go without saying that people should never plug untrusted USB devices into their PCs, and admins should make sure end-users are always wary of unsolicited attachments, whether in email or snail mail form. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/07/12/blue_cross_usb_card_mailers/

ATO phone hacking ‘tutorial’ is tame unless you use a Nokia 1100

The “how to crack mobile phones” tutorial posted by an Australian Taxation Office employee appears not, as widely reported, to be evidence that the agency has the ability to penetrate a wide range of devices.

The Australian Broadcasting Corporation reported that the ATO had “disciplined” a staffer who posted a presentation to LinkedIn’s Slideshare service and to his LinkedIn profile. That account page has since been removed, but Google Cache has preserved much of the presentation and accompanying text.

The LinkedIn page that Google can’t forget shows just 148 views of the presentation since May 2016, when it was posted. It’s since spread to other free document hosting sites, with versions appearing as early as February 2017.

According to the ABC – and several other outlets – the presentation “reveals” the taxman’s “fraud investigation tactics”, and suggests “a push for powers normally associated with police and intelligence agencies.”

But a glance at the presentation shows it was cribbed from mostly public information, all linked in the text:

What of the devices the document uses as demonstrations? While Samsung and Motorola are mentioned, that’s only in the context of explaining things like time and date formats. The only example device in the presentation – that is, “how to unlock it” – is a Nokia 1100, which looks like this:

[Image: Nokia 1110i budget phone – the ATO knows how to crack phones like this, apparently]

In other words: rather than being a reveal-all leak of the ATO’s “phone cracking” techniques, it was an obsolete for-dummies level presentation. If it represents current best practice in the ATO, Vulture South suggests phone cracks are better left to agencies with more up-to-date tools. And that’s before we consider whether the document was presented as a “how-to” for staff, as has been assumed, or in another and more innocent context. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/07/13/ancient_hacking_techniques_put_on_show_by_ato_staffer/

How Active Intrusion Detection Can Seek and Block Attacks

Researchers at Black Hat USA will demonstrate how active intrusion detection strategies can help administrators detect hackers who are overly reliant on popular attack tools and techniques.

Penetration testers as well as bad-guy hackers typically rely on several common attack tools to break into business networks. 

Enterprises defending their networks can flip the equation on attackers by using active intrusion detection strategies to create situations where attackers overly reliant on these tools inadvertently expose themselves to detection and other complications, says John Ventura, practice manager for applied research at Optiv. It’s a trap that even pen testers can fall into while running their tools, he says.

Ventura will detail this more active approach to intrusion prevention – where defenders use basic network software to look for threats and stop attacks – later this month in his Black Hat USA talk, “They’re Coming for Your Tools: Exploiting Design Flaws for Active Intrusion Prevention.”

The field of intrusion detection and prevention systems has been “relatively stagnant” for the past 15 to 20 years, Ventura says. Passive intrusion detection systems can be computationally intensive and their responses rarely go far.

“If your company is using intrusion detection and prevention systems, and dealing with those alerts responsibly, you are doing great relative to the rest of the industry,” he notes.

Ventura at Black Hat will take hacking tools popular among attackers and pen testers such as Metasploit, and show how design flaws in those tools can be exploited for intrusion prevention.

“There are common hacking tools that a lot of people use, and if you target those tools, you can make it harder to break into computers,” he explains.

Ventura plans to demonstrate methodologies for finding and disrupting common attacks; organizations can integrate these into their IDS/IPS products to make the software better. Software written over the course of this research can be used on lightweight hardware to defend against real-world attacks. It’s an effective swap for more expensive “magic box” solutions.

One of the examples he plans to discuss involves man-in-the-middle (MitM) attacks. The goal is to target the communications channel while it’s being established, he says. The attacker introduces his or her software onto a compromised host, and that software initiates communication with the attacker’s computer. The goal is to disrupt that “handshake,” Ventura says. Attackers need to maintain control over the target machine once they break in, but it’s hard to communicate during a MitM attack.

“It is really hard to get two computers to talk to each other in a secure fashion if they have never communicated before,” Ventura continues. “Even with a head start, they’ll still have vulnerabilities that pop up from time to time.”

Though they have decades of experience, developers and researchers working on these problems still find themselves facing serious vulnerabilities in their tools, he notes.

Black Hat USA returns to Mandalay Bay in Las Vegas, Nevada, July 22-27, 2017.

Ventura will demonstrate IDS/IPS software that targets the Metasploit Framework’s Meterpreter control channel on a machine that has been compromised, breaking that communication channel and replacing it with one of the defender’s choosing. Traffic still goes where you might expect it; however, the attacker is left with a broken TCP connection, so the person running the software, rather than the initial attacker, has control over the compromised machine, he explains.

The topic is relevant to both offensive and defensive security professionals. Blue team defenders can become more proactive by manipulating their network traffic to detect and complicate common attacks, targeting attackers, and exploiting vulnerabilities in their software.

Red teamers who break into computers need to understand how their tools work, says Ventura. Those who don’t understand the functionality of their tools may heighten the risk for detection and exploitation.


Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University.

Article source: https://www.darkreading.com/attacks-breaches/how-active-intrusion-detection-can-seek-and-block-attacks/d/d-id/1329342?_mc=RSS_DR_EDT