STE WILLIAMS

NPM swats path traversal bug that lets evil packages modify, steal files. That’s bad for JavaScript crypto-wallets

On Wednesday, NPM, Inc, the California-based biz that has taken it upon itself to organize the world’s JavaScript packages into the npm registry, warned that its command line tool, the npm CLI, has a rather serious security vulnerability. Version 6.13.4 has been rushed out with a fix.

The flaw – also present in less-than-current versions of yarn, a Facebook-spawned open-source alternative client for fetching modules from the registry – could allow hackers to alter files on the systems of users who have installed a malicious package.

That’s a risk that exists independent of this particular vulnerability, given that developers who install npm packages (or third-party libraries in other package management systems) are running code of uncertain origin. But in this instance, the problem resides in the npm client itself.

“In versions of npm prior to 6.13.3 (and versions of yarn prior to 1.21.1), a properly constructed entry in the package.json ‘bin’ field would allow a package publisher to modify and/or gain access to arbitrary files on a user’s system when the package is installed,” NPM’s security team said in a blog post.

A separate vulnerability allows the creation of arbitrary symlinks to any file.

Versions of npm prior to 6.13.4, and all current versions of yarn, allow the arbitrary overwriting of an existing binary with another file, but only in the /usr/local/bin directory.

What should happen is that an installed package is only allowed to write inside the node_modules folder of the application it is being installed into.

Developer Daniel Ruf identified the security vulnerability and on Thursday published a blog post about his findings.

“The problem is that we can define any (valid) paths for the binary name and the file which is then symlinked,” explained Ruf.

And doing so is not particularly difficult. It requires an entry for the “bin” key in package.json, a file that npm uses to convey the metadata about the project and its dependencies. It would look something like this:

"bin": {
    "../some/path": "../some/other/path"
}


“This is basically everything that is needed to execute these attacks,” said Ruf. “What you can do with this depends on the package manager and the result can be pretty bad.”

To demonstrate this, he created proof-of-concept exploits that write or overwrite arbitrary files and allow unauthorized file access. As in the “bin” example above, they consist of a JSON key-value pair. A possible consequence of this security failure could be the theft of crypto wallets.
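The defensive counterpart to the “bin” trick above is a check that every bin entry stays inside the package it belongs to. The following is an added Python example, not npm’s or yarn’s own code: a small pre-install audit that parses a package.json, normalises the “bin” field, and flags any command name containing a path component or any target that resolves outside the package directory. The two package.json fixtures are constructed for the example (the malicious one reuses the shape quoted in the article); the function names are the example’s own.

```python
import json
from pathlib import PurePosixPath

# Constructed package.json fixtures for the check below. The malicious one uses the
# "bin" shape described in the article; the benign one is an ordinary CLI package.
BENIGN_PACKAGE_JSON = """{
  "name": "tidy-cli",
  "version": "1.0.0",
  "bin": {"tidy": "./lib/cli.js", "tidy-check": "lib/../bin/check.js"}
}"""

MALICIOUS_PACKAGE_JSON = """{
  "name": "not-so-tidy",
  "version": "1.0.0",
  "bin": {"../some/path": "../some/other/path", "inspect": "/etc/passwd"}
}"""


def bin_entries(package_json: str) -> dict:
    """Normalise the 'bin' field. npm accepts either a bare string (one command
    named after the package) or an object mapping command name -> script path."""
    data = json.loads(package_json)
    bin_field = data.get("bin", {})
    if isinstance(bin_field, str):
        return {data["name"]: bin_field}
    return dict(bin_field)


def escapes_package(target: str) -> bool:
    """True if 'target', resolved relative to the package root, would point
    outside it: absolute paths, or '..' segments that climb above the root."""
    path = PurePosixPath(target.replace("\\", "/"))
    if path.is_absolute():
        return True
    depth = 0
    for part in path.parts:
        if part == "..":
            depth -= 1
            if depth < 0:
                return True
        elif part != ".":
            depth += 1
    return False


def unsafe_bin_entries(package_json: str) -> list:
    """Return (command, target, reason) for every bin entry that would be linked
    somewhere other than node_modules/.bin/<command> -> <package>/<target>."""
    findings = []
    for command, target in bin_entries(package_json).items():
        # The link itself is created inside node_modules/.bin, so the command
        # must be a plain file name with no directory components at all.
        if not command or command in (".", "..") or "/" in command or "\\" in command:
            findings.append((command, target, "command name contains a path component"))
        if escapes_package(target):
            findings.append((command, target, "target escapes the package directory"))
    return findings


if __name__ == "__main__":
    for finding in unsafe_bin_entries(MALICIOUS_PACKAGE_JSON):
        print("REJECT", finding)
    print("benign findings:", unsafe_bin_entries(BENIGN_PACKAGE_JSON))
```

Run against a checkout’s node_modules/*/package.json before the install step, this rejects both halves of the malicious entry (the command name climbs out of .bin, and the target climbs out of the package) as well as an absolute target, while the benign package with a harmless `lib/../bin` segment passes.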

NPM said it has scanned the registry looking for modules that use this attack but hasn’t found any. “That does not guarantee that it hasn’t been used, but it does mean that it isn’t currently being used in published packages on the registry,” NPM’s security team said.

So that’s all right then. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/12/13/npm_path_traversal_bug/

Gallium: The Newest Threat Group on Microsoft’s Radar

Hacking group has been targeting telecommunication providers.

Edit: This story has been updated to reflect findings from Cybereason, which reported on this APT in its Operation Soft Cell report in June 2019.

Microsoft today published a report detailing activity by a new threat group it dubbed Gallium in keeping with the company’s internal practice of assigning chemical elements to attack groups.

This attack group was previously detected and reported by Cybereason researchers, who call the threat Operation Soft Cell in a June writeup of their findings. In 2018, researchers identified an advanced, persistent attack targeting telecommunications providers and using techniques associated with Chinese-affiliated threat actors. Researchers report the attackers, believed to be active since 2012, were attempting to steal data stored in Active Directory, compromise credentials, and access personally identifiable information, billing data, call records, email servers, and users’ geolocations.

The bulk of Gallium’s activity, which primarily targeted telecommunication providers, was observed throughout 2018 into mid-2019, researchers with the Microsoft Threat Intelligence Center (MSTIC) reported today. While the group is still an active threat, they say, its activity levels have fallen in comparison to what they saw earlier in their research.

To gain access into a target network, Gallium detects and exploits Internet-facing services. The group has been spotted exploiting unpatched Web services; for example, WildFly/JBoss, for which exploits are widely accessible. While it’s often tough to determine a group’s reconnaissance methods, MSTIC says Gallium’s targeting of Internet-facing services is a sign the group uses open-source research and network scanning tools to pinpoint its new targets.

“MSTIC investigations indicate that Gallium modifies its tooling to the extent it evades antimalware detection rather than develop custom functionality,” researchers write in a blog post. “This behavior has been observed with Gallium across several operational areas.”

Gallium’s commonly used tools include Mimikatz, NBTScan, Netcat, WinRAR, and Windows Credential Editor. The group mostly relies on compromised domain credentials to move across a network; once they have credentials, attackers use PsExec to move from host to host. 

Researchers point out Gallium does little to hide its intent and often uses common versions of malware and publicly available toolkits with slight modifications. The group has used the Poison Ivy RAT, which is widely accessible, and QuarkBandit, an altered version of Gh0st RAT. Poison Ivy RAT, Gh0st RAT, and the China Chopper Web shell are the foundation of its toolkit.

Gallium mostly uses dynamic DNS subdomains for its C2 infrastructure. Analysis shows the group tends to favor low-cost, low-effort operations, as indicated by its use of dynamic DNS providers instead of registered domains. Its domains have been seen hosted on infrastructure in mainland China, Hong Kong SAR, and Taiwan. Observed IP addresses seem to be exclusive to this group, have minimal or no legitimate activity, and are used in several operations.

Follow the Malware

Gallium primarily uses Web shells to create persistence in a target network, and this access is used to deliver subsequent malware. Attackers also use a native Web shell for servers running Microsoft IIS that is based on China Chopper. MSTIC calls it “BlackMould.” On a target host, BlackMould can enumerate local devices, conduct basic file operations (find, read, write, delete, copy), set file attributes, exfiltrate and infiltrate files, and execute a command prompt with parameters.

When attackers have deployed Gh0st RAT or Poison Ivy RAT, they’ve altered the malware’s communication method in an effort to prevent detection by antimalware signatures. In addition to these malware families, Gallium has been seen using SoftEther VPN to enable access and maintain persistence on a target network. This tactic also has the added benefit of Gallium’s activity appearing harmless as the group moves throughout a corporate environment.

Researchers list several defenses security teams can adopt to lessen the threat of a Gallium attack. Among these are:

  • Maintain Web server patching and log audits
  • Run Web services with minimum required operating system permissions 
  • Promptly install security updates on all applications and operating systems 
  • Employ behavior detection to catch credential dumping or other suspicious activity 


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/threat-intelligence/gallium-the-newest-threat-group-on-microsofts-radar/d/d-id/1336604?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Cyberattacks on Retailers Could Increase 20% this Holiday Season

Commodity malware and ransomware continue to be the biggest threats, says VMWare Carbon Black.

A new analysis of threat data suggests retailers will experience a 20% increase in attempted cyberattacks this holiday shopping season, according to VMWare Carbon Black.

Commodity malware and ransomware will continue to account for a major portion of attack volumes. But often these attacks will be just a means to attain other broader objectives, the security vendor says in a report out this week.

“Retailers should be most concerned that their websites or mobile apps will be hijacked via watering-hole attacks,” says Tom Kellermann, head cybersecurity strategist at VMware Carbon Black.

The other major concern is lateral movement, where attackers gain an initial foothold in a network and then expand their presence to other systems, he says. Sometimes, threat actors can attack the network of a retailer’s business partner or vendor and use that access to break into the retailer’s system.

VMWare Carbon Black’s analysis combined data gathered from its retail customers during the 2018 holiday season, from this year, and from a recent survey of 20 CISOs and major retail organizations.

The analysis shows a surprisingly high proportion of retailers already have been impacted by recent cyberattacks. More than seven in 10 organizations (73%) reported an increase in online attacks over the past year, and 40% said they had lost revenue in 2019 as the result of one.

One-third of the CISOs VMWare Carbon Black surveyed described their organizations as having experienced an attack where threat actors got into their networks by moving laterally from the network of a partner or vendor. Troublingly, one in five organizations experienced a destructive attack, such as one involving ransomware or disk-wiping malware.

“The macro-level takeaway is that attempted cyberattacks against retailers tend to spike right now – during the holiday shopping season,” Kellermann says. “Attacker sophistication continues to evolve across verticals,” he notes.

New Trickbot Campaign Another Threat
A separate report from Cybereason, also released this week, shows another threat many retailers are going to have to deal with this holiday season: targeted attacks involving the Trickbot malware.

According to Cybereason, its researchers have observed a new campaign where attackers are using TrickBot to infect POS and other systems at retailers, financial companies, and manufacturing businesses in the US and Europe. On some high-value systems the attackers have been deploying a new version of a previously known backdoor for stealing data. The attackers also have been using a previously unknown piece of malware, dubbed “Anchor,” for stealing sensitive data from systems that are determined to contain information of value to the attacker.

“These attacks start with a TrickBot infection and, with high-profile targets, can escalate to a hacking operation leveraging a new malware, Anchor,” the security vendor says. Unlike many previous Trickbot attacks that resulted in mass ransomware infections, “these new attacks focus on stealing sensitive information from POS systems and other sensitive resources in the victims’ network by compromising critical assets,” Cybereason warns.

Retail CISOs are responding to the worsening threat environment. According to Carbon Black, more than half (53%) of the retail CISOs it surveyed plan on increasing cybersecurity staff next year. Four in 10 expect their security budgets will increase at least 10% compared to 2019. Carbon Black’s survey also shows that one-third of organizations have implemented a threat-hunting capability for proactively looking for and mitigating security issues before they develop into a full-blown attack.

“The number was not as high as I would have liked,” Kellermann says. “In other verticals, like finance and healthcare, we’re seeing some more active threat hunting occurring.”


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/cyberattacks-on-retailers-could-increase-20--this-holiday-season/d/d-id/1336608?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Android App Analysis Uncovers Seasonal Shopping Risk

Researchers scanned 4,200 Android apps and found many exhibit malicious behavior or have a dangerous level of permissions.

Be careful what you download: A recent analysis of 4,200 Android applications reveals how attackers leverage mobile apps to defraud users, especially during the holiday shopping season.

Barracuda Networks researchers analyzed more than 4,200 holiday-related Android apps, such as shopping apps, themed games, and Santa video chats. Seven exhibited malicious behavior, such as replacing the app with a version downloaded from the Internet via a C2 server. Thirty-five contained adware, while 165 had “excessive or dangerous combination of permissions.”

Senior security researcher Jonathan Tanner says he was surprised by the nature of some holiday apps. When searching for Black Friday and Cyber Monday apps, researchers saw many described as “aggregate shopping apps” where users can browse a variety of retail websites.

“I would presume that for some of these sites … the app would require you to enter your account credentials for the specific site, so users would be offering all of their various shopping credentials to a single app that undoubtedly has far less security around protecting this data than the actual shopping sites,” says Tanner of the potential risk. Even if the apps are safe from a malware perspective, there is a risk of credentials leaking from a number of sites in one app.

Many of the apps laced with adware seemed to be related to DIY gift projects, which Tanner notes is surprising given the range of apps downloaded. On the surface, many – like those advertising coupons and deals – seem more likely to leverage suspicious ad networks.

Tanner warned of apps requesting more permissions than they need, a risk that merits close attention from users. At least half of the apps that required dangerous permissions asked for access to the phone, camera, microphone, location, and text messages. The only apps that should access the phone or texts are apps that specifically work with these features, such as robocalling, he notes. The camera and microphone have more legitimate use cases, but based on the types of apps researchers scanned, very few should have needed either, he points out.

“There isn’t a direct line between benign permissions and dangerous ones as they are dependent on what the app is supposed to do compared to how much risk they introduce,” Tanner says. A shopping app designed to scan barcodes will need access to the camera, for example, so granting permission is appropriate but not guaranteed to be safe. A quarter of apps analyzed could read contacts, which is suspicious if the app doesn’t support collaboration or sharing.

“The mobile-first market is growing rapidly, and the majority of users still haven’t made the connection that they’re carrying a computer in their pocket – one which has the same risks as any computer,” Tanner says. Raising awareness that the same precautions are necessary is key.

“The main behavior attackers take advantage of during the holidays is users letting their guards down,” he says. Users looking for holiday sales in their email may not think twice when a deal seems too good to be true or let their guard down when scrutinizing mobile apps they install. In stores, many don’t consider point-of-sale devices they share their credit cards with.

Mobile phone owners should be careful to check the reputation of every app they download, researchers advise: Look for user reviews, be aware of permissions granted, and consider whether they’re necessary. A shopping or gifting app shouldn’t require the ability to write text messages, for example.

Users should also enable parental controls to prevent app installs by children, be careful to check the senders of suspicious messages before clicking them, and shop directly from retail websites rather than using aggregate shopping apps.



Article source: https://www.darkreading.com/threat-intelligence/android-app-analysis-uncovers-seasonal-shopping-risk/d/d-id/1336609?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Brexit – even cybercriminals want to have their say…

Thanks to Vikas Singh of SophosLabs for his work on the malware in this article.

B-r-e-x-i-t!

Not just in the UK but all over the world, it’s a word you can’t escape.

And it turns out it’s not just ‘the rest of us’ that are fascinated by/have strong feelings about/can’t stop arguing for or against this Brexit thing?

Malware writers are too…

In the bad old days before cybercrooks figured out how to make real money out of malware, they tended to let viruses loose for a range of different reasons, including to score political points, to cheer their favourite teams, to wreak havoc on society, to show off to imaginary friends, to celebrate anniversaries and birthdays and, in one infamous case, to tell us all, “Beer and tequila forever!”

Sometimes, the messages were overt – such as popup boxes, tunes playing, files trashed on specific days.

And sometimes they were hidden, buried like treasure inside the malware code itself so that if you didn’t know where or how to look, you’d miss out on the secret.

Well, the art of the hidden political malware comment isn’t dead!

In a number of recent attacks, SophosLabs has encountered a variant of the WannaMine malware family that was similar enough to other samples in the family that you could guess what it was going to do, but with a sneaky and unexpected change right at the end of the main malware script.

The WannaMine malware family

You may remember WannaMine from when it first showed up – it got its name because it could spread virally like the WannaCry ransomware did, which gave it the Wanna- part at the beginning, but instead of delivering ransomware, it stitched you up with cryptocoin mining software instead, thus the -Mine suffix in the name.

Actually, the WannaMine family of malware does a lot more than just cryptojacking, although it’s the mining code – which revs up your CPU, slows down your computer, steals your electricity, heats up your lap and keeps the cryptocoins for itself – that is likely to attract your attention.

Unlike ransomware, which jolly well wants you to know it’s there so you can get busy paying the blackmail money to get your files back, coinminers would prefer to remain unnoticed, because the amount of money they earn for the crooks is directly proportional to how long they keep running.

But coinmining is, for the most part, a CPU-intensive task that doesn’t play well with anything else on your system, such as your laptop battery, your CPU temperature, your electricity consumption and the speed at which all your other software runs.

While it’s busy, though, WannaMine malware variants typically try to do a bunch of other stuff in the background, such as:

  • Sneaking through memory looking for credentials for already-logged in accounts.
  • Cracking passwords for other computers on the network to spread further.
  • Looking for computers on the network that can be broken into using the ETERNALBLUE exploit.
  • Turning off Windows security settings.
  • Carrying out DoS (denial-of-service) attacks.
  • Looking for updates to itself so it can fetch the latest version of the malware.

Getting ready to attack

The last few lines of the main script set up the main part of the attack, something like this:

# Each component is pulled out of a property of a WMI class in the root\default namespace
$mimi = ([WmiClass] 'root\default:Window_Core_Flush_Cach').Properties['mimi'].Value
$a, $NTLM = Get-creds $mimi $mimi
$ipsu = ([WmiClass] 'root\default:Window_Core_Flush_Cach').Properties['ipsu'].Value
$i17 = ([WmiClass] 'root\default:Window_Core_Flush_Cach').Properties['i17'].Value
$scba = ([WmiClass] 'root\default:Window_Core_Flush_Cach').Properties['sc'].Value
# The 'sc' property is base64 text; decoding it yields an in-memory executable
[byte[]]$sc = [System.Convert]::FromBase64String($scba)

The PowerShell code above builds a load of data variables that include a mixture of data and code.

For example, the $mimi variable has an in-memory copy of the well-known Mimikatz program, a password harvesting and cracking tool commonly used by crooks once they’re inside your network.

The $scba variable is a downloader tool that can be used for fetching new files; ba refers to ‘base64 encoded’, because the $scba content is immediately base64 decoded to produce $sc, another in-memory copy of a program that, in a conventional world, would be saved on disk as a regular .EXE file.

You’ll also notice that the data is fetched using WMI, short for Windows Management Instrumentation, which means that the code and data used by this malware is buried inside the Windows WBEM database (short for Web-Based Enterprise Management).

In other words, even though the malware components are, strictly speaking, saved on disk, they aren’t visible as regular files that a regular program can read and analyse – the WBEM database is sort of like the Windows registry, but completely different.

(Your local WMI database files usually live in a directory called C:\Windows\System32\Wbem\Repository, if you are interested – but be really careful if you plan to mess with them by hand!)

Show me the Brexit

So, where’s the Brexit?

Right in the last line of the malware script, the virus writer calls their main ‘do-the-bad-stuff’ function.

Earlier in the code, they’re rather boring, using function names such as:

RunDDOS
KillBot

But the parting shot in this one is a function called like this:

Invoke-Brexit -scccccc $sc -ipsu $ipsu -i17 $i17 -nic $nic -a $a -NTLM $NTLM

What we can’t tell you is whether the virus writer has embedded a secret message to imply that Brexit is a good idea, and we should get on with it…

…or whether they intended this code as a metaphor to invite us to infer that invoking Brexit is something best avoided.

We’re not going to get drawn into expressing a public opinion on real-life Brexit, but we are prepared to tell you that the virus writer’s Brexit is definitely not one you want!

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/DkMfkmqt7vk/

Chrome 79 includes anti-phishing and hacked password protection

Version 79 of Chrome is out, and it promises to do a better job of protecting you against phishing sites and credential stuffing attacks.

Since 2017, Chrome has protected users against phishing by checking the sites you enter your Google credentials into against a list of known phishing sites. It keeps these as part of its Safe Browsing initiative. Google synchronises its list of bad sites with the browser every 30 minutes, but because sites change so quickly, that means users might fall victim to new sites that had come online just minutes earlier.

Chrome 79, released on Tuesday 10 December, now performs that phishing protection in real-time, even for users with the synchronisation feature turned off. The company says this will protect users in 30% more cases. The protection has also been extended to include all the passwords stored in the Chrome password manager rather than just Google accounts. You can turn it on by enabling the ‘Make searches and browsing better’ option in Chrome.

The browser also now includes some other protections. It will now show you more clearly which profile the browser is currently using, which is handy for those sharing a browser and using different profiles. There’s also a feature that Google has been testing out for months: a built-in check for hacked passwords during site logins.

The feature began as a Chrome extension called Password Checkup that warned users their login credentials had been breached. Released in February 2019, it found that 1.5% of all web logins were using breached credentials, according to a Google survey released in August this year. That fuelled Google’s next move, in which it folded the feature directly into Chrome’s password manager. The service still didn’t check your credentials against hacked logins whenever you logged into a website. Instead, it would run the passwords you’d stored in the password manager service periodically to see if it found a match.

The version of Password Checkup integrated into Chrome 79 goes a step further. Now, it runs the check whenever you log into a site. Google is at pains to avoid any suggestion of creepiness or spying as part of this move, so it’s been pretty clever about how it performs the check. It wants to be clear that it doesn’t get to see your login credentials.

When you log into a website, Chrome will now send a hashed copy of your login credentials to Google. A hash function turns whatever data you give it into a fixed-length, reproducible string of text that identifies the data without revealing it. This hash is then encrypted in the browser using an encryption key to which only you have access.

Google already used its own key to encrypt the list of hacked login credentials that it sniffed from various sources online. It does the same thing with the credentials that Chrome sends it, encrypting them a second time.

This double encryption is part of a technique called private set intersection with blinding. It tries to match the login credentials you entered against Google’s database of hacked usernames and passwords.

For your privacy, Google doesn’t do this matching itself. Instead, it sends a small part of its encrypted hacked credentials database back to Chrome, along with your double-encrypted login credentials (which you’ll remember have now been encrypted twice). Chrome removes the encryption it applied to your login credentials using your own key, leaving only Google’s encryption in place. It then tries to match those hashed encrypted credentials against the small subset of the database that it received from Google. If it finds one, then your credentials have been hacked.

Google knows which small subset of the database to send back because your browser also creates a hash of the username you tried to enter into the website. It sends part of that hash to Google along with the other data. Google uses that snippet of your hashed username to select the part of its database including the same snippet in the index.
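The blinded private-set-intersection exchange described above, worked through as an added Python example (this is illustrative code, not Google’s or Chrome’s implementation). It swaps in toy parameters as assumptions: arithmetic modulo the Mersenne prime 2^127 - 1 instead of Chrome’s elliptic-curve group, SHA-256 in place of Argon2, a two-byte prefix of the hashed username as the bucket index, and a constructed list of “breached” credentials. The server only ever sees that prefix and a blinded value, and the client strips its own blinding layer to compare locally.

```python
import hashlib
import math
import secrets

# Toy-sized group for illustration only: arithmetic mod the Mersenne prime 2^127 - 1.
# Chrome's deployment uses an elliptic-curve group and Argon2 hashing; both are
# assumptions swapped out here for readability, not Google's parameters.
P = 2**127 - 1
ORDER = P - 1  # order of the multiplicative group Z_p^*


def hash_to_group(username: str, password: str) -> int:
    """Hash a credential pair into a nonzero element of Z_p^* (constructed scheme)."""
    digest = hashlib.sha256(f"{username.lower()}\x00{password}".encode()).digest()
    return int.from_bytes(digest, "big") % (P - 2) + 2  # always in [2, P-1]


def username_prefix(username: str) -> str:
    """Coarse bucket index: the first 2 bytes of the hashed username, sent in the clear."""
    return hashlib.sha256(username.lower().encode()).hexdigest()[:4]


def random_exponent() -> int:
    """Secret exponent that is invertible modulo the group order (gcd(r, p-1) == 1)."""
    while True:
        r = secrets.randbelow(ORDER)
        if r > 1 and math.gcd(r, ORDER) == 1:
            return r


class BreachServer:
    """Holds breached credentials only in blinded form x^s, bucketed by username prefix."""

    def __init__(self, breached_credentials):
        self.s = random_exponent()
        self.buckets = {}
        for user, pw in breached_credentials:
            blinded = pow(hash_to_group(user, pw), self.s, P)
            self.buckets.setdefault(username_prefix(user), set()).add(blinded)

    def query(self, prefix: str, client_blinded: int):
        """Apply the server secret to the client's blinded value and return the
        matching bucket. The server learns only the prefix and x^r, never x."""
        return pow(client_blinded, self.s, P), frozenset(self.buckets.get(prefix, ()))


def check_credential(server: BreachServer, username: str, password: str) -> bool:
    """Client side: blind, query, unblind, and look for a match locally."""
    x = hash_to_group(username, password)
    r = random_exponent()
    double_blinded, bucket = server.query(username_prefix(username), pow(x, r, P))
    # Remove the client's layer: (x^r)^s raised to r^-1 (mod p-1) leaves x^s.
    r_inv = pow(r, -1, ORDER)
    server_only = pow(double_blinded, r_inv, P)
    return server_only in bucket


# Constructed sample breach corpus, not real leaked data.
BREACHED = [("alice@example.com", "hunter2"), ("bob@example.com", "letmein")]

if __name__ == "__main__":
    srv = BreachServer(BREACHED)
    print(check_credential(srv, "alice@example.com", "hunter2"))        # True
    print(check_credential(srv, "alice@example.com", "correct-horse"))  # False
```

Commutativity is what makes the exchange work: the server computes (x^r)^s, and raising that to r^-1 modulo the group order gives x^s without the client ever learning s or the server ever learning x. A fresh r per query also stops the server from linking two checks of the same credential.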

It’s an ingenious system, and as long as you feel you can trust the encryption (and Google), then it looks like a good way to automate hacked password detection. It will alert you that your credentials have been pwned at the point in time when you’re most likely to do something about it – when you’re trying to log into the site.

As with all password breaches, you should change your password if Chrome does discover a match, and turn on multi-factor authentication if the hacked site makes it available, to prevent a possible attack. You should also avoid reusing passwords across multiple sites so that attackers won’t be able to unlock your other accounts with a hacked password. You can make that easier by using a password manager with a built-in password generator.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/kPx8Ii--vqQ/

Facebook refuses to break end-to-end encryption

Congress on Tuesday told Facebook and Apple that they had better put backdoors into their end-to-end encryption, or it will pass laws that force tech companies to do so.

At a Senate Judiciary Committee hearing on Tuesday, attended by Apple and Facebook representatives who testified about the worth of encryption that hasn’t been weakened, Sen. Lindsey Graham had this to say:

You’re going to find a way to do this or we’re going to do this for you.

We’re not going to live in a world where a bunch of child abusers have a safe haven to practice their craft. Period. End of discussion.

It’s the latest shot fired in the ongoing war over encryption. The most recent salvos have been launched following the privacy manifesto that Facebook CEO Mark Zuckerberg published in March.

At the time, Zuckerberg framed the company’s new stance as a major strategy shift that involves developing a highly secure private communications platform based on Facebook’s Messenger, Instagram, and WhatsApp services.

Facebook’s plan is to leave the three chat services as standalone apps but to also stitch together their technical infrastructure so that users of each app can talk to each other more easily.

The plan also includes slathering the end-to-end encryption of WhatsApp – which keeps anyone, including Facebook itself, from reading the content of messages – onto Messenger and Instagram. At this point, Facebook Messenger supports end-to-end encryption in “secure connections” mode: a mode that’s off by default and has to be enabled for every chat. Instagram has no end-to-end encryption on its chats at all.

You had better end – or at least pause – your plan, three governments warned Facebook in October.

US Attorney General William Barr and law enforcement chiefs of the UK and Australia signed an open letter calling on Facebook to back off of its “encryption on everything” plan unless it figures out a way to give law enforcement officials backdoor access so they can read messages.

“No,” Facebook said – with all due respect to law enforcement and its need to keep people safe.

On Monday, Facebook released an open letter it penned in response to Barr.

In the letter, WhatsApp and Messenger heads Will Cathcart and Stan Chudnovsky said that any backdoor access into Facebook’s products created for law enforcement would weaken security and let in bad actors who would exploit the access. That’s why Facebook has no intention of complying with Barr’s request that the company make its products more accessible, they said:

The ‘backdoor’ access you are demanding for law enforcement would be a gift to criminals, hackers and repressive regimes, creating a way for them to enter our systems and leaving every person on our platforms more vulnerable to real-life harm.

People’s private messages would be less secure and the real winners would be anyone seeking to take advantage of that weakened security. That is not something we are prepared to do.

In his opening statement on Tuesday, Sen. Graham – the chairman of the Senate Judiciary Committee – told Apple and Facebook representatives that he appreciates “the fact that people cannot hack into my phone,” but encrypted devices and messaging create a “safe haven” for criminals and child exploitation.

In Facebook’s letter, Cathcart and Chudnovsky pointed out that cybersecurity experts have repeatedly shown that weakening any part of an encrypted system means that it’s weakened “for everyone, everywhere.” It’s impossible to create a backdoor just for law enforcement that others wouldn’t try to open, they said.

They’re not alone in that belief, they said. Over 100 organizations, including the Center for Democracy and Technology and Privacy International, responded to Barr’s letter to share their views on why creating backdoors jeopardizes people’s safety. Facebook’s letter also quoted Cryptography Professor Bruce Schneier from comments he made earlier this year:

You have to make a choice. Either everyone gets to spy, or no one gets to spy. You can’t have ‘We get to spy, you don’t.’ That’s not the way the tech works.

And as it is, Facebook is already working on making its platforms more secure, they said. It’s more than doubled the number of employees who are working on safety and security, and it’s using artificial intelligence (AI) to detect bad content before anyone even reports it or, sometimes, sees it. For its part, WhatsApp is detecting and banning two million accounts every month, based on abuse patterns. It also scans unencrypted information – such as profile and group information – looking for tell-tale content such as child abuse imagery.

Facebook says that it’s been meeting with safety experts, victim advocates, child helplines and others to figure out how to better report harm to children, in ways that are more actionable for law enforcement. It’s doing so while trying to balance the demands of other needs: as in, it’s also working to collect less personal data, as governments are demanding, and to keep users’ interactions private, as those users are demanding.

At a Wall Street Journal event on Tuesday, AG Barr granted that yes, there are benefits to encryption, such as securing communications with a bank – a financial institution that can, and will, give investigators what they need when served with a warrant.

But he said that the growth of consumer apps with warrant-repellent, end-to-end encryption, like WhatsApp and Signal, has aided “terrorist organizations, drug cartels, child molesting rings and kiddie porn type rings.”

This war over encryption has been going on since the FBI’s many attempts to backdoor Apple’s iPhone encryption in the case of the San Bernardino terrorists.

Both sides are sticking to the same rationales they’ve espoused since the start of this debate. The only real difference in the events of this week is the renewed call for legislation to force backdoors: a threat that is apparently uniting both sides of this otherwise extremely partisan Congress and hence carries that much more weight.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Lghno3KWNa0/

Iran says it staved off cyber attack but doesn’t blame US

Iran claims to have staved off a major cyber attack on its national infrastructure, a couple of months after the Middle Eastern theocracy was blamed for real-world assaults on two Saudi oil refineries.

“We recently faced a highly organized and state-sponsored attack on our e-government infrastructure which was successfully identified and repelled by the country’s security shield,” Mohammad Javad Azari-Jahromi, Iran’s ICT minister, was quoted as saying yesterday.

He specifically did not blame a particular country, adding: “I can’t say the attack was carried out by which country right now.”

Separately, the United Nations said yesterday it couldn’t tell whether or not the Islamic Republic was involved in two attacks which used military drones and missiles to destroy parts of Saudi Arabia’s Abqaiq oil-processing facility and the Khurais oilfield.

The BBC reported that UN secretary general Antonio Guterres wrote in a report about the attacks: “At this time, [the UN] is unable to independently corroborate that the cruise missiles and unmanned aerial vehicles used in these attacks are of Iranian origin.”

Iran and Saudi Arabia are both heavily dependent on petrochemical exports. Nobbling a rival’s oil-processing capabilities has obvious economic advantages. Likewise, a third party with an interest in setting both nations at each other’s throats could also do such a thing. Attribution carries far more weight in this scenario than just another line on a spreadsheet of whodunnits.

Meanwhile, Iran and the US have been at cyber loggerheads ever since the Stuxnet attack, first uncovered in 2010, thought to have been jointly developed by American and Israeli spies in order to disrupt Iran’s nuclear weapons programme.

In October Reuters reported that US officials told its journalists they had staged a cyber attack against Iran, something Azari-Jahromi denied when asked about it at the time.

Also in October, British and American spies claimed an “Iranian” hacker crew was actually a bunch of Russians leaving false flags in their wake. Just in case anyone got the idea that this was a straightforward tit-for-tat you-hack-me-I’ll-hack-you, the US and Brit agents claimed Russia had stolen actual Iranian hacking tools and deployed them itself.

Continuing back along the line of US-Iranian cyber aggression, America’s Department of Homeland Security wailed in June that Iranians had hacked their IT infrastructure in order to wipe large chunks of it, which at the time was thought to be the Iranian way of sending a message to the US about its cyber capabilities.

Meanwhile, completely aside from the international flinging of cyber bog rolls at each other, fed-up Iranian officials turned off the country’s internet in November after locals started rioting when fuel prices jumped 50 per cent.

Whoever was to blame for the latest attack on Iran, it certainly won’t be the last. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/12/12/iran_cyberattacked_no_attribution/

Smart Building Security Awareness Grows

In 2020, expect to hear more about smart building security.

In 2015, USA Network aired, in an episode of Mr. Robot, one of the most realistic depictions of building hacking ever to be featured in a TV show or movie. The lead character, Elliot, posing as a tech billionaire, walks into a highly secured data facility in upstate New York and obtains a tour. Afterward, he sneaks into a sensitive area where he attaches a Raspberry Pi board to the facility’s HVAC system, ultimately overheating the building to destroy the magnetic tape backups stored there.

While obviously still in the realm of fiction, the episode did highlight the potential damage an adversary could cause to any networked facility that is a strategic target. Earlier this year, McAfee demonstrated in real time the feasibility of a similar attack on a networked data center.  

In general, as buildings become more infused with IT and networking technology, security professionals and building managers are becoming aware of the security risks of smart buildings. Mirel Sehic, global director of cybersecurity for Honeywell Building Solutions, points to a CEB (now part of Gartner) study indicating that nearly one in five organizations with IoT networks have already suffered an attack.



Article source: https://www.darkreading.com/cloud/smart-building-security-awareness-grows/d/d-id/1336597?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Thanks, Larry!

A no-tech trick, a la social engineering, can lead to huge corporate security consequences — and it might just score the criminal a new car.

Source: Altamash Sayed

What security-related videos have made you laugh? Let us know! Send them to [email protected].

Beyond the Edge content is curated by Dark Reading editors and created by external sources, credited for their work.

Article source: https://www.darkreading.com/edge/theedge/thanks-larry!/b/d-id/1336592?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple