STE WILLIAMS

Qubes kicks Xen while it’s down after finding ‘fatal, reliably exploitable’ bug

Qubes is once again regretting how long it’s taken to abandon Xen’s PV hypervisor, disclosing another three bugs including host escape vulnerabilities.

The most serious bugs are in PV (paravirtualization) memory handling, XSA-213 and XSA-214.

“An attacker who exploits either of these bugs can break Qubes-provided isolation. This means that if an attacker has already exploited another vulnerability, e.g. in a Web browser or networking or USB stack, then the attacker would be able to compromise a whole Qubes system,” Qubes says in this note.

The bug in XSA-213 only affects 64-bit x86 systems and relates to how root and user mode page tables are handled by 64-bit PV guests. The IRET hypercall, which stands in for the identically-named CPU instruction, transfers control from user mode to kernel mode.

“If such an IRET hypercall is placed in the middle of a multicall batch, subsequent operations invoked by the same multicall batch may wrongly assume the guest to still be in kernel mode”, Xen explains, with the result that the guest could get writable access to the wrong root page table.

This means a buggy or malicious PV guest “may be able to access all of system memory, allowing for all of privilege escalation, host crashes, and information leaks.”

XSA-214 lies in the grant-table mechanism that lets guests pass pages to one another: specifically, the GNTTABOP_transfer operation is buggy.

“The internal processing of this, however, does not include zapping the previous type of the page being transferred. This makes it possible for a PV guest to transfer a page previously used as part of a segment descriptor table to another guest while retaining the ‘contains segment descriptors’ property.”

The result is, once again, a complete host escape: a malicious pair of guests can get access to all system memory, resulting in “privilege escalation, host crashes, and information leaks.”

“Pair of guests” is an important qualifier, as Qubes notes in its document, since it “requires cooperation between two VMs of different types, which somewhat limits its applicability.”

Finally, there’s XSA-215. It falls short of the “all of system memory”-level seriousness of the previous two, but it’s plenty bad enough.

A guest attacker could modify “part of a physical memory page not belonging to it”, with the resulting attack vectors covering privilege escalation, host crashes, crashing other guests, and information leaks.

The bug is in Xen’s exception handling, which under some conditions means it returns to guest mode “not via ordinary exception entry points, but via a so-called failsafe callback. This callback, unlike exception handlers, takes 4 extra arguments on the stack (the saved data selectors DS, ES, FS, and GS).

“Prior to placing exception or failsafe callback frames on the guest kernel stack, Xen checks the linear address range to not overlap with hypervisor space. The range spanned by that check was mistakenly not covering these extra 4 slots.”

As with XSA-214, this bug is confined to 64-bit Xen on x86 (in this case, version 4.6 and earlier), and with particular physical memory boundaries (5 TB or 3.5 TB).

We’re getting sick of this

Of the four bugs, Qubes says XSA-213 is the worst (“fatal, reliably exploitable” it says), and there’s more than a hint of frustration in its discussion.

Over eight years, Qubes complains, there have been four Xen bugs in the same class, all of them relating to “Xen mechanisms for handling memory virtualisation for paravirtualised (PV) VMs.”

Qubes says after XSA-212 emerged ten months ago, “we immediately began working on a way to move away from using PV-based VMs and toward using only hardware-based virtualization (HVM) VMs in Qubes 4.x” – but this is turning out to be harder than it looks.

The major undertaking delayed Qubes 4.0, the outfit says, and even then, there’s still stuff on the to-do list.

“We originally hoped we could transition to running all Linux VMs in a so-called PVH mode of virtualization, where the I/O emulator is not needed at all, but it turned out the Linux kernel is not quite ready for this.

“So, in Qubes 4.0, we will use the classic HVM mode, where the I/O emulator is sandboxed within… a PV VM (which is also the case when one runs Windows AppVMs on Qubes 3.x). This makes it possible for an attacker to chain attacks: one for QEMU with another hypothetical for PV virtualisation, to break out of a VM.”

If there were an alternative which Qubes believed was both more secure than Xen, and which supported all the architectural features Qubes needs (the post includes running network and storage backends in unprivileged VMs), the organisation would consider replacing Xen.

That’s not on the cards yet, but the post notes that since Qubes 3.0, the system’s architecture should be able to treat Xen as a replaceable component, should that be necessary.

All of the bugs are credited to Jann Horn of Google’s Project Zero. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/05/03/xen_bugs/

135 MEELLION Indian government payment card details leaked

If you’re enthused about governments operating large-scale online identity projects, here’s a cautionary tale: the Indian government’s eight-year-old Aadhaar payment card project has leaked a stunning 130 million records.

Aadhaar’s role in authenticating and authorising transactions, and as the basis of the country’s UID (unique identification database) makes any breach a privacy nightmare.

India’s Centre for Internet and Society (CIS) made their estimate public in a report published on Monday.

It’s not that there was a breach related to Aadhaar itself: rather, other government agencies were leaking Aadhaar and related data they’d collected for their own purposes.

The research paper drilled down on four government-operated projects: Andhra Pradesh’s Mahatma Gandhi National Rural Employment Scheme; the same state’s workers’ compensation scheme known as Chandranna Bima; the National Social Assistance Program; and an Andhra Pradesh portal of Daily “Online Payment Reports under NREGA” maintained by the National Informatics Centre.

In total, the CIS says, the portals leaked 135 million Aadhaar card records linked to around 100 million bank account numbers.

Given India’s enthusiasm to try and eliminate cash, it’s a big deal: the Aadhaar card funnels benefits to recipients’ linked bank accounts. As the report states: “To allow banking and payments using Aadhaar, banks and government departments are seeding Aadhaar numbers along with bank account details”.

The centre says the leaks represent significant and “potentially irreversible privacy harm”, but worse they also open up a fraud-ready source of personal information.

Online databases examined by the CIS included “numerous instances” of Aadhaar Numbers, associated with personal information.

The Indian government responded through Aruna Sundararajan, secretary at the Union Electronics and Information Technology Ministry, who announced amendments to the country’s IT legislation to beef up the system’s privacy and security.

“Aadhaar has very strong privacy regulation built into it”, she told The Hindu, but it needs better enforcement.

Sundararajan said those issues will be addressed in the legislative amendments. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/05/03/135_million_aadhaar_indian_government_payment_card_details_leaked/

Apple blocks comms-snooping malware

Apple has moved to thwart a malware attack that used a legitimate – probably hijacked – developer certificate, by revoking the cert.

Check Point wrote up the malware last week, calling “OSX/Dok” “the first major scale malware to target OSX users via a coordinated email phishing campaign”.

A hapless user who okayed all the stages of infection would end up having all their communications snooped – even HTTPS sessions encrypted with SSL.

The malware installation process included a legitimate-looking “your computer has a security problem” window that opened on top of all other windows, which Check Point captured:

The fake update alert

The fake nagware dialogue

If a user relents and okays the dialogue, the malware gets admin privileges, installs the Brew package manager, installs Tor and socat, and forces the user’s connections through a proxy for snooping. The traffic interception is supported by the Comodo certificate installed by the malware.

The purloined certificate recorded by Check Point

According to Kaspersky’s Threatpost, Apple revoked the certificate on Sunday, US time, and also dropped an update to its XProtect anti-malware software. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/05/03/osx_dok_malware_neutered/

Mozilla takes a turn slapping Symantec’s certification SNAFU

Mozilla has weighed in to the ongoing Symantec-Google certificate spat, telling Symantec it should follow the Alphabet subsidiary’s advice on how to restore trust in its certificates.

Readers will recall that Symantec has repeatedly issued certs that didn’t ring true with browser-makers and at the end of April 2017 Google started a countdown, the conclusion of which would see its Chrome browser warn users if it encountered Symantec certs.

Symantec offered up a remediation plan, mostly based on putting auditors through the joint. But it looks like that’s not sufficient for Mozilla.

UK-based Mozilla developer Gervase Markham has posted his note to Symantec at Google Docs here.

Mozilla strongly suggests that Symantec take a deep breath and swallow the bitter pills that Dr Google has prescribed here.

Chief among Google’s suggestions is that Symantec work with one or more existing certificate authorities (CAs) to take over its troubled infrastructure and rework its validation processes.

That would relegate the company to more-or-less reseller status, letting it maintain its customer relationships but relieving it of responsibility for ongoing operations.

The alternative, Markham writes, is for Symantec to:

Why so harsh? The core of Mozilla’s argument is that it just doesn’t feel Symantec grasps how serious its issues are. As Markham writes, Symantec cannot establish that it “adequately demonstrates that they have grasped the seriousness of the issues here, and that their proposed measures mostly amount to doing more of what, in the past, has not succeeded in producing consistent high standards.”

The reason, Markham writes, isn’t wrongdoing (so “we are not in StartCom/WoSign territory”), it’s simply that Symantec seems to have lost control of its intermediaries. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/05/03/mozilla_backs_google_in_symantec_cert_dispute/

It’s Russian hackers, FBI and Wikileaks wot won it – Hillary Clinton on her devastating election loss

Hillary Clinton today gave her first full interview since dramatically losing the US presidential election – and has placed the blame for her downfall on Russian hackers, FBI director James Comey and Wikileaks.

“If the election had been on October 27, I would be your president,” Clinton told CNN anchor Christiane Amanpour at a women’s event in New York.

That was a reference to a letter sent from FBI director James Comey to Congress on October 28, 2016 which stated the federal investigator was looking into newly discovered messages that were linked to the private email server run by Clinton while Secretary of State.

The letter reopened a constant line of attack on Clinton less than two months after it had effectively been put to bed, with an FBI report saying it had found no wrongdoing and no hacking of her server.

The “new” emails, found on the phone of dick-texting former politician Anthony Weiner who was husband to Clinton aide Huma Abedin, turned out to be nothing at all, as the FBI officially noted two weeks later – just two days before the election. But by then the damage was done. It is understood Comey was required by law to disclose the probe to Congress.

Clinton also flagged the release of emails taken from the account of her campaign director John Podesta by Russian hackers and supplied to Julian Assange’s vanity project Wikileaks as key to her defeat.

“I was on the way to winning until a combination of Jim Comey’s letter on October 28 and Russian WikiLeaks raised doubts in the minds of people who were inclined to vote for me and got scared off,” she argued, noting the “unprecedented interference” by Russian president Vladimir Putin.

Just for good measure, she also blamed the media and woman-hating for her failure to take the top job. Asked by Amanpour whether misogyny had played a role in the first female presidential candidate losing, Clinton replied: “Yes, I do think it played a role.”

And then, somewhat bizarrely given the effort put into highlighting external forces as destroying her bid, she said that she took “absolute personal responsibility” for losing to Donald Trump.

Maybe not the whole story?

While there is little doubt that the hacks, Comey’s completely unnecessary letter, and misogyny played a role in Clinton’s defeat, the fact that the former first lady and senator was unwilling or unable to see the flaws in the performance of both herself and her staff is, ironically, one of the main reasons she lost.

A new book out last month, Shattered, dug into Clinton’s campaign and reached some pretty damning conclusions about her team’s election efforts – many of which were flagged but ignored during the long journey to the polls.

Although Clinton lost some states by very narrow margins (and easily won the popular vote) – which supports the idea of Russia/Comey tipping the balance – her team also took some states like Wisconsin and Michigan for granted and paid the price.

While those high up in the Clinton campaign kept playing to their core supporters, and even started talking up the possibility of turning Texas (Texas!) blue, those on the ground were complaining that she was failing to connect with working-class white voters, as well as undecided and young voters.

The book Shattered places a big part of the blame on the over-confidence of her campaign manager Robby Mook in a data analytics program he used that provided predictions of polls. Mook placed the program’s insights above those of his local organizers and even her husband, former president Bill Clinton, and directed resources accordingly – and wrongly.

There is no way the program could have accounted for Donald Trump’s wildly unorthodox and populist campaign. And it almost certainly was not capable of understanding the dueling personalities of a TV celebrity willing to say anything and a firm establishment figure that many voters had disliked for over a decade.

And the loss to Barry?

In addition, it seems that Clinton never learned the lessons from her failure to beat Barack Obama as the Democratic candidate at the previous election, and continued to surround herself with long-term supporters thanks to her habit of valuing loyalty over competence.

Even the sudden, unexpected success of Bernie Sanders as a potential Democratic candidate failed to wake up the Clinton campaign to the realities of what was happening.

In large part that’s because Hillary Clinton has lived within a bubble of the super-rich and powerful for nearly 20 years. When you are paid over $200,000 just to give a speech, you have no meaningful connection to 99.9 per cent of voters.

Even now, having lost in the most spectacular fashion to probably the least-qualified US presidential candidate in history, Clinton is unable to see her and her team’s own failings.

No doubt, she hopes that the ongoing investigations into the numerous and deeply troubling links between Vladimir Putin’s intelligence services and senior members of the Trump campaign will exonerate her failed bid for the presidency.

But the truth is, dodgy email security aside, Clinton didn’t win because not quite enough of America liked her or wanted her to be their commander in chief. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/05/02/clinton_election_loss/

Getting Threat Intelligence Right

Are you thinking of implementing or expanding a threat intelligence program? These guidelines will help you succeed.

The array of startups in the threat intelligence market and the sheer volume of talk on the subject have enterprises racing to implement a solution. Many are placing big bets that subscribing to various threat intelligence offerings will enable them to spot threats faster and thereby minimize the damage and losses associated with security incidents.

This is a tall order, and high expectations have been set by the industry. So it’s no surprise that threat intelligence already has a lot of tired and disillusioned followers, as I’ve discussed at length with CISOs and security practitioners over the past few months. From these conversations, I’ve concluded that what enterprises need most is a strategic plan to operationalize and automate security based upon actionable intelligence.

Unfortunately, enterprises are often advised that they need to add a lot of new, arbitrary information feeds and sources, regardless of the enterprise’s operational maturity and resource constraints. Too often, the result is performance misfires coupled with a damaging loss of confidence in an approach meant to guide continuous improvement.

If you are considering implementing or expanding a threat intelligence program, here are a few principles that can increase the likelihood of success.

Define What You’re Trying to Achieve 
What’s the goal for your threat intelligence program? The primary purpose for threat intelligence is to accelerate incident response so that individual breaches are dealt with before they become full-blown incidents (which are far more costly). If this is your plan, then you need to know where the blind spots are. Can you gather the information you need from your security products?

For example, if your historical product selection was biased toward prevention rather than detection, you may not have the indicators of compromise (IOCs) or indicators of attacks (IOAs) required. You may be in a closed loop where “you don’t know what you don’t know,” because by definition, if a security product failed to block an attack it’s probably because it failed to see the attack. If not having visibility into what you missed is your problem, you may need to start by gaining visibility into your network before layering in third-party intelligence.

It’s important to stay focused on the most urgent needs first, and effectively optimize the information being gathered. Once you’ve crossed that hurdle, you can start adding external threat data for correlation with your internal data sources. Small but concrete gains in collection and use are crucial signs of progress and usually prove whether you’re on the right track to achieve your objectives.


Only Ingest What Your Systems Can Digest
It’s tempting to grab every new threat intelligence feed and dashboard widget. However, if your team and security operations processes are consumed by taking in large volumes of information instead of acting on what they deliver, you’re only magnifying the information-overload problem.

Getting to a better place isn’t always about adding more resources. Focus instead on the platforms and other tools you use to share information. What formats do they support? How extensible are they? How can you gain value now and optimize operations with these tools today? Can relevant, contextual information be easily surfaced from the tools? Make sure you don’t lose important contextual information in transit. For example, some products export full data directly to a CSV file but only deliver some of the contextual information via their API. Others export into PDFs that you will need to parse in order to use the data in an automated system.

Know Your Intelligence Consumers
You need to cater to your audience. These days, senior executives want security metrics (in return for increased security budgets) almost as often as network defenders want faster analysis of IOAs and IOCs. These are vastly different demands, so as the intelligence decision-maker you need to understand your audience. Who are they and what do they need most?

“Reports or It Didn’t Happen”
Know in advance how you will measure success in a threat intelligence program — whether that means a few PowerPoint slides to please top executives or key performance indicators for the team. Otherwise, you risk losing perspective. Intermediate milestones are the practical way to measure progress toward that objective.

Start with metrics that show how you’re improving visibility into your environment, for example, or decreasing lag time in incident-response workflows. Those numbers are arguably the most important, because successful intelligence programs inform, fundamentally, by dispelling assumptions and uncertainty that traditionally plague security decision-making.

Threat intelligence now accounts for significant budget spend in many security operations centers. It holds significant promise, but it isn’t a silver bullet. Good luck on your journey!


Vikram Phatak is Chief Executive Officer of NSS Labs, Inc. Vik is one of the information security industry’s foremost thought leaders on vulnerability management and threat protection. With over 20 years of experience, he brings unique insight to the cybersecurity problems …

Article source: http://www.darkreading.com/threat-intelligence/getting-threat-intelligence-right/a/d-id/1328720?_mc=RSS_DR_EDT

Intel Patches ‘Critical’ Elevation Privilege Bug in High-End Chips

Semiconductor giant releases patch for its Intel Active Management Technology vulnerability that could allow an attacker to escalate privileges in its high-end chipsets.

Intel issued a fix yesterday for a long-standing privilege escalation vulnerability in the firmware of its high-end Active Management Technology as well as its Intel Standard Manageability and Intel Small Business Technology products.

The bug could allow remote attackers to gain control of the network or local system privileges on certain firmware versions of Intel Active Management Technology (AMT), Intel Standard Manageability, and Intel Small Business Technology. The flaw does not exist on Intel-based consumer computers, however, the company says.

“This is a major surprise and a huge risk for those organizations who have AMT systems and using it to remotely manage their systems and applications. AMT allows many organizations to remotely manage hardware and systems including the ability to remote control those systems,” said Joseph Carson, Thycotic chief security scientist.

The vulnerability could allow an attacker to remotely control, wipe a device, or disable security features on the systems, he said.

Intel is advising affected companies to check their system with the original equipment manufacturer to see if an updated firmware has been issued. If not, then it is asking users to download its patch.

Read more about the Intel vulnerability here and here.


Article source: http://www.darkreading.com/endpoint/intel-patches-critical-elevation-privilege-bug-in-high-end-chips/d/d-id/1328783?_mc=RSS_DR_EDT

DDoS Attacks Surge, Organizations Struggle to Respond

Organizations often discover a DDoS attack only after being alerted to the fact by a third-party or customer, Neustar survey shows.

Despite heightened awareness of distributed denial-of-service (DDoS) attacks, organizations are taking longer to detect and respond to them.

Neustar, as it has done the previous three years, surveyed some 1,010 CISOs, CIOs, CTOs, and other corporate executives from around the world on the frequency and impact of DDoS attacks on their organizations. About 50% of the respondents identified themselves as belonging to companies with revenues of between $500 million and $1 billion.

The results show that DDoS attacks have increased in frequency and volume even as organizations are struggling to detect and mitigate them quickly. About 850 respondents, or 84% of the total, say their organizations have experienced at least one DDoS attack in the past 12 months, compared to the 73% who said the same thing in last year’s survey.

Eighty-six percent of those 850 organizations say they have contended with multiple DDoS attacks over the past year. That number represents a 4% increase over the proportion of organizations who say they had experienced more than one DDoS attack last year.

Nearly half of the impacted organizations say their DDoS attacks coincided with some form of breach or malicious activity on their networks, including data theft and ransomware. For instance, 47% report discovering virus activity on their network after a DDoS attack, 43% cite malware as being activated, and 32% report customer data theft.

The survey found that in many cases victim organizations did not know they were the targets of a DDoS attack until a third party or a customer alerted them. In fact, about one in five victim organizations over the past year learned about a DDoS attack only after being notified about it by an external third party or by their customers.

Hours to ID a DDoS

Globally, slightly more than half of all organizations that sustained a DDoS attack required a minimum of three hours to positively identify it, while 38% say it took them between three and five hours. On average, victims needed about three hours to respond to a DDoS attack, which was slower overall than the response times reported by respondents in last year’s survey.

The numbers are significant because of the potential losses that companies can experience as the result of a DDoS attack. More than 6 in 10 of the organizations surveyed estimate they would lose up to $100,000 in revenue per hour in the event of a disruption caused by a DDoS attack. Some 31% say they could lose between $250,000 to $1 million per hour, while 12% claim potential revenue losses of over $1 million per hour.

Inexperience dealing with DDoS attacks could be one reason for the delayed detection and response, says Barrett Lyon, Neustar’s head of research and development. Another is that large attacks that take infrastructures offline are rather easy to detect, but smaller ones are much harder to pin down.

“To those who have limited experience in mitigating attacks or have low-end protection, small complex attacks may be initially treated with performance investigations and diagnostics before arriving at the conclusion of an attack,” Lyon says. “Unfortunately, many types of DDoS attacks ramp up quickly and can be over in a matter of minutes.”

That can be fast enough to evade detection yet long enough for external users to notice, especially if the target is a Web-based service such as online banking, airline reservations, or utility payment systems.

Spike in Connectionless LDAP DDoS Attacks

The Neustar survey uncovered a significant increase in DDoS attacks involving the abuse of the Connectionless LDAP (CLDAP) protocol in the first quarter of 2017. CLDAP is a version of LDAP that many organizations use for directory services — and inadvertently also leave exposed to Internet access.

Unlike LDAP, which uses the Transmission Control Protocol (TCP) for communication, CLDAP uses the less secure User Datagram Protocol (UDP), making it somewhat easier to exploit in DDoS attacks.

Earlier this year, content distribution network Akamai published an alert noting a substantial increase in CLDAP-enabled DDoS attacks over the past several months. The company had described the new trend as troubling because of the extent of attack traffic amplification an attacker could achieve by exploiting CLDAP services that were exposed on the Internet.

In a similar report, security vendor Corero Network Security reported seeing a remarkable 416 CLDAP attacks since last October. The largest of these attacks had a peak bandwidth of 33 Gbps, while the average volume was around 10 Gbps.

Neustar says the largest CLDAP-enabled DDoS attack it has mitigated so far this year had a peak bandwidth of 20.9 Gbps and lasted 14 minutes. In terms of size, that was much smaller than some of the terabit-scale DDoS attacks generated by the Mirai botnet last year. Still, the incident demonstrated that CLDAP attacks can generate considerable momentum and are something to keep an eye on for the rest of the year, according to Neustar.

“A few years ago, a two gigabits-per-second attack could be quite disruptive, but its size was restricted to the amount of resources that could be economically and electronically marshaled,” Lyon says. “Now, attackers can leverage resources such as web domains that use DNS Security Extensions [DNSSEC] to create tremendous amplification.”

He points to a Neustar study last year, which identified a typical amplification factor of 29 for an 80-byte query; the largest attack amplified an 80-byte query 217-fold. “Better economics, more potent DDoS creation code being shared, and many [easily exploitable] are driving up attack size,” he warns.
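The amplification Lyon describes is measurable from ordinary flow records, and the defensive question for most organisations is not whether they are being hit but whether their own directory servers are answering CLDAP queries from the Internet. The following is an added example, not code from Neustar, Akamai or Corero: it parses constructed NetFlow-style UDP records, pairs each udp/389 response with the query that provoked it, computes the response-to-query byte ratio, and flags servers that return amplified answers to requesters outside an assumed internal prefix. The 80-byte query and 29x factor are the figures quoted above; the 10x alert threshold, the 10.0.0.0/8 internal range and all addresses are assumptions made for the example.

```python
import ipaddress

# Assumed internal address space for this example; a real deployment would
# substitute its own prefixes.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
CLDAP_PORT = 389                 # CLDAP answers on udp/389
AMPLIFICATION_THRESHOLD = 10.0   # assumed cut-off: responses >= 10x the query

# Constructed NetFlow-style records (not real data). One unidirectional UDP
# flow per line: src,sport,dst,dport,packets,bytes. 192.0.2.10 and 192.0.2.11
# stand in for the organisation's directory servers, 198.51.100.7 for an
# external address (the spoofed victim in a reflection attack), 10.0.0.5 for
# a legitimate internal client.
SAMPLE_FLOWS = """\
198.51.100.7,53011,192.0.2.10,389,1,80
192.0.2.10,389,198.51.100.7,53011,2,2320
198.51.100.7,53012,192.0.2.11,389,1,80
192.0.2.11,389,198.51.100.7,53012,1,96
10.0.0.5,40001,192.0.2.10,389,1,80
192.0.2.10,389,10.0.0.5,40001,2,2320
"""


def parse_flows(text):
    """Turn the CSV flow export into a list of dicts with integer fields."""
    flows = []
    for line in text.strip().splitlines():
        src, sport, dst, dport, packets, nbytes = line.split(",")
        flows.append({
            "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport),
            "packets": int(packets), "bytes": int(nbytes),
        })
    return flows


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def amplification_factor(query_bytes, response_bytes):
    """Bytes sent back per byte received; 80 -> 2320 gives the 29x in the text."""
    return response_bytes / query_bytes


def find_exposed_reflectors(flows, threshold=AMPLIFICATION_THRESHOLD):
    """Report directory servers that return amplified CLDAP answers to
    non-internal requesters. Each finding names the server, the requester
    (which in an attack is the spoofed victim) and the measured factor."""
    # Index queries by (client, client port, server) so that each response
    # flow can be matched to the query travelling in the opposite direction.
    queries = {}
    for f in flows:
        if f["dport"] == CLDAP_PORT:
            queries[(f["src"], f["sport"], f["dst"])] = f

    findings = []
    for f in flows:
        if f["sport"] != CLDAP_PORT:
            continue
        q = queries.get((f["dst"], f["dport"], f["src"]))
        if q is None:
            continue  # response with no observed query; ignore for this check
        factor = amplification_factor(q["bytes"], f["bytes"])
        if factor >= threshold and not is_internal(q["src"]):
            findings.append({
                "server": f["src"], "requester": q["src"],
                "query_bytes": q["bytes"], "response_bytes": f["bytes"],
                "factor": round(factor, 1),
            })
    return findings


if __name__ == "__main__":
    for finding in find_exposed_reflectors(parse_flows(SAMPLE_FLOWS)):
        print(finding)
```

On the constructed records only 192.0.2.10 is reported: it answers an external requester with a 2,320-byte response to an 80-byte query (factor 29), whereas 192.0.2.11 returns a 96-byte answer and the large answer to 10.0.0.5 goes to an internal client. A server that shows up in such a report should have udp/389 filtered at the edge, since CLDAP has no legitimate reason to be reachable from the Internet.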

Neustar’s survey also suggests that the growing deployment of Internet of Things (IoT) devices such as connected sensors and actuators will pose new DDoS-related challenges for organizations. Of the organizations using IoT devices that became victims of a DDoS attack last year, 32% report damage to physical equipment, or a network compromise.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: http://www.darkreading.com/attacks-breaches/ddos-attacks-surge-organizations-struggle-to-respond/d/d-id/1328788?_mc=RSS_DR_EDT

Striving For Improvement on World Password Day

Consumer hygiene and poor authentication practices create toxic combo.

World Password Day couldn’t come at a better time. It’s just a couple days away and in the last month running up to it, no fewer than five studies have come out warning how consumers remain lousy at password hygiene and businesses still stink at identity and access management across the board.

Meanwhile, news a few weeks ago of wide-scale breaches of Amazon third-party resellers demonstrate how rampant password reuse opens so many sensitive systems to compromise with a trivial amount of effort from the bad guys.

Most notable among the studies was the release last week of the 10th annual Verizon Data Breach Investigation Report (DBIR), which included a heavy emphasis on the risk of poor password management and hygiene. According to this year’s report, 81% of hacking-related breaches examined in this year’s crop leveraged stolen and/or weak passwords.

According to a different study released last week by Gigya, 70% of consumers use seven or fewer passwords across all of their online accounts. That’s pretty scary considering that according to another study this spring the average American Internet user now has 150 accounts requiring a password. Meanwhile, in a report out today by VMware, the number one identity and access management challenge named by IT pros is password management, 41% of whom named it as a top challenge. Even security professionals are guilty of poor password hygiene.

A survey by Thycotic released last month showed that 53% of security professionals haven’t changed their social network passwords in more than a year and 20% haven’t changed them at all.

With the volume of stolen passwords floating around on the Dark Web now well into the billions, the DBIR authors warn businesses that they need to be wary of the ramifications of credential stuffing attacks, which take advantage of reused passwords lurking in their user base.

“Even if you are not breached, there are armies of botnets with millions (or billions) of credentials attempting to reuse them against other sites. In other words, even though components of authentication weren’t compromised from you, it doesn’t mean they were not compromised,” the DBIR explained. “Again, if you are relying on username/email address and password, you are rolling the dice as far as password re-usage from other breaches or malware on your customers’ devices are concerned.”

This means bolstering multi-factor authentication and rethinking the situations in which username/passwords are the only barrier between credential-stuffers and sensitive data.

“If a username and password is the only barrier to escalating privilege or compromising the next device, you have not done enough to stop these actors,” the DBIR explained. “Network segmentation establishing more granular security zones that require multi-factor authentication may require the attackers to shift their tactics and stand out from the crowd.”
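The DBIR passage above describes the pattern defenders should be watching for: a single client cycling through many distinct usernames with a high failure rate, occasionally succeeding where a reused password happens to match. The following is an added example written for this page, not code from the DBIR or from Dark Reading. It assumes a constructed login log format (timestamp, client IP, username, outcome) and flags source IPs whose authentication attempts within a time window span many accounts and mostly fail; the sample log lines, thresholds and IP addresses are all constructed for illustration.

```python
"""Flag credential-stuffing patterns in a constructed login log.

A stuffing run looks different from a user who forgot their password:
one client, many *different* usernames, mostly failures, in a short span.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (assumption for this example): ISO timestamp, client IP,
# username and outcome on one line. Real systems will need their own parser.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: 203.0.113.9 walks six accounts in eight seconds (stuffing);
# 198.51.100.4 is one user mistyping their own password; 192.0.2.7 is a clean login.
SAMPLE_LOG = """\
2017-05-02T10:00:00 ip=203.0.113.9 user=alice result=fail
2017-05-02T10:00:02 ip=203.0.113.9 user=bob result=fail
2017-05-02T10:00:03 ip=203.0.113.9 user=carol result=fail
2017-05-02T10:00:05 ip=203.0.113.9 user=dave result=ok
2017-05-02T10:00:06 ip=203.0.113.9 user=erin result=fail
2017-05-02T10:00:08 ip=203.0.113.9 user=frank result=fail
2017-05-02T10:01:00 ip=198.51.100.4 user=carol result=fail
2017-05-02T10:01:20 ip=198.51.100.4 user=carol result=fail
2017-05-02T10:01:45 ip=198.51.100.4 user=carol result=ok
2017-05-02T10:02:00 ip=192.0.2.7 user=dave result=ok
"""


def parse_log(text):
    """Return a list of (timestamp, ip, user, result) tuples; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["ip"], m["user"], m["result"]))
    return events


def detect_stuffing(events, window=timedelta(seconds=60), min_users=5, min_fail_ratio=0.5):
    """Return {ip: summary} for clients whose attempts inside any `window`
    cover at least `min_users` distinct accounts with a failure ratio of
    at least `min_fail_ratio`. Summary keeps the widest matching window."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        best = None
        for i, (start, _, _) in enumerate(evs):
            # All attempts from this client that fall within `window` of `start`.
            chunk = [e for e in evs[i:] if e[0] - start <= window]
            users = {u for _, u, _ in chunk}
            failures = sum(1 for _, _, r in chunk if r == "fail")
            if len(users) >= min_users and failures / len(chunk) >= min_fail_ratio:
                summary = {"distinct_users": len(users), "attempts": len(chunk), "failures": failures}
                if best is None or summary["distinct_users"] > best["distinct_users"]:
                    best = summary
        if best is not None:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"possible credential stuffing from {ip}: {summary}")
```

The single `result=ok` inside the flagged run is the case the DBIR is warning about: a password reused from another site's breach works here, and a detector keyed only on failed logins for one account would never see it. The distinct-user count per source is what separates stuffing from a single forgetful user, and the hits are the accounts to push toward multi-factor authentication first.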

While all of these dire warnings may sound like scare tactics and FUD, there are plenty of real-world examples of how poor password management and a lack of multi-factor authentication put businesses at risk. Most recently, a report by the Wall Street Journal claimed that a dramatic increase in malicious takeovers of Amazon third-party seller accounts to perpetrate fraud was likely the result of organized credential-stuffing attacks.

The idea behind World Password Day on May 4 is to help break the cycle of data breaches that beget more data breaches through credential stuffing. Organizers use the day as an opportunity to encourage people to change their existing passwords and ensure that each of their accounts has a unique password guarding it.

“There is an interesting ‘domino effect’ that data breaches can have across multiple accounts. To avoid needless risk and to protect their identity in the event of a breach, people can take a minute to adhere to some password management best practices that include using a unique password for every application or account, and making sure the password is long and more complex – ideally twelve characters should be thought of as a minimum,” says Kevin Cunningham, president of IAM vendor SailPoint. “After all, protecting identity is key to the safety of personal data.”

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Article source: http://www.darkreading.com/endpoint/authentication/striving-for-improvement-on-world-password-day/d/d-id/1328789?_mc=RSS_DR_EDT

Fox News ‘hacked Andrea Tantaros’, says lawsuit

Lawyers for former Fox News host Andrea Tantaros are alleging that after she was fired over a sexual harassment complaint against Fox execs and filed a lawsuit, they planted a keylogger on her computer, eavesdropped on private phone conversations and tormented her with sockpuppets who referenced specific personal material: a friend’s scorpion sting, a family trip to Disney, her brother’s death, and more.

In this most recent lawsuit, Tantaros’s lawyers point to the cyber-harassment, which continued after Roger Ailes resigned as Fox News chairman in July, as proof of a still-thriving culture of misogyny.

Tantaros told ABC News Good Morning America in October that she wanted to force cultural change at a “sex-fueled, Playboy Mansion-like cult” under his tenure. The court had ordered the earlier sexual harassment case into mediation.

This latest lawsuit, filed in New York last week, concerns alleged illegal surveillance and electronic harassment. As such, it’s an entirely separate case.

Her lawyers say that the alleged sexual harassment was “unsavory” but the alleged cyber-harassment is “criminal”.

From the suit:

[T]he Defendants in this case subjected Ms. Tantaros to illegal electronic surveillance and computer hacking, and used that information (including, on information and belief, privileged attorney-client communications) to intimidate, terrorize, and crush her career through an endless stream of lewd, offensive, and career-damaging social media posts, blog entries and commentary, and high-profile “fake” media sites which Fox News (or its social influence contractors) owned or controlled.

These accounts and sites were made to appear as held by independent persons or neutral media entities (“sockpuppet accounts”). While the use of professional social influencers and fake stories, accounts and posts has been part of Fox News’s stock and trade for years, the use of illegal electronic surveillance and computer hacking has taken the company’s conduct to a profoundly disturbing next level.

A sockpuppet is a fake online identity created to promote marketing fluff pieces, to defend or attack a person or organization, to get around an online ban or suspension, or, as Tantaros’s lawyers allege, to torture her with reminders that she’s being spied on.

Her lawyers say that after Tantaros refused the buyout, there ensued a “constant stream of social media posts from multiple sockpuppet accounts designed to make it clear to Ms. Tantaros that she was being illegally surveilled”.

The suit catalogs and provides exhibits of such sockpuppet posts, allegedly put up by an “army” of independent contractors who carried out Fox News execs’ instructions on targeting perceived enemies through sockpuppet accounts, fake websites and trolling.

The alleged cyberstalking was carried out by a company called Disruptor, one of the defendants in the suit. Disruptor is run by Peter Snyder – also named in the suit – who for years ran a similar company called New Media Strategies. That earlier company managed social media campaigns by using fake websites and social media. It also ran what’s been described as “leering blogs promoting female Fox personalities”.

As the lawsuit describes, on April 25, Tantaros learned she’d been taken off the air by Fox News. Then, messages started getting wiped from her Blackberry.

She put it in a Faraday bag to block any further remote manipulation. But a subsequent forensic investigation of her laptop allegedly showed evidence of “unique surveillance viruses that are not found in any mass malware”.

According to the lawsuit, Tantaros believed that somebody working for Fox News was responsible for “hacking Ms. Tantaros’ computer so she could be spied on”.

We don’t have details about the spyware. The results of the forensic investigation weren’t included in the exhibits attached to the copy of Tantaros’s complaint. Ars Technica contacted Tantaros’s lawyer for more information on the allegedly discovered spyware, but that information wasn’t forthcoming.

Much of the material posted to the alleged sockpuppet accounts was subsequently deleted. The complaint’s exhibits carry screenshots taken of some of the cyber-baiting material, though, and purport to show that the people behind the sockpuppet accounts had access to material that appears to have come from eavesdropping.

One example: in early June, one of Tantaros’s close friends was hospitalized after a scorpion sting. She had multiple calls with her friend and others about the incident. Then, “out of the blue,” one of the sockpuppet accounts tweeted an advertisement for a 1957 movie titled “Black Scorpion”.

Around the same time, Tantaros was talking to her brother’s children while they were at Disneyland. At what her lawyers describe as “the very same time,” a sockpuppet account tweeted out an image of “two children being hugged by Mickey Mouse with the message: ‘Mickey Mouse and “new friends”…’”

Ars found that some of the accounts that had been stalking Tantaros are still live, though the tweets mentioning her – and personal data such as the anniversary of a brother’s death – have been removed. Ars has posted a slideshow of some of those deleted tweets.

Other sockpuppet accounts have since been deleted. The complaint lists a number of them that all used the same stock photo of a model. One of those posted to one of Tantaros’s male friends:

are you still dating @AndreaTantaros? If not DM me! Just a quickie Q.

Tantaros’s lawsuit also claims that Fox News used a Twitter account and WordPress blog called The Cable Game to spread a false story about why she was fired: for writing a book titled Tied Up in Knots: How Getting What We Wanted Made Women Miserable without first getting Fox’s clearance.

The Cable Game doesn’t contain the musings of some random blogger, the suit claims. It alleges that the author is Jim Pinkerton, who the lawsuit says is one of the Ailes operatives who conducted surveillance campaigns out of Fox News’s “Black Room”: an operation Ailes reportedly established around 2011 to conduct PR and surveillance campaigns against people he targeted, both inside and outside the company.

From the suit:

Yet, The Cable Gamer’s Twitter profile shows a picture of the actress Lori Singer accompanied by the following statement: “I’m not a former cable news insider. I didn’t spend nearly a decade at a US cable news network. I was never a highly placed source quoted in leaks to the press.”

Tantaros’s lawsuit is seeking compensatory damages and punitive damages as well as court fees and costs. Besides Snyder and his Disruptor company, defendants include Ailes, co-president Bill Shine, and media relations chief Irena Briganti.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/7q-1kLik_LY/