STE WILLIAMS

Peace in our time! Symantec says it can end Google cert spat

Symantec is hoping to get its certificates back on Google’s trust list.

In March, an ongoing spat between the two companies came to a head. After a scandal in 2015 over three certs issued by Symantec subsidiary Thawte, the number grew to 23, then 164, then 2,458 within a month.

Google decided in December 2015 to distrust the company’s ‘Class 3 Public Primary CA’ root certificate.

Things went quiet for a while, but in January Google started another investigation, turned up an alleged 30,000 dodgy certs, and decided to sin-bin Symantec.

To stave off disaster, Symantec has put forward another proposal to put things right, published here.

Saying it wants a “collaborative process” (rather than leaving the Chocolate Factory in charge of the guillotine), Symantec’s Roxane Divol, executive veep and general manager at Symantec Website Security, says a fix requires “understanding the needs of all parties”.

The key actions Symantec proposes are:

  • Rather than have Chrome remove Extended Validation status from Symantec certs, the company offers a third-party audit of all its EV certs, to be completed by August 31, 2017;
  • Another third-party audit will cover all active certificates issued by partners, including CrossCert, Certisign, Certsuperior and Certisur;
  • A third WebTrust audit will cover December 1, 2016 to May 31, 2017, and after that, Symantec will conduct WebTrust audits quarterly;
  • Audits will be reported quarterly;
  • “We will work through the CA/B forum to recommend new (or where applicable, updated) guidelines for appropriate customer exception requests to baseline requests”, the post states; and
  • Symantec promises to get the lead out of its pants when responding to the browser community’s concerns.

The company also says it’s going to offer SSL/TLS certs with three-month validity; it will run a domain validation of all certificates valid longer than nine months (at no extra cost to customers); and it promises to improve its back-end processes.

The company says with these actions, it hopes to avoid the inconvenience that would befall embedded systems and mobile apps with pinned certificates, and disruption to enterprise apps chained to Symantec roots. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/27/symantec_ca_proposal_for_google/

Ransomware up. Breaches up. What do hackers want? Research, prototypes… all your secrets

Cyberespionage and ransomware attacks are on the increase, according to the latest annual edition of Verizon’s breach report.

Organisations in manufacturing, the public sector and education bore the brunt of spying attacks, it adds. The high proliferation of proprietary research, prototypes and confidential personal data made these sectors a tempting target for cyber-spies.

More than 90 per cent of 289 confirmed breaches related to espionage were attributed to state-affiliated groups, with competitors and former employees accounting for the rest. Phishing was by far the most prevalent tactic used to target victims by spies of various stripes.

More generally, phishing was present in over a fifth of all security incidents (21 per cent), up from just 8 per cent last year. Verizon attributes the increase in prevalence to more hackers adopting phishing as an increasingly potent tactic. One in 14 (7.3 per cent) phishing attacks were successful, defined as assaults that result in the victim clicking on a link or email attachment sent by attackers. Spoofed websites harvesting credentials are becoming less of a threat in such attacks than macro-enabled malware.

Verizon’s 2017 edition of its annual Data Breach Investigations Report (DBIR) was based on an analysis of more than 42,000 security incidents and 1,935 confirmed data breaches, across 84 countries. A total of 65 partners contributed to the report, making it the industry’s most authoritative study on breach prevalence, trends and causes.

The top three industries for data breaches are financial services (24 per cent); healthcare (15 per cent) and the public sector (12 per cent). Four in five (81 per cent) of breaches involved either stolen passwords and/or weak or guessable passwords.

Organised criminal groups were behind 51 per cent of breaches and state-affiliated groups were involved in 18 per cent. Financial services firms were the most prevalent victims (24 per cent of breaches), with financial gain (72 per cent) and espionage (21 per cent) the top two motives for cybercriminals.

Ransomware continued its seemingly inexorable rise with a 50 per cent year-on-year increase.

Some industries are under greater threat from ransomware than others. For example, ransomware accounted for 72 per cent of all malware incidents in the healthcare sector, according to Verizon’s tenth annual DBIR.

Elsewhere, inadequate password security is still causing problems. Four in five (81 per cent) of hacking-related breaches succeed through either stolen, weak or easily guessable passwords. Greater awareness of phishing, or the use of two-factor authentication, would limit the effect of these shortcomings, but many firms are still failing to apply basic security controls, leaving them more open to attack as a result.

Gabe Basset, senior information security data scientist at Verizon, told El Reg that different industries face diverse threats. Manufacturing is most exposed to espionage by comparison to other industries, for example, while hotels and restaurants bear the brunt of PoS attacks. “The goal of the study is to help organisations to understand what they are protecting against,” he said. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/27/verizon_breach_report/

FTC urged to probe easily penetrated telly-enabled teledildonic toy

The US Federal Trade Commission has been urged to launch a probe into a hackable sex toy, which is potentially exposing couples’ teledildonic frolics to cyberpervs.

Earlier this month, the Siime Eye vibrator was discovered to utilise hard-coded credentials making it “trivial” for attackers to gain unauthorised access to the toy’s webcam feed.

These inadequacies have led Access Now, an international internet rights group, to complain that the sale of the toy is unacceptable and constitutes unfair and deceptive trade practices.

Amie Stepanovich, the US policy manager at Access Now, said that the FTC “must send a clear message to the adult Internet of Things industry that bad security will not be tolerated. These devices can give access to people’s most private information and they are being put on the market with laughably weak security settings.”

Access Now urged the FTC to investigate the $249 sex toy, stating such an investigation was “even more important given the growing trend to provide internet connectivity for sex toys and other related products without proper thought given to digital security problems.”

The complaint follows another teledildonics company settling a privacy infringement lawsuit for $3.75m back in March. Standard Innovation’s internet-enabled sex toy was bashed for collecting user data, including the date, time, and duration of each session in which the toy was used.

In that instance, two settlement funds were to be established: a $3m pot for users of the app affected by its data-slurping activities, and $750,000 for purchasers of the toy itself. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/27/ftc_urged_to_probe_easily_penetrated_tellyenabled_teledildonic_toy/

Australia’s smart meter leaders lag in securing devices

Default passwords, unpatched firmware, unencrypted traffic: according to a report from a Canberra University research organisation, Australia’s smart electricity meter rollouts are characterised by n00b-level security gaffes.

The warning comes from the University’s Centre for Internet Safety, which published its Smart Meters: What does a connected house really mean? report earlier this week (PDF).

In particular, the report highlights two-way communication as a risk for consumers: meters that only send upstream metering data to the retailer have a much smaller useful attack surface, the report says.

The Register spoke to Patrick Phair of the Centre for Internet Safety at Canberra University about the findings.

Phair’s biggest complaint is about the lack of information available about the progress of smart metering in the Australian electricity sector, a problem he attributes to fragmented retail markets.

Only Victoria documents the smart meter rollout at the state level, he explained, because that state mandated their installation (the program was the subject of a critical auditor-general’s report in 2015, available here (PDF)).

In other states, a plethora of competing retailers made it hard to collate figures for smart meter rollouts. Phair also said with multiple retailers between distributors and customers, smart meters are more likely to be exposed to the Internet, simply because those different players need a ubiquitous communications platform.

The next step from installing smart meters, he said, will be smart home integration, and “that’s when we’ll get into really spooky stuff – ultra-targeted information based on your family make-up, what you do, and when you do it.”

That makes better security even more of an imperative, Phair said, and in the report, he called for “robust” consumer protection frameworks to be put in place.

He warns that the combination of unencrypted communications from smart meters and weak password protection raises the risk that attackers could fingerprint households’ electricity use – for example, exposing them to the risk of burglary when a home’s occupants are absent.

The only possible bright spot is that a meter using electricity infrastructure as its communications channel might not be exposed to the Internet, thereby reducing the risk of intrusion.

Phair told The Register he’d like utilities to clean up their act before widespread deployments spread to water and gas utilities.

In Australia, electricity metering comfortably leads the pack in terms of adopting smarter technology, simply because those meters are easiest to power.

Water and household gas utilities are a long way behind (the report only cites one Australian case study in these sectors, that of Mackay Regional Council’s low-power WAN from Taggle Systems, designed to cut demand and avoid building a new AU$100 million water treatment plant).

Both the water and gas sectors tend to stick with one-way smart meters, to preserve the devices’ 15-year battery life. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/27/oz_smart_meter_leaders_lag_in_securing_devices/

Homebrew crypto SNAFU on electrical grid sees GE rush patches

General Electric is pushing patches for protection relay bugs that, if exploited, could open up transmission systems to a grid-scale attack.

The company hasn’t published much by way of detail, but spoke to Reuters after this Black Hat abstract was published (the talk will be delivered to the July conference in Las Vegas).

The three New York University researchers say they cracked the homebrew encryption in the ancient GE Multilin systems. The abstract is light on detail, but it appears the researchers found a hardcoded password: “we completely broke the home brew encryption algorithm used by these protection and management devices to authenticate users and allow privileged operations. Knowledge of the passcode enables an attacker to completely pwn the device and disconnect sectors of the power grid at will, locking operators out to prolong the attack”.

GE told Reuters the bug is in units dating from the 1990s (a time when, The Register notes, “homebrew” encryption was the norm, rather than known bad practice).

GE’s Annette Busateri told Reuters the company is notifying customers and rolling out upgrades for the bug. There’s a patch available for five out of the six affected products, she said, with the sixth to land soon.

The protection relays are used to cut off parts of the grid to protect against dangerous conditions.

A remote exploit would demand that the relays are connected to the Internet, with inadequate protection against access.

The researchers, Anastasis Keliris and Charalambos Konstantinou of New York University and Mihalis Maniatakos of NYU in Dubai, say they’ll show off an exploit on a feeder management relay – but don’t specify that they’ll be demonstrating a remote attack.

The Register has contacted GE for comment. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/27/ge_rushing_patches_to_grid_systems_ahead_of_black_hat_demonstration/

Unplug the Bitcoin miner and do us all a favour: Antminer has remote shutdown flaw

A new branded bug (sigh) has landed, specific to an ASIC-based Bitcoin miner: dubbed “Antbleed”, it allows remote shutdown of hardware sold by a company called “Bitmain”.

Bitmain’s Antminer cryptocurrency-mining hardware performs a start-up with a remote server, handing over MAC address, serial number and IP address – but as this site details, there’s also a curious piece of code in the current firmware:

        /* rec holds the server's check-in reply; any reply containing "false" halts mining */
        if(strstr(rec,"false"))
            if_stop = true;

The upshot, as described by the Antbleed site, is that at each check-in (at a random time between 1 minute and 11 minutes), the firmware expects a response of “true” from Bitmain.

If the response is “false”, the device will stop mining Bitcoin – and that could be applied to any device, which the Antbleed site claims could be up to 70 percent of the global hashrate.

Not to mention that the information Bitmain collects is personally-identifiable, and as Bitcoin Magazine says, “mining is a small industry, so it shouldn’t even be hard to connect the machine to specific pools, or blocks”.

Since the device runs an unauthenticated API, MITM, DNS or domain hijack attacks make it possible that third parties could exploit the same problem.

The Antbleed site suggests users force the API to treat localhost as the unit’s connection to the Bitmain server (auth.minerlink.com) to block the issue – at least until the firmware is patched. ®
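As an added example (not Bitmain’s firmware or the Antbleed site’s code), the following Python models the quoted substring check beside a hardened variant that keeps mining unless it receives an exact, HMAC-authenticated stop command within a freshness window; the JSON message format, the per-device key and the helper names are assumptions for illustration.

```python
import hashlib
import hmac
import json
import time

# Constructed per-device shared key for the example; a real deployment would
# provision a unique key per unit during manufacturing.
DEVICE_KEY = b"example-per-device-key"
MAX_SKEW_SECONDS = 600  # reject stop commands older than ten minutes (replay window)


def should_stop_vulnerable(rec: str) -> bool:
    """Mirror of the firmware logic quoted in the article:
    if(strstr(rec,"false")) if_stop = true;
    Any reply that merely contains the substring "false" halts the miner,
    so a hijacked or malformed response is enough to trigger it."""
    return "false" in rec


def should_stop_hardened(rec: str, key: bytes, now=None) -> bool:
    """Honour only an exact, authenticated stop command.

    Hypothetical message format (not Bitmain's): JSON object with
    "cmd", "ts" (unix seconds) and "mac" = hex HMAC-SHA256(key, "cmd|ts").
    Anything that does not parse and verify keeps the miner running."""
    now = time.time() if now is None else now
    try:
        msg = json.loads(rec)
        cmd = msg["cmd"]
        ts = int(msg["ts"])
        mac = str(msg["mac"])
    except (ValueError, KeyError, TypeError):
        return False  # fail safe: garbage or unexpected input never stops the unit
    if cmd != "stop":
        return False
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False  # stale or replayed command
    expected = hmac.new(key, f"{cmd}|{ts}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the MAC cannot be guessed byte by byte
    return hmac.compare_digest(expected.encode(), mac.encode())


def sign_command(cmd: str, ts: int, key: bytes) -> str:
    """Server-side helper under the hypothetical format: build a signed command."""
    mac = hmac.new(key, f"{cmd}|{ts}".encode(), hashlib.sha256).hexdigest()
    return json.dumps({"cmd": cmd, "ts": ts, "mac": mac})


if __name__ == "__main__":
    # Constructed sample replies: a plain "false", a benign reply that happens to
    # contain the substring, a forged stop without a valid MAC, and a genuine one.
    samples = [
        "false",
        '{"status":"ok","note":"falsely flagged"}',
        '{"cmd":"stop","ts":1000000,"mac":"00"}',
        sign_command("stop", 1000000, DEVICE_KEY),
    ]
    for rec in samples:
        print(rec)
        print("  vulnerable check stops miner:", should_stop_vulnerable(rec))
        print("  hardened check stops miner:  ", should_stop_hardened(rec, DEVICE_KEY, now=1000100))
```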

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/27/prospect_of_trouble_in_bitcoin_world_major_miner_vulnerable/

Beware of geeks bearing gifts: Evil game guides infect 2 million Androids

Ad-displaying malware in nearly 50 apps on the Google Play Store has infected nearly two million phones.

And it’s all thanks to a combination of user stupidity, and the ad giant failing to spot and remove the software nasty lurking in its application souk.

The rogue code – dubbed Falseguide because it is contained within game walkthrough applications – has been spreading fast, in part because of poor app checking by Google. According to infosec vendor Check Point, some of these apps have been hiding in plain view in the Google Play store since November of last year, and their malicious nature wasn’t picked up by the Chocolate Factory.

“Mobile botnets are a growing trend since early last year, growing in both sophistication and reach,” Check Point said in an advisory that lists the dodgy apps – all of which have belatedly been removed from the Play Store.

“This type of malware manages to infiltrate Google Play due to the non-malicious nature of the first component, which only downloads the actual harmful code. Users shouldn’t rely on the app stores for their protection.”

These apps may have been able to slip past Google’s malware radars by appearing to be innocent programs and later smuggling malicious code onto the devices. Rather than bundling ad-slinging code and spyware into the app, the software’s masterminds use Google’s Firebase SDK to access an online discussion board, which is used to control the two-million-strong army. Messages containing URLs to additional modules are posted to the forum, which the apps read and obey by installing the linked code.

So far the only nasties Falseguide downloads and executes just display annoying adverts on handsets, but future modules could, for example, install spyware on the devices, or be used to launch denial-of-service attacks on victims.

This is all possible thanks to the level of access the apps ask for when first installed: the software pops up a permission request screen telling users that it wants full device admin rights.

Obviously this should set alarm bells ringing – a game guide is no more than a collection of pictures and text, and there’s no reason for it to have such access rights. But, people being people, around two million idiots have ignored this red flag waved by someone in a scarlet leotard and ruby slippers screaming “red flag, red flag” – and tapped OK.

The source of the malware is unknown, but the apps were uploaded by two developers named Sergei Vernik and Nikolai Zalupkin. These are highly likely to be fake accounts, but Russia is churning out some quality malware these days, as many people are finding out to their cost.

Google had no comment at time of publication. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/26/android_falseguide_malware_hits_2m/

Linux kernel security gurus Grsecurity oust freeloaders from castle

Linux users, the free lunch is over. Pennsylvania-based Open Source Security on Wednesday decided to stop making test patches of Grsecurity available for free.

The software, a set of powerful Linux kernel security enhancements, includes features such as support for role-based access controls and chroot restrictions that harden Linux implementations.

Two years ago, the Linux security outfit did the same for stable patches of Grsecurity.

The company’s decision to limit its open-source security software to paying sponsors stemmed from alleged misuse of Grsecurity’s trademark by an undisclosed company that appears to have been Intel’s Wind River.

Asked whether the company in question was Wind River, Grsecurity creator and Open Source Security president Brad Spengler, in an email to The Register, declined to comment.

In any event, when legal saber-rattling failed to produce the desired result, Spengler’s company closed its free software spigot, except for test patches.

Now those too have been paywalled. And as a consequence, there will be no more public PaX patches for future kernel releases, because PaX includes Grsecurity contributions.

Organizations willing to pay the subscription fee, which starts at $200 per month, will be able to continue to benefit from Grsecurity patches.

Freeloaders will have to explore other options, which Open Source Security contends don’t exist.

“Unfortunately, in contrast to Microsoft’s post-Windows XP Trustworthy Computing initiative which drastically changed its security trajectory, the Linux community at large has failed to invest adequately in security over the past two decades,” the company said in a blog post.

“Partially due to this, there is no direct alternative to Grsecurity or even any option that provides a substantial fraction of Grsecurity’s features or overall benefits.”

Asked whether he had anything to add to the announcement, Spengler pointed to a post from security researcher Jonathan Zdziarski as representative of his thoughts on the matter, and added:

All I would say other than that at this time is that I’ve spent nearly half of my life (16 out of 34 years) on this work and published it for free for people to learn and benefit from. The testimonial we added to the site today from Tavis Ormandy speaks to the impact we’ve had on our field.

There are many commentators and complainers today, especially when it involves free software, and very few people dedicating half of their life to creating useful original work. When those efforts suddenly get co-opted by companies using misleading marketing and essentially corporate-funded plagiarism, it’s not conducive to the desire to create and publish new work. So we’re refocusing our efforts back to those who respect and value our time. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/26/grsecurity_linux_kernel_freeloaders/

Chipotle may have banished E coli, but now it has a new infection

The last quarter has been a trying one for Mexican fast-food chain Chipotle. People are returning to its restaurants after the great 2015 E coli outbreak, but now customers are being struck by a different kind of virus.

The taco takeaway admitted that it had become the latest victim of what sounds like classic cash register malware. The infection occurred between March 24 and April 18 of this year; the guacamole gormandizers haven’t specified yet which locations were affected, but it’s fair to assume a lot of them were.

The software nasty is the kind that sits in tills, takes a copy of bank cards swiped through for payment, and siphons off the data to crooks so they can clone the cards and blow victims’ accounts.

“We recently detected unauthorized activity on the network that supports payment processing for purchases made in our restaurants,” said the burrito baristas in a statement this week.

“We immediately began an investigation with the help of leading cyber security firms, law enforcement, and our payment processor. We believe actions we have taken have stopped the unauthorized activity, and we have implemented additional security enhancements.

“Because our investigation is continuing, complete findings are not available and it is too early to provide further details on the investigation. We anticipate providing notification to any affected customers as we get further clarity about the specific timeframes and restaurant locations that may have been affected.”

A few years ago, when this style of credit-card slurping began to appear, companies infiltrated by malware usually offered credit protection services to affected customers. However, that’s becoming less common, and the carnitas crew is merely telling chicken wrap scoffers to watch their credit card statements for dodgy purchases.

“Consistent with good practices, consumers should closely monitor their payment card statements. If anyone sees an unauthorized charge, they should immediately notify the bank that issued the card. Payment card network rules generally state that cardholders are not responsible for such charges,” the chorizo chuckers said, with the implication “had money stolen? Not our problem.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/26/chipotle_malware_infection/

Microsoft App Aims to Delete the Password

Microsoft has officially launched its Authenticator app designed to simplify and secure user logins, raising questions about the future of password-free authentication.

Microsoft took another step toward eliminating passwords with the general availability release of its Authenticator application designed to swap traditional password authentication with push notifications.

Users typically fail at creating and managing their passwords. Despite the risks of using simple passwords, and using the same password for multiple accounts, users continue to favor convenience over security. Researchers discovered the most common password of 2016 was “123456.”

The idea behind Authenticator is to simplify security by eliminating the need for passwords that require upper and lowercase letters, numbers, special characters, emojis, secret handshakes, etc., and moving the core of authentication from human memory to the device.

After downloading Microsoft Authenticator for iOS or Android devices, you add account information and just enter your username when accessing those websites. Instead of entering a password, you get a push notification. Tap “Approve,” and you’re logged in.

“We wanted to make it super easy for you to prove who you are,” says Alex Simons, director of program management for Microsoft’s identity division. The first step was getting rid of instances where you’re used to typing in passwords.

“Passwords, overall, are a nuisance,” he continues. “If you want to be secure, you have to manage all these different passwords for different services … but no one can do that. No one can make 20, 30, 40 different passwords in a secure way.”

This isn’t Microsoft’s first foray into password elimination. Authenticator’s implementation model, he says, is similar to that of Windows Hello, which lets users log into Windows 10 devices using biometric authentication. 

Authenticator is initially geared towards consumers, says Simons, and there are about 800 million consumers actively using Microsoft accounts on a monthly basis. The company has plans for a business rollout, starting with a public preview later this fall, but anticipates faster adoption among consumers.

The authentication app works with online Microsoft accounts, as well as with Facebook-, Google-, and other user accounts.

Simplifying user access was one of the goals behind Authenticator. The other was to make it harder for criminals to break into devices.

Paul Cotter, senior security architect with West Monroe Partners, says Microsoft’s update is arguably an improvement on “normal passwords” because users need to physically have their phones to access their accounts.

“The problem with a password is if someone finds your password, they can use it from any physical location to gain access to multiple online services,” he explains. “With a phone authentication, a hacker would need the physical phone to be able to compromise.”

However, he argues, Microsoft isn’t really “killing the password” with Authenticator.

“This is still a single-authentication method,” Cotter explains. “There is still only one thing – in this case, a phone rather than a password – that authenticates identity.”

Multi-factor authentication is “the best answer to poor passwords,” he says, and is required to increase security because it diversifies authentication, making it tougher for thieves and cybercriminals to break into devices.

It’s worth noting here that Microsoft views its app as two-factor authentication, but acknowledges there are multiple interpretations of what constitutes two-factor authentication. It views the phone as the first factor, and the PIN or fingerprint on the device as the second factor. Each sign-in requires both, the company explains.

Bad actors may need physical phone access to bypass Authenticator, but Cotter notes that phones are also easy to break into. People use simple passcodes (think “1234”), so moving authentication from person to device may only be shifting the risk.

Cotter also notes that biometric authentication could potentially run into problems with the Fifth Amendment. A few years back, courts determined a person could not be required to provide a password under the Fifth Amendment (the right to not self-incriminate). However, they can be compelled to provide a fingerprint that will unlock a device.

Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University.

Article source: http://www.darkreading.com/endpoint/microsoft-app-aims-to-delete-the-password/d/d-id/1328741?_mc=RSS_DR_EDT