STE WILLIAMS

The New Shadow IT: Custom Data Center Applications

If you think you’ve finally gotten control of unsanctioned user apps, think again. The next wave of rogue apps is on its way from your data center to the cloud.

Over the years, the consumerization of IT has spurred a free-for-all in the adoption of cloud services. As employees found unsanctioned applications to help them do their jobs, overwhelmed security teams took a head-in-the-sand approach, giving rise to a serious problem dubbed “Shadow IT.” But how big of a problem is Shadow IT, really? That depends who you ask.

Based on my personal conversations, CIOs estimate the number of unsanctioned cloud apps to be around 100. But in a tally based on an analysis of network logs, Shadow IT totals are much larger, averaging roughly 1,000 cloud services in use since early 2015.

Since those early days, companies have taken a more proactive and managed approach to the cloud by moving to enterprise-wide deployments of applications like Office 365, Salesforce, and Box. But just as organizations think they have Shadow IT under control, a new area of rogue cloud computing has emerged: custom applications developed by a company on its own and hosted in the cloud.

Everyone Is in the Business of Software Development
New research Skyhigh Networks conducted with the Cloud Security Alliance surveyed over 300 technology professionals from departments including software developers, IT, security, operations, and DevOps. The research showed that security teams, on average, estimate their organization uses 179 custom applications. But in reality, according to the research, the average organization uses 464 custom applications, with larger companies with over 50,000 employees averaging 788 applications! That means security is aware of only 38% of custom cloud applications in use in their businesses.

Developers and DevOps teams build these applications for business use cases, but the applications do not necessarily pass through a security review before they are deployed. What are they? Custom applications serve diverse functions for internal employees, third-party business partners, and customers. A company may develop its own HR benefits application, code-sharing platform, or customer service tools. As a result, these applications often hold sensitive data ranging from personally identifiable information and confidential intellectual property to payment data.


These applications pose many of the same risks to corporate data as SaaS applications. But they also can trigger additional threats because they are hosted in IaaS platforms. In 2017, we will witness a tipping point for custom app deployment, when, for the first time, companies plan to deploy a majority of their computing resources in the cloud. According to Skyhigh and CSA’s survey, 61% of custom applications are currently hosted in corporate data centers, but that percentage will decline to 46% by the end of the year.

And it’s not just trivial, low-impact applications that are moving to the cloud. According to our survey, among companies with business-critical custom applications, 46% already host those applications in the cloud; the remaining majority were developed for use in the data center. Retrofitting these data center applications with cloud-specific security will require development resources that most talent-strapped security departments simply do not have.

Missing Pieces of Custom Application Security
Custom applications hosted on IaaS share many of the same threats to data as SaaS. But SaaS security gives us a framework to understand these threats in IaaS-hosted custom apps. Malicious insiders, employee error, and compromised accounts, for example, all create risk to sensitive data in custom applications that could potentially lead to compliance violations. For instance, in a typical IaaS environment, a company could have a custom CRM application in the cloud with an encrypted field for credit card numbers, but employees may carelessly enter credit card numbers in a different unencrypted field like “Notes,” violating PCI regulations.

Hosted in IaaS platforms, custom applications pose unique security challenges as well. Enterprise SaaS service providers develop robust APIs that allow customers to monitor and enforce security policies at scale across billions of activities every month. For example, Slack recently launched an Enterprise Grid API to accommodate security teams’ requirement to monitor high risk activity on the application. Enterprise SaaS applications also create markets for security solutions from third-party providers. Custom enterprise applications lack both traits, leaving security teams on their own to lock down hundreds of applications.

As a result, companies will be left struggling to address four critical areas of security functionality:

Threat Protection: SOC teams require behavioral monitoring to detect threats in action – for example, anomalous behavior that is indicative of a compromised account. Enterprise SaaS services provide APIs or event logs for consumption by third-party security providers, but custom applications require custom-developed solutions to analyze activity data. There is a huge blind spot across custom applications for threats from inside and outside the company.

Encryption: Regulations like HIPAA require organizations to encrypt sensitive data uploaded to the cloud. Specifically, organizations often need to keep data encrypted within their own geographic region with their own customer-managed encryption keys. Companies did not have to contend with these requirements when their custom applications were in the data center, but now that custom applications are on IaaS cloud platforms, they will be held responsible for violations.

Data Loss Prevention: SaaS platforms open the door to access to data anywhere. Cloud-hosted custom applications are available via the open Internet, putting sensitive data at risk of violating corporate security policies. The data companies want to protect with data loss prevention includes social security numbers, salaries, IP addresses, file names containing “password,” and more. Controls enforcing off-network, BYOD, location-based, and content-based access policies are just a few of the capabilities IT security should insist on.

Activity monitoring: Incident response and audit teams require an audit trail of behavior on an application for post-incident forensic investigations. When custom applications leave the data center for IaaS platforms, they do not get user-level event logging by default: the IaaS provider logs infrastructure and API calls, not what employees do inside the application, so that logging has to be built into the application itself. Without any record of employee activity, IT security cannot effectively respond to and remediate security incidents.
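A concrete illustration of the “Notes” field problem described above, added here as an example and not taken from the article or from Skyhigh’s products: a scanner that checks every field of a record outside the designated encrypted fields for Luhn-valid card numbers and SSN-shaped values. The record layout, field names and sample values are constructed for the example (the card number is a well-known test number, the SSN the 1938 Woolworth sample number).

```python
import re

# Candidate card numbers: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US SSN in the 3-2-4 layout, excluding area/group/serial values that are never issued.
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")


def luhn_ok(digits):
    """Luhn checksum; filters out most digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(pan):
    """Keep only the last four digits in any report."""
    return "*" * (len(pan) - 4) + pan[-4:]


def find_pans(text):
    """Return the Luhn-valid card numbers (separators removed) found in text."""
    pans = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            pans.append(digits)
    return pans


def scan_record(record, encrypted_fields):
    """Report card numbers and SSNs that landed in any field outside the
    designated encrypted fields.  Returns (field, kind, masked_value) tuples."""
    findings = []
    for field, value in record.items():
        if field in encrypted_fields or not isinstance(value, str):
            continue
        for pan in find_pans(value):
            findings.append((field, "PAN", mask(pan)))
        for m in SSN_RE.finditer(value):
            findings.append((field, "SSN", "***-**-" + m.group()[-4:]))
    return findings


# Constructed sample: a CRM record whose only encrypted field is card_number_enc.
SAMPLE_RECORD = {
    "customer": "A. Example",
    "card_number_enc": "4111111111111111",
    "notes": "Customer read out card 4111 1111 1111 1111 and SSN 078-05-1120 "
             "over the phone. Order ref 4111111111111112.",
}

if __name__ == "__main__":
    for finding in scan_record(SAMPLE_RECORD, {"card_number_enc"}):
        print(finding)
```

The order reference in the sample looks like a card number but fails the Luhn check, so it is not reported; the number typed into the Notes field is. In a real deployment the same scan would run on write (to reject or redact the value before it is stored) as well as on existing data.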

Why has security been circumvented in the flood of custom applications to the cloud? If the first wave of Shadow IT was the consumerization of applications via SaaS, the next wave has become the consumerization of infrastructure where developers and DevOps no longer need to work with security to access datacenter resources. As a result, security is faced with a stark ultimatum: Enable security for custom applications or be left behind.


Kaushik Narayan is a co-founder and CTO at Skyhigh Networks, where he is responsible for Skyhigh’s technology vision and software architecture. He brings over 18 years of experience driving technology and architecture strategy for enterprise-class products. He has been …

Article source: http://www.darkreading.com/cloud/the-new-shadow-it-custom-data-center-applications/a/d-id/1328590?_mc=RSS_DR_EDT

WiFi-enabled adult toy comes up short on security

Why in the world would you need an endoscopic camera at the end of a vibrator?

Why, to record “love through pictures and videos”, says Svakom, maker of the $249 Siime Eye sex toy… and to then “share the wonderful sex adventure to your partner via pictures or videos”.

Yes, that’s right, “share”. As in, Internet of Things sharing, as in yes of course it’s got a built-in tiny camera and a hidden searchlight that can be connected to a PC, tablet or mobile phone via WiFi.

… And of course it’s hackable.

The company assures customers that Siime Eye has a “powerful but quiet motor when operating”, so you don’t have to worry about being overheard by others. But it turns out that you do have to worry about somebody wardriving through the neighborhood, picking up on who’s using the vibrator and intercepting the video stream.

Researchers at Pen Test Partners – a penetration-testing (we’re not going to touch that one) outfit that probes the security of IoT gadgets and which has looked at the security of cyberdildonic sex toys in the past – decided to look at the security of Siime Eye in the wake of the WeVibe lawsuit and settlement.

It found that after seeing some pretty bad things in IoT security, “this has to take the biscuit”.

Pen Test Partners found hard-coded credentials, plus a hard-coded IP address and port. It also found what it says is “hidden” functionality to connect to Skype, to save videos automatically to a network file share, and to send pictures in emails. It also has a command injection flaw in its web interface.

The hard-coded credentials, admin:blank, make it “trivial” to connect to the vibrator’s web admin interface, the researchers say. And given that the web app serves the video from the camera, and because it’s an access point, an attacker within range can identify users.

Given that the credentials are hard-coded, users who aren’t combing through their IoT gadgets for security weaknesses will never think to change those credentials. And anybody who can get on to the wireless AP will instantly gain access to everything on the web app. As it is, Siime Eye is already turning up on wardriving sites: Pen Test Partners spotted a user in Tokyo who showed up on wigle.net, for example.

As far as access to Skype goes, they found a cgi script called skype_pwd, along with other scripts for adding a Skype account, sending emails and changing DNS settings.

With a bit more work – including cracking the device open to dump its firmware, finding a command injection point in the web interface and using it to get a root shell – the researchers recovered the hard-coded telnet password and could then log in over telnet as well.

After that, it was “plain sailing,” they wrote:

We’ve got complete control over every inbuilt function in the Siime Eye, easy access to the video stream, a root shell and persistence on a dildo.
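To show what the firmware-dump stage of that work looks like in practice, here is an added example that is not Pen Test Partners’ code: a static audit of an extracted root filesystem that flags blank and hard-coded passwords in /etc/shadow, extra UID-0 accounts, cleartext login services enabled in inetd.conf, and CGI scripts whose names hint at credential or network plumbing. The directory layout, file contents and the placeholder hash are constructed for the example; only the script name skype_pwd comes from the article.

```python
import os
import re
import tempfile

# Constructed stand-in for an extracted firmware root filesystem.  Paths,
# contents and the shadow hash are placeholders invented for this example.
SAMPLE_ROOTFS = {
    "etc/passwd": (
        "root:x:0:0:root:/:/bin/sh\n"
        "admin:x:0:0:web admin:/:/bin/sh\n"
        "nobody:x:99:99::/:/bin/false\n"
    ),
    "etc/shadow": (
        "root:$1$saltsalt$placeholderhashvalue000:0:0:99999:7:::\n"
        "admin::0:0:99999:7:::\n"
        "nobody:*:0:0:99999:7:::\n"
    ),
    "etc/inetd.conf": (
        "# services started by inetd\n"
        "telnet stream tcp nowait root /usr/sbin/telnetd telnetd\n"
        "#ftp   stream tcp nowait root /usr/sbin/ftpd ftpd\n"
    ),
    "www/cgi-bin/skype_pwd": "#!/bin/sh\necho Content-type: text/plain\n",
    "www/cgi-bin/set_dns": "#!/bin/sh\necho Content-type: text/plain\n",
    "www/cgi-bin/status": "#!/bin/sh\necho Content-type: text/plain\n",
}

# CGI names that suggest credential or exfiltration functions, worth a manual look.
SENSITIVE_CGI = re.compile(r"pwd|passwd|password|dns|mail|smtp|skype|upload", re.I)
CLEARTEXT_SERVICES = {"telnet", "ftp"}


def build_sample_rootfs():
    """Write SAMPLE_ROOTFS into a temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="rootfs-")
    for rel, content in SAMPLE_ROOTFS.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return root


def _read(root, rel):
    path = os.path.join(root, *rel.split("/"))
    return open(path).read() if os.path.isfile(path) else ""


def audit_rootfs(root):
    """Return (finding, detail) tuples for credential and service weaknesses."""
    findings = []
    # Every unit ships the same /etc/shadow, so any usable hash in it is a
    # hard-coded password shared by all devices; an empty field is a blank one.
    for line in _read(root, "etc/shadow").splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, hashed = fields[0], fields[1]
        if hashed == "":
            findings.append(("blank-password", user))
        elif not hashed.startswith(("*", "!")):
            findings.append(("hardcoded-password-hash", user))
    # A second UID-0 account (e.g. the web admin user) is root by another name.
    for line in _read(root, "etc/passwd").splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            findings.append(("extra-uid0-account", fields[0]))
    # Cleartext remote-login services enabled at boot.
    for line in _read(root, "etc/inetd.conf").splitlines():
        words = line.split()
        if words and not words[0].startswith("#") and words[0] in CLEARTEXT_SERVICES:
            findings.append(("cleartext-service-enabled", words[0]))
    # CGI scripts whose names hint at hidden credential/network functions.
    cgi_dir = os.path.join(root, "www", "cgi-bin")
    if os.path.isdir(cgi_dir):
        for name in sorted(os.listdir(cgi_dir)):
            if SENSITIVE_CGI.search(name):
                findings.append(("sensitive-cgi", name))
    return findings


if __name__ == "__main__":
    for finding in audit_rootfs(build_sample_rootfs()):
        print(*finding)
```

Point audit_rootfs at the directory produced by a firmware extraction tool instead of the constructed one to run it on a real image; the name-based CGI check is only a triage hint, so each flagged script still needs to be read.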

There are two attack scenarios:

  1. Get a user to connect the device to their home WiFi so as to siphon off their video data and WiFi passwords and send it off to wherever the attacker likes.
  2. Get anywhere near a Siime Eye and crack the WiFi access point with what’s likely to be a weak or default password and hence “almost immediately” get a root shell and the video stream.

Pen Test Partners reached out to Svakom three times, starting in December, without receiving a reply, after which the researchers decided to publicize the device’s security shortcomings.

PTP is telling users to change that default passcode to something complex and long. Better yet, try to get in touch with Svakom, they advise: maybe you’ll have better luck than PTP did!


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/XOJljdAkmMk/

Why isn’t US military email protected by standard encryption tech?

One of the United States Senate’s most tech-savvy members is asking why much of the US military’s email still isn’t protected by standard STARTTLS encryption technology.

Last month, Sen. Ron Wyden (D-Oregon) shared his concerns with DISA, the federal organization that runs mail.mil for the US army, navy, marines and the Coast Guard:

The technology industry created STARTTLS fifteen years ago to allow email servers to communicate securely and protect email messages from surveillance as they are transmitted over the internet. STARTTLS is widely supported by email server software but, critically, it is often not enabled by default, meaning email server administrators must turn it on.

Wyden noted that major tech companies including Google, Yahoo, Microsoft, Facebook, Twitter, and Apple use STARTTLS, as do the White House, Congress, NSA, CIA, FBI, Director of National Intelligence, and Department of Homeland Security – but not DISA.

A 2015 Motherboard investigation originally uncovered the limited use of STARTTLS by U.S. government security agencies. Since then, Motherboard reports, many of the aforementioned agencies have started using STARTTLS – but not DISA.

Wyden observed that “until DISA enables STARTTLS, unclassified email messages sent between the military and other organizations will be needlessly exposed to surveillance and potentially compromised by third parties”.

Even if all the military messages sent through DISA’s servers are unclassified, if Wyden is correct, this might conceivably give adversaries additional insights into the US military’s structure, decision-makers, and decision-making processes.

Early reports on Wyden’s letter quoted DISA as saying that it would respond formally to him. DISA told Naked Security:

We are not at liberty to discuss specific tactics, techniques, and procedures by which DISA guards DOD email traffic. Email is one of the largest threat vectors in cyberspace. We can tell you that DISA protects all DOD entities with its Enterprise Email Security Gateway Solution (EEMSG) as a first line of defense for email security.

DISA’s DOD Enterprise Email (DEE) utilizes the EEMSG for internet email traffic and currently rejects more than 85% of daily email traffic due to malicious behavior. DISA inspects the remaining 15% of email traffic to detect advanced, persistent cybersecurity threats. The Agency always makes deliberate risk-based decisions in the tools it uses for cybersecurity, to include email protocols for the DoD.

In the “news you can use” spirit, this might be a good time for a brief primer on STARTTLS. This SMTP extension aims to partially remedy a fundamental shortcoming of the original SMTP email protocol: it didn’t provide a way to signal that email communication should be secured as messages hop across servers towards their destinations.

With STARTTLS, the SMTP client connects over the ordinary, unencrypted SMTP port; the server advertises STARTTLS in its reply to the client’s EHLO greeting, the client issues the STARTTLS command, and the two sides then perform a TLS handshake and continue the session over the encrypted connection. (Connecting directly to a dedicated TLS port, so-called implicit TLS, is a different mechanism.)

STARTTLS isn’t perfect. It is vulnerable to downgrade attacks, where an illicit “man-in-the-middle” deletes the STARTTLS line from the server’s EHLO response. Seeing no STARTTLS on offer, the client sends its message over an unencrypted connection, just as it would have if STARTTLS never existed. But, as the Internet Engineering Task Force (IETF) puts it, this “opportunistic security” approach offers “some protection most of the time”.

IETF says protocols like STARTTLS are:

…not intended as a substitute for authenticated, encrypted communication when such communication is already mandated by policy (that is, by configuration or direct request of the application) or is otherwise required to access a particular resource. In essence, [they are] employed when one might otherwise settle for cleartext.
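To make the exchange and the downgrade concrete, here is an added example, not from the article, DISA or the IETF: a model of the client side of a STARTTLS session run against a constructed server, once honestly, and once behind an on-path attacker that strips the STARTTLS advertisement, with the client in opportunistic mode and in a mode where policy mandates TLS. Host names and replies are constructed; no real mail server is contacted and no TLS handshake is actually performed.

```python
CLIENT_NAME = "client.example.test"   # constructed names, not real hosts
SERVER_NAME = "mail.example.test"


class ConstructedServer:
    """Stand-in for a receiving MTA; replies are constructed for the example."""

    def __init__(self, offers_starttls=True):
        self.offers_starttls = offers_starttls
        self.tls_active = False

    def greeting(self):
        return "220 %s ESMTP" % SERVER_NAME

    def respond(self, command):
        verb = command.split()[0].upper()
        if verb == "EHLO":
            lines = ["250-" + SERVER_NAME, "250-SIZE 35882577", "250-8BITMIME"]
            # RFC 3207: STARTTLS is advertised only while the session is still cleartext.
            if self.offers_starttls and not self.tls_active:
                lines.append("250-STARTTLS")
            lines.append("250 ENHANCEDSTATUSCODES")
            return "\r\n".join(lines)
        if verb == "STARTTLS":
            if self.offers_starttls and not self.tls_active:
                self.tls_active = True      # the TLS handshake would run here
                return "220 2.0.0 Ready to start TLS"
            return "454 4.7.0 TLS not available due to temporary reason"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "250 2.1.0 OK"


class StrippingAttacker:
    """On-path attacker performing the downgrade: deletes the STARTTLS advertisement."""

    def __init__(self, server):
        self.server = server

    def greeting(self):
        return self.server.greeting()

    def respond(self, command):
        reply = self.server.respond(command)
        kept = [line for line in reply.split("\r\n") if line.upper() != "250-STARTTLS"]
        return "\r\n".join(kept)


def parse_ehlo(reply):
    """Extension keywords from a multi-line 250 EHLO reply (first line is the host)."""
    keywords = set()
    for line in reply.split("\r\n")[1:]:
        if line.startswith("250") and len(line) > 4:
            keywords.add(line[4:].split()[0].upper())
    return keywords


def send_message(server, require_tls):
    """Client side of the exchange.  Returns (outcome, transcript) where
    outcome is 'tls', 'plaintext' (opportunistic fallback) or 'refused'."""
    transcript = [("S", server.greeting())]

    def send(command):
        reply = server.respond(command)
        transcript.append(("C", command))
        transcript.append(("S", reply))
        return reply

    extensions = parse_ehlo(send("EHLO " + CLIENT_NAME))
    if "STARTTLS" in extensions and send("STARTTLS").startswith("220"):
        # Handshake completes here.  RFC 3207 requires the client to forget
        # what the server said in cleartext and issue EHLO again over TLS.
        extensions = parse_ehlo(send("EHLO " + CLIENT_NAME))
        outcome = "tls"
    elif require_tls:
        send("QUIT")            # policy says cleartext is unacceptable: queue or bounce
        return "refused", transcript
    else:
        outcome = "plaintext"   # opportunistic: carry on as if STARTTLS never existed
    send("MAIL FROM:<alice@%s>" % CLIENT_NAME)
    send("QUIT")
    return outcome, transcript


if __name__ == "__main__":
    cases = [("honest server", ConstructedServer(), False),
             ("stripped, opportunistic", StrippingAttacker(ConstructedServer()), False),
             ("stripped, TLS required", StrippingAttacker(ConstructedServer()), True)]
    for label, srv, strict in cases:
        outcome, transcript = send_message(srv, strict)
        print("%s -> %s" % (label, outcome))
        for side, text in transcript:
            print("  %s: %s" % (side, text.replace("\r\n", " | ")))
```

The second case is the downgrade from the paragraph above: the server is willing, the client is willing, and the message still goes in the clear because the advertisement never arrived. The third case is what the IETF means by encryption “mandated by policy”: the client refuses to proceed rather than fall back. Against a real server the advertisement can be checked with openssl s_client -starttls smtp -connect <host>:25, which fails when the server does not offer STARTTLS.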

For context, Google reports that 88% of the Gmail messages it sends to other providers are now encrypted via TLS (in other words, both Google and the other provider supports TLS/STARTTLS encryption); 85% of messages inbound to Gmail are encrypted.

Would STARTTLS offer value in securing the military communications DISA manages through mail.mil? From the outside, it’s easy to say “Yes”. But it sure would be fascinating to hear the technical conversation between DISA’s security experts and Senator Wyden’s.

Email service providers are caught on the horns of a dilemma, it seems. Naked Security’s Paul Ducklin says:

STARTTLS only deals with server-to-server encryption of the SMTP part, so it isn’t a replacement for end-to-end encrypted email in environments where that’s appropriate. In other words, there are situations in which you may be able to make a strong case for not needing STARTTLS. But my opinion is that it’s easier just to turn on STARTTLS anyway – just think of all the time you’ll save not having to keep explaining that ‘strong case’ of yours.

As for you: if you aren’t using STARTTLS wherever it’s available to you, why not?


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/TKDFWMrlDqI/

Mastodon: new beast to challenge Big Social, or another white elephant?

Another month, another fledgling social network. Every so often, another service emerges as an alternative to “big social”, the large social networks like Facebook and Twitter that slurp up hundreds of millions of users. This month, it’s Mastodon, an alternative to Twitter but with strong privacy and non-profit principles. All the cool kids are using the service, we’re told.

They’re drawn by several things. The web’s typical short attention span is one reason – there’s always a new, cool tool to try. Another is dissatisfaction with Twitter, which has been stagnating of late, and which recently revamped elements of its user interface, inciting its users’ wrath.

Another reason focuses on control of your content. When you post on Twitter or Facebook, you are giving others more data about yourself, and becoming the product that the service offers up to advertisers. Facebook makes nearly $20 per user per year in the US.

As corporate-owned networks, big social services call the shots: they can decide what is posted and what isn’t. They can also decide what you see, and use their algorithms to control you. You have very little comeback if you don’t like any of that.

The developers of these more privacy-conscious social networks want to give that power back to the people.

Rather than storing all user information and data centrally, Mastodon works by letting people host their own instances of the service on their own servers. The idea is that federated instances of the service will appeal to special interest groups and cliques of users, while also spreading the hosting burden. However, those instances can also make their data searchable by others, meaning that your friend on one instance can theoretically find you on another.

Privacy is a top concern at Mastodon, as is the ability to shield content from other users voluntarily. Posters can make selected updates private, and can also tag parts of their posts with content warnings, automatically hiding them until a reader explicitly chooses to view them.

Other attempts at alternative social networks

Mastodon isn’t the first project to try and disrupt big social. An alternative, launched in March 2014, is Ello. It was founded on principles of never selling user data or showing ads, but it is a centralized service, and has taken venture funding, drawing criticism from advocates for privacy in social networking. Ello’s manifesto attempts to preserve its position as a Public Benefit Company (PBC) and make any commercial exits evil-proof.

Mastodon is more like Diaspora, launched in 2010, which also uses decentralized federation and open source to retain independence for participants. It’s difficult to measure the number of users in a federated network, when individual servers (Diaspora calls them “pods”) can choose whether to reveal their statistics. At writing time, a list of all reporting pods showed 667,433 users.

Further along the decentralization spectrum, others have based their technologies on the blockchain. One of these is Synereo, a content distribution platform that wants to use blockchain technology to remove any centralized control at all. However, the project is still based on centralized systems for now.

Meanwhile, Ethereum-based censorship-free social network Akasha is currently in alpha. It uses the Interplanetary File System (IPFS), a content-addressed peer-to-peer file storage network (not itself a blockchain), as the basis for its data storage platform.

There are many other alternative networks. Here are a few more.

Challenges: inertia, interoperability, ideology

These systems’ efforts are laudable, but how likely are they to succeed? They each face similar challenges in driving user adoption. One of the first is ease of use.

Most users simply aren’t that tech-savvy, and any extra steps in signing up to a service form a cognitive speed bump. People sign up for Facebook because it’s easy. Having to peruse a range of different federated servers without a clear understanding of what choice to make and why will turn off large numbers of people.

The other reason people sign up for Facebook is because all their friends are on it. Critical mass is a powerful force in social networks. Metcalfe’s law states that the value of a network is proportional to the square of the number of its users: in short, its value grows quadratically, far faster than its user count.

Analyses since then have questioned that law, arguing that there are nuances, such as the quality of those users, that will affect the overall value. Consider also the pace of technical innovation on a network’s underlying service. Twitter’s user count has largely plateaued.

Nevertheless, the fact remains that large social networks are sticky. If most of your friends use Facebook or Twitter, moving away from that service means moving away from them, too. Many people find their online social networks too valuable to do that.

Big social is a digital version of the roach motel – once you’ve checked in, you never check out. So the pull of another network – or the force repelling you from big social – has to be strong. Privacy is generally the go-to ideological reason for leaving incumbent networks to try something new. But is it enough?

If you’re reading this website, the chances are that you are security- and privacy-conscious. You understand the issues. But you are a minority group. Large numbers of your Facebook friends either aren’t aware of what information big social is sharing about them, or simply don’t care enough to invest the necessary time in exploring a new social networking platform.

It might not be so bad if this new gaggle of social networks spoke to each other, but interoperability is a weak spot. Diaspora includes connections to big social sites, and apps are being built that link Mastodon to Twitter, but it’s all still a work in progress, and users must put in the effort to set these things up.

There are de facto standards already that could help these sites connect and become more than the sum of their parts. Mastodon supports OStatus, an open standard for distributed status updates, which is in effect the communication protocol that enables different federated servers to talk to each other.

Mastodon also kind of supports GNU Social, a federation standard for social networks that enable different instances (servers) to communicate with each other. Mastodon describes itself as compatible with GNU Social for server-server communications, but “client apps that were made for specifically GNU social will not work with Mastodon”.

To really threaten mainstream big social sites, alternative social networks need both sides of this interoperability equation: server-server, and server-client interoperability. The latter would enable a single social networking app to support multiple back-end decentralized networks. That would drive user adoption, especially if such clients were a) shiny and b) available on Android and iOS, from which social networks are most accessed.

You could give Mastodon a try, or any of the many others on offer. Or, if you want to be as unplugged as possible while remaining connected, you could always try Scuttlebutt. Created by a developer who lives on a sailboat in New Zealand, it’s a protocol that mimics word of mouth, gossip-based structures, sharing messages between users that are friends with each other whenever they are connected on the same network. There are federated servers, known as “Pubs” that act as hubs to exchange information more widely, but the network would survive in an ad hoc fashion without them. As an exercise in information dissemination theory, it’s a fascinating idea.

Or you could just fire up your go-to big social network again and re-view the same Trump video or self-indulgent inspirational meme that everyone’s posting this week. Then, you can calculate how much the network is making from manipulating you. If it makes you feel better, you can always be a rebel and tweet about it.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/AslivB_PfFE/

‘Amnesia’ IoT botnet feasts on year-old unpatched vulnerability

Hackers have brewed up a new variant of the IoT/Linux botnet “Tsunami” that exploits a year-old but as yet unresolved vulnerability.

The Amnesia botnet targets an unpatched remote code execution vulnerability publicly disclosed more than a year ago in DVR (digital video recorder) devices made by TVT Digital and branded by over 70 vendors worldwide.

The vulnerability affects approximately 227,000 devices around the world with Taiwan, the United States, Israel, Turkey, and India being the most exposed, specialists at Unit 42, Palo Alto Networks’ threat research unit, warn.

The Amnesia botnet is yet to be abused to mount a large-scale attack but the potential for harm is all too real.

“Amnesia exploits this remote code execution vulnerability by scanning for, locating, and attacking vulnerable systems,” the researchers warn. “A successful attack results in Amnesia gaining full control of the device. Attackers could potentially harness the Amnesia botnet to launch broad DDoS attacks similar to the Mirai botnet attacks we saw in Fall [autumn] 2016.”

El Reg asked TVT Digital, based in Shenzhen, China, for a response to Palo Alto’s warning but has yet to receive a reply. We’ll update the story as and when we hear more. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/07/amnesia_iot_botnet/

New Malware Deliberately Destroys Unsecured IoT Devices

Motive behind BrickerBot puzzles experts, who think it may be the work of a vigilante.

Cybersecurity experts are warning of a new type of malware strain that uses known default user credentials to attack unsecured Internet of Things (IoT) devices and destroy them, reports Bleeping Computer.

Discovered by cybersecurity firm Radware, BrickerBot has two versions – BrickerBot.1 and BrickerBot.2 – and was found to be active since March 20, targeting only Linux BusyBox-based devices with Telnet ports left open.

This malware renders devices inoperable within seconds of infecting them through PDoS (Permanent Denial of Service) or “phlashing” attacks. The two versions work in the same manner but through different sets of commands; while BrickerBot.1 comes through worldwide IPs likely assigned to Ubiquiti network devices, BrickerBot.2 attacks are hidden behind Tor exit nodes and difficult to trace.

The attacker’s motive has confounded cybersecurity experts because it destroys without benefiting the destroyer. They suspect it could be the work of a vigilante who wants to alert users to unsecured devices.

Victor Gevers of GDI.foundation is however critical of the approach and believes that, “Instead of bricking you could also allow the devices to still work and just patch the vulnerability.”


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: http://www.darkreading.com/endpoint/new-malware-deliberately-destroys-unsecured-iot-devices/d/d-id/1328587?_mc=RSS_DR_EDT

FAFSA Tool Taken Offline After Breach Report

Personal data of up to 100,000 taxpayers may have been compromised after the IRS’ student financial aid tool was hacked.

The Internal Revenue Service (IRS) has said that personal data of nearly 100,000 taxpayers may have been compromised by a breach of its tool for applying for student financial aid, The Chronicle of Higher Education reports. The Free Application for Federal Student Aid (FAFSA) data retrieval tool was taken offline in March after discovery of suspicious activity, and is not expected to be back in service until October.

In a statement to the Senate Finance Committee, IRS chief John Koskinen said 35,000 affected people had been notified of the breach and $30 million been paid for around 8,000 fraudulent tax refunds.

The IRS has come under fire for cutting off the tool and Senator Lamar Alexander of Tennessee, urged authorities to “continue to prioritize getting the helpful data-retrieval tool back online quickly with adequate protection for users’ data.”

The agency admits being made aware in September last year that FAFSA could be misused by hackers.

“To shut it down without a clear indication of criminals actually using it seemed to us that it was going to unnecessarily disadvantage millions of people who used it,” Koskinen clarified, says The Wall Street Journal.



Article source: http://www.darkreading.com/endpoint/fafsa-tool-taken-offline-after-breach-report/d/d-id/1328586?_mc=RSS_DR_EDT

China-Based Threat Actor APT10 Ramps Up Cyber Espionage Activity

Customers of managed security service providers, website of U.S. trade lobby group targeted in separate campaigns

An unknown number of managed service providers and their customers are victims of a massive, global cyber espionage campaign by a China-based threat actor that this week was also fingered in another attack against a U.S. group involved in lobbying around foreign trade policy.

News of the campaigns coincides with Chinese President Xi Jinping’s first official visit to the U.S. to meet with President Trump. It suggests that cyber-enabled espionage out of China continues to be an issue, despite a September 2015 agreement between the U.S and Chinese governments not to support or engage in such activities.

“Even as IP-focused cyber-espionage has reduced since the Xi Jinping-Obama agreement, big business will continue to be targeted, if nothing else than for the influence they hold over governments,” warns Hardik Modi, vice president of threat research at Fidelis Cybersecurity.

Fidelis was one of the organizations that this week disclosed new cyber espionage activity by APT10, a well-known China-based advanced threat group that is also known as Stone Panda. The other warning about the APT10 group’s resurgent activity, after a period of relative quiet, came from PwC UK and BAE Systems.

‘TradeSecret’ campaign against National Foreign Trade Council

The Fidelis report involves “TradeSecret,” the company’s name for a targeted and strategic campaign directed at the website of the National Foreign Trade Council (NFTC), a trade lobby group representing some of America’s largest companies.

According to Fidelis, its security researchers in February discovered a reconnaissance tool called “Scanbox,” previously associated with China government-sponsored threat actors, embedded on specific pages of the NFTC site. Among the infected pages were those that NFTC board members used to register for meetings.

The malware was configured to infect the systems of anyone that visited the pages and to collect credential and session information and also system-level data that could later be used in phishing attacks or for exploiting specific vulnerabilities. It’s unclear how the APT10 group initially breached the site in order to embed Scanbox on it.

“Scanbox is a robust framework that can include a variety of reconnaissance modules,” Modi says. It can, for instance, be used to determine the software running on a target system, the type and version of antivirus on it, and other details. “In some instances, it has been known to serve up a JavaScript keylogger that can be used to grab credentials that the target enters on the page,” he says.

NFTC members have been major contributors to the dialogue around the new U.S. trade policy framework being developed by the Trump Administration. It is highly likely the APT10 group will use data that Scanbox collected to craft targeted attacks against them.

‘Cloud Hopper’ campaign against MSPs

Meanwhile, in a separate advisory, PwC and BAE Systems warned about a systematic and widespread APT10 campaign they have dubbed “Cloud Hopper” to steal data from an unknown, but most likely large, number of organizations.

What makes the campaign scary and highly scalable, according to the two organizations, is the APT10 group’s tactic to target companies via their managed service providers, rather than directly.

Multiple MSPs have been hit since late 2016, and their infrastructure has been used to gain access to the networks of their customers. Typical attacks have involved APT10 gaining access to an MSP network, looking for customers that match its interests, and then breaking into their networks using the MSP’s legitimate access.

The China-based group has then been extracting data from the victim’s network, putting the data into compressed files, sending it back to the MSP network and from there to servers controlled by APT10.

The investigations by BAE and PwC show that the campaign is focused on extracting intellectual property and other sensitive data from organizations. “APT10 is known to have exfiltrated a high volume of data from multiple victims, exploiting compromised MSP networks, and those of their customers, to stealthily move this data around the world,” the two companies said in their report.

The Cloud Hopper campaign is a classic example of the evolution of third-party cyber risk, says Fred Kneip, CEO of CyberGRX. It takes advantage of the implicit trust that many organizations place in their cloud service providers and the other third parties they do business with.

“Although attacks via third parties are the second biggest source of security incidents, most organizations do not have a consistent process to help them understand which partners pose the most risk to their organization,” Kneip says. Organizations need to truly understand their residual risk from each third party, and perform their own validation of key controls as opposed to relying on self-assessments, he says.

“Customers need to ask relevant questions of their provider as to how they achieve customer segmentation and segregation,” advises Jim Reavis, executive director of the Cloud Security Alliance. “Customers also need to understand their own responsibilities and in many cases it is their job to add data protection controls like encryption or to use the provider’s logging capabilities to monitor access to their own cloud instances.”

Meanwhile, campaigns such as Cloud Hopper also highlight the need for cloud service providers to perform segmentation at multiple levels, including networks, users, applications and data, to mitigate the fallout from a data breach, Reavis says. “No company can prevent all breaches, but systems should be designed so that a single breach impacts a maximum of one customer.”

John Pescatore, director of emerging threats at the SANS Institute, said that attacks targeting cloud service providers are nothing new. Edward Snowden’s leaks showed the US government was targeting IT service providers as far back as 2013. And attacks on Google and others in subsequent years have shown that Chinese threat actors have been doing the same for some time now, he says.

“The bigger suppliers are pretty good at protecting themselves, but they are rarely the low cost providers,” Pescatore says. “All too often obtaining [specific security] certifications are all the lower cost providers have to show in order to win competitions,” he says. “There has been talk in the IT service provider industry association of raising the bar, like has been done in the UK, but not much movement forward.”


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: http://www.darkreading.com/attacks-breaches/china-based-threat-actor-apt10-ramps-up-cyber-espionage-activity/d/d-id/1328584?_mc=RSS_DR_EDT

News in brief: NASA to crash probe into Saturn; laptop ban might widen; Facebook tool to spot fake news

Your daily round-up of some of the other stories in the news

Spacecraft to crash into Saturn

Two decades after its launch, NASA’s Cassini probe is being prepared for the final part of its journey before it’s deliberately crashed into Saturn. Launched in 1997, the probe arrived at Saturn in July 2004, and has spent the past 13 years exploring the planet, its rings and its 62 moons.

NASA scientists said this week that as part of its Grand Finale, the spacecraft will on April 22 dive between Saturn’s upper atmosphere and its innermost ring 22 times before crashing into the planet’s surface and being destroyed.

The aim is to prevent it crashing into and contaminating one of the planet’s moons where there could be conditions for alien life. Enceladus in particular fascinated NASA: Cassini found that the moon has an underground saltwater ocean that could have hydrothermal vents of the kind that are thought to have been the spark for life on Earth.

“Cassini’s own discoveries were its demise,” project manager Earl Maize said. “We cannot risk an inadvertent contact with that pristine body.”

Laptop ban might be extended

The ban on using laptops and tablets in the cabin of aircraft heading to the US might be extended, Homeland Security secretary John Kelly said on Wednesday.

Speaking at a congressional hearing on homeland security, Kelly suggested that the current ban, which covers 10 airports in eight countries, doesn’t go far enough in response to the threat of terrorism.

He told the hearing: “It’s real. I think it’s getting realer. We may take measures in the not-too-distant future to expand the number of airports,” though he gave no indication of where those airports might be.

The UK rolled out a similar ban at the same time, and other countries including Canada are said to be considering a similar bar on portable devices in the cabin from some airports.

Facebook launches tips to spot fake news

Facebook users will start to see the social media giant’s tool to help them spot fake news as part of its measures to crack down on “false news and hoaxes” that are “harmful to our community and make the world less informed”.

Clicking on the ad that appears at the top of your feed if you’re in one of the initial 14 countries will take you to the help centre’s list of 10 tips to help you spot a dodgy story. Those tips include warnings to look closely at the story’s URL and being sceptical of catchy headlines.

Meanwhile, German lawmakers agreed a plan on Wednesday to fine social networks including Facebook up to €50m if they don’t take down hateful posts quickly enough, Reuters reported. The proposed legislation also provides for fines of up to €5m for individual executives if hate speech and fake news aren’t taken down quickly enough.

Justice minister Heiko Maas said: “There should be just as little tolerance for criminal rabble-rousing on social networks as on the street.”


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/LF63xtLI5SU/

F-Secure gobbles up Zdziarski’s Little Flocker, spits it into antivirus kit

F-Secure has completely absorbed Little Flocker, the macOS security tool built by computer forensics boffin Jonathan Zdziarski.

Financial terms of the deal, announced Thursday, were undisclosed. Zdziarski just recently joined Apple on its security engineering team, so the handover of the paid-for software to F-Secure makes a lot of sense.

Little Flocker acts as a file system firewall: it intercepts file accesses by applications and processes, and asks the user whether to allow them. This means folks can stop errant processes, ransomware, and other malware from meddling with documents, executables, and system data. A whitelist can be built by the user for trusted apps so that their file accesses get through without prompting.

The software – which runs at the kernel level and can also detect microphone and webcam snooping – will be built into F-Secure’s products, such as XFENCE, its Protection Service for Business, and F-Secure SAFE.

Right now, the Little Flocker website is down, and has been since just before the weekend, leaving punters wondering what was going on.

The software also cannot be updated if you’ve already bought and installed it. We’re told the tool will be available soon as a free beta as part of the XFENCE suite – so this looks like the end of the road for a standalone Little Flocker. You’ll have to install F-Secure’s gear to get hold of future versions, it appears.

F-Secure was not available for immediate comment. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/06/fsecure_buys_mac_security_specialist/