
The Power of the Crowd: 3 Approaches to Sharing Threat Intel

Crowdsourced intelligence can help you build a stronger, more informed cyberdefense. Here’s how.

In today’s cyber landscape, threats move and change faster than ever, making a quick and effective response to a potential intrusion critical. But, according to EY’s latest Cyber Threat Intelligence Report, 36 percent of companies surveyed report that it’s unlikely they would be able to detect a sophisticated attack.

To help solve this problem, cybersecurity experts often look outside their own organization for intelligence to help them diminish a cyber attacker’s advantage. The fact is, the only way to really change the game in cybersecurity response, and even threat prevention, is to understand how the adversary works, what their end goal may be, and to predict where they might go next. Unfortunately, this battle is nearly impossible to win alone. It requires intelligence from a variety of sources, with the power of the crowd being an integral piece of the puzzle.

Connected Communities
Crowdsourcing intelligence in cybersecurity means connecting a community of similarly trained, like-minded, and trusted individuals and organizations to solve the problem of a specific threat, adversary, or industry target. There are some amazing organizations leading the edge in threat intelligence sharing and collaboration such as The Arizona Threat Response Alliance, Inc. (ACTRA). ACTRA is a hub for collaborative cyber information-sharing between partners, industry, academia, law enforcement, and intelligence. It’s a prime example of how cyber information sharing across industries can help all the organizations involved analyze critical, real-time data in a quick, neutral, and cost-effective manner. In this case, ACTRA’s crowdsourced threat sharing enables more effective responses to cyber threats across Arizona’s critical infrastructure and key resources.


While threat sharing is occurring to a certain degree today through open source tools and even across a handful of industry groups, there is still much room for improvement to create truly crowdsourced threat intelligence sharing. Threat intelligence sharing as we know it today is hindered by manual tracking and analysis, as well as ineffective sharing models, analytic standards, and reporting vehicles that don’t disseminate accurate and actionable intelligence in a timely manner.

So, how can more organizations overcome the obstacles to sharing – and most especially the constraints on time? Here are three industrywide approaches that can grease the wheels for sharing:

  1. Learn from others. Make use of existing Information Sharing and Analysis Centers (ISACs) and Information Sharing and Analysis Organizations (ISAOs), such as the recently launched Sports ISAO, which shares intelligence to protect athletes, facilities and event sponsors from cyberattacks. Joining an ISAC or an ISAO is a great introduction to internal teams, such as legal, who may be apprehensive about the intel sharing process. The established standards and processes of these groups make it easier to gain executive level buy-in.
  2. Leverage analytics. Rather than looking at one incident at a time and then drawing conclusions to share, it’s better to use data science and analytics to surface the most relevant threats, especially when all indicators and other threat intelligence are maintained in a single database. Of course, you can do this with your own data, but storing data in a platform where it can be compared against other sources will greatly increase your chances of surfacing threats.
  3. Orchestration and automation. In an under-staffed industry like cybersecurity, it is not surprising that many people are looking to orchestration for efficiency with use cases like pushing indicators to the firewall. Now, imagine applying that power to threat intelligence sharing. You could create set rules to push the information out to your partners automatically.

It wasn’t so long ago that you couldn’t go a day without seeing an article on how the secret to getting ahead of cyberthreats was sharing. While in theory that worked, it didn’t go very far. It was all just too hard. But, crowdsourcing threat intelligence – gathering it all in one place, leveraging analytics to process it and using orchestration to share it further – has real potential to make this a reality.


Adam is an information security expert and is currently the CEO and a founder at ThreatConnect, Inc. He possesses over a decade of experience in programming, network security, penetration testing, cryptography design, cryptanalysis, identity and access control, and a …

Article source: http://www.darkreading.com/threat-intelligence/the-power-of-the-crowd-3-approaches-to-sharing-threat-intel-/a/d-id/1328554?_mc=RSS_DR_EDT

McAfee’s Back as an Independent Security Firm

Security firm is no longer part of Intel Corp.

McAfee has finalized its planned spinoff from Intel Corp. and as of today returned to its roots as a stand-alone security company.

The move to separate the company was first announced by Intel in September, when the chip company revealed that it planned to sell a majority stake in its McAfee subsidiary to TPG for $3.1 billion after what industry analysts considered a failed investment. Intel purchased McAfee for $7.7 billion in August 2010 in hopes of providing it a security foothold in areas such as wireless mobility and the Internet of Things.

But the combination of Intel and McAfee didn’t pan out the way either company had hoped. McAfee said today that the final spinoff deal closed at a value of $4.2 billion, with TPG adding Thoma Bravo as a minority investor in McAfee. Intel, as planned, will retain a 49% stake in McAfee.

The former Intel Security arm’s general manager Christopher Young will serve as CEO of the new privately held McAfee.

Steve Grobman, CTO of McAfee and former CTO at Intel Security, says the spinoff allows McAfee to operate more nimbly. “We came to the conclusion that given the pace of changes [in cybersecurity threats] McAfee needs a level of agility to build technology at a rate and pace that matches the threat landscape,” Grobman said in an interview with Dark Reading. “As compared with a semiconductor manufacturing company, there’s a different technical discipline. The spinout is really about giving both companies the ability to get a lot more focused on our core competency.”

It’s less about changing direction in strategy for McAfee and more about speeding up the direction it began two years ago with the arrival of Young to Intel Security, Grobman says.

McAfee will continue its security platform focus, as well as moving to cloud security capabilities, he says.

“We are building out our portfolio to adapt to the way the industry is shifting,” he says. “As the industry is embracing cloud more aggressively, we’re shifting capabilities to the cloud as well.”

The new McAfee, which also unveiled a new logo today, will have between 7,500 and 8,000 employees.

“We offer Chris Young and the McAfee team our full support as they establish themselves as one of the largest pure-play cybersecurity companies in the industry,” Brian Krzanich, Intel CEO, said in a statement. “Security remains important to Intel, and in addition to our equity position and ongoing collaboration with McAfee, Intel will continue to integrate industry-leading security and privacy capabilities in our products from the cloud to billions of smart, connected computing devices.”            


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: http://www.darkreading.com/endpoint/mcafees-back-as-an-independent-security-firm/d/d-id/1328556?_mc=RSS_DR_EDT

When social media surveillance gets it very wrong

Here’s one thing that administrators of major dams know about their public utilities: they’re targets for terrorists.

When the violence-filled gangsta rap movie Straight Outta Compton was released two years ago, it was met by law enforcement already primed for violence in those beginning days of the Black Lives Matter protests. But as for the Bonneville Dam Administration, it turned to the Department of Homeland Security (DHS) to request that it please sniff out any threats.

So that’s what James Williams did: the (now former) researcher at the Oregon TITAN Fusion Center Unit searched for any possible planned protests. Fusion centers, intelligence-gathering centers created after the 9/11 attacks by the Department of Justice (DOJ) and DHS, are set up to share tips with government agencies.

Researchers at these centers monitor groups known to be hostile to authority – say, the KKK, Skinheads, ELF, ALF, Hells Angels and Gypsy Jokers. At the behest of the Bonneville dam, Williams also searched on illegal activities that at the time were centered on two hashtags: “#BlackLivesMatter” and “#fuckthepolice”, scouring social media, the deep web and the dark web, to “identify and anticipate threats to people, places and brands”.

Williams’ searches did, in fact, ferret out what could be perceived as racist and anti-police postings: some depicting violence against police, some photos of police holding guns to the heads of children.

But one of those images in particular led straight back to the Justice Department. It also led to Williams getting fired. In fact, the post was tied to a Twitter profile of Erious Johnson, Jr., the ethics and civil rights attorney for the DOJ, where Williams found yet more potentially racist and anti-police postings.

What do you do when your job is to find offensive postings, and it leads you straight to the civil rights attorney of the DOJ? In Williams’s case, he decided to ask a supervisor whether the posted images were 1) offensive, and 2) appropriate for a DOJ employee to post.

So Williams did that. In October 2015, he reported the posts to a special agent in charge. A few weeks later, on November 10, he was put on paid administrative leave.

Then, after an investigation that ended in the suggestion that Williams receive further training but no disciplinary action, he was fired on August 16, 2016.

The investigation had found that Williams showed a lack of internet savvy, Oregon Public Broadcasting reported in April 2016.

He was using a trial version of the software Digital Stakeout, which takes search terms and sorts them by the geographic location of the social media user. Williams searched “black lives matter” on Twitter because he believed that its supporters were threatening police. In fact, a few weeks before he ran his search, the DOJ had issued a bulletin to law enforcement agencies about #BlackLivesMatter.

When that search led him to Johnson’s tweets protesting police brutality – and to one featuring the logo of the rap group Public Enemy – Williams reportedly misinterpreted the posts as active threats against law enforcement.

Now, Williams is suing those in the DOJ chain of command who concurred with him over the #BlackLivesMatter tweets and told him to report them. In his lawsuit (PDF), filed last Tuesday, Williams is claiming damages including mental anguish and distress, humiliation, loss of public esteem, respect, good will, and loss of reputation in the community. Also among his claims are unlawful employment practices due to his “whistleblowing”.

But was it whistleblowing? This is no straightforward case of official retaliation against a whistleblower. In fact, in April 2016, Johnson himself filed a racial discrimination and hostile workplace complaint about the hashtag searches with Oregon’s Bureau of Labor and Industries. The complaint was against his employer, the Oregon attorney-general. And in that complaint (PDF), Johnson didn’t deny tweeting with the #BlackLivesMatter hashtag.

But he did deny that doing so broke any tenet of his employer’s social media policy. From Johnson’s complaint:

Coworkers, and agents of my employer, designated me a ‘threat’ to public safety based on a racially motivated ‘threat assessment’ for my use of the Twitter hashtag #BlackLivesMatter.

In October 2016, Johnson also followed up with a lawsuit (PDF) alleging that the Oregon Department of Justice violated his constitutional rights for targeting political speech. He’s demanding damages and payment of his legal bills.

In the suit, Johnson, who is African American, named Williams, the investigator whose hashtag search led to his #BlackLivesMatter tweets.

Johnson also named the other links in the chain of command that resulted in the download of his entire Twitter account and all of his posts and photos: Oregon attorney-general Ellen Rosenblum (also named in Williams’s suit), Oregon deputy attorney-general Frederick Boss (ditto for Williams’s suit), Oregon DOJ chief counsel Darin Tweedt, and Oregon DOJ special agent David Kirby. All of those in the chain of command are Caucasian.

This story shows that there’s nothing simple about the small collection of characters that make up hashtags. They can easily be misconstrued, filtered as they are through our own cultural lenses. The resulting collateral damage can be profound and career-damaging.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/G-V12yGdjYI/

Wi-Fi sex toy with built-in camera fails penetration test

Sex toy designer Svakom decided that a vibrator needed a camera on the end, and it also needed a Wi-Fi access point – with the utterly predictable result that the device is hackable.

Pen Test Partners – these jokes just write themselves, really – took a look at the device, and the researchers probably wish they hadn’t, because the Svakom Siime Eye is an early favourite for a hypothetical 2017’s Worst Internet-of-S**t Product award.

Looking at the Android app, Pen Test Partners’ (PTP’s) researchers first turned up “some hard-coded credentials, and a hard-coded IP address and port.”

The hard-coded credentials, admin:blank, make it “trivial” to connect to the dildo’s Web admin interface, PTP writes, and even better – the Web app serves the video from the camera, and because it’s an access point, an attacker within range can identify users.

It gets worse.

Unless it’s bought by someone who pays attention to their home security, the access point name is static “under normal use.” That means “Siime Eye” is already turning up on war-driving sites (the post cites wigle.net as its example) so that pervs can figure out where the device is in use, and tune in to its output.

And there’s a Skype interface – or, at least, there’s a cgi script called skype_pwd, along with other scripts for sending emails and changing DNS settings.

With a little work, PTP was able to siphon the video stream from the dildo, meaning someone’s most intimate activities are badly protected.

With a little more work – we’re actually into hacking here, people, PTP had to look at the UART outputs! – PTP found the unremarkable Telnet password reecam4debug, and with that, the dildo is rooted: “We’ve got complete control over every inbuilt function in the Siime Eye, easy access to the video stream, a root shell and persistence on a dildo.”

Responsible disclosure says you only go public (a) after a patch is available, or (b) you get no response from the vendor. Guess which one of these made PTP publish the post? ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/04/intimate_adult_toy_fails_penetration_test/

News in brief: Norway deep-freezes data; firms ‘shelving GDPR plans’; Android overtakes Windows

Your daily round-up of some of the other stories in the news

Deep-frozen data

You might have heard of the so-called Doomsday seed vault in Svalbard, the remote Arctic archipelago better known for the Northern lights and polar bears than high tech, where more than a million seeds from all over the world are stored deep under the frozen ground against disaster.

Now that vault is to get a neighbour – the Arctic World Archive, which says it will be “for the world’s digital heritage and valuable data – a safe place where the data will be when all other systems fail”.

Piql, the small Norwegian archiving company that’s setting up the vault, says it will store key documents, books and files on analogue film rather than on magnetic hard drives or in the cloud. The vault is the result of a €20m research project supported by the EU and by the Norwegian government, and will apparently last and be accessible for at least 500 years, and possibly up to 1,000 years, reports Wired.

Three countries – Norway, Mexico and Brazil – have started storing data from their national archives in the vault, which is heavily fortified and will – hopefully – withstand catastrophes.

Firms ‘shelving GDPR plans’

Some UK businesses have shelved their preparations for GDPR, the EU data protection regulation that’s set to take effect in May next year, thinking they’ll no longer have to comply now that the UK has formally notified the European Union that it will leave the union in March 2019.

That’s the somewhat alarming result of a report by Crown Records Management, which found that nearly a quarter of the businesses surveyed by Crown Records Management said they had stopped preparing for GDPR – and 44% said they didn’t think GDPR would apply once the UK leaves the EU in March 2019.

GDPR-watchers might not be surprised by this, as survey after survey reveals that many businesses simply aren’t ready for the new regime. Crown Records Management said their findings were “shocking”, adding: “For so many businesses to be cancelling preparations is a big concern.”

However, the good news is that almost three quarters said they had already hired a Data Protection Officer, and half have started training staff.

Android squeaks ahead of Windows for the first time

Android, the open-source mobile operating system, has for the first time overtaken Microsoft’s Windows as the world’s most used OS in terms of total internet usage across desktop, tablet and mobile, said analytics firm StatCounter.

Android is only a whisker ahead of Windows, with 37.93% market share against 37.91% for Windows, but StatCounter’s graph shows the gap between the two steadily closing over the past five years.

This shift towards Android comes as no surprise to Naked Security – we’ve reported recently on the growth of Android malware over the same period.

It’s worth noting that StatCounter is measuring internet use across 2.5m websites rather than total users, as Windows continues to dominate on the desktop, but it’s an interesting shift and one to keep an eye on.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/H477s27tiiw/

Kremlin hackers suspected in assault on athletics governing body

The IAAF has been hacked and it blames the notorious Russian hacking group APT 28, also known as FANCY BEAR, for the attack which targeted athletes’ Therapeutic Use Exemption (TUE) applications stored on IAAF servers.

The attack was uncovered by Context Information Security, a cyber incident response firm contracted by the athletes’ governing body in January to investigate IAAF systems. On 21 February, Context detected the “presence of unauthorised remote access to the IAAF network … where meta data on athlete TUEs was collected from a file server and stored in a newly created file,” the IAAF said.

“It is not known if this information was subsequently stolen from the network, but it does give a strong indication of the attackers’ interest and intent, and shows they had access and means to obtain content from this file at will.”

The IAAF informed the authorities (UK National Cyber Security Centre and the Agence Monégasque de Sécurité Numérique) and worked with Context to scope the breach, identify how the attacker came in, and remove the attackers’ access to the network. This was carried out and completed over the weekend.

Athletes were notified of the suspected breach on Monday (April 3).

IAAF president Lord Coe apologised in a statement, in which he said: “Our first priority is to the athletes who have provided information they believed would be secure and confidential.”

Matthias Maier, security evangelist at Splunk, commented: “The announcement by the IAAF that it was recently hit by a cyber attack that compromised athlete data is yet another warning that organisations of all types should expect to be targeted. In fact, in this incident the IAAF has proved that organisations now need to go a step further and assume that they have already been breached by malicious threats and so should begin threat-hunting exercises as a matter of routine.”

From Russia with Love: Cyber Espionage

APT 28 – the APT stands for Advanced Persistent Threat – has been blamed for compromising the Democratic National Committee (DNC) during last year’s US presidential election and researchers at Secureworks point to close links between the hacking crew and the GRU, Russia’s foreign intelligence agency.

In September 2016, the group attacked the World Anti-Doping Agency (WADA) database and leaked confidential details of athletes, including TUE-based permissions to take prohibited substances because of a medical need. Tour de France winner Sir Bradley Wiggins and long distance runner Mo Farah were among many who faced scrutiny after their medical files were made public.

The WADA raid was said to be motivated by the imposition of a ban by many sports prohibiting Russian athletes from participating in the 2016 Olympic Games, following revelations of a state-sponsored doping program. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/03/iaaf_security_breach/

Drive-by Wi-Fi i-Thing attack, oh my!

Apple hasn’t provided much detail, but you don’t want to ignore the latest iOS release – 10.3.1 – because it plugs a very nasty Wi-Fi vulnerability.

Cupertino has rushed out the emergency patch because: “An attacker within range may be able to execute arbitrary code on the Wi-Fi chip” – meaning, presumably, that malicious packets gave attackers a vector.

The fix for the bug, which Apple attributes to Gal Beniamini of Google’s Project Zero, was a buffer overflow fixed by better input validation.

The bug affected iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation and later.

The release of 10.3.1 comes just a week after Apple released 10.3.

9to5Mac notes that while 10.3 left older 32-bit devices off the list, 10.3.1 includes them – indicating how serious Apple views the bug. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/03/driveby_wifi_ithing_fix/

Still using IIS 6.0? Stop right now – the latest zero-day won’t be patched

What’s worse than an actively exploited zero-day vulnerability for which there is no patch? Answer: an actively exploited zero-day security vulnerability for which there will never be a patch.

If this sounds like an April Fool riddle, this is the situation facing anyone unwise enough to still be using Microsoft’s ancient Internet Information Services 6.0 (IIS) web server after Chinese researchers last week said they’d got wind of a flaw that has been exploited since July or August 2016.

In a disclosure on March 27 that included their own simple Python proof-of-concept, the researchers outlined the “buffer overflow in the ScStoragePathFromUrl function in the WebDAV service” when an attacker sends an overlong IF header request as part of a PROPFIND request (if that sounds obscure you can read about WebDAV here).

Designated CVE-2017-7269, that’s bad news, but the fact that it has been known about for months – with new exploits now likely – is the main takeaway.
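A defender sitting in front of a legacy IIS 6.0 host can at least watch for the request shape the disclosure describes: a PROPFIND whose If header is far longer than any legitimate WebDAV lock token. The following detection helper is an added example written for this article, not code from the researchers, Microsoft or Acros; the request samples are constructed, and the 512-byte threshold is an assumption chosen for illustration, not a value taken from the advisory.

```python
"""Flag PROPFIND requests with overlong If headers (CVE-2017-7269 pattern).

Added example for this article; not vendor or researcher code. It parses a
raw HTTP/1.x request head as a reverse proxy or IDS in front of a legacy
IIS 6.0 box might capture it, and reports PROPFIND requests whose If
header exceeds a size no legitimate WebDAV client needs.
"""
from __future__ import annotations

from dataclasses import dataclass

# Legitimate If headers carry one or a few lock tokens/ETags and stay well
# under a few hundred bytes. This limit is an assumption for the example,
# not a documented constant from the advisory.
IF_HEADER_LIMIT = 512


@dataclass
class Verdict:
    method: str
    path: str
    if_header_len: int
    suspicious: bool
    reason: str


def parse_request(raw: bytes) -> tuple[str, str, dict[str, str]]:
    """Split a raw HTTP/1.x request into method, target and lower-cased headers.

    Only the head (up to the blank line) is parsed; any body is ignored.
    Header names are case-insensitive, so they are normalised to lower case.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("latin-1")
    parts = request_line.split(" ")
    if len(parts) < 2:
        raise ValueError(f"malformed request line: {request_line!r}")
    method, target = parts[0], parts[1]
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.decode("latin-1").partition(":")
        if not sep:
            continue  # not a header line; skip rather than crash on junk
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def assess(raw: bytes, limit: int = IF_HEADER_LIMIT) -> Verdict:
    """Return a verdict; suspicious only for PROPFIND with an overlong If header."""
    method, target, headers = parse_request(raw)
    if_value = headers.get("if", "")
    if method.upper() == "PROPFIND" and len(if_value) > limit:
        return Verdict(method, target, len(if_value), True,
                       f"PROPFIND with If header of {len(if_value)} bytes (> {limit})")
    return Verdict(method, target, len(if_value), False, "no overlong If header")


# Constructed sample requests for illustration (not captured traffic).
BENIGN_PROPFIND = (
    b"PROPFIND /docs/ HTTP/1.1\r\n"
    b"Host: legacy-iis.example.internal\r\n"
    b"Depth: 1\r\n"
    b"If: <http://legacy-iis.example.internal/docs/> (<opaquelocktoken:example-token>)\r\n"
    b"Content-Length: 0\r\n\r\n"
)

# An If header padded far past anything a lock token needs. The filler is
# just repeated letters for the example; it is not an exploit payload.
OVERLONG_PROPFIND = (
    b"PROPFIND / HTTP/1.1\r\n"
    b"Host: legacy-iis.example.internal\r\n"
    b"If: <http://legacy-iis.example.internal/" + b"A" * 1024 + b">\r\n"
    b"Content-Length: 0\r\n\r\n"
)

GET_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: legacy-iis.example.internal\r\n\r\n"


def scan_all(requests: list[bytes]) -> list[Verdict]:
    """Assess a batch of raw requests, e.g. pulled from a proxy capture."""
    return [assess(r) for r in requests]


if __name__ == "__main__":
    for v in scan_all([BENIGN_PROPFIND, OVERLONG_PROPFIND, GET_REQUEST]):
        flag = "ALERT" if v.suspicious else "ok   "
        print(f"{flag} {v.method} {v.path}: {v.reason}")
```

An alert from this check is a reason to confirm the host is not still exposing WebDAV, not proof of compromise on its own.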

Given that IIS 6.0 shipped with Windows Server 2003 R2 in 2005 and Microsoft stopped supporting it after the end of life deadline passed in July 2015 (i.e. no more patches), one might assume that the install base is small.

One would be wrong. More likely, this is another version of the Windows XP situation where organisations find it hard to wean themselves off core software and end up putting themselves at risk.

In 2015, research from analysts RiskIQ found 2,675 installs of IIS 6.0 inside 24 of the top FTSE-100 UK companies alone. Incredibly, the same analysis found 417 installs of IIS 5.0 in the same companies, which at that time was a year beyond extended support death.

Shodan estimates 600,000 machines still visibly running this software globally, perhaps 10% of which have the PROPFIND extension running according to an analysis by one enterprising researcher. That sounds containable until you realise that each of those servers will be hosting numerous websites.

How many? Nobody knows, but with Microsoft unlikely to step in with a fix, it could be more than enough to cause problems. The premium fix is to stop using IIS 6.0 immediately but for anyone who finds that difficult there is one hope: guerrilla patching.

We discussed this phenomenon in our recent coverage of Google’s “Operation Rosehub”, but it can be summed up by the simple idea that if the vendor in whose software a vulnerability has arisen can’t or won’t fix the issue then someone else does it for them.

A company called Acros Security dubbed this the “0patch” and, lo and behold, has come up with a “micro-patch” for CVE-2017-7269. We can’t vouch for this, but Acros explains how it developed the patch in some detail for anyone staring down the barrel of limited options.

What the latest episode challenges is the fixed idea of software lifecycles according to big software vendors, which runs something like “we’ve told them in advance that support will be removed by a given date so if they don’t follow our advice and upgrade then that’s their lookout”.

The near debacle of XP’s zombie afterlife was an example of this MO running aground on the rocks of business reality, beside which the latest IIS 6.0 event might look modest. But an unpatchable zero-day affecting hundreds of thousands of compromised web servers won’t be fun for anyone – Microsoft included.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/MHjHVDduDp0/

AKBuilder, Microsoft Word Intruder exploiting Office RTF vulnerability

Thanks to Gábor Szappanos of SophosLabs for providing the research for this article.

Last October, Microsoft released Security Bulletin MS16-121, patching an Office vulnerability attackers could exploit to run malware on infected computers. Those who have yet to apply it should do so immediately: SophosLabs researchers have discovered fresh cases of AKBuilder and Microsoft Word Intruder (MWI) exploiting the flaw.

Specifically, copies of AKBuilder are being sold on an underground forum, and MWI’s authors are now using it to concoct new exploits against the RTF flaw. SophosLabs principal researcher Gábor Szappanos said:

This vulnerability is already under fire by two major exploit builders. It all happened within a couple of weeks, with the help of an underground forum.

A tale of two exploit builders

AKBuilder generates malicious Word documents, all in Rich Text. Once purchased, malicious actors use it to package malware samples into booby-trapped documents they can then spam out. It uses exploits to deliberately corrupt files that automatically trigger bugs in Office and underlying bugs in Windows itself. SophosLabs has seen several cases of this builder in action recently.

MWI is one of the best known Office exploit builders and certainly one of the most popular in cybercrime groups. Though SophosLabs recently discovered new versions that include non-Office exploits, the one targeting the Office RTF flaw goes on the attack the old-fashioned way.

Targets the CVE-2016-7193 vulnerability

The samples analyzed by the lab exploit the vulnerabilities outlined in Common Vulnerabilities and Exposures bulletin CVE-2016-7193. This is a memory corruption bug that causes Office software to mishandle rich text format (RTF) files.

The bad guys can exploit this by creating a tainted RTF document that, once downloaded, infects the victim’s computer. If the user is logged on with administrative user rights, an attacker could, as Microsoft says in its bulletin, “take control of the affected system and install programs, view, change, or delete data; or create new accounts with full user rights”.

Latest MWI files

SophosLabs intercepted and analyzed two corrupted files designed to exploit the vulnerability. The lab reached out to Microsoft, which confirmed the exploit.

The first file – SIMON WERNER GMBH – RFQ.doc – was first submitted to the VirusTotal malware scanner March 20 from sources in Hong Kong and the UK. The file drops a Dofoil downloader to %PROFILE%\AppData\Local\Temp\msvc.exe, which then downloads AMcr35.exe from a remote site.

The second file – “security instructions” from Visa.doc, выписка.doc, 2017april.doc – was submitted to VirusTotal on March 28 from sources in Kazakhstan, Ukraine and Russia. Malware from that file is downloaded to %PROFILE%\AppData\Local\Temp\msvc.exe. It opens a Metasploit-generated reverse shell at 92.63.111.201:443/ZVHd.

If opened, the viewer will see the following decoy content:

SophosLabs followed the trail further back to March 8 and discovered AKBuilder samples that are the same as the first MWI sample described above. The conclusion is that an actual copy of AKBuilder was sold on the underground forum and used by the MWI author.

Characteristics

Both files contain the CVE-2016-7193 exploit. The shellcode used in both samples is very similar to the dropper code used in Microsoft Word Intruder-generated samples. SophosLabs suspects they were generated by a new version of MWI.

Both documents use the same algorithm to decrypt the payload – a one-byte XOR with the key incremented in each step and the first few hundred bytes swapped, and shellcode that uses Windows Management Instrumentation functions to execute the payload.
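For an analyst pulling the embedded payload out of such a document, the rolling XOR stage described above is simple to reverse, and a known plaintext prefix (an executable's MZ header) is enough to recover the key. The following is an added illustration, not SophosLabs' code: the arithmetic (key plus byte index, mod 256) and the sample bytes are assumptions, and the "first few hundred bytes swapped" step is not reproduced because the article does not specify it.

```python
"""Rolling one-byte XOR decoder of the kind the article attributes to the
MWI/AKBuilder samples (key incremented after every byte).

Added illustration for this article, not SophosLabs' tooling. The exact
arithmetic and the sample bytes are assumptions; the byte-swap step the
article mentions is unspecified there and is left out here.
"""
from __future__ import annotations


def rolling_xor(data: bytes, key: int) -> bytes:
    """XOR each byte with a key that is incremented (mod 256) every step.

    XOR is its own inverse, so the same call both encodes and decodes.
    """
    if not 0 <= key <= 0xFF:
        raise ValueError("key must fit in one byte")
    return bytes(b ^ ((key + i) & 0xFF) for i, b in enumerate(data))


def recover_key(ciphertext: bytes, known_prefix: bytes) -> int | None:
    """Derive the initial key from a known plaintext prefix.

    Embedded executables start with the 'MZ' DOS header, so an analyst who
    suspects this scheme solves for the key from the first byte and then
    checks it against the rest of the prefix. Returns None when no single
    key explains the whole prefix, i.e. the sample uses a different scheme.
    """
    if not known_prefix or len(ciphertext) < len(known_prefix):
        return None
    candidate = ciphertext[0] ^ known_prefix[0]
    decoded = rolling_xor(ciphertext[: len(known_prefix)], candidate)
    return candidate if decoded == known_prefix else None


def unpack(ciphertext: bytes) -> bytes | None:
    """Recover the key from the MZ header and return the decoded payload."""
    key = recover_key(ciphertext, b"MZ")
    if key is None:
        return None
    return rolling_xor(ciphertext, key)


# Constructed stand-in for an embedded payload: a DOS header stub followed
# by filler. Not a real sample, just enough to show the round trip.
SAMPLE_PLAINTEXT = b"MZ\x90\x00\x03\x00\x00\x00" + b"payload-bytes-" * 4
SAMPLE_KEY = 0x5A  # assumed key for the constructed sample
SAMPLE_CIPHERTEXT = rolling_xor(SAMPLE_PLAINTEXT, SAMPLE_KEY)


if __name__ == "__main__":
    key = recover_key(SAMPLE_CIPHERTEXT, b"MZ")
    print(f"recovered key: {key:#04x}")
    print(unpack(SAMPLE_CIPHERTEXT)[:8])
```

On a real sample the decoded bytes would still need the unswapped-prefix step before the PE header lines up, which is why the MZ check is a hint rather than a guarantee.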

The builder from the original author was distributed as a Python script that worked very much like AKBuilder, based on comments made in an online forum.

Despite the similarities to AKBuilder, this one used different encryption keys and a different embedded exploit block.

The following image is the final RTF exploit generated by the builder which, in the case of the first file, is very similar to the RTF files generated by recent AKBuilder versions:

We suspect the author of MWI purchased the script, then released a first version based on it. It was only later fitted to be more in the MWI-style.

One week after the initial public announcement on the underground forum, SophosLabs saw the first sample in the wild, followed by a larger deployment of the exploit.

Defensive measures

As noted, Microsoft released a patch for the vulnerability in MS16-121. In that bulletin, Microsoft also noted that users whose accounts are configured to have fewer user rights on the system are less vulnerable than users who operate with administrative rights.

Meanwhile, users should be careful to only download files from trusted sources.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/VYO4m48pzlQ/

Facial recognition on Samsung’s new phone has already been cracked

Samsung’s last flagship phone went up in smoke, literally and figuratively.

So the company went for something a bit cooler with the Galaxy S8, and supposedly more secure – facial recognition.

The theory seems to be that if your phone can reliably recognise you via the front-facing camera as soon as you pick it up, then you don’t need to press or swipe any buttons for it to wake up and unlock.

In other words, you get frictionless convenience and security, rather than convenience at the expense of security.

Set the marketing aside, however, and many of us have mixed feelings about facial recognition – it’s one of those technological developments that is neutral in its own right, but can go either way in real life.

A bit like Google Street View, for example.

My golly, but Street View is useful when you’re trying to find your way to a business in a town you’ve never visited before…

…but it gets a bit creepy when you take a look at your own street, and realise just how much lifestyle detail it reveals to anyone who cares to look.

So too with facial recognition.

Most of us would probably approve if facial recognition helped a border agent to detect a violent criminal trying to flee from justice using a stolen passport.

On the other hand, many of us would feel uneasy if facial recognition cameras in a shopping centre were used to track us walking round to guess where we were going next and what we might want to buy.

And all of us (except the crooks themselves, of course) would be hopping mad if facial recognition claimed that we were present at a crime scene when we weren’t.

The last-mentioned problem isn’t quite what has arisen in this case, but it’s not that far off.

Show me a photo

Simply put, Samsung’s soon-to-be-released new phone, the Galaxy S8, has been touted as including facial recognition software that can help to improve security in much the same way that fingerprint scanners have in recent years.

As we said at the start, this is, in theory, a great way of combining convenience and security…

…if, indeed, the security is up to scratch.

It hasn’t been all plain sailing for fingerprints, however.

Apple’s fingerprint sensor, introduced in the iPhone 5s back in 2013, quickly succumbed to German hackers equipped with wood glue.

They took a 2D picture of a fingerprint on a glass surface, printed out what you might call a 2.5D mould on a laser printer by turning up the toner to its thickest setting, and filled up the printout with wood glue to make fake fingerprints.

With a bit of spit to make the conductivity about right, the deception fooled the iPhone.

The same trick – which was already about a decade old when applied to the iPhone 5s – worked against Samsung’s own Galaxy S5 in 2014.

Nevertheless, as a basic factor of authentication, fingerprint sensors have proved surprisingly popular and successful.

Even though you leave partial copies of them all over the place, decent-quality fingerprint images aren’t as easy to get hold of as, say…

…photos of your face.

You can probably guess where this is going.

According to reports, Samsung’s facial recognition “unlock” system can be fooled simply by putting a photo on the screen of one phone and showing it to a second phone.

Apparently, it really is that easy.

What to do?

Don’t panic. You don’t have to use facial recognition to unlock your phone, any more than you have to use your fingerprints on present-day iPhones and Androids.

And even if you do use your fingerprint (or your picture, or your iris, or any other biometric factor), you don’t have to configure things so that one factor unlocks everything, in just the same way that you don’t have to stay logged into your webmail, your Twitter or your Facebook account all the time.

After all, if you are determined to maximise convenience and minimise security, most mobile phones will still let you choose the simplest possible “swipe to unlock” option, so there is plenty of chance to do the wrong thing already.

Here’s our plain-speaking advice:

  • Don’t make it too easy to unlock your phone. Aim for the greatest amount of inconvenience you think you can tolerate, plus a bit extra. Additional complexity will be annoying for a while (for example, if you switch up to a 10- or 12-digit lock code, which means much more typing every time), but after a while it will become second nature.
  • Don’t shout at your work sysadmins if they enforce minimum levels of unlock complexity. After all, even if your phone contains a pile of juicy confidential data from work, it probably contains even more personal digital secrets from your world outside the office. So, heeding your sysadmins will not only protect your employer, your colleagues and your job, but will also protect your own online life.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/qgVOQ2P4lqI/