STE WILLIAMS

Top tip: Unplug your WD My Cloud boxen – now

Western Digital is preparing patches for its My Cloud storage devices because they can be easily hijacked from across the internet or network.

At the time of writing, there’s no fix, so the best thing to do is firewall or power off My Cloud kit and wait. Whoever can reach an at-risk storage system’s built-in administrative web server – be it anyone on the public internet or someone within your network – can execute arbitrary commands on the machine and upload files. This is bad news for a SOHO backup system.

WD’s firmware also has cross-site request forgery vulnerabilities, meaning a malicious webpage can potentially make a victim’s browser connect to a My Cloud device on the network and compromise it. Surfing to a booby-trapped website would be enough to lose control of your My Cloud device. The affected firmware versions (and models) are:

At least version 2.21.126 (My Cloud), 2.11.157 (My Cloud EX2), 2.21.126 (My Cloud EX2 Ultra), 2.11.157 (My Cloud EX4), 2.21.126 (My Cloud EX2100), 2.21.126 (My Cloud EX4100), 2.11.157 (My Cloud Mirror), 2.21.126 (My Cloud Mirror Gen2), 2.21.126 (My Cloud PR2100), 2.21.126 (My Cloud PR4100), 2.21.126 (My Cloud DL2100), and 2.21.126 (My Cloud DL4100).

Word of the security blunders came from SEC Consult Vulnerability Lab, which published an advisory on Tuesday after someone went public with full details of the flaws. SEC Consult warned WD back in January that it had uncovered holes in the My Cloud firmware, and gave the vendor 90 days to fix the bugs before it would reveal its findings to the world.

Then, at the turn of March, someone calling themselves Zenofex blabbed there were more than 80 ways to get remote root on the boxes, covering “the entire series” of the hardware. These flaws can be exploited to bypass logins, perform arbitrary root file writes, and execute remote commands with or without authentication. This week, SEC Consult pulled the trigger and went into full disclosure mode.

“By combining the vulnerabilities documented in this advisory an attacker can fully compromise a WD My Cloud device. In the worst case one could steal sensitive data stored on the device or use it as a jump host for further internal attacks,” SEC Consult noted. “SEC Consult recommends not to attach WD My Cloud to the network until a thorough security review has been performed by security professionals and all identified issues have been resolved.”


Zenofex says he or she discovered WD’s security cockups simply by examining the authentication code in the My Cloud firmware’s web-based user interface.

For example, the command injection bugs are simple: “A majority of the functionality of the WDCloud web interface is actually handled by CGI scripts on the device. Most of the binaries use the same pattern, they obtain post/get/cookie values from the request, and then use the values within PHP calls to execute shell commands. In most cases, these commands will use the user supplied data with little or no sanitisation.”

SEC Consult Vulnerability Lab has published curl commands for some of the vulnerabilities to prove the bugs are real. The lab’s Wan Ikram and Fikri Fadzil also note there is “no anti-CSRF mechanism implemented for all accessible scripts in the firmware.” ®
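To make the advisory’s two findings concrete, here is a constructed Python example (not WD’s firmware code, which is PHP): the unsafe string-concatenation pattern Zenofex describes, a hardened handler that allowlists the parameter and executes an argv list so no shell ever parses it, and a session-bound anti-CSRF token check. `SHARE_ROOT`, the share-name rule and the request shape are assumptions.

```python
"""Constructed illustration of the two bug classes in the advisory: a request
value pasted into a shell command, and a state-changing CGI endpoint with no
anti-CSRF check. Python stands in for the firmware's PHP; paths and names are
assumptions, not WD's code."""
import hashlib
import hmac
import re
import shlex
import subprocess

SHARE_ROOT = "/shares"                       # assumed mount point, not from the advisory
SHARE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")  # allowlist: no '/', '.', spaces or metacharacters
SHELL_SEPARATORS = {";", "|", "&", "||", "&&"}


def unsafe_shell_line(share: str) -> str:
    """The vulnerable pattern: the parameter is concatenated into a shell
    string. Returned rather than executed so its effect can be inspected."""
    return "ls -la " + SHARE_ROOT + "/" + share


def shell_command_count(line: str) -> int:
    """How many separate commands a POSIX shell would run for LINE.
    Demonstration only (does not see $(...) or backticks); the hardened
    path below never relies on this kind of after-the-fact inspection."""
    lexer = shlex.shlex(line, punctuation_chars=True)
    return 1 + sum(1 for tok in lexer if tok in SHELL_SEPARATORS)


def safe_argv(share: str) -> list:
    """Hardened path: allowlist the parameter, then build an argv list so
    no shell ever parses user-controlled text."""
    if not SHARE_NAME.fullmatch(share):
        raise ValueError("share name rejected by allowlist")
    return ["ls", "-la", SHARE_ROOT + "/" + share]


def csrf_token(session_id: str, key: bytes) -> str:
    """Synchronizer token bound to the session, embedded in the admin UI's
    own forms. A booby-trapped page can make the browser send the session
    cookie, but cannot read this value across origins."""
    return hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_ok(session_id: str, presented: str, key: bytes) -> bool:
    expected = csrf_token(session_id, key).encode()
    return hmac.compare_digest(expected, presented.encode())


def handle_list_share(request: dict, key: bytes) -> dict:
    """Hardened CGI-style handler. REQUEST is {'cookies': {...}, 'form': {...}}."""
    session = request.get("cookies", {}).get("session", "")
    form = request.get("form", {})
    if not session or not csrf_ok(session, form.get("csrf", ""), key):
        return {"status": 403, "error": "missing or invalid anti-CSRF token"}
    try:
        argv = safe_argv(form.get("share", ""))
    except ValueError as exc:
        return {"status": 400, "error": str(exc)}
    return {"status": 200, "argv": argv}


def run_listing(argv: list) -> int:
    """Execute an allowlisted argv without a shell; returns the exit status."""
    return subprocess.run(argv, capture_output=True, text=True, check=False).returncode


if __name__ == "__main__":
    key = b"constructed-demo-key"
    cross_site = {"cookies": {"session": "s1"}, "form": {"share": "public"}}
    legit = {"cookies": {"session": "s1"},
             "form": {"share": "public", "csrf": csrf_token("s1", key)}}
    print(shell_command_count(unsafe_shell_line("public; id")))  # 2
    print(handle_list_share(cross_site, key)["status"])          # 403
    print(handle_list_share(legit, key)["status"])               # 200
```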

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/08/wd_my_cloud_vulnerabilities/

Google leads ‘guerilla patching’ of big vulnerability in open source projects

Google has revealed its emergency patching efforts to fix a widespread and “pernicious” software vulnerability that affected thousands of open source projects in 2015.

Referred to as “Mad Gadget” by Google (aka the Java “Apache Commons Collections Deserialization Vulnerability”, CVE-2015-6420), the flaw was first highlighted by FoxGlove Security in November of that year, months after the first proof-of-concept code garnered almost zero attention.

That was despite it eventually affecting software shipped by Oracle, Cisco, Red Hat, VMware, IBM, Intel, Adobe, HP, OpenNMS, Jenkins and SolarWinds.

It was serious enough to figure in the March 2016 ransom attack on Baltimore’s Union Memorial Hospital and the infamous attack on the San Francisco Municipal Transportation Agency (MUNI) that November.

We should, then, view FoxGlove’s sarcasm in its 2015 alert as prescient: “No one gave it a fancy name, there were no press releases, nobody called Mandiant to come put out the fires.”

We now know the problem was that in 2015 everyone sat back and assumed the affected open source projects would get busy – except that many didn’t.

In March 2016, a Google researcher noticed the lack of activity and decided to start updating the code herself on GitHub. Enlisting help from colleagues to speed the effort, the team soon realised they had bitten off more than they could chew.

Says Google in its blog:

We were furthermore patching all the projects that depended on those projects and so forth. But even once those users upgraded, they could still be impacted by other dependencies introducing the vulnerable version of Collections.

Even projects that had been upgraded could later be undermined by vulnerable older versions of the code that were likely to hang around.

“We were alarmed when we discovered 2,600 unique open source projects that still directly referenced insecure versions of [Apache] Collections.”

In response, Google’s engineers initiated Operation Rosehub, a volunteer effort by 50 engineers dedicating 20% of their working time to the huge patching effort.

Going forward, we believe the best thing to do is to build awareness. We want to draw attention to the fact that the tools now exist for fixing software on a massive scale, and that it works best when that software is open.

Guerilla patching on this scale is extremely unusual and might even be viable beyond open source. Last week, Acros Security coined the idea of the “0patch” by posting a patch for the Windows gdi32.dll memory disclosure zero day (CVE-2017-0038) that Microsoft has yet to fix.

You read that correctly: a third party has released a temporary patch affecting Microsoft. Goodness knows who might apply such a thing before Microsoft ships its own native fix in mid-March but a “zero patch” now exists for a zero day. Say its authors, ominously: “Now onward to writing the next 0-day 0patch.”

It’s a small insurgency but an interesting one. Hitherto, flaws were fixed when companies or developers got around to fixing them. With Rosehub and 0patch we’ve been given a window into an alternative future where not fixing something might become an open invitation for others to do it for you.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/tJqTHH84uTw/

WikiLeaks drops huge cache of confidential CIA documents

WikiLeaks has launched a new series of leaks on the US Central Intelligence Agency it calls “Vault 7”. It claims this will represent the largest dump of confidential documents on the agency in history.

The first full part of the series dropped Tuesday. Called “Year Zero”, this release yields 8,761 documents and files from an isolated, high-security network inside CIA headquarters in Langley, Virginia. If it proves to be authentic, then it paints an intimate picture of America’s cyber-espionage efforts.

Wikileaks said in its press release that Year Zero introduces the scope and direction of the CIA’s global covert hacking program, its malware arsenal and dozens of zero-day weaponized exploits against a wide range of US and European company products, including Apple’s iPhone, Google’s Android and Microsoft’s Windows and even Samsung TVs, which are apparently turned into covert microphones.

By the end of 2016, the CIA’s hacking division, which formally falls under the agency’s Center for Cyber Intelligence (CCI), had over 5000 registered users and had produced more than a thousand hacking systems, trojans, viruses, and other ‘weaponized’ malware. Such is the scale of the CIA’s undertaking that by 2016, its hackers had utilized more code than that used to run Facebook. The CIA had created, in effect, its ‘own NSA’ with even less accountability and without publicly answering the question as to whether such a massive budgetary spend on duplicating the capacities of a rival agency could be justified.

The CIA hadn’t yet confirmed or denied the information at the time of publication, but WikiLeaks does have a long track record of releasing top-secret government documents.

So far, experts who have had a look say the document dump looks authentic. One is Dave Kennedy, CEO and founder at TrustedSec, an information security consultancy based near Cleveland, Ohio:

This looks to be tons of code, lots of capability overviews and tactics. This is the largest intelligence dump I think I’ve ever seen and it appears to be largely legitimate.

Kennedy said the documents show that the CIA hasn’t cracked strong-grade encryption, but that it has made a concerted effort to go after endpoints and mobile devices in order to circumvent encryption and eavesdrop on communications.

It also shows a number of methods for how they deployed implants, went after security technology and more. It appears they had vast methods for getting around the top security products out there to evade detection including more targeted approaches to EMET and more direct exploits.

We’ll update this story as details continue to unfold.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/H3OaJkiLAts/

News in brief: Kodi streaming ‘not illegal’; whistleblower movie planned; robots on the rise

Your daily round-up of some of the other stories in the news

Streaming via Kodi probably not illegal

We all know it’s illegal to torrent copyright material, but is it illegal to use tools such as Kodi to stream pirated content? Probably not in European Union countries, thanks to a June 2014 ruling by the Court of Justice of the European Union that it’s not illegal to create temporary copies of copyright material on a device.

So why revisit this decision now? That’s because in the UK local authorities have recently been cracking down on the sale of TV streaming devices that have a modified version of Kodi installed that allows users to stream copyright content: it remains illegal to create pirate copies of copyright material and to upload such content, including seeding torrents.

Trading Standards officers in Cornwall warned at the end of February that they were “keeping a close eye” on the sale of devices with Kodi pre-installed, as has Derbyshire County Council. However, Derbyshire explicitly told the Derby Telegraph: “Accessing premium paid-for content without a subscription is considered by the industry as unlawful access, although streaming something online, rather than downloading a file, is likely to be exempt from copyright law.”

It’s a subtle distinction, but an important one. However, we’d remind you that if you do torrent content, that’s a good way to end up with at best, unwanted software on your device, and at worst, malware.

Spielberg to direct whistleblower movie

Back in the day before Wikileaks, whistleblowers had to leak actual paper documents to reporters and couldn’t cover their tracks with encryption, secure drops and Tor.

One of the biggest leaks by a whistleblower was the 1971 leak by military analyst Daniel Ellsberg of what became known as the Pentagon Papers, a secret US Department of Defense study of US involvement in Vietnam between 1945 and 1967.

Now Tom Hanks and Meryl Streep are set to star in a movie about how the Washington Post challenged the government for the right to publish the Pentagon Papers, reports Deadline.

Steven Spielberg will direct the film, according to Deadline, which will join the classic 1976 film All The President’s Men in the canon of movies about how the Washington Post broke major stories from whistleblowers. Given today’s news of the latest dump from Wikileaks, this new movie feels very timely.

Robots set to surge in warehouses

Robots are increasingly taking over from humans in warehouses, with some 40,000 units shipped in 2016, but rising demand means that by 2021, more than half a million robotic units will be shipped, according to a new report from market intelligence firm Tractica.

The report says that by 2021, 620,000 units a year will have shipped, with a value of $22.4bn, up from an estimated $1.9bn in 2016.

The report comes as legislators start to get to grips with what the growth of robotics technology means for humans and society, and as warnings come that the current crop of robots is worryingly lacking in security. However these issues play out, it’s clear that the world of work will be very different in the years to come.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/jf1r5wL8gBc/

Spies do spying, part 97: Shock horror as CIA turn phones, TVs, computers into surveillance bugs

WikiLeaks has dumped online what appears to be a trove of CIA documents outlining the American murder-snoops’ ability to spy on people.

The leaked files describe security exploits used to hack into vulnerable Android handhelds, Apple iPhones, Samsung TVs, Windows PCs, Macs, and other devices, and remote-control them to read messages, listen in via built-in microphones, and so on. The dossiers discuss malware that can infect CD and DVD disc file systems, and USB sticks, to jump air-gaps and compromise sensitive and protected machines – plus loads more spying techniques and tools.

Yes, government surveillance has a chilling effect on freedom of expression. But, no, none of this cyber-spying should be a surprise. Meanwhile, tech giants keep putting exploitable microphone-fitted, always-connected devices into people’s homes.

The tranche of CIA documents – a mammoth 8,761 files dubbed “Year Zero” – accounts for “the entire hacking capacity of the CIA,” WikiLeaker-in-chief Julian Assange boasted today. He said the documents show the intelligence agency had lost “control of its arsenal” of exploits and hacking tools, suggesting they were passed to the website by a rogue operative.

“‘Year Zero’ introduces the scope and direction of the CIA’s global covert hacking program, its malware arsenal, and dozens of ‘zero day’ weaponized exploits against a wide range of US and European company products, [including] Apple’s iPhone, Google’s Android, Microsoft’s Windows and even Samsung’s TVs, which are turned into covert microphones,” the WikiLeaks team said in a statement.

“The archive appears to have been circulated among former US government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive,” it added.

We’re still poring over the files. So far, from what we can tell, these “zero days” are said to affect older versions of Android and iOS. In any case, WikiLeaks wants to spur public debate over the CIA’s capabilities:

By the end of 2016, the CIA’s hacking division, which formally falls under the agency’s Center for Cyber Intelligence (CCI), had over 5,000 registered users and had produced more than a thousand hacking systems, trojans, viruses, and other ‘weaponized’ malware. Such is the scale of the CIA’s undertaking that by 2016, its hackers had utilized more code than that used to run Facebook. The CIA had created, in effect, its ‘own NSA’ with even less accountability and without publicly answering the question as to whether such a massive budgetary spend on duplicating the capacities of a rival agency could be justified.

When NSA techie Edward Snowden leaked documents from his agency, he got journalists to screen and, where necessary, redact portions of his vast PowerPoint slide dump. For today’s Vault 7 leaks, WikiLeaks said it had done this work itself:

WikiLeaks has carefully reviewed the ‘Year Zero’ disclosure and published substantive CIA documentation while avoiding the distribution of ‘armed’ cyberweapons until a consensus emerges on the technical and political nature of the CIA’s program and how such ‘weapons’ should be analyzed, disarmed and published.

WikiLeaks has also decided to redact and anonymize some identifying information in ‘Year Zero’ for in-depth analysis. These redactions include tens of thousands of CIA targets and attack machines throughout Latin America, Europe and the United States.

Despite these stated precautions, WikiLeaks is likely to come under fire. The general public will probably quickly lose interest in the spying tools; the code is more likely to pique the interest of shady software developers, who can exploit any remaining unpatched bugs uncovered by the CIA to develop spyware.

One silver lining is that this demonstrates that it is so difficult to crack today’s end-to-end encryption apps, such as Signal and WhatsApp, that spies have to drill into the underlying devices and computers to snoop on people. That’s a lot of effort, cost, and risk, compared to tapping into communications over the wire, which strong end-to-end cryptography comfortably thwarts. Agents are therefore forced to carry out targeted snooping rather than mass blanket surveillance.

Meanwhile, some folks are speculating that the source of the leak could be the Russians, and its true purpose is to derail the CIA for political gain.

Year Zero is the first part of a larger release of information codenamed “Vault 7” by WikiLeaks, and is touted as the largest-ever publication of confidential documents on the intelligence agency. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/07/wikileaks_cia_cyber_spying_dump/

Black Hat Asia 2017: Threat & Vulnerability Management: Knowing You’re Secure

Threat and vulnerability management is a foundational technique that every security professional should embrace. Here’s why.


What are my vulnerabilities? What threats am I exposed to? Where are they? How can I mitigate them? How can I measure how secure I am? 

These are fundamental questions virtually every CISO or IT Security manager asks. Answering these critical questions is essential to the viability of any organization, and failure to have a comprehensive understanding of the cyber risks to which your organization is exposed will result in catastrophic consequences.

Having a deep and current understanding of vulnerability and threat exposure is foundational to the security of any enterprise. In other words, vulnerability and threat assessment is as critical as any currently deployed security technology, including the firewall.

Unfortunately, few organizations are capable of measuring their cyber risk exposure in an accurate and thorough way. Evidence of this is provided by the recent IDC IT Security MaturityScape Benchmark Report, which indicates that 84% of companies surveyed across APAC are either ad-hoc or opportunistic in their overall security practices. 

By establishing a detailed threat and vulnerability management (TVM) program, organizations can better understand and measure their risk exposure from active threats and vulnerabilities.

There are five key elements to any TVM program: 

● Asset Discovery – finding all assets that exist within the infrastructure.

● Threat Detection – finding indicators of compromise.

● Vulnerability Detection – finding weaknesses in all assets within the infrastructure.

● Threat and Vulnerability Analytics – leveraging a platform that is capable of consuming, processing, prioritizing, communicating and tracking threat and vulnerability data.

● Threat and Vulnerability Mitigation – systematically leveraging TVM data analytics to apply appropriate remedies to detected threats and vulnerabilities. 

Most importantly, a TVM program must be executed on a continuous basis. Your infrastructure is constantly changing. If you’re not executing your TVM program in a way that can track these constant changes, then you will miss significant data points and events that could have a major impact on your cybersecurity posture.

So, what does all this tell you? Simply put, a properly implemented TVM program describes your overall risk profile, and how that profile may be improved over time. These metrics can be reported to senior management to illustrate how secure the business is as a whole. The same metrics, presented in a different way, can be given to technical staff so that necessary technical steps can be taken to reduce the present level of risk. TVM also provides the ability to identify active threats that are present within your infrastructure, threats that could be exposing you to data theft, undesired surveillance or even complete infrastructure shutdown. 

Threat and Vulnerability Management is a foundational technique that every security professional must embrace in order to know what is secure, what is not secure, and where attention needs to be focused for improvement. It provides tools to report to all levels within the organization accurate security metrics and necessary remediation activities. Without such measurements, you will never know how secure you really are – or aren’t.

Tenable Network Security transforms security technology for the business needs of tomorrow through comprehensive solutions that provide continuous visibility and critical context, enabling decisive actions to protect your organization. Tenable eliminates blind spots, prioritizes threats, and reduces exposure and loss. Transform security with Tenable, the creators of Nessus and leaders in continuous monitoring. 

Article source: http://www.darkreading.com/vulnerabilities---threats/black-hat-asia-2017--threat-and-vulnerability-management-knowing-youre-secure/d/d-id/1328329?_mc=RSS_DR_EDT

Google’s ‘SHA-1 Countdown Clock’ Could Undermine Enterprise Security

In the wake of a recently documented ‘collision’ attack, Google researchers should release a patch for the cryptographic Secure Hash Algorithm 1 sooner rather than later. Here’s why.

The recent announcement from Google that researchers documented a collision with the Secure Hash Algorithm 1 (SHA-1) cryptographic hash function has enormous implications for the IT industry.

Whether it’s file reputation and whitelisting services or browser security, SHA-1 plays a critical role in today’s IT infrastructure. The algorithm allows for, among other things, the unique identification of datasets. Many content and file whitelisting vendors rely heavily on SHA-1 to distinguish between benign and malicious content.

The same is true for file reputation services. Within storage, vendors have used the algorithm to identify duplicate files. The algorithm is also used for digital signatures and file integrity verification, which secure credit card transactions, electronic documents, Git open-source software repositories and software distribution.

From a security perspective, having datasets hash to the same SHA-1 digest (what’s called a “collision”), undermines the safety of the algorithm. Attackers could potentially create a malicious file with the same hash as a benign file, bypassing current security measures.

Equally alarming, though, is Google’s conduct in this matter. Google researchers say that they will publish the code – not merely a paper – enabling someone to create two PDF files with identical SHA-1 hashes within 90 days, in accordance with the vulnerability disclosure practice of Project Zero, Google’s security and vulnerability research team. They have also released a tool that checks whether a file is vulnerable to collisions.

Time is of the Essence
The scale and severity of the problem may well require more than the 90 days for most vendors to publish patches, and for customers to apply them. SHA-1 is so widely deployed that it will take far too long to make the necessary infrastructural changes across every relevant product in the network.  

Obviously, we don’t know the details of the exact code Google will release in 90 days, but we are concerned that any code could accelerate the creation of a successful SHA-1 attack. Currently, most hackers are unlikely to reproduce the attack, if only because of the significant cost of the computational power needed to crack SHA-1.

A vendor’s ability to eliminate SHA-1 support will depend on several factors, including:

  • The product architecture
  • How the vendor managed the file hash database
  • How much the vendor depends on a specific hashing algorithm
  • Whether it’s easy to make the code change

This definitely will not be a quick fix for some vendors. While service providers will not face as many challenges as appliance vendors, thanks to the speed of service updates, it is unfair to force enterprises into a race to beat a Google-created SHA-1 countdown clock.

Rather, Google should provide a paper describing the attack in 90 days, and then release the code at a later date. This deviates from Google’s normal practice, but the mere documentation of a SHA-1 collision will be sufficient to accelerate the change to a better hashing algorithm.

“Told You So” is Not the Answer
Google’s blog seems to anticipate some of these issues by pointing out that they’ve long called for the elimination of SHA-1: “For the tech community, our findings emphasize the necessity of sunsetting SHA-1 usage. Google has advocated the deprecation of SHA-1 for many years, particularly when it comes to signing TLS certificates,” according to the blog.

In fact, Google is hardly unique in its wish to eliminate SHA-1. In 2005, cryptanalysts first suggested that SHA-1 may not be secure enough for ongoing use, and since 2010 many organizations have recommended its replacement by SHA-2 or SHA-3. Further, Microsoft, Apple, Mozilla and Google have all announced that their respective browsers will stop accepting SHA-1 SSL certificates by 2017.

But the business of IT has always been about prioritizing the here-and-now over tomorrow. Companies try to maximize their resources by bringing products to market – not with every possible feature, but just the right features at the right time. Until now, SHA-1’s theoretical limitations have made replacing the algorithm a “to be” feature rather than an immediate concern. There had not yet been a practical SHA-1 collision, leaving vendors to continue using the algorithm as a hashing function.

What You Can Do
CISOs and their teams should immediately ask security vendors about their plans for replacing SHA-1. They should also implement plans to patch or update their systems to the latest revision.

All network and endpoint security vendors using whitelisting mechanisms for files should rely on a more secure hashing algorithm, such as SHA-256 or SHA-3, not SHA-1. Vendors should align their databases with the new hashes respectively.
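One way a whitelisting vendor can “align its database with the new hashes” without a flag day, as an added Python example that is not any vendor’s real code: SHA-256 becomes the only key that grants trust, SHA-1 entries survive as advisory hints until each file is re-verified out of band, and a later SHA-1 match whose content differs from the re-verified file is flagged as a collision suspect. The whitelist format and sample bytes are constructed.

```python
"""Constructed example of retiring SHA-1 as a whitelist key: SHA-256 is
authoritative, legacy SHA-1 entries are advisory only until migrated, and a
SHA-1 match with differing content (what a collision attack produces) is
flagged rather than trusted. Not a vendor's actual database."""
import hashlib

CHUNK = 1 << 16


def dual_digest(data: bytes) -> tuple:
    """Compute SHA-1 and SHA-256 in one pass so a legacy database can be
    rekeyed as files are scanned, without reading each file twice."""
    h1, h256 = hashlib.sha1(), hashlib.sha256()
    for i in range(0, len(data), CHUNK):
        block = data[i:i + CHUNK]
        h1.update(block)
        h256.update(block)
    return h1.hexdigest(), h256.hexdigest()


class Whitelist:
    def __init__(self):
        self.by_sha256 = {}  # sha256 hex -> label; the only key that grants trust
        self.legacy = {}     # sha1 hex -> [label, sha256 hex once migrated else None]

    def add_legacy(self, sha1_hex: str, label: str) -> None:
        """Import an entry from the old SHA-1-keyed database."""
        self.legacy[sha1_hex] = [label, None]

    def verdict(self, data: bytes) -> str:
        sha1, sha256 = dual_digest(data)
        if sha256 in self.by_sha256:
            return "trusted"
        entry = self.legacy.get(sha1)
        if entry is None:
            return "unknown"
        if entry[1] is not None and entry[1] != sha256:
            # Same SHA-1 as a re-verified file but different bytes: exactly
            # the situation a collision attack creates. Never trust it.
            return "collision-suspect"
        # Legacy SHA-1 match only: advisory until the file is re-verified.
        return "legacy-match"

    def migrate(self, data: bytes) -> bool:
        """After an operator re-verifies DATA out of band (vendor signature,
        original distribution), promote its legacy entry to a SHA-256 key."""
        sha1, sha256 = dual_digest(data)
        entry = self.legacy.get(sha1)
        if entry is None:
            return False
        entry[1] = sha256
        self.by_sha256[sha256] = entry[0]
        return True


if __name__ == "__main__":
    wl = Whitelist()
    benign = b"constructed benign installer bytes"
    wl.add_legacy(dual_digest(benign)[0], "installer-1.0")
    print(wl.verdict(benign))   # legacy-match
    wl.migrate(benign)
    print(wl.verdict(benign))   # trusted
```

A real colliding pair is not reproduced here; the collision branch is exercised by planting a legacy record whose migrated SHA-256 belongs to different content.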


Finally, enterprises will want to be sure that their vendors do not work with third-party resources, such as reputation services, that rely on SHA-1 or MD5, an even older, more insecure hashing algorithm.

Google has an aggressive approach to teaching vendors about security. We’ve seen this in several of the latest Project Zero publications and we see it in this issue. Google has long advocated for the deprecation of SHA-1; releasing the code now will assuredly achieve that aim.


Elad Menahem is the head of security research at Cato Networks, a disruptive cloud-based enterprise platform with a mission to make networking and security simple again. Elad served in an elite tech unit in the Israel Defense Forces (IDF) Intelligence Corps, and has more than …

Article source: http://www.darkreading.com/googles-sha-1-countdown-clock-could-undermine-enterprise-security/a/d-id/1328337?_mc=RSS_DR_EDT

‘Entire Hacking Capacity Of CIA’ Dumped On Wikileaks, Site Claims

Leaked data tranche of 8,700 documents purportedly includes tools that bypass encryption on Signal secure messaging app and turn smart TVs into covert surveillance devices.

In what appears to be another major blow against a U.S. intelligence agency, whistleblower website WikiLeaks has publicly leaked 8,761 documents purportedly containing highly confidential information on the Central Intelligence Agency’s (CIA) global hacking capabilities and malware arsenal.

Among the leaked documents are those that allegedly describe numerous zero-day vulnerabilities targeting Android, iOS, and Windows systems, as well as exploits against network routers, smart TVs, and critical components in connected vehicles.

The documents, which WikiLeaks has collectively titled Vault 7, were released Tuesday and allegedly come from a high-security network inside the CIA’s Center for Cyber Intelligence facility in Langley, Va.

The data dump represents the largest-ever leak of confidential CIA information and contains several hundred million lines of attack code that the agency has developed over the years for breaking into and spying on adversary systems and networks. The data appears to have been circulating for some time among former government hackers and contractors, and was provided to WikiLeaks by one of them, the website said in a statement.

“This extraordinary collection … gives its possessor the entire hacking capacity of the CIA,” the site boasted.

Several specialized groups within the CIA were allegedly responsible for the collection of hacker tools and malware released in this week’s data dump, according to WikiLeaks.

A group within the CIA’s Center for Cyber Intelligence, called Engineering Development Group (EDG), for instance, was responsible for building and supporting the backdoors, malicious payloads, Trojans, and viruses that the CIA used globally for its covert operations. The group’s management system apparently contains details on around 500 projects involving tools for penetrating, infesting, data exfiltration, and command and control.

Another group dubbed the Embedded Devices Branch developed a tool capable of infesting smart TVs and turning them into covert listening devices even when the owners think the TV has been shut off. A Mobile Devices Branch developed attacks for breaking into Android, iOS and other smartphones, including methods for bypassing the encryption offered by services like WhatsApp, Signal, and other apps, the site claimed.

As part of its activities, the CIA also explored hacks of control systems in smart cars and trucks though the purpose of such efforts is not clear, WikiLeaks said.

The document dump has surfaced some familiar concerns pertaining to the ability of U.S. intelligence agencies to protect their sensitive data against such massive leaks, especially in a post Edward Snowden era.

It has also stirred up concern about WikiLeaks’ motives behind such a leak and its responsibility for any misuse of the leaked data by criminals and opportunistic attackers.

“The size and scope does seem to suggest inside access,” says John Pescatore, director of emerging security threats at the SANS Institute. “That could be a malicious insider or it could simply be a compromised insider machine. But that is just my speculation,” he says.

Following Snowden’s leaks in 2013, National Security Agency director Keith Alexander had suggested one way to mitigate insider risks was to reduce the number of system administrators by 90% and move more applications and services to the cloud, Pescatore recalls. All that meant was that the 10% of remaining administrators likely had broader access, because there were fewer of them. “If you don’t improve the vetting and monitoring of privileged users, one going bad with broader access will cause more damage,” Pescatore says.

Brian Vecci, technical evangelist at Varonis, says that without more information it’s hard to say how WikiLeaks might have gotten its hands on the confidential data. A first read suggests the leak was the result of a well-coordinated effort that was likely designed to have maximum public impact.

“I’m personally surprised at the breadth and depth of what’s been revealed so far, because of just how big the implications are for both individual and organizational privacy,” Vecci says. “The detective and preventive controls put in place to protect this information were inadequate, full stop,” he says. “Either no one was monitoring the data, the access rights to that data or the activity against that data. Whether this was done accidentally or purposefully is a separate question.”

Edward McAndrew, the co-chair of the privacy and data security group at law firm Ballard Spahr says the leak exposes the continued inability of U.S. intelligence agencies to secure their most sensitive data, even after the lessons from Snowden’s leaks.

But “Wikileaks’ persistent publication of stolen and highly confidential information raises the specter that it has become an aider and abettor of computer fraud that now impacts US national security,” says McAndrew, a former cybersecurity specialist at the U.S. Department of Justice.

What WikiLeaks has leaked could potentially be used to commit criminal acts against victims ranging from individuals to large corporations. “The release of intelligence-grade hacking tools into the wild of the Internet will significantly increase the cybersecurity risks for organizations of all types,” he says. “If there is a bright side, it may be that corporate information security departments also can – but now must – access and deploy defenses against these tools.”


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: http://www.darkreading.com/attacks-breaches/entire-hacking-capacity-of-cia-dumped-on-wikileaks-site-claims/d/d-id/1328339?_mc=RSS_DR_EDT

Say goodbye to enhanced data privacy, US web surfers

We often worry about how online services like Facebook and their advertising partners track our every move, but let’s not forget the information that internet service providers collect.

These organizations get to see what you access online, when you access it, where from, and what device you’re using, among many other things. It’s a treasure trove of user data. Last week, the US government stopped a ruling designed to give users control over it, the day before it came into force.

US ISPs have historically been able to sell this sensitive information to online brokers interested in knowing more about their customers. Those brokers could in turn use it for advertising and targeted marketing. In October, the FCC moved to regulate that with a contentious privacy rule that introduced a privacy framework for ISPs.

Under the rule, broadband providers couldn’t do anything with sensitive data unless the consumer gave them explicit permission first, by opting in. Sensitive data includes things like geographic location, app usage history and communications content (including, for example, your web browsing history).

The rule let ISPs do what they wanted with non-sensitive user data, but users could still stop them by opting out and telling them not to. It also called on ISPs to take reasonable security measures to protect customer data.

Broadband service providers were against the rule, and in late January telco and online advertising lobbyists called on Congress to hold off on it under the Congressional Review Act.

A major irritation for them is the change of regulator that happened two years ago. Back then, the FCC reclassified ISPs as telecommunications services under Title II of the Telecommunications Act, which brought them under the FCC’s authority and also enabled the agency to preserve net neutrality.

Before that, the Federal Trade Commission regulated ISPs. The FTC’s approach to privacy regulation focuses mainly on private settlements. “Edge” internet services such as Facebook and other social media networks fall under this purview. The telcos prefer the FTC’s regulation to the FCC’s approach, and lobbyists asked for the same treatment.

If you read the ISPs’ own privacy principles, though, which the National Cable and Television Association reaffirmed as it was asking Congress to stay the rule, it looks like the FTC offers a similar kind of regulation. From those principles:

ISPs will continue to: (i) follow the FTC’s guidance regarding opt-in consent for the use and sharing of sensitive information as defined by the FTC; (ii) offer an opt-out choice to use non-sensitive customer information for personalized third-party marketing.

If the FTC also wants opt-in consent for data, then what’s the big deal? The issue revolves around what constitutes sensitive data. The FCC casts a wide net when classifying data as sensitive, including all of a customer’s web browsing data. The FTC has a tighter focus. Only certain web sites in areas such as health would be considered sensitive. For more on this, here’s a Federalist Society podcast where people from both sides of the debate weigh in.

ISPs wanting the same kind of regulation as edge service providers needn’t worry because Republican FCC chair Ajit Pai just came to their rescue. The Trump appointee was against the privacy rule when working as an FCC commissioner. He has been busy reversing the work of his Democrat predecessor Tom Wheeler, calling instead for “light-touch” regulation that would allow businesses to innovate.

The FCC’s privacy rule is his latest unpicked stitch. He called an FCC vote on staying the rule that passed on March 1.

This rule has been contentious from the beginning, with the FCC’s commissioners and chair tending to vote along party lines. Now that Pai has the tiller, it’s unlikely that the standoff will be resolved any time soon. So what does this mean for broadband customer privacy in the US?

There doesn’t seem to be much in the way of consent options for users when dealing with ISPs in the US for the time being. US users could always try paying for privacy, though. Comcast has floated the idea with the FCC in the past, asking for it to “allow business models offering discounts or other value to consumers in exchange for allowing ISPs to use their data”. AT&T’s GigaPower broadband plan already implemented this in the past.

In the US, it seems that everything really is for sale. If you’re not interested in playing that game, then there’s always Tor, we suppose.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/v5N9gVZok1U/

Satan ransomware: old name, new business model

Thanks to Dorka Palotay of SophosLabs for her behind-the-scenes work on this article.

Last month, we received a few queries asking about a strain of ransomware going by the name of Satan.

Those queries were along the lines of, “What do you detect it as?”

The simple answer is Troj/Ransom-ECZ, which is what we replied back then, but there’s a backstory to the Satan malware family that we thought was worth covering, too.

Cybercriminals have long used themes like the devil, the occult and what you might rather loosely call “the dark arts” as inspiration for malware names: Dark Avenger, Necropolis, Mydoom, Natas (which is Satan backwards) and SatanBug are just a few examples.

But there’s one aspect of the Satan ransomware that isn’t old-school, and that’s what we’re looking at in this article: its business model.

In its own words, the malware part of Satan is simply explained:

Satan is a ransomware, a malicious software that once opened in a Windows system, encrypts all the files, and demands a ransom for the decryption tools.

But Satan is also an online crimeware service:

As you can see from the welcome screen on Satan’s website, which you access using Tor via a .onion address on the dark web, this ransomware is backed by a cloud service you sign up for.

Satan has brazenly copied the business model of many legitimate online services such as iTunes and eBay: joining up is free, but you pay-as-you-go on a percentage basis when you put business through the site.

The Satan service claims to:

  • Generate a working ransomware sample and let you download it for free.
  • Allow you to set your own price and payment conditions.
  • Collect the ransom on your behalf.
  • Provide a decryption tool to victims who pay up.
  • Pay out 70% of the proceeds via Bitcoin.

The service (we’ll use that word without quotation marks, but you may infer them if you wish) even supports optional two-factor authentication based on a public-private key pair, just like SSH, and a CAPTCHA to make automatic mass signups more difficult:

Once you have a login, you can begin to generate ransomware samples, tailored to your own price point.

You can choose an initial ransom, starting at BTC 0.1 (about $125 on 2017-03-07), the number of days you want to keep the price at its starting point, and a “ramp up” factor by which the ransom will increase after the initial period:

Once you’ve created a sample, you can not only download it to start attacking potential victims, but also generate a series of supporting files that will help you to use it in an attack.

Notably, the Satan website helps you create scripts in both PowerShell and Python that will scramble your ransomware samples using an XOR encoding algorithm.

That way, the files you publish online for your victims to download won’t look obviously like Windows programs (EXE files):

Of course, once you have scrambled your ransomware files, you can’t just send the files or links to your victims and expect them to work, because the files will arrive in scrambled form and won’t run.

The Satan service helps you over that step, too, by creating either an HTML page or a Microsoft Word macro to do the job of downloading, unscrambling and auto-launching the decoded malware.

Then, you can:

  • Set up an innocent-looking web page that does the dirty work, and entice your victims to visit it; or
  • Embed the generated Word macro into a Word document that you send as an attachment, and entice your victims to open it.
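The XOR scrambling described above is cheap to undo from the defensive side, because a Windows executable has fixed, well-known header bytes that survive any single-byte XOR with a predictable shift. The following scanner is an added example for this article, not code from SophosLabs and not anything the Satan service produces: it tries all 256 one-byte keys against the head of a downloaded blob and reports whether a PE file is hiding underneath. It assumes a single-byte repeating key (the article does not say what key length the Satan scripts use), and the sample blob it scans is a constructed, harmless fake PE header rather than real malware.

```python
"""Spot Windows executables hidden behind single-byte XOR encoding.

Added example for this article; it is not code from SophosLabs or from the
Satan service. The portal emits scripts that XOR-scramble a ransomware sample
so the file served to a victim lacks the usual EXE markers. A download filter
or mail gateway can undo that by trying every one-byte key and testing for a
valid PE header. The blob built by make_fake_pe() is a constructed, harmless
header-only stand-in, not real malware.
"""
import struct
from typing import Optional

# Text the MS-DOS stub of almost every Windows executable carries.
DOS_STUB = b"This program cannot be run in DOS mode"


def looks_like_pe(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew field points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def find_xor_key(blob: bytes, probe_len: int = 0x400) -> Optional[int]:
    """Return the single-byte key that turns blob into a PE file, or None.

    Key 0 means the blob is already a plain executable. Only the first
    probe_len bytes are decoded per candidate, which keeps the 256-way
    brute force cheap even on large downloads.
    """
    head = blob[:probe_len]
    for key in range(256):
        if looks_like_pe(xor_bytes(head, key)):
            return key
    return None


def contains_dos_stub(blob: bytes, key: int) -> bool:
    """Second, independent signal: the decoded head should carry the DOS stub."""
    return DOS_STUB in xor_bytes(blob[:0x400], key)


def make_fake_pe() -> bytes:
    """Constructed PE-shaped header for the demo; it is not a runnable program."""
    pe_offset = 0x80
    data = bytearray(pe_offset + 4)
    data[0:2] = b"MZ"
    struct.pack_into("<I", data, 0x3C, pe_offset)   # e_lfanew -> PE signature
    data[0x4E:0x4E + len(DOS_STUB)] = DOS_STUB
    data[pe_offset:pe_offset + 4] = b"PE\x00\x00"
    return bytes(data)


def scan(blob: bytes) -> str:
    """One-line verdict suitable for a gateway or proxy log entry."""
    key = find_xor_key(blob)
    if key is None:
        return "no PE found"
    if key == 0:
        return "plain PE"
    stub = "with" if contains_dos_stub(blob, key) else "without"
    return f"XOR-encoded PE, key 0x{key:02x}, {stub} DOS stub"


if __name__ == "__main__":
    fake = make_fake_pe()
    scrambled = xor_bytes(fake, 0x5A)   # shape of what a scrambling script would publish
    print(scan(fake))                    # plain PE
    print(scan(scrambled))               # XOR-encoded PE, key 0x5a, with DOS stub
    print(scan(b"<html><body>innocent page</body></html>"))   # no PE found
```

The two signals are deliberately separate: the `MZ`/`PE\0\0` check pins the key from just a handful of header bytes, and the DOS stub check confirms the hit so that a random blob whose first bytes happen to decode to `MZ` is not flagged on its own. A multi-byte repeating key would defeat this scanner as written; the same known-plaintext idea still applies (the header and stub give you dozens of known bytes at fixed offsets), but that generalization is left out here because the article does not describe the key length the Satan scripts use.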

If you do manage to infect a prospective victim, they’ll be instructed to pay the ransom you specified, but into a bitcoin wallet operated by the crooks:

You’re then expected to trust the crooks to be honest about all the payments they receive, and to cough up 70% of every ransom payment into a bitcoin address you supply them.

What to do?

We shouldn’t have to say this, but the answer is dead simple: DON’T.

Deliberately sending out malware in the hope of infecting victims is illegal in most jurisdictions; actually infecting them just makes a bad thing worse; and demanding money with menaces after infecting them is worse still.

If you try this and get caught, don’t expect too much sympathy from the court.

LEARN MORE

As always, the best defence against ransomware of any sort is not to get infected in the first place, so we’ve published a guide entitled How to stay protected against ransomware that we think you’ll find useful:

You might also enjoy our Techknow podcast Dealing with Ransomware:


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/IakZyHp8arI/