STE WILLIAMS

How’s your online bank security looking? The Dutch studied theirs and… yeah, not great

The Dutch banking industry is doing a terrible job of online security, according to the company that runs the country’s .nl internet domains.

In a new report published Tuesday, the internet registry SIDN was surprised to find that just six per cent of banks using .nl internet addresses have the security protocol DNSSEC in place to protect their digital assets and their customers.

“Banks should be the main users of DNSSEC security,” said SIDN CEO Roelof Meijer, “but they scored – for the second time in a row – the worst of all investigated domains.”

He also pointed out that with online banking becoming ever more important, it was incumbent on the industry to adopt the latest security standards. “With the closing of physical bank branches and a reduction in the number of ATMs, the online front door of the banks is becoming increasingly important,” said Meijer. “Moreover, of all companies, they suffer the most from phishing and spoofing, something DNSSEC in conjunction with DKIM and DMARC can protect against.”

SIDN looked at just over 7,000 .nl domains owned by a range of industries from government to business to banking and telecoms to determine whether they were using the security protocol.

Top of the list, unsurprisingly, came the internet infrastructure industry, with 64 per cent of internet addresses secured by DNSSEC. But government came an impressive second with 59 per cent – something SIDN says is a direct result of policy.

DKIM Dotcom

Last year, the Dutch interior minister directed all local government websites to adopt DNSSEC by the end of 2017, and new security standards that build on top of DNSSEC for email (STARTTLS and DKIM) have also encouraged take-up.

Business has a passable take-up of 30 per cent (up from 23 per cent in 2014) and the internet/telecom industry was surprisingly low with just 25 per cent take-up.

While there has been a significant pick-up in the use of DNSSEC, it is still below what internet engineers want to see – although it is still doing much better than IPv6.

If a domain name is secured with DNSSEC it makes it much harder for criminals to misdirect people to a different address, as the DNS system itself checks on its validity.

The technology has been a long time coming and was, initially at least, very expensive and complicated to install. It is still far from simple or cheap, but internet infrastructure companies have been working with it for some time, and most recently ICANN determined that all new internet registries would have to work with DNSSEC, giving the protocol a boost.

Partly as a result of the recent take-up, DNSSEC has started to become a foundation on which other applications are being built, securing both communications and email: examples being DKIM, SPF, DANE and DMARC.

“It’s hard to think of any good reason for not implementing DNSSEC protection,” Meijer argued. “We believe that it’s now up to the big internet service providers to act.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/22/dutch_banking_industry_security_bad/

Netflix treats security ills with Stethoscope: Open-source self-probing tool

Netflix has released the source code of a web application called Stethoscope for evaluating the security of mobile and desktop computing devices.

The software, covered by the Apache 2.0 license, is intended for employees of organizations that use a device management service. Netflix hopes that employees using the toolkit will learn from it and apply the app’s recommendations to personal devices that are not under active management.

Stethoscope relies on a Python backend, a React frontend, and an Nginx foundation for serving static files. Ready to run in a Docker container, it’s designed to collect security-related information from devices when the user visits the application web page.

Device information is used to query data sources involved in device management, such as Google MDM (for mobile devices), JAMF (for Macs), and LANDESK (for Windows). Support for osquery, an open-source framework for device analytics, is being developed.

In essence, Stethoscope provides a security checkup that spans multiple device management services. After accessing the web app, device users will be presented with specific security-oriented recommendations having to do with disk encryption, firewall configuration, automatic updates, update installation, or other things.

The app can also serve as an interface for presenting and responding to notifications, such as device access warnings designed to alert users to logins from unexpected IP addresses or locations.

Netflix engineers Jesse Kriss and Andrew White suggest the app’s advice for managed devices can help employees make better decisions with their personal devices, thereby making Netflix more secure.

“It’s important to us that people understand what simple steps they can take to improve the security state of their devices, because personal devices – which we don’t control – may very well be the first target of attack for phishing, malware, and other exploits,” the pair said in a blog post. “If they fall for a phishing attack on their personal laptop, that may be the first step in an attack on our systems here at Netflix.”

Netflix’s approach to device security involves working with employees on security rather than against them. Stethoscope thus offers low-key security guidance instead of heavy-handed policies that restrict device usage or require IT department intervention.

The project reflects Netflix’s focus on what it calls “User Focused Security.” As Kriss explained in a presentation about Stethoscope at ShmooCon in January, “We want our employees to be secure, not just the endpoints.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/22/netflix_treats_security_ills_with_stethoscope/

Live from RSA 2017 – the inside track [Chet Chat Podcast 258]

Sophos Security Chet Chat – Episode 258 – Feb 16, 2017

Join Sophos security experts Chester Wisniewski and John Shier for the latest episode of our regular security podcast.

Chet and John recorded this podcast live at the recent RSA Conference 2017, so tune in to hear their inside track direct from the expo floor.

If you enjoy the podcast, please share it with other people interested in security and privacy and give us a vote on iTunes and other podcasting directories.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/5lbXgZ3t2D0/

US Homeland Security is so secure even its own staff can’t log in

US Department of Homeland Security staff returning to work on Tuesday after the Presidents’ Day holiday have apparently had a tough time getting computer systems to function.

DHS staff say they weren’t able to log into computer systems at their offices in Washington DC, when clocking on this morning. Staff in at least four buildings, including US Citizenship and Immigration Services, are thought to be affected.

The problem occurred, at least one worker claims, with the personal identity verification cards used by employees as a form of two-factor authentication, but it’s not clear if this is the sole cause or just a symptom.

The timing of this outage is slightly concerning. A long weekend is the traditional time for IT to roll out new updates and fixes (and pick up some sweet overtime moolah), and these may have caused a problem.

However, long weekends are also a great time for hackers to make progress without being spotted. As we saw in the $81m Bangladesh bank hacking heist, the attackers picked their time so that the target and the banks needed to flag up money transfers were either away for the weekend or celebrating Chinese New Year.

It’s a common enough tactic, and the DHS is a top target for foreign hackers. Luckily however, our computer systems are soon to be protected by President Trump’s pick to head up cybersecurity, Rudy Giuliani. Judging from his website we’ll be OK, after a long while and some updates.

The DHS had no comment at time of publication. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/21/us_dhs_computer_access_down/

Researchers offer simple scheme to stop the next Stuxnet

One of the world’s oldest programming styles, the ladder logic that runs on industrial programmable logic controllers, remains dangerously vulnerable to attack, according to boffins from Singapore and India.

The researchers – Naman Govil of the International Institute of Information Technology, Hyderabad; and Anand Agrawal and Nils Ole Tippenhauer of the Singapore University of Technology and Design – explain that for all the attention paid to attacks like Stuxnet, there’s a dearth of work looking at what’s going on at the control logic level.

They write that while industrial control systems are getting better protection from malicious or buggy firmware, the ladder logic that controllers run is less defended.

In the systems they tested, from Rockwell, firmware updates were protected by digital signatures, but not the ladder logic. That runs on the assumption that only trusted people will have access to insert programs: “there were absolutely no checks/verifications performed to ensure that logic updates being pushed onto the programmable logic controller (PLC) are coming from authorised sources.”

To demonstrate this, Tippenhauer and his collaborators wrote what they call “ladder logic bombs” (LLBs) with a focus on stealthy behaviour that’s difficult for human operators to notice if they’re validating what’s running on their PLCs.

The payload types the trio tested included:

They note it’s very easy to conceal commands that will go as far as bricking the PLC, using legitimate instructions to fool around with arrays or create stack overflows (the latter is pure simplicity: create a recursive subroutine that calls itself).

Defences proposed by the Tippenhauer paper are, thankfully, also simple. First, companies should centralise their PLC software storage in a single location, with all engineers submitting what they call “golden samples”, and PLCs should only take updates from those samples. Second, operators should (preferably automatically) run periodic checks that validate the software on PLCs against the central logic store. ®
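The two defences above, as an added example that is my own illustration and not code from the paper: a central golden-sample store keyed by PLC id, and a periodic drift check run over a fleet. The PLC ids and ladder-logic text are constructed; real deployments would read the running image from the controller rather than from a dict.

```python
"""Golden-sample store and PLC logic drift check (hypothetical example).

Models the two defences the paper proposes: a central store of approved
ladder-logic images ("golden samples") and a periodic check that compares
what each PLC is actually running against that store. PLC ids and the
ladder-logic text below are constructed for this example.
"""
import hashlib
from collections import defaultdict


def logic_digest(logic: bytes) -> str:
    """SHA-256 over the exact bytes of a logic image. No normalisation, so
    any change (an added rung, a renamed tag, a stray subroutine call)
    produces a different digest."""
    return hashlib.sha256(logic).hexdigest()


class GoldenStore:
    """Central store: each PLC id maps to the set of digests that engineers
    have submitted as approved golden samples for that controller. Keeping a
    set lets a rollback to an earlier approved version still pass."""

    def __init__(self) -> None:
        self._approved = defaultdict(set)

    def submit(self, plc_id: str, logic: bytes) -> str:
        digest = logic_digest(logic)
        self._approved[plc_id].add(digest)
        return digest

    def known(self, plc_id: str) -> bool:
        return plc_id in self._approved

    def is_approved(self, plc_id: str, digest: str) -> bool:
        return digest in self._approved.get(plc_id, set())


def check_plc(store: GoldenStore, plc_id: str, running: bytes) -> dict:
    """Classify one controller's running logic against the store."""
    digest = logic_digest(running)
    if not store.known(plc_id):
        status = "unknown-plc"   # nothing ever submitted: cannot validate it
    elif store.is_approved(plc_id, digest):
        status = "ok"
    else:
        status = "drift"         # running image matches no golden sample
    return {"plc": plc_id, "status": status, "digest": digest}


def periodic_check(store: GoldenStore, fleet: dict) -> list:
    """Run check_plc over every controller and return only the findings
    that need an operator's attention (anything that is not 'ok')."""
    findings = []
    for plc_id, running in fleet.items():
        result = check_plc(store, plc_id, running)
        if result["status"] != "ok":
            findings.append(result)
    return findings


# Constructed sample logic images (not real controller exports).
GOLDEN_PUMP = b"XIC Start_PB  XIO Stop_PB  OTE Pump_Run\nXIC Pump_Run  TON Pump_Timer 5s\n"
# Same program with one rung appended: the original rungs are untouched, so an
# operator eyeballing the familiar part would not notice, but the digest does.
TAMPERED_PUMP = GOLDEN_PUMP + b"JSR Extra_Routine\n"
GOLDEN_VALVE = b"XIC Level_Hi  OTE Valve_Close\n"


def demo() -> list:
    store = GoldenStore()
    store.submit("plc-pump-01", GOLDEN_PUMP)
    store.submit("plc-valve-02", GOLDEN_VALVE)
    fleet = {
        "plc-pump-01": TAMPERED_PUMP,    # modified since the golden sample
        "plc-valve-02": GOLDEN_VALVE,    # matches the store
        "plc-mixer-03": b"OTE Mixer\n",  # never registered in the store
    }
    return periodic_check(store, fleet)


if __name__ == "__main__":
    for finding in demo():
        print(finding["plc"], finding["status"], finding["digest"][:12])
```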

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/22/how_to_stop_the_next_stuxnet/

Talos opens box, three Aerospike vulns fly out

Aerospike NoSQL server DBAs, make sure you’ve rolled out version 3.11.1.1, because the vulnerabilities it fixes have been made public.

Cisco Talos made the three-vuln disclosure after the fix landed, including one denial-of-service and two code execution bugs – all easy to trigger by sending crafted packets.

In the DoS bug, designated CVE-2016-9049, the crafted packet makes the server process crash by dereferencing a null pointer.

In CVE-2016-9051, a crafted packet sent to a listening port triggers “an out-of-bounds write which causes memory corruption that can lead to remote code execution”.

The same approach applies to CVE-2016-9053, because of an “out-of-bounds indexing vulnerability in the RW fabric message particle type of the Aerospike Database Server”. The crafted packet makes the server fetch a function table outside the bounds of an array.

Aerospike released the updated version on February 15. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/22/aerospike_vulnerabilities/

Google and Bing plan to bury pirated content

When music first reached the Internet it wasn’t always by licensed means – the Google Plays and iTunes of the world – but also through illegal file sharing networks. Napster, Kazaa and other services would scour people’s hard drives for music and share them on a P2P (peer-to-peer) basis.

Things moved on and the original P2P services gave way to BitTorrent and the network of torrent sites like The Pirate Bay from which .torrent files are publicised.

If the publisher owns the copyright and the torrent is genuine, all this sharing is fine; unfortunately this isn’t always the case.

Tackling piracy one site at a time hasn’t worked though, so the UK’s Intellectual Property Office has come up with a new tactic. From 1 June 2017 the major search engines Google and Bing will attempt to de-prioritise unlawful sharing sites, pushing them further down their search results.

The new initiative aims to make it difficult for people to find materials that infringe copyright. The concern is twofold; first, artists want to be protected, and second, links ostensibly to pirated games, video and software can contain malware.

Lee Munson, security researcher at Comparitech.com, said:

“While not every pirate site hosts or links to misnamed files, Trojan-laden porn or malware-infected movie files, many do and, even though security software should be in place, we all know that a great many people do run into trouble on these sorts of sites.

That’s not to say that this new initiative will make malicious files a thing of the past though – the determined will still find the websites they need, however far down the search engine results pages they may fall, and the sharing of such files between family and friends will no doubt carry on unabated.”

The new demotion of pirate sites will also cover illegally streamed sporting events and is a voluntary code of conduct that will work alongside rather than replace any other initiatives.

Liam McMonagle, intellectual property partner at legal firm Thorntons, queried the efficacy of self-regulation:

“Effectively it is asking the various parties to co-operate and agree not to do certain things. It is unlikely there will be serious financial legal consequences for non-compliance – most probably search engines will promise to correct any oversights or mistakes that slip through and act on complaints.

However, getting to this point has taken some time and it will be welcomed by rights owners who might just be frustrated it doesn’t go far enough. As with other cases of self-regulation, if this doesn’t work there is the possibility of more robust legislation via the Digital Economy Bill or new legislation. That might not be straightforward to enact.”

For more on the malware hidden on torrent sites read our article Will a visit to The Pirate Bay end in malware?


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/jHzqoq86eyM/

News in brief: Concern about Windows 10; Hacks cost Yahoo; PHP gets better crypto

Your daily round-up of some of the other stories in the news

EU still has concerns about Windows 10

The EU remains concerned about the privacy of Windows 10 users despite Microsoft’s January announcement of a web-based privacy dashboard for its flagship product.

The EU’s Article 29 Working Party wrote to Microsoft last year to ask about its processing of personal data and to express concerns about the lack of control that Windows 10 users have over their data.

In a statement to Reuters the Working Party said:

…even considering the proposed changes to Windows 10, the Working Party remains concerned about the level of protection of users’ personal data

Hacks cost Yahoo $350 million

Ars Technica reports that Verizon and Yahoo have agreed a price tag of about $4.48 billion for the beleaguered internet giant. The $350 million cut is the result of Yahoo’s recent disclosure of not one but two enormous security breaches.

The breaches compromised 1.5 billion user accounts and the investigation that followed (three years later) led forensic experts to express concerns that users’ accounts may also have been accessed using forged cookies.

Those suspicions were confirmed last week when the company began warning some users that: “We believe a forged cookie may have been used in 2015 or 2016 to access your account.”

PHP gets Libsodium

The team behind PHP, the web’s most popular programming language, has voted unanimously to include the modern cryptographic library Libsodium in the next version of the language.

PHP is used on countless projects, from basic websites to huge projects like WordPress and Facebook.

The author of the RFC, Scott Arciszewski, told Bleeping Computer that adding Libsodium to PHP

…is the most logical and straightforward way to get better security in the hands of developers who wouldn’t have the time or cryptography experience to build something as secure on their own

Libsodium will appear in the upcoming 7.2 release of PHP.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/i_rZzWNZ93A/

Hacking group RTM able to divert bulk financial transfers with malware

Cybercrime group RTM is deploying complex malware based in the Delphi programming language to target Remote Banking Systems (RBS), a type of business software used to make bulk financial transfers.

The problem was severe enough to warrant an advisory in late 2016 from FinCERT, the Russian CERT responsible for fighting cybercrime targeting Russian financial institutions.

RTM is using its malware to spy on victims in a variety of ways, such as monitoring keystrokes and smart cards inserted into the system, according to security software firm ESET. The malware allows continuous monitoring of banking-related activities as well as uploading files from the compromised system to its command-and-control (C&C) server.

“The malware actively searches for export files common to popular accounting software mainly used in Russia,” said Jean-Ian Boutin, a malware researcher at ESET.

The targeted files – associated with a popular accounting software called “1C: Enterprise 8” – are likely to be of interest since they can contain details of bulk transfers, an intermediary step in RBS execution of payment orders. These text files can be tweaked by the criminals to modify recipient account details in order to trick victims into sending funds to an account maintained by (likely low-level) members of the gang.

RTM, which ESET reckons has been active since 2015, is not the first group to pursue this method of attack. Others like Buhtrap and Corkow have also targeted RBS users in the past, slowly building an understanding of the network and building custom tools to steal from corporate victims.

RTM is another manifestation of a trend in cybercrime involving specialised criminals mounting targeted attacks against financial institutions’ clients. RTM’s victims are largely located in Russia and surrounds but other groups using similar tactics are active in Western Europe.

“The growth in capabilities and methodology of groups like these, which are primarily targeting Russia at the moment, suggests that businesses in other parts of the world, vulnerable to similar attacks, are likely to be their next targets,” Boutin warned.

Last summer, MELANI, a Swiss reporting and analysis centre for information assurance, issued a newsletter warning companies against hacker groups targeting offline payment software using the Dridex malware.

ESET released a white paper (summarised in a blog post here) on RTM’s nefarious activities on Tuesday. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/21/russian_hackers_target_business_bank_transfers/

‘Hey, Homeland Security. Don’t you dare demand Twitter, Facebook passwords at the border’

Over 50 human rights and civil liberties groups, nearly 100 law professors and security experts, and lawmakers have launched a campaign against digital searches at the US border.

An open letter condemns recent comments by Homeland Security secretary John Kelly in which he proposed requiring selected non-citizens entering the US to provide the passwords to their social media accounts.

The letter has been signed by, among others, the American Civil Liberties Union, Center for Democracy & Technology, Consumer Technology Association, Electronic Frontier Foundation and Internet Society, as well as a wide range of law professors, internet engineers and security experts, including Bruce Schneier.

“Demanding passwords or other account credentials without cause will fail to increase the security of US citizens and is a direct assault on fundamental rights,” the letter argues.

It warns that the approach would not only invade people’s privacy – including those of US citizens – but also discourage travel to the United States as well as set a dangerous precedent that would likely see other countries institute similar entry requirements for US citizens.

“The first rule of online security is simple: Do not share your passwords,” the letter concludes. “No government agency should undermine security, privacy, and other rights with a blanket policy of demanding passwords from individuals.”

At the same time as the letter was published, others have published posts outlining the dangers of providing passwords and what consumers can do to avoid most of them.

New law

The issue has also attracted the attention of Senator Ron Wyden (D-OR), who sent a letter to Secretary Kelly saying he was “alarmed” by reports of Americans being detained by border agents and being pressured into handing over their smartphone PINs.

“These reports are deeply troubling,” Wyden noted, “particularly in light of your recent comments suggesting that CBP [US Customs and Border Protection] might begin demanding social media passwords from visitors to the United States.”

He continues: “Circumventing the normal protections for such private information is simply unacceptable. There are well-established legal rules governing how law enforcement agencies may obtain data from social media companies and email providers” – rules that require warrants or court orders.

He then asks five questions of Kelly, digging into the legal authority that the Department of Homeland Security (DHS) feels it possesses to demand passwords, and asks for stats on how often it has happened.

Wyden also writes that he will introduce legislation designed to “guarantee that the Fourth Amendment is respected at the border by requiring law enforcement agencies to obtain a warrant before searching devices, and prohibiting the practice of forcing travelers to reveal their online account passwords.”

Travel ban 2.0

On the same day as the outcry, the DHS published two memoranda covering immigration that Kelly noted would supersede previous policies.

Those memos are largely focused on deporting illegal immigrants currently living within the United States, although it also looks at detaining individuals attempting to enter the country and promises to hire many more customs and immigration officials in the coming year.

President Trump’s controversial travel ban remains in limbo, with the administration giving conflicting information about how it intends to respond to a decision by the Ninth Circuit Court of Appeals to temporarily block it. Meanwhile, people such as British Muslims are being turned away from America.

President Trump is reportedly planning to issue a revised executive order this week that is designed to withstand legal challenge and will continue to cover the seven Muslim-majority countries in the original travel ban order, but only block those arriving without a visa or who have never entered the country previously. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/21/campaign_against_digital_border_searches/