STE WILLIAMS

A Russian-speaking miscreant dubbed “Rasputin,” who potentially hacked into the US Election Assistance Commission and sold access to the system, has struck again, it is claimed.

Rasputin has allegedly infiltrated database servers within 60 organizations, US government agencies, and international universities. These victims include top universities NYU and Cornell in the US, and Oxford and Cambridge in the UK; the US city governments of Springfield, MA, Pittsburgh, PA, and Alexandria, VA; US state government of Oklahoma; the Fermi National Accelerator Laboratory; and the US Department of Housing and Urban Development.

The cyber-fiend has also been selling access to these vulnerable systems since December, claims Recorded Future, a computer security threat intelligence biz. The company, based in Massachusetts, says it has alerted the aforementioned victims after monitoring Rasputin’s little crime spree.

Apparently, Rasputin – named after the legendarily well-endowed mad monk – used a “proprietary SQL injection (SQLi) tool” to penetrate the databases. These data stores likely contain significant numbers of users and their personal information, which can be sold on to criminals for profit.

SQL injection has been around since databases first appeared on the internet. When a web app allows someone to pass data straight into database queries without that input being rendered safe through sanitization and filtering, that’s a SQLi vulnerability right there. This kind of bug can be exploited to command the database to do things – such as cough up all of its contents – that the web application should prevent from happening.

El Reg has sometimes likened this process to playing a Jedi mind trick on computers, instructing them to do something they’re not supposed to do.

SQLi flaws are too easy to exploit: you usually just need to twiddle the parameters in a URL to find a chink in the app’s armor, and then exploit this to get into backend databases. Free tools – such as Havij, Ashiyane SQL Scanner, SQL Exploiter Pro, SQLI Hunter, SQL Inject Me, SQLmap, SQLSentinel, SQLninja, and so on – automate the identification and exploitation of vulnerable websites, turning hacking into a “point and click” process that’s not reliant on any coding skills.

Rasputin is apparently using a custom tool he or she may have developed himself, marking the miscreant out as potentially more skilled than your average script kiddie. The villain could have bought the software off a real hacker, of course.

“Cyber criminals continue to find, exploit, and sell access to vulnerable databases, targeting web applications by industry vertical, as demonstrated by Rasputin’s latest victims,” concludes Recorded Future in a statement. “Even the most prestigious universities and US government agencies are not immune to SQLi vulnerabilities.

“This well-established but easy-to-remediate problem (though often costly), continues to vex public and private sector organizations. Economics must be addressed to fully eradicate this issue. Despite the government’s penchant for employing sticks to modify behavior, perhaps it’s time to offer financial carrots to address and fully eradicate this issue.”

The Register is also in the process of contacting the dozens of attacked organizations named by Recorded Future. Finally, please, do us all a favor, and audit your code for exploitable SQLi bugs. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/15/rasputin_hacker_sqli_rampage/

This is the third in a four-part series about SophosLabs’ 2017 malware forecast, released this week at RSA Conference in San Francisco. Part 1 looked at malware targeting Linux and Internet-of-things (IoT) devices. Part 2 examined malware targeting Android. Today’s installment is about malware designed for macOS.

Though Mac malware is comparatively rare, Apple computers are not immune, as this year’s SophosLabs malware forecast shows. Mac malware is often technically sneaky and geared towards harvesting data or providing covert remote access to thieves.

What follows are two examples: OSX/KeRanger-A, and OSX/PWSSync-B.

OSX/KeRanger-A

The first official Transmission app (version 2.90) infected with OSX/KeRanger-A was discovered in early March 2016. A couple days later the infected version was removed and placed in a hard-coded KeRanger check that was part of version 2.92.

Attackers essentially copied the ransomware formula that had served them so well on Windows. They set out to:

• Trick users into opening a file they were inclined to trust;
• Install and run the ransomware program;
• Call home to one of a list of control servers for an encryption key;
• Scramble files in the user’s home directory and on currently mounted volumes, adding the extension .encrypted each time; and
• Put a file called README_FOR_DECRYPT.txt in every directory where a file was encrypted.

Victims get the following message:

To prevent getting infected, Sophos at the time recommended the following actions:

• Consider running a Mac anti-virus that can automatically scan the files you download before you run them for the first time, and that can check out the websites you try to access before your browser gets to them.
• Make regular backups and keep a recent backup copy offline, and preferably also offsite. OS X’s Time Machine backup software can create encrypted backups, so even if the disk they’re stored on is stolen, your backup is safe from prying eyes. That means you can safely exchange backup disks with a friend or family member on a regular basis, so that you each provide the other’s offsite storage.

OSX/PWSSync-B

Another example of trouble for Mac users came in August, when a bogus version of Transmission 2.92 was uploaded that contained malware known as OSX/PWSSync-B. Ironically, the main feature added when 2.92 was released was a malware removal utility for MacOS ransomware OSX/KeRanger-A.

A similar hack applied to the Transmission app occurred that same month. The hacked Transmission program itself contained only a tiny change: a small snippet of code added at the start that loads a file called License.rtf that is packaged into the application bundle. (Last time, the sneaky extra file was General.rtf.)

The file License.rtf sounds innocent enough – what software doesn’t include a licensing document somewhere? – and opening it seems equally reasonable.

Except that this license isn’t what it seems.

It was actually an MacOS executable (program file) that:

• Configures itself as an OS X LaunchAgent so that it runs automatically every time you reboot or log on;
• Steals passwords and other credentials from your OS X Keychain, the Mac’s built-in password manager; and
• Calls home to download additional scripts to run.

Those affected:

• Have a Mac running OS X.
• Downloaded the Transmission 2.92 BitTorrent client on August 28 or 29 2016.
• Actually ran the booby-trapped Transmission app you downloaded.

The bad guys gained enough traction with these attacks for SophosLabs to expect more in 2017.

Coming tomorrow: Microsoft Word Intruders stepping outside Office

Follow @NakedSecurity
Follow @BillBrenner70

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/DPi_XFc2DgU/

Kremlin-linked spies have been blamed for cooking up malware called Xagent, which targets victims running macOS to steal passwords, grab screenshots and exfiltrate iPhone backups stored on the Mac.

Preliminary analysis by security software firm Bitdefender has uncovered links to the APT28 cyber-espionage group, elsewhere identified as a Russian military intelligence (GRU) unit blamed from last year’s infamous attack on the US Democratic Party, an earlier attack on the German Bundestag, and many more. The latest malware features the same dropper/downloader and similar command and control centre URLs, as well as the same artefacts hardcoded in the binary files as had been seen in previous strains linked to APT28 (AKA Fancy Bear).

Analysis of Xagent reveals the presence of modules that can probe the system for hardware and software configurations, grab a list of running processes and run additional files, as well as taking desktop screenshots and harvesting browser passwords.

The most important module from an intelligence-gathering perspective is the one that allows the operator(s) to exfiltrate iPhone backups stored on a compromised Mac.

Bitdefender’s previous research into APT28 can be found here [PDF]. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/15/russian_spies_blamed_mac_spyware/

Security researchers have uncovered a flaw in conference phone systems from Mitel that create a means for hackers to listen in on board meetings.

Boffins at Context Information Security managed to gain root access and take full control of a Mitel MiVoice Conference and Video Phone, potentially enabling them to listen to meetings without alerting the room’s occupants. The flaws also created a way to plant a remote backdoor on to an enterprise network.

“Conference phones are ubiquitous in modern offices and are often found in less secure areas such as meeting rooms where they are privy to sensitive discussions, whether hosting a call or just sat on the table,” said Neil Biggs, head of research at Context. “They also present an interesting attack surface, often in segregated VLANs that aren’t visible to an infrastructure penetration test so may get overlooked. It’s possible that organisations with a mature security posture might overlook the security of these kinds of devices, but it’s important to have them tested.”

The Mitel phone runs Android 2.3, which has known vulnerabilities and lacks security protections found in later versions of the operating system.

By taking advantage of the device’s automatic configuration process, security researchers were able to abuse the “Ethernet Debugging” feature and start exploring with the Android Debug Bridge (ADB) over the network.

Once in, they uncovered several weaknesses that allowed the team to escalate the attack, most of which stemmed from the firmware being in a development/testing state. These flaws included the use of publicly available Android test-keys for signing system applications.

Context reported these issues to Mitel at the end of last year, along with a remote exploit that caused the device to reboot. The manufacturer responded by coming up with a series of interim mitigations (disabling Ethernet debugging, configuring a strong admin password to prevent access to the admin menu etc) and longer-term fixes.

In response to queries from El Reg, Mitel dismissed the severity of the flaws.

The integrity of our customer systems and data is a high priority for Mitel. We are aware of vulnerabilities in the MiVoice Conference Phone/MiVoice Video Conference Phone (also known as the Mitel UC360) that may potentially introduce security risk to customers. Working in co-ordination with Context Information Security, an independent cybersecurity research firm, Mitel RD has published clear steps to fully mitigate the vulnerabilities on mitel.com. As of now, there are no known customer security breaches associated with this vulnerability.

Mitel’s advisory can be found in its security centre here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/15/mitel_boardroom_phone_hack_risk/

NSS results are based on incomplete and materially incorrect data, CrowdStrike CEO George Kurtz says.

A security vendor’s failed attempt to prevent a report containing details on its product’s capabilities from being released at the RSA conference in San Francisco this week has focused attention on the need for more widely accepted testing and validation services for security technologies.

The report is from NSS Labs, a company that bills itself as an independent security product-testing firm, which also sells its own threat protection platform.  NSS recently conducted security tests on Advanced Endpoint Protection (AEP) products from 13 vendors and released the results of its testing at RSA this week.

Each of the products, according to NSS, was tested against multiple attack threat vectors for their resilience against evasion techniques, their tendency to generate false positives, and other metrics. The products were then graded for their overall security effectiveness and total cost of ownership per protected endpoint agent and assigned a rating of “Recommended,” “Security Recommended” or “Caution”.

Security vendor CrowdStrike, one of two vendors in the report to garner a “Caution” rating filed a lawsuit in federal court in Delaware last week seeking to prevent NSS from releasing the report at RSA. In a legal brief, CrowdStrike claimed that NSS’ analysis of its Falcon advanced endpoint protection technology was based on incomplete testing conducted via illegally obtained access to its software and against CrowdStrike’s specific instructions to stop.

The court dismissed CrowdStrike’s request for a temporary restraining order and preliminary injunction against NSS Labs on the grounds that the company had failed to show how it would suffer irreparable harm from the report becoming public. It will now decide whether NSS acted illegally when conducting its tests on CrowdStrike’s Falcon technology.

George Kurtz, president and CEO of CrowdStrike says his company’s dispute with NSS has to do with the incompetent manner in which the tests were initially conducted and the fact that the results are based on incorrect and materially incomplete information.

CrowdStrike first hired NSS last year to conduct private testing on Falcon but quickly put a halt to it over concerns about the competency of the testing and the methods used, Kurtz says. As one example he pointed to NSS flagging legitimate software such as Skype and Adobe as malicious, during testing.

Even after paying a total of $150,000 for two private tests on Falcon, CrowdStrike was left with no confidence about NSS’ abilities and decided not to participate in a subsequent public test of advance endpoint protection products by NSS.

NSS however, proceeded to conduct public tests on Falcon anyway, using access it obtained illegally via a reseller. When CrowdStrike discovered what was going on the company immediately pulled NSS’ access to Falcon. So any subsequent conclusion that NSS made about Falcon’s effectiveness were based on incomplete and materially incorrect information and without all product features being turned on, Kurtz says.

“This is not about trying to silence independent research,” Kurtz says. “We welcome open, fair, transparent and competent testing. We didn’t necessarily see it here. This isn’t the Consumer Reports of cybersecurity. It’s bad tests, bad data and bad results.”

The episode shows why it is important to have more standard processes and organizations for testing the effectiveness of security products, he says. While companies like NSS Labs purport to be independent and unbiased, he says they have a for-profit business model and make money selling test reports and their own security platforms. “Unfortunately, there is no Underwriters Laboratories or testing house for security products,” Kurtz says.

Vikram Phatak, CEO of NSS Labs expressed regret over CrowdStrike’s stance. “We obviously disagree and are disappointed with Crowdstrike’s characterization of NSS,” he said in emailed comments.

Though Crowdstike’s request for a temporary restraining Order and preliminary injunction were denied by the federal court, the lawsuit itself is still pending.  “So we are limited in what we can say,” Phatak said. “Whether or not it is their intent, their suit has the effect of keeping us from debating the facts publicly.”

Such disputes over product testing and validation are not unusual says Pete Lindstrom, an analyst with IDC. Still, it is slightly unsettling when companies get as aggressive as CrowdStrike did in its dispute with NSS Labs, he says.

Technology buyers generally understand the limitations of product testing and know how difficult it can be for testers to replicate actual real world conditions when assessing the effectives of security products, Lindstrom says.

“In my mind security vendors should be looking for ways to get more information about the efficacy of their products out into the market,” he notes. “Anyone confident in their solution, should be willing to do that even within the limitations of testing.”

As long as all the circumstances of the testing are described fully and vendors have a chance to rebut claims, users are well served, Lindstrom said. An enterprise buyer that is already interested in CrowdStrike for instance is unlikely to view the company negatively based on one report, especially if all details are fully available.

 “These reports are generally used for confirmation rather than negation,” he says.

Related Content:

• What to Watch ( Avoid) At RSAC
• Darkness Hope On Display At RSA Conference Keynotes
• National Security, Regulation, Identity Top Themes At Cloud Security Summit

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year … View Full Bio

Article source: http://www.darkreading.com/endpoint/crowdstrike-fails-in-bid-to-stop-nss-labs-from-publishing-test-results-at-rsa/d/d-id/1328154?_mc=RSS_DR_EDT

RSA Conference: Brad Smith also says the world needs a “Digital Geneva Convention” to establish the international rules for nation-state cyber conflict.

RSA CONFERENCE – SAN FRANCISCO – Amid a cacophony of discussions about retaliation for nation-state cyberattacks here, Microsoft president and chief legal officer Brad Smith, today, took a different tack – urging the global tech industry to stay politically neutral, regardless of where they’re headquartered.

“Instead of nation-states being met by other nation-states, they are being met by us,” the cybersecurity and tech sector, Smith said. “We are the first responders.

“Even in an age of rising nationalism, we need to be a neutral digital Switzerland,” Smith said. “We will assist and protect customers everywhere. We will not aid in attacking customers anywhere.”

The world needs to retain its trust in technology, he said, and every government, regardless of its policies, needs a government IT that it can trust.

Smith also proposed a “Digital Geneva Convention” to set the international laws and procedures for cyber conflict, as well as the establishment of a new and independent oversight organization with the international credibility to monitor and attribute cyber attacks. 

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad … View Full Bio

Article source: http://www.darkreading.com/attacks-breaches/microsoft-president-says-tech-industry-should-be-neutral-digital-switzerland/d/d-id/1328157?_mc=RSS_DR_EDT

At RSA Conference, BAE Systems Vice President of Cyber Security Strategy Colin McKinty discusses businesses’ wide challenges of understanding and responding to the threat landscape.

Article source: http://www.darkreading.com/new-bae-systems-study-digs-into-defense/v/d-id/1328162?_mc=RSS_DR_EDT

At RSA Conference, Mike Wyatt, Managing Director of Deloitte Advisory Cyber Risk Service, discusses the identity management landscape and its growing importance, from “least privileges” to identity-as-a-service.

Article source: http://www.darkreading.com/deloitte-tackles-identity-management/v/d-id/1328163?_mc=RSS_DR_EDT

At RSA Conference, Hugh Njemanze, CEO of Anomali talks about threat intelligence and the benefit of bi-directional information sharing with government agencies, as well as the benefit of free software.

Article source: http://www.darkreading.com/anomali-talks-threat-intelligence-and-info-sharing/v/d-id/1328164?_mc=RSS_DR_EDT

At the RSA Conference, Pete Chestna, Director of Developer Engagement at Veracode, discusses the persistent challenges of both continuous delivery and relentless attacks on the application layer.

Article source: http://www.darkreading.com/veracode-tackles-app-sec-and-the-pace-of-devops/v/d-id/1328165?_mc=RSS_DR_EDT