STE WILLIAMS

ASLR-security-busting JavaScript hack demo’d by university boffins

Researchers in Europe have developed a way to exploit a common computer processor feature to bypass a crucial security defense provided by modern operating systems.

By abusing the way today’s CPUs manage system memory, an attacker can discover where software components, such as libraries and RAM-mapped files, are located in virtual memory. With these locations in hand, malicious code can find and use particular instructions and data within these components to start hijacking a computer system.

Specifically, the researchers have shown how to defeat address space layout randomization (ASLR). This is a mechanism provided by operating systems – from Windows and Linux to macOS and the BSDs – that randomizes where each application’s executable, libraries, heap and stack are placed in its virtual address space. This makes it tough for attackers to run exploit code that expects widgets of code and data in specific spots in memory. Without the base addresses for these components, attackers are blindfolded and their hack attempts usually fail.

If naughty code – such as JavaScript running on a malicious webpage – can discern where these libraries and other objects are positioned at runtime, a follow-up exploit on the page can use this leaked information to reliably attack browser bugs and move onto the next stage of the intrusion: usually this involves performing system calls to spawn new processes, download payloads, and gain control of the host system.

Dutch researchers Ben Gras, Kaveh Razavi, Erik Bosman, Herbert Bos, and Cristiano Giuffrida of Vrije Universiteit (VU) in Amsterdam have come up with clever JavaScript that, while running silently on a webpage, can observe the processor’s memory management unit (MMU) in operation by measuring precise timings between memory accesses, work out where key data and code is mapped in memory, and render ASLR protections ineffective.

The MMU – present in desktop, mobile and server chips – is programmed by the operating system kernel to control where objects in virtual memory are held in physical memory. The time it takes for the unit to look up a physical address from a virtual memory access can be used, when performed over and over, to gradually leak the location of components.

The team has been able to write a proof-of-concept demonstration of the security weakness entirely in JS, and they say the code works on multiple architectures – including Intel and AMD x86 chips, and ARM-compatible cores.

“The memory management unit of modern processors uses the cache hierarchy of the processor in order to improve the performance of page table walks. This is fundamental to efficient code execution in modern processors,” the team explained today.

“Unfortunately, this cache hierarchy is also shared by untrusted applications, such as JavaScript code running in the browser.”

This, the VU team says, is what makes this vulnerability so significant. An attacker could embed the malicious JavaScript code in a webpage, and then run the assault without any user notification or interaction.

Because the assault does not rely on any special access or application flaws, it works on most browsers and operating systems. The researchers say that when tested on up-to-date web browsers, the exploit could fully unravel ASLR protections on 64-bit machines in about 90 seconds.
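The reason a page-table walk leaks address bits at all is the layout the quote above describes: on x86-64 each of the four levels indexes a 4 KiB table of 512 eight-byte entries with 9 bits of the virtual address, those tables are fetched through the ordinary data caches, and a 64-byte cache line holds 8 entries, so the line touched at each level is fixed by the top 6 of those 9 bits. The following C program is an added illustration of that arithmetic, not the researchers’ code: it computes which entry and cache line a walk touches for a constructed sample address, then shows which address bits an observer who learns only the cache lines can reconstruct. The constants are architectural; the attack’s actual timing measurement, and the steps by which it recovers more than these 24 bits (the page quotes 27), are not reproduced here.

```c
#include <stdint.h>
#include <stdio.h>

/* x86-64 4-level paging constants (architectural, not from the paper). */
#define PT_LEVELS        4
#define INDEX_BITS       9        /* bits of VA consumed per level        */
#define PAGE_SHIFT       12       /* 4 KiB pages                           */
#define PTE_SIZE         8
#define CACHE_LINE       64
#define ENTRIES_PER_LINE (CACHE_LINE / PTE_SIZE)   /* 8 entries per line   */
#define LINE_BITS        3                         /* log2(ENTRIES_PER_LINE) */

struct walk {
    unsigned index[PT_LEVELS];   /* entry index at PT, PD, PDPT, PML4 (0..511)      */
    unsigned line[PT_LEVELS];    /* cache line of that entry in the table page (0..63) */
};

/* Which entry, and therefore which cache line, the MMU touches at each level. */
struct walk page_walk(uint64_t va)
{
    struct walk w;
    for (int lvl = 0; lvl < PT_LEVELS; lvl++) {
        unsigned shift = PAGE_SHIFT + lvl * INDEX_BITS;
        w.index[lvl] = (unsigned)((va >> shift) & ((1u << INDEX_BITS) - 1));
        w.line[lvl]  = w.index[lvl] >> LINE_BITS;
    }
    return w;
}

/* Mask of the VA bits that the per-level cache lines determine: at each level
 * the 6 bits above the 3 intra-line bits. 4 levels * 6 bits = 24 bits. */
uint64_t leaked_mask(uint64_t va)
{
    (void)va;  /* the mask is the same for every address */
    uint64_t known = 0;
    for (int lvl = 0; lvl < PT_LEVELS; lvl++)
        known |= (uint64_t)0x3f << (PAGE_SHIFT + lvl * INDEX_BITS + LINE_BITS);
    return known;
}

/* Reconstruct those bits from the observed lines alone. */
uint64_t leaked_bits(uint64_t va)
{
    struct walk w = page_walk(va);
    uint64_t bits = 0;
    for (int lvl = 0; lvl < PT_LEVELS; lvl++)
        bits |= (uint64_t)(w.line[lvl] & 0x3f) << (PAGE_SHIFT + lvl * INDEX_BITS + LINE_BITS);
    return bits;
}

unsigned walk_index(uint64_t va, int lvl) { return page_walk(va).index[lvl]; }
unsigned walk_line(uint64_t va, int lvl)  { return page_walk(va).line[lvl]; }

int popcount64(uint64_t x)
{
    int n = 0;
    for (; x; x >>= 1) n += (int)(x & 1);
    return n;
}

int main(void)
{
    uint64_t va = 0x00007f1234567890ULL;   /* constructed user-space address */
    static const char *name[PT_LEVELS] = { "PT", "PD", "PDPT", "PML4" };
    struct walk w = page_walk(va);

    for (int lvl = 0; lvl < PT_LEVELS; lvl++)
        printf("%-4s entry %3u -> cache line %2u\n", name[lvl], w.index[lvl], w.line[lvl]);

    printf("cache lines alone fix %d bits of the address: 0x%016llx (mask 0x%016llx)\n",
           popcount64(leaked_mask(va)),
           (unsigned long long)leaked_bits(va),
           (unsigned long long)leaked_mask(va));
    return 0;
}
```

The 12 page-offset bits and the 3 intra-line bits at each level are not recovered by line position, which is why the bits determined by the lines are exactly those a timing observer of the caches can hope to learn; the low bits of each index need finer-grained tricks that this model does not attempt.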

Infecting a system does not end there, of course: it just means ASLR has been defeated. The next step is to use this memory location information to launch a viable and reliable attack on bugs within the browser. Without this location information, the follow-up exploit would be fumbling in the dark. With the information, it’s easier to fully exploit the browser bugs. Below is a video of the JS code working in Firefox on a 64-bit Linux machine.

Youtube Video

The researchers conclude that developers should not rely on ASLR as a strong security protection, and they should implement other measures to harden their browsers against exploits. Apple has already done just that, and acknowledged the VU researchers in its latest WebKit update – see the final note on that page.

For normal folk, the VU team suggests the best defense for now is to block untrusted JavaScript from executing with the use of a browser plugin such as NoScript. Future editions of browsers could come with builtin measures to potentially thwart MMU timing attacks.

Fully eliminating the vulnerability, however, will be difficult, and the group suggests effective protections may not be feasible until next-generation processors feature hardware mechanisms to defeat MMU side-channel snooping. The vulnerability is similar to the jump-over-ASLR technique we reported on in October.

We asked the Amsterdam team if their MMU timing vulnerability, dubbed AnC, is, honestly, practical to exploit. A lot of these types of flaws can be leveraged easily in a research lab, where conditions are quiet, controlled and ideal for attackers.

However, in the real world, computer systems are far more noisy, with CPU cores accessing all kinds of patterns of data, and processes being switched in and out of context as the user does their thing. That randomness tends to mess up timing-based attacks by introducing unexpectedly large latencies.

“There is no doubt that this side channel attack works and is practical on everyday browsers,” Gras told The Register. He continued:

Most previous work on side-channel attacks assumes that the attacker is running in a different process or virtual machine but on the same machine. Further, they usually attack cryptographic operations, something that the average Internet user does not usually do. The difference with AnC is that it runs from JavaScript and targets something that every Internet user relies on for security, namely ASLR.

The attack is also quite practical: it runs on any architecture that we tried and can quickly break 27 bits of entropy within a few seconds. As a reference, Microsoft Windows only provides 24 bits of entropy for its heap.

The prototype was implemented on normal browsers on normal Linuxes. The video on the AnC project’s page visualizing the attack in Firefox is real and not cherry-picked. Just for completeness’ sake however, this does not mean the prototype is ready to be deployed as an in-the-wild attack – our goal is to prove that it is possible to use this work in a realistic attack, not to actually do it. The Chrome version relies on a feature that is still being standardized and not enabled by default (JavaScript shared memory), but is on schedule to be in the future. Also, the scope of this work is that we are breaking ASLR and therefore an additional memory corruption bug is needed to complete an exploit chain. This greatly reduces the burden on the attacker however, who would normally need another bug to leak ASLR information.

“We are confident that with additional engineering effort, this work can be part of a realistic attack,” Gras concluded. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/14/aslr_busting_javascript_hack/

Inside Confide, the chat app ‘secretly used by Trump aides’: OpenPGP, OpenSSL, and more

Rumors that President Donald Trump’s aides are using an encrypted messaging app called Confide has landed the software firmly in the spotlight – and under the security microscope.

The Washington Post on Monday mentioned that Confide, built by a startup in New York City, is used by some White House staffers to gossip in private. The app was billed by the newspaper as “a secret chat app – that erases messages as soon as they’re read.” The aides, fearful of being accused of leaking to the press, turned to Confide in an attempt to cover their tracks and stay off the radar.

This is not the first time Confide has appeared in the national news conversation. In 2014, the app was pitched to big biz in the wake of the Sony Pictures network intrusion as a safe means to communicate without being bothered by hackers. What was missing from Confide’s pitch, however, was much in the way of details about how the application delivered on its promise of secure auto-destructing end-to-end encrypted messaging.

Given that foreign spies, as well as Uncle Sam’s own snoops, will now definitely be all over this thing like a sore rash, The Register asked Confide for more info: how does the encryption work, what is done to thwart eavesdroppers, and so on.

And we were told the software, available for iOS and Android, basically uses the OpenPGP standard to perform public-private cryptography, uses AES for ephemeral per-message encryption, and exchanges public keys between users via TLS connections with certificate pinning. To us, this sounds like the public keys travel through Confide’s servers: if so, the app maker can, or could be forced to, eavesdrop on conversations by substituting keys mid-exchange. It does mean, though, that it’s tricky for outsiders to intercept and successfully crack messages.

“Confide uses public/private key cryptography with ECDH for key agreement and per-message AES keys to encrypt the message payloads,” Confide cofounder and president Jon Brod told El Reg on Tuesday evening.

“In addition, we use recommended best practices to ensure the security of network connections, such as using TLS 1.2 with certificate pinning to prevent against man-in-the-middle attacks.”

Using OpenPGP and TLS cert pinning is a solid start, although we weren’t told the key lengths. The app’s methods are better than the questionable home-brew crypto used in some other chat applications. The software appears to use OpenSSL 1.0.2j, which means it contains any security bugs patched since September 2016 and it isn’t FIPS 140-2 validated.

“The encryption appears to operate like most other end-to-end encrypted apps, where public and private keys are generated,” said computer forensics expert Jonathan Zdziarski, who studied the Confide app earlier today.

“In the case of Confide, an ephemeral key seems to be in play to encrypt messages themselves with a symmetric cipher. What seems different about this encryption is that it appears to regenerate the public key under certain circumstances. It’s unclear why, but unlike Signal and WhatsApp, which consider it something to alert you about if your public key changes, Confide appears to consider this part of its function.

“Key exchange is always the most difficult part of good encryption routines. Depending on whether or not Confide is able to detect this and warn the user, it’s possible – although not confirmed – that the application could be susceptible to the same types of man-in-the-middle attacks that we’ve seen theorized in WhatsApp (if you leave the alerts off) and iMessage.”

Zdziarski continued: “This one’s a tough call … Ultimately, the application warrants a cryptographic review before I could endorse its use in the White House. If I were the White House’s CIO, I would – other than hate my life – not endorse any third-party mobile application that didn’t rely on FIPS 140-2 accepted cryptographic routines, such as Apple’s common crypto.

“OpenSSL is very clear about not being FIPS validated, and ultimately it would be up to the manufacturers of Confide to have each individual version of their software validated under FIPS. Nonetheless, as difficult as the FIPS validation process is, should the application not have been validated, it has no place in government, in my opinion.

“The app at least attempts to do what it says it does, and I don’t see any obviously gaping holes. That doesn’t mean it’s perfect, and it obviously has at least a few disagreeable functions – such as retaining undelivered messages. On the whole, it may be fine for personal conversation, but I would recommend a more proven technology, such as Signal, if I were to have my pick of the litter.”
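The man-in-the-middle risk Zdziarski describes comes from a server-mediated key exchange: whoever runs the server can hand a client a substitute public key, and a client that silently accepts a regenerated key has no defence. The C program below is an added illustration of the countermeasure Signal and WhatsApp apply, not Confide’s code: the client pins the first key it sees for a contact and raises an alert when a different one arrives, leaving it to the user to verify the new fingerprint out of band before it is accepted. The fingerprint is 64-bit FNV-1a over the raw key bytes, a stand-in for the SHA-256-based safety numbers real messengers display, and the keys are constructed byte strings rather than real ECDH keys.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_CONTACTS 16
#define NAME_LEN     32

enum pin_result { PIN_FIRST_USE, PIN_MATCH, PIN_KEY_CHANGED, PIN_STORE_FULL };

struct pin       { char name[NAME_LEN]; uint64_t fp; int used; };
struct pin_store { struct pin pins[MAX_CONTACTS]; };

/* 64-bit FNV-1a over the key bytes; stands in for a SHA-256 safety number. */
uint64_t fingerprint(const uint8_t *key, size_t len)
{
    uint64_t h = 0xcbf29ce484222325ULL;   /* FNV-1a offset basis */
    for (size_t i = 0; i < len; i++) {
        h ^= key[i];
        h *= 0x100000001b3ULL;             /* FNV prime */
    }
    return h;
}

static struct pin *find_pin(struct pin_store *s, const char *name)
{
    for (int i = 0; i < MAX_CONTACTS; i++)
        if (s->pins[i].used && strncmp(s->pins[i].name, name, NAME_LEN) == 0)
            return &s->pins[i];
    return NULL;
}

/* Trust on first use: pin an unknown contact's key, otherwise compare with
 * the pinned fingerprint. A mismatch is never accepted silently. */
enum pin_result check_pin(struct pin_store *s, const char *name,
                          const uint8_t *key, size_t len)
{
    uint64_t fp = fingerprint(key, len);
    struct pin *p = find_pin(s, name);
    if (p)
        return p->fp == fp ? PIN_MATCH : PIN_KEY_CHANGED;
    for (int i = 0; i < MAX_CONTACTS; i++) {
        if (!s->pins[i].used) {
            strncpy(s->pins[i].name, name, NAME_LEN - 1);
            s->pins[i].name[NAME_LEN - 1] = '\0';
            s->pins[i].fp = fp;
            s->pins[i].used = 1;
            return PIN_FIRST_USE;
        }
    }
    return PIN_STORE_FULL;
}

/* Called only after the user has compared the new fingerprint out of band. */
int accept_new_key(struct pin_store *s, const char *name, const uint8_t *key, size_t len)
{
    struct pin *p = find_pin(s, name);
    if (!p) return 0;
    p->fp = fingerprint(key, len);
    return 1;
}

/* Scripted exchange (constructed): Bob's real key, the same key again, a key
 * swapped in by the server, then Bob's real key once more. Returns how many
 * key-change alerts the client raises (the pin is untouched by the swap). */
int simulate_key_substitution(void)
{
    static const uint8_t bob_key[]  = "constructed-bob-ecdh-public-key";
    static const uint8_t fake_key[] = "constructed-key-injected-by-server";
    const uint8_t *seen[] = { bob_key, bob_key, fake_key, bob_key };
    size_t lens[] = { sizeof bob_key, sizeof bob_key, sizeof fake_key, sizeof bob_key };
    struct pin_store store;
    int alerts = 0;

    memset(&store, 0, sizeof store);
    for (int i = 0; i < 4; i++) {
        enum pin_result r = check_pin(&store, "bob", seen[i], lens[i]);
        printf("message %d: %s\n", i + 1,
               r == PIN_FIRST_USE   ? "pinned on first use" :
               r == PIN_MATCH       ? "key matches pin" :
               r == PIN_KEY_CHANGED ? "KEY CHANGED - verify before sending" :
                                      "pin store full");
        if (r == PIN_KEY_CHANGED) alerts++;
    }
    return alerts;
}

int main(void)
{
    printf("alerts raised: %d\n", simulate_key_substitution());
    return 0;
}
```

Trust on first use does not protect the very first exchange, which is why messengers pair it with an out-of-band fingerprint comparison; an app that treats key regeneration as routine, as the quote suggests Confide does, cannot distinguish that first exchange from a substitution later on.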

A spokesperson for the White House was not available to comment on the rumors. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/15/white_house_drama_and_confide_app/

Meet LogicLocker: Boffin-built SCADA ransomware

Let’s start with the “calm down” part of the article: yes, LogicLocker is ransomware designed for programmable logic controllers, but no, the cyber-geddon isn’t upon us.

LogicLocker is a proof-of-concept written by David Formby, Srikar Durbha and Raheem Beyah of Georgia Tech (Formby and Beyah also disclose an affiliation with a low-profile startup called Fortiphyd Logic).

The software’s scope, as described in the researchers’ paper (PDF), is limited for now: “LogicLocker uses the native sockets API on a Schneider Modicon M241 to scan the network for known vulnerable targets, namely Allen Bradley MicroLogix 1400 PLCs [programmable logic controllers – Ed] and Schneider Modicon M221 PLCs”.

If it finds those two specific devices, it bypasses their “weak authentication mechanisms”, locks out legitimate users, and plants a logic bomb to “dangerously operate physical outputs”.

In other words: the work paradoxically highlights how fragmented APIs confine attackers to specific devices. The authors note this is “the first” cross-vendor worm targeting PLCs.

In a nod to the world’s “first cyber-attack” on industrial control infrastructure (a Queensland water treatment plant attacked by an insider with admin rights), the researchers posted this demonstration video to YouTube:

Youtube Video

We note that the Georgia Tech researchers’ targets have a record of problems.

Only a relatively low number of users turned up in the authors’ Shodan scan: 1,429 MicroLogix 1400 systems and 250 Schneider Modicon M221s.

The Register notes that while sending dangerous commands to industrial kit is a terrifying thought at first sight, a factory operator has the option to shut the plant down and restore the original firmware. The paper says a response plan “could involve keeping backups of critical programs on the premises and having personnel trained in how to reflash and restore PLC programs quickly.”

As for the company affiliation in the paper: Fortiphyd Logic seems new, with only a placeholder web presence, and a Twitter account with nothing to say except that Fortiphyd “secures industrial control system networks against nation-state level attackers”.

We’ve asked the researchers for more detail on the company, and will update this story when we get a response. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/15/logiclocker_scada_ransomware/

Ransomware attackers shift focus and resources to high-value sectors

Ransomware attacks shifted focus last year to the industries most likely to pay up, such as healthcare, government, critical infrastructure, education and small businesses.

Phishing volume grew by an average of more than 33% across the five most-targeted industries, according to a study released by phishing defense company PhishLabs last week.

Phishing is, by far, the most prevalent way for ransomware to latch on to organizations’ files and encrypt them, holding them ransom until a) the victims pay for a decryption key, b) the victims pay for a decryption key that never comes because crooks took the money and ran, or c) until victims snub crooks’ demands and their data winds up destroyed.

PhishLabs noted that ransomware has had a high infection rate but a low rate of success, given that a “small fraction” of victims pay the ransom. It’s growing in popularity nonetheless, given that it’s simple, it’s profitable, and it’s viable. From the report:

Ransomware allows attackers to effectively utilize one configuration for all targeted users. It also allows for instant monetization – there are no credentials to sell, no fraudulent transactions to initiate, and no further social engineering is required.

In addition, cryptocurrency’s injection into the mainstream economy has meant that crooks aren’t sticking their necks out by relying on credit card payments or prepaid cards: old-school payments that don’t keep criminals as anonymous as their now preferred payment mechanisms, such as Bitcoin.

Simon Reed, SophosLabs Guru, agrees that it’s good business for the bad guys. He says:

Ransomware has been the most dominant and most successful commercial malware attack of recent times. Cyber-criminals have succeeded in developing a viable and sustainable commercial business against the unprotected or unprepared.

Another key to ransomware’s viability and profitability has been a shift away from targeting individuals and instead going after companies that have little option but to pay.

Hospitals are a prime example. Hollywood Presbyterian was held to ransom a year ago and coughed up $17,000 to get back its vanished EMRs, access to X-ray and CT scan info and ability for employees to turn on their computers again, after a week of shutting off computers and relying on fax machines and paper records.

Multiple studies have shown that healthcare is attacked more than any other industry, and it’s easy to see why: simply put, because that’s where the money is.

The profit can come through ransomware payments or by selling extremely profitable medical records.

According to account monitoring company LogDog, coveted Social Security numbers were selling on the Dark Web for a measly $1 as of last February – the same as a Facebook account. That pales in comparison with the asking price for medical data, which was selling for $50 and up.

Healthcare IT is just like every other kind, except it’s more critical. Law enforcement is one industry that can say no to paying ransom … and lose years’ worth of digital evidence in a ransomware attack, as happened earlier this month to a Texas police department.

That was a mess, but nobody’s life was lost. In contrast, lives are always at stake when it comes to access to healthcare IT, making the possibility of ransomware payments far more likely.

With regards to crooks focusing on businesses instead of individuals, PhishLabs says the crooks’ targeting schemes are maturing. Rather than broadcasting attacks, as the year went on, there was a shift toward targeted spear-phishing campaigns that focused on small businesses, schools, government agencies, critical infrastructure facilities, and medical facilities.

They’re prime targets for a few reasons cited in the report:

  • They have valuable data. Data availability is paramount to the day-to-day operations of these organizations and in many cases, they’re willing to pay a ransom to restore access quickly.
  • They often have small budgets for IT staffing and may not be adequately prepared to protect their IT assets or respond to an incident.
  • Such organizations are often subject to regulations that can complicate their ability to create and store backups. In such cases, paying a ransom may be the only means to recover the encrypted data.

Future trends in ransomware

It’s nasty enough now, but there are already new trends beginning to develop. For example, PhishLabs notes that a large percentage of ransomware targets Windows users, but it’s starting to see some malware authors begin to create samples targeting other platforms, and it’s expecting to see more sophisticated malware targeting OS X, Linux, server operating systems, and mobile platforms.

Other developing trends include increased attacks on the Internet of Things (IoT). Not surprising, given the state of security in these proliferating connected gadgets, far too many of which are vulnerable due to being designed without adherence to the information security principle of least privilege.

PhishLabs says that attackers are also likely to seek expanded functionality. Whereas ransom messages have long threatened public disclosure, recent ransomware samples have actually included exfiltration functionality to allow such threats to be acted upon.

The company’s also seen ransomware samples enrolling computers in botnets, stealing bitcoin wallets, purposefully destroying data, and harvesting email addresses and login credentials.

Simon Reed adds:

Now we see the cyber-criminals optimizing the business model and focusing on increasing their return-on-investment by being more selective, going deeper to achieve a successful attack and widening the range of IT assets being targeted.

What to do?

We regularly offer advice on preventing (and recovering from) attacks by ransomware and other nasties.

Here are some links we think you’ll find useful:




Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/xflTG_BtrlQ/

No, you can’t get Verizon Unlimited free for 12 months

The new unlimited data plan from Verizon isn’t bad. But “free?” For one year? Only in scam tweets and your dreams!

Following a couple of Super Bowl ads from competitors Sprint and T-Mobile that made fun of it for the taxes, fees, rates, and lack of unlimited data it inflicts on its customers, Verizon gave up and joined the unlimited data party with an $80 plan (on down to $45 per line for four lines: here are the details).

Since last week, when the new unlimited plan was announced, various fake Verizon Unlimited Twitter accounts have appeared, and phishers have likewise been sending out bogus offers to upgrade. All you have to do is retweet the offer, or click and go fill in your details…

Oops! Data plan scammer time!

Product Reviews captured one fake Twitter account that was offering Verizon Unlimited “FREE for 12 months” in exchange for retweets. The @VZUnlimited account, which wasn’t verified but bore Verizon’s logo and was named Verizon Unlimited, has since been suspended, as have other scam accounts.

Verizon has been warning customers about a variety of phishing email scams, providing a list of scam samples that goes back to 2014.

The most recent addition to that list was a phishing message dated this past Sunday.

Coming from an email account name of “Verizon Online”, the message told recipients that Verizon would be replacing its “Classic” version of email service with a new, updated version as of Monday. Or, as the poorly copyedited phish put it, on “Mondaya”.

Monday, February 13, is the same day that the Unlimited Data plans went live.

Don’t fall for it!

Verizon’s advice:

  • Don’t respond to the email in any way.
  • Don’t click on any links.
  • Don’t open any attachments.
  • Don’t provide any data to any web sites mentioned.

Beyond Verizon’s advice, we often offer our own on how to protect against phishing attacks. These steps can help:

  • Pick proper passwords. Even though strong passwords don’t help if you’re phished (the crooks get the strong password anyway), they make it much harder for crooks to guess their way in.
  • Use two-factor authentication whenever you can. That way, even if the crooks phish your password once, they can’t keep logging back into your email account.
  • Consider using Sophos Home. The free security software for Mac and Windows blocks malware and keeps you away from risky web links and phishing sites.

Here are more tips to help you recognize, and steer clear of, phishing links.

And just because it’s funny, here’s Sprint’s Super Bowl ad, advising Verizon customers not to fake their own deaths to get out of paying fees!


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/cF1dgic0PVc/

News in brief: flying cabs for Dubai; UK hit by cyberattacks; Googlers quit after earning too much money

Your daily round-up of some of the other stories in the news 

Dubai set for flying taxis ‘in July’

Flying cars are all the rage: yesterday we reported on the promise by a Dutch company to ship its first vehicles next year, but if you can’t wait that long, head for Dubai this summer and you might be able to try out a flying taxi.

The city’s Road and Transport Authority said at the World Government Summit that Dubai hoped to have pilotless drones, which can carry 100kg plus “a small suitcase” and will have a range of 30km “available starting July 2017”.

Dubai is planning to use the Chinese-made EHang 184, according to Associated Press, which will transport its passenger between fixed points. The passenger will pick a destination within the craft’s 50km, half-hour range from a touchscreen and be flown there at a speed of around 100kph.

Britain hit by 188 ‘high-level’ cyberattacks in three months

The UK is facing dozens of cyberattacks a day from state-sponsored hackers, the head of the National Cyber Security Centre has warned, and suffered 188 “high-level” attacks in the past three months.

Ciaran Martin’s warning came as the Queen officially opened the NCSC’s headquarters in London on Tuesday. The centre, whose parent organisation is GCHQ, has been set up “as a bridge between industry and government, providing a unified source of advice, guidance and support on cyber-security, including the management of cyber-security incidents”, according to its report introducing its work.

Over the weekend Martin pointed to a “step-change” in what he described as “Russian aggression in cyberspace”. He added: “Part of that step-change has been a series of attacks on political institutions, political parties [and] parliamentary organisations.”

That was underscored by Philip Hammond, the chancellor of the exchequer, who said ahead of the opening: “The cyberattacks we are seeing are increasing in their frequency, their severity and their sophistication.”

Huge payouts led Googlers to quit Waymo

Google’s program to develop self-driving cars has been so successful that staffers have been leaving the project, now known as Waymo. The reason? They were earning so much money they didn’t need the job any more, according to Bloomberg.

That’s down to “an unusual compensation system”, Bloomberg reported, that awarded staffers such huge payouts that not only could some of the early employees leave, they could launch their own start-ups, some of which have gone on to become competitors to Waymo.

Some early staffers left to set up a self-driving trucks company called Otto, which in turn was snapped up by Uber for $680m in August last year. Alphabet, Google’s parent company, has apparently walked back on that payments structure, perhaps unsurprisingly.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/JyOOEW0ieUM/

Battle of the botnets: My zombie horde’s bigger than yours

DDoS attacks more than doubled in the last quarter of 2016 compared to the same period the year before.

Although the infamous Mirai IoT botnets accounted for many of the most severe attacks, the biggest single assault came from a different zombie network, according to a new study by Akamai out Tuesday.

Attacks greater than 100Gbps increased 140 per cent in Q4 2016 compared to Q4 2015. The largest DDoS attack in Q4 2016, which peaked at 517Gbps, came from Spike, a non-IoT botnet that has been around for more than two years. Seven of the 12 100Gbps-plus attacks from the end of last year can be directly attributed to Mirai.

Martin McKeay, senior security advocate and senior editor at Akamai, commented: “Perhaps the attackers in control of Spike felt challenged by Mirai and wanted to be more competitive. If that’s the case, the industry should be prepared to see other botnet operators testing the limits of their attack engines, generating ever larger attacks.”

Akamai tracked 25 DDoS attack vectors in Q4 2016; the top three were UDP fragment (27 per cent), DNS (21 per cent), and NTP (15 per cent). The total number of DDoS attacks decreased by 16 per cent even as the volume and severity of the most potent attacks increased.

The number of web application attacks in Q4 2016 was down 19 per cent on Q4 2015.

Akamai’s State of the Internet/Security Report uses data gathered from the Akamai Intelligent Platform to provide analysis of the current cloud security and threat landscape, as well as insight into seasonal trends. The report can be downloaded here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/14/akamai_worst_of_botnets/

Roses are red, bugs make you blue, Patch Tuesday is late, because Microsoft loves you

IT admins hoping to get out of the office early for Valentine’s Day have received some potentially welcome or heartbreaking news from Microsoft, depending on how they’re set up.

The Windows slinger says it will hold back its usual monthly release of software security patches while it irons out some last-minute problems with February’s bundle.

“This month, we discovered a last-minute issue that could impact some customers and was not resolved in time for our planned updates today,” Microsoft said. “After considering all options, we made the decision to delay this month’s updates.”

This is a departure from Microsoft’s traditional second-Tuesday-of-the-month schedule for security updates. Microsoft did not say what the exact cause was for the delay – just that today’s release isn’t happening. That will be rather annoying for people waiting for a fix for the SMB link-of-death bug, we can imagine.

Meanwhile, Adobe – it’s always Adobe – says it will push out three updates to address dozens of CVE-listed vulnerabilities in Flash Player, Digital Editions, and Adobe Campaign.

For Flash Player on Windows, Mac, Linux and ChromeOS, the update will address 13 security vulnerabilities, all of which are remote code execution flaws. Users can get the patches by updating Flash Player to version 24.0.0.221. Newer browsers including Chrome and Microsoft Edge will get the updates automatically.

For those using the Adobe Digital Editions e-reader software, Adobe has released updates for nine vulnerabilities, one allowing remote code execution and eight leading to memory leaks.

Finally, anyone running Adobe Campaign on Windows and Linux should update the marketing software to version 16.8 (Build 8757 or later) in order to get fixes for two security flaws allowing security feature bypass or cross-site-scripting attacks. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/14/microsoft_patch_tuesday_delayed/

No crypto backdoors, more immigration … says Republican head of House Committee on Homeland Security

Representative Michael McCaul (R-TX), head of the US House Committee on Homeland Security, seemed a tad off-message today at the RSA USA security conference.

He told an audience in San Francisco this morning that his committee had examined proposals to demand mandatory backdoors in encryption products and software to help crimefighters snoop on people – and rejected the idea outright. It was not in American interests to weaken security we all depend on, he said.

“I believe creating backdoors into our platforms would be a huge mistake,” the Republican warned. “It would put our personal data at risk and provide the perfect platform for intrusion.”

These views are somewhat at odds with President Donald Trump, who has said technology companies should be backdooring their products to help the Feds and police. FBI director James “adult conversation” Comey won’t be amused by McCaul’s conclusions, either.

There is a problem with criminals “going dark” using encryption, McCaul accepted, so he and others are trying to put together an official commission to investigate the best way forward, using the finest minds in the security industry and government.

McCaul also clashed with official policy by saying that the US needs more skilled immigrants if it is to secure its online borders. America’s doors “must stay open,” he said, and while the H-1B system needs to be “streamlined,” we need to recruit the top talent to the US’s side.

That said, America needs to make sure it’s nurturing its own talent. The government cybersecurity scholarship scheme was bearing fruit, he said, and he was also working on raising salaries for government IT staff so that the state isn’t losing talent to private industry.

McCaul said there was “no doubt in my mind” that Russian hackers tried to influence the last election, and that his committee had been briefed on the matter. He said he was “disappointed” in the reaction of both political sides of Congress to the hacking, saying that there was a worrying lack of enthusiasm for action.

“We had the information to stop the 9/11 attacks but didn’t connect the dots, and now we’re in the same place on cyber,” he said. “We’re fighting 21st century threats with 20th century technology and a 19th century bureaucracy.”

The US must reserve the right to strike back when hacked, he said, particularly where such incursions were an attempt to disrupt the democratic process. That was a “red line” that mustn’t be crossed, he opined. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/14/republican_homeland_security_committee/

Windows Can Help Mirai Botnet Spread

Windows computers may allow cybercriminals to spread the Mirai infection by searching for other vulnerable devices.

Cybercriminals are turning to Windows computers to help the Mirai botnet find more devices to infect and expand their target list, according to Forbes. Their intention is to allow the infection to spread further and faster.

The Mirai botnet, which was responsible for last year’s crippling attack on sites like Amazon, Twitter and Netflix, infects exposed Internet of Things (IoT) devices and uses them to carry out large-scale Distributed Denial-of-Service (DDoS) attacks. Through Windows computers, hackers can further their goals by using the Mirai malware to scan other hosts’ network ports for more vulnerable devices and infect them, too.

Forbes adds that when it targets Windows machines, Mirai malware can show more malice than just infecting others. It can alter the Windows registry, create and delete files, and cause damage to SQL databases.



Article source: http://www.darkreading.com/windows-can-help-mirai-botnet-spread/d/d-id/1328138?_mc=RSS_DR_EDT