STE WILLIAMS

Hewlett Packard Enterprise Buys User And Entity Behavioral Analytics Firm

Integration expected to boost HPE’s Intelligent Edge strategy for better protection against next-gen attacks.

Hewlett Packard Enterprise has acquired Niara, a behavioral security analytics firm, which will become part of HPE Aruba.

HPE said it will integrate Niara’s technology with Aruba’s ClearPass portfolio to create a more “complete visibility and attack detection system.”

Niara is regarded as a forerunner in the User and Entity Behavior Analytics (UEBA) security market segment and is expected to boost HPE’s security strategy in wired and wireless network infrastructure for IoT.

Gartner describes UEBA as offering “profiling and anomaly detection based on a range of analytics approaches, usually using a combination of basic analytics methods and advanced analytics.”

Once Niara discovers a security incident, ClearPass can be used to isolate the exposed network, according to HPE.

“Integrating Niara’s advanced behavioral analytics with ClearPass is a natural extension that will now deliver network-wide, real time visibility and predictive assessment of potential risks inside the enterprise,” says Sriram Ramachandran, CEO and co-founder of Niara.

Terms of the deal were not disclosed.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: http://www.darkreading.com/endpoint/hewlett-packard-enterprise-buys-user-and-entity-behavioral-analytics-firm/d/d-id/1328038?_mc=RSS_DR_EDT

10 Essential Elements For Your Incident-Response Plan

The middle of a DDoS attack or ransomware infection is hardly the time to start talking about divisions of labor, or who should do what when.

Image Source: Wikimedia Commons, courtesy of PH1 Terry Cosgrove

Failing to plan, as we know from Zen masters and MBA lecturers, is planning for failure. So when things go off the tracks with networks, servers, or your data, you need to have a plan, even if it’s super-basic or seems gratuitous. Some back-of-the-envelope notes won’t do the trick, nor will trying to recall hazy remnants of conversation from that night you and a coworker discussed incident response over a couple beers.

The middle of a DDoS attack or ransomware infection is not the time to be talking about divisions of labor or who should do what, crisis communications experts remind us, and they’re right. Have an incident response plan, even if you don’t follow it to the letter, or are forced to improvise more pieces of it than you’d like. You can minimize the improvisation and come out the other side in better shape if your incident response plan incorporates many of these steps. You can also recover more quickly and get on with the business of serving customers and making money.

 

Terry Sweeney is a Los Angeles-based writer and editor who has covered technology, networking, and security for more than 20 years. He was part of the team that started Dark Reading and has been a contributor to The Washington Post, Crain’s New York Business, Red Herring, …

Article source: http://www.darkreading.com/10-essential-elements-for-your-incident-response-plan/d/d-id/1328017?_mc=RSS_DR_EDT

Netherlands Opts For Manual Vote-Count Amid Cyberattack Fears

Ballots will be counted by hand in the March 15 election after doubts surfaced over the safety and security of the electronic system.

The March 15 parliamentary elections to be held in the Netherlands will not rely on an electronic vote tally; instead, ballots will be counted by hand, reports Reuters. The decision was made by the Dutch government after security experts voiced concerns that the electronic tallying system in use was not secure and could be manipulated by interested parties – possibly Russia.

“Now there are indications that Russians could be interested, for the following elections we must fall back on good old pen and paper,” Interior Minister Ronald Plasterk told broadcaster RTL.

He does not expect the manual count to take longer than normal.

Voting in the country is done on paper, and local votes are counted by hand. However, regional and national votes are tallied electronically through a system that involves installing software from CD-ROM on outdated Internet-connected computers.

The Netherlands’ decision comes as France and Germany also prepare for elections amid concerns that foreign state-sponsored hackers could manipulate election results.

Read Reuters for details.

Article source: http://www.darkreading.com/vulnerabilities---threats/netherlands-opts-for-manual-vote-count-amid-cyberattack-fears/d/d-id/1328037?_mc=RSS_DR_EDT

Bring out your dead! Firm wants to pay big bucks for old bugs

Security firm Zimperium will spend US$1.5 million buying hacks targeting flaws in three-year-old Android KitKat and ancient versions of iOS.

The California threat detection company will splash cash acquiring private exploits against publicly patched vulnerabilities dating back to at least the 2013 Android platform, which was overtaken in March as Google’s most popular mobile operating system.

It explicitly does not want zero day exploits.

The snapping up of exploits for existing vulnerabilities is a rather novel concept, given that subscription hack brokers such as Vupen and Zerodium pay elephant bucks for exclusive zero-days.

Old exploits, however, are the highly effective bread and butter of black hat hacking. Zero days are harder to find and use.

Zimperium founder Zuk Avraham says the exploits will be handed to its private list of mobile phone clients including major carriers and manufacturers like Samsung and Blackberry. Subscribers will have between one and three months to brew patches or apply available fixes before the exploits are revealed online, unless the disclosing researcher objects.

The exploits, which require proof-of-concept demonstrations, will also help train the internal threat detection systems the company sells to clients.

“We will provide ZHA (mobile phone) partners between one and three months’ advance notice before releasing the exploit publicly, unlike most exploit acquisition programs,” Avraham says.

“We would like to encourage security researchers to provide proofs for exploitation of known vulnerabilities … multiple ZHA partners explained to us that without proof of exploitability, it’s hard to convince the security teams to allocate resources needed for a complete patch cycle, even for known issues.

“We hope this program will encourage more researchers to look into monthly security updates, and promote better patching.”

‘Beautiful’ and remote exploits will be paid more than local hacks, with figures determined by Zimperium’s respected hacker crew.

Information disclosure and other vulnerability classes are eligible for payment and crediting.

Android’s diverse ecosystem features dozens of versions and variants. That makes it hard to keep up and means telcos and handset-makers seldom push updates to users.

Only Apple devices and Google’s Nexus and Pixel lines receive immediate patching. All other devices that sport modified Android operating systems must wait for reluctant manufacturers to push patches into their platforms. That effort often takes months, if it happens at all.

This diversity can be an odd security boon, since it means exploits sometimes need to be tweaked to target different handset models. Attackers don’t have unlimited resources either, so even when they know about a bug they must decide which ‘Droids to target. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/02/zimperium_bug_buy/

Wanna protect your data center? Take tips from the US Secret Service

Usenix Enigma 2017 Data center managers should take some tips from the US Secret Service when protecting vital servers from hackers, says someone who has been through a White House lockdown.

In a presentation at Enigma 2017, Nathaniel Gleicher – a former director for cybersecurity policy at the National Security Council and now head of cybersecurity strategy at Illumio – reckons the same principles for protecting the president could be applied to key servers in a data center.

The grounds of 1600 Pennsylvania Avenue, in Washington DC, are surrounded by nothing more than an iron fence, which is easy to hop over with a small ladder or a willing accomplice, he said. However, once inside the perimeter, the intruder is stopped almost immediately. Control of the threat environment is something some people in the IT industry could learn from, he suggested diplomatically.

From a data center perspective, managers need to take the same approach. The number of server interconnects is huge and that provides plenty of scope for an attacker to run wild. In a sample data center running 3,500 servers, he found over 37 million open pathways between systems. Under 1 per cent were actually in use for normal operations.

Just as the Secret Service blocks off entrances and exits to funnel people past checkpoints, data center managers need to block off unused pathways to key servers and lock down data traffic. This drastically reduces the attack surface available and forces an intruder to use heavily monitored data pathways.

In other words, if a particular application server doesn’t need to interact with the NoSQL database servers, for example, firewall that off. Don’t let attackers move through a network unheeded: limit access, compartmentalize, and so on. This might be advice from the Department of Bleedin’ Obvious, but we live in an age when people don’t test their backups so every little helps. Obviously, clusters of boxes that are assigned different workloads dynamically complicate things; however, intelligent on-the-fly network partitioning isn’t impossible.
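One way to quantify the “open pathways versus pathways in use” point above and turn the result into a tighter, role-based allow-list, as an added example that is not from Gleicher’s talk or from The Register; the host names, roles, ports and flow records are constructed sample data.

```python
"""
Measure how many host-to-host pathways a flat network permits versus how many
actually carry traffic, then derive a role-level allow-list that funnels traffic
through the pathways in use. All inventory and flow data below is constructed.
"""
from itertools import permutations

# Constructed inventory: hostname -> role.
HOSTS = {
    "app-1": "app", "app-2": "app",
    "api-1": "api",
    "sql-1": "sql",
    "nosql-1": "nosql", "nosql-2": "nosql",
}

# Constructed: the ports each role listens on.
SERVICE_PORTS = {
    "app": {8080},
    "api": {443},
    "sql": {5432},
    "nosql": {27017, 27018},
}

# Constructed flow log: "src dst dst_port bytes", as exported from NetFlow
# or host firewall logs over an observation window.
FLOW_LOG = """\
app-1 sql-1 5432 120340
app-2 sql-1 5432 98211
api-1 nosql-1 27017 44000
api-1 nosql-2 27017 40100
app-1 api-1 443 12000
app-2 api-1 443 13300
api-1 sql-1 5432 50
"""


def parse_flows(text):
    """Return the set of (src, dst, port) tuples seen in the log."""
    flows = set()
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, port, _nbytes = line.split()
        flows.add((src, dst, int(port)))
    return flows


def all_pathways(hosts, service_ports):
    """Every src -> dst:port pathway a flat, unsegmented network permits."""
    paths = set()
    for src, dst in permutations(hosts, 2):
        for port in service_ports[hosts[dst]]:
            paths.add((src, dst, port))
    return paths


def pathway_report(hosts, service_ports, flows):
    """Count permitted pathways against the ones actually carrying traffic."""
    possible = all_pathways(hosts, service_ports)
    used = flows & possible
    return {
        "possible": len(possible),
        "used": len(used),
        "unused": len(possible - used),
        "used_pct": round(100.0 * len(used) / len(possible), 1),
    }


def least_privilege_rules(hosts, flows):
    """Collapse observed flows into role-level rules (src_role, dst_role, port).

    Role-level rules survive boxes being re-assigned between workloads, which is
    the complication raised for dynamically scheduled clusters.
    """
    return {(hosts[src], hosts[dst], port) for src, dst, port in flows}


def is_allowed(rules, hosts, src, dst, port):
    """Policy check for a new flow: anything outside the derived rules is denied."""
    return (hosts[src], hosts[dst], port) in rules


if __name__ == "__main__":
    flows = parse_flows(FLOW_LOG)
    print(pathway_report(HOSTS, SERVICE_PORTS, flows))
    rules = least_privilege_rules(HOSTS, flows)
    for rule in sorted(rules):
        print("allow", rule)
    # An app server reaching the NoSQL tier is outside the observed pattern.
    print("app-2 -> nosql-1:27017 allowed?",
          is_allowed(rules, HOSTS, "app-2", "nosql-1", 27017))
```

On the constructed data 7 of 40 permitted pathways carry traffic, and the derived rules deny an app server talking to the NoSQL tier while still allowing the flows that were observed.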

“The average time that an attacker spends in a server center before being discovered is 146 days,” Gleicher noted. “It’s unusual for an attacker to last 46 seconds before being collared by the Secret Service, because they control their environment.”

Yeah, we thought that was an apples and pears comparison, too. When The Reg asked Gleicher how feasible this total network mapping and lockdown was for the average data center manager, he acknowledged it was a massive undertaking.

“I think understanding the environment is the first challenge and often it takes a really long time,” he said.

“The key is not just trying to map out the network but trying to map the hosts, the servers, and how they are connected and how they are talking to each other. Because these are the communications hackers are most likely to use, and they are the communication paths you should care most about securing.”

Nevertheless, there is a lot of sense in trying to lock down data centers as much as possible. The payoff could be very handy at cutting down the amount of time an attacker can romp through your systems and wreak havoc. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/02/protect_data_center_take_tips_from_us_secret_service/

Netherlands reverts to hand-counted votes to quell security fears

The Netherlands has decided its vote-counting software isn’t ready for prime time, and will revert to hand-counted votes for its March 15 election.

The voteware’s security came under question when Dutch security bod Sijmen Ruwhof told local newscaster RTL Nieuws that the average iPad is more secure than the electoral software, called OSV.

He warned that Windows XP is still used for some installations of the system, and in his own blog notes that known-to-be-dud SHA-1 was also employed. He also claimed that unsecured USB sticks would be used to move electoral data.

In a letter sent to the House of Representatives, Minister of the Interior Dr. Ronald Plasterk says votes won’t even be entrusted to USB keys: they will be counted at polling stations, with paper reports passed up to the municipality level, then on to aggregating locations, and finally to the country’s Electoral Council.

“I said that the government cannot exclude that state actors can benefit from influencing political decisions and public opinion in the Netherlands and purposely deploy resources to try to achieve such influence”, Plasterk’s letter says.

Plasterk’s letter says until this decision was made, the software had been used to count votes for all steps after the polling station counts.

Using the software in the March election would “lead to the persistence of publications about the reliability of the software” and erode trust in the election result.

The government has asked Fox-IT to review the software for vulnerabilities. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/02/netherlands_reverting_to_handcounted_votes_to_quell_security_fears/

Home-pwners: Cisco’s Prime Home lets hackers hijack people’s routers, no questions asked

Cisco is advising ISPs and other service providers using its Prime Home system to install a security update immediately – to squash a serious remote execution bug.

Switchzilla says the flaw, which was given a 10.0 CVSS score, could allow an attacker to log into the software as an administrator and remotely take control of thousands upon thousands of customers’ home routers, broadband gateways and similar boxes.

“An attacker could exploit this vulnerability by sending API commands via HTTP to a particular URL without prior authentication,” Cisco said today. “An exploit could allow the attacker to perform any actions in Cisco Prime Home with administrator privileges.”

Note that “administrator” was italicized by the networking giant. Super serious.

Cisco pitches Prime Home as a “solution” for ISPs and connected device vendors, allowing companies to control devices such as ISP-issued cable modems, routers, and set top boxes in subscribers’ homes from afar. It uses “Broadband Forum’s TR-069 suite of protocols to provision and manage in-home devices.”

That means that a successful attack on an ISP’s installation of Prime Home would allow a criminal to take administrator-level control of the Prime Home GUI and meddle with all the devices connected to that particular service. As there are no workarounds or mitigations for the bug, Cisco is recommending that administrators install the update as soon as possible.

“Administrators can verify whether they are running an affected version by opening the Prime Home URL in their browser and checking the ‘Version:’ line in the login window,” Cisco says.

“If currently logged in, the version information can be viewed in the bottom left of the Prime Home GUI footer, next to the Cisco Prime Home text.”

All versions of the software from v6.3.0.0 downwards should be updated. The bug is designated CVE-2017-3791 and classified as CWE-287.

The alert from Cisco comes as researchers and criminals alike are paying increased attention to network appliances and IoT devices. Earlier this week, researchers disclosed a pair of serious security flaws present in more than 30 models of Netgear home routers. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/01/cisco_remote_access_hole_in_prime_home/

WordPress fixed god-mode zero day without disclosing the problem

Last week’s WordPress patch run fixed a then-secret zero day bug that let remote unauthorised hackers edit or delete WordPress pages.

The remote privilege escalation and content injection hole hits WordPress versions 4.7 and 4.7.1 and allows all pages on unpatched sites to be modified, redirecting visitors to exploits and a myriad of attacks.

WordPress slipped in the fix, but didn’t reveal it in the hope hackers would not exploit a flaw they didn’t know about.

WordPress, the world’s most popular content management system (CMS), used on millions of websites, pushed update 4.7.2 last week in a patch run that shuttered SQL injection vulnerabilities.

Security researcher Marc-Alexandre Montpas (@MarcS0h) informed the CMS giant on 20 January about the undocumented vulnerability.

WordPress tipped off security firms including SiteLock, Cloudflare, and Incapsula along with WordPress hosts over the nine days between disclosure and patch.

Security firms did not report live attacks under the rule sets they cooked up, while hosts worked closely with WordPress security to patch installations.

Core contributor Aaron Campbell says the disclosure was delayed to give web admins time to update.

“We believe transparency is in the public’s best interest … in this case, we intentionally delayed disclosing this issue by one week to ensure the safety of millions of additional WordPress sites,” Campbell says.

“Data from all four WAFs and WordPress hosts showed no indication that the vulnerability had been exploited in the wild.

“As a result, we made the decision to delay disclosure of this particular issue to give time for automatic updates to run and ensure as many users as possible were protected before the issue was made public.”

Campbell says millions of WordPress installations were automatically patched against the then-undisclosed bug in the few hours after the patch was issued.

Montpas described the bug in detail, rating the flaw critical.

“Due to [a] type-juggling issue, it is then possible for an attacker to change the content of any post or page on a victim’s site,” Montpas says.

“From there, they can add plugin-specific shortcodes to exploit vulnerabilities that would otherwise be restricted to contributor roles, infect the site content with a search engine optimisation spam campaign, or inject ads, etcetera.

“Depending on the plugins enabled on the site, even PHP code could be executed very easily.”

Akamai principal threat researcher Ryan Barnett says it has not detected exploit attempts and will continue to monitor for the likely attacks that will surface once news of the bug spreads. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/02/last_weeks_boring_sqli_wordpress_patch_hid_fix_for_godmode_zero_day/

Spam Now Makes Up Nearly Two-Thirds Of All Email

Spam spikes, and nearly three-fourths of all organizations worldwide have suffered adware-borne infections, according to Cisco’s annual cybersecurity report.

Spam now accounts for 65% of all email worldwide, and up to one-fifth of spam is malicious, according to new data from Cisco Systems.

Massive spamming botnets such as Necurs are behind this recent spike in junk and malicious email, Cisco found and noted in its 2017 Annual Cybersecurity Report published this week. Why the revival in spam campaign volume? It’s becoming more of a commercial business enterprise, which in part is driving its explosion, says Cisco vice president and CISO Steve Martino.

“There are organizations building tools and technologies that let other people use and build spam campaigns without knowledge of how to build a spam campaign. As a service model, it’s proliferating and allowing more people with less technical skills to participate and leverage the technical skills of somebody who has” those skills, Martino says.

Cisco found that the DNS-based blackhole list, the Composite Blocking List, shows spam volume reaching the record highs last seen in 2010. The Necurs botnet, which has been used to spread Locky ransomware as well as the Dridex banking Trojan, is the main driver of the spam spike: around June of last year, Necurs added over 200,000 IP addresses in under two hours after a brief respite in the wake of a cybercrime crackdown of the Lurk Trojan in Russia.

“New antispam technologies, and high-profile takedowns of spam-related botnets, have helped to keep spam levels low in recent years,” Cisco said in its report. That is, until Necurs started to change the game with more malicious activity.

Another relatively old-school cybercrime method had a big year in 2016: adware. Some 75% of organizations have been infected via adware, according to Cisco. “Sadly, this is not a big surprise. We have seen a proliferation and move to malvertising” on legitimate websites, says Franc Artes, architect for Cisco’s Security Business Group. There are plenty of malvertising development kits available to would-be criminals that, like spam kits, make it easy for a non-technical bad guy to spread malicious adware.

Malicious adware is used for so-called click fraud to make money off of online ads, and is also used as an initial vector for other attacks. Of 130 organizations across various industries, Cisco found 80 different adware variants that conducted everything from ad injection to malware download duties. Three-fourths of those organizations had been hit by an adware infection.

Driving malvertising attacks are so-called “bad bots” that pose as real humans. “The environment is changing and bots are getting more and more sophisticated as more tools are out there to detect them,” says Edward Roberts, director of product marketing at Distil Networks. “Across the board, there are silent victims across industries.”

Even so, malvertising and spam are nothing new. “We’re seeing a return, I think, to the classics. What was old is new again, using techniques we’ve forgotten about because they were low-profile and are [now] becoming high-profile,” Cisco’s Martino says.

“Where the attackers can maximize profits, they collaborate with each other, buying and selling services like we sell cloud services. This is giving them opportunities to move faster and to leverage various experts to attack organizations,” Cisco’s Martino says.

Meanwhile, 44% of security alerts are ignored, according to Cisco’s findings. The study found that security pros say they can only investigate 56% of the security alerts they receive each day. About half of those they investigate are real issues (not false alarms), and some 46% of legitimate alarms investigated get fixed. Nearly 45% of security operations managers say they receive some 5,000 security alerts per day.

Cisco’s Artes says there are several reasons why SOC managers can’t keep up with security alerts. For 35% of those in the study, budgets are the biggest obstacle, he says. “Some 55% of respondents have anywhere from six to 50 different security vendors [products],” which can complicate proper correlation and alarms, he notes.

“In every breach that I’ve seen or looked at or know about, there’s been more than one alert. More than one piece of data – had someone seen it or if the system had been able to react, it would’ve deterred that particular attack,” Martino says.

Time to detection is a big issue for organizations today, notes Julien Bellanger, CEO and Co-Founder of Prevoty. “The time to detection is critical. The more relevant the intelligence that’s coming from security tools at the network, the endpoint and the application, the faster that detection can happen,” he says. “A lot of information is generated, but too little is correlated to other events to make sense and be actionable.”

Then there’s the business fallout of missing that needle in the haystack. According to the Cisco report, nearly half of organizations say they lost “substantial” business opportunities after a breach: one in five lost customers and 30% lost revenue.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: http://www.darkreading.com/cloud/spam-now-makes-up-nearly-two-thirds-of-all-email-/d/d-id/1328034?_mc=RSS_DR_EDT

Netgear Addresses Password Bypass Vulns In 31 Router Models

Company has made patches, workarounds available to mitigate password bypass threat that potentially impacted 1 million devices, Trustwave says.

A warning this week about security vulnerabilities in more than two dozen models of Netgear routers has once again focused attention on the broad threat posed to consumers and enterprises by insecure home routers.

In an alert Monday, security vendor Trustwave said it had found two vulnerabilities in several Netgear routers that give attackers a way to either discover or to bypass any password on the devices.

The flaws, which are present in 31 different Netgear models, allow attackers to take complete control of vulnerable devices and to change their configurations, upload rogue firmware on them, or turn the devices into remotely controlled bots.

Anywhere from 10,000 devices to potentially one million Netgear routers have the vulnerabilities in them, according to Trustwave.

Routers provide a large attack surface and can offer a number of options for the hacker to take advantage of, says Jon Clay, director of global threat communications at Trend Micro, which this week issued a warning of its own about growing attacks against the devices.

Router vulnerabilities can be exploited to attack the systems behind the router or they could be used to turn the devices into bots for use in distributed denial-of-service attacks, Clay says. “Due to the lack of experience in IT security of the consumers who use these routers, many are not set up properly and can be hacked.”

Concerns over router security have grown following the massive Mirai botnet-enabled distributed denial-of-service attacks against DNS provider Dyn and numerous others last year.

The attacks demonstrated how easily adversaries can take advantage of vulnerabilities in ordinary network-connected consumer devices such as routers and webcams, and turn the devices into bots for attacking other systems.

With consumers expected to connect tens of billions of such devices to the Internet over the next few years, many expect the problem to get a lot worse soon.

Simon Kenin, author of the Trustwave alert and a security researcher with the company’s SpiderLabs team, said the vulnerabilities in Netgear’s products can be exploited by a remote attacker if remote administration on the device is set to be Internet-facing.

Even though the setting is usually not turned on by default, anyone with physical access to a vulnerable router—including those at public wireless hotspots such as cafes and libraries—can exploit the vulnerabilities locally, Kenin said.

Netgear has issued patches for most of the vulnerable models or has provided workarounds to mitigate the threat for older models.

This is the second major bug disclosure involving Netgear routers in recent weeks. In December, Netgear reported an arbitrary command injection flaw in 11 of its routers that gave attackers a way to execute arbitrary root-level commands on them.

One reason why routers are popular targets for attackers is because all network traffic goes through them, says Karl Sigler, threat intelligence manager at Trustwave’s SpiderLabs. “If you control the gateway you control all traffic going through it.”

The Mirai attacks have heightened the need for router vendors to ensure their products are not so easily hackable, Sigler says. “I would love to see more routers with automatic updates available,” he says.

“Since routers are usually out of sight, so, out of mind, they often go unpatched even when a patch is available.”

Significantly, there is no big difference in the security between enterprise routers and those meant for consumer and home use, Sigler adds. “I would say they are typically equally vulnerable although enterprise routers, having a dedicated network team managing them, are probably more likely to be kept up to date.”

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: http://www.darkreading.com/vulnerabilities---threats/netgear-addresses-password-bypass-vulns-in-31-router-models/d/d-id/1328036?_mc=RSS_DR_EDT