STE WILLIAMS

The seizure and search of phones and laptops at the US border is unconstitutional, a judge said Tuesday in a landmark ruling.

Massachusetts district court judge Denise Casper declared [PDF] that the practice breaks the Fourth Amendment on unreasonable search, and that border agents need to have a “reasonable suspicion” of illegal activity before they can search electronic devices.

“The CBP [Customs and Border Protection] and ICE [Immigration and Customs Enforcement] policies for ‘basic’ and ‘advanced’ searches, as presently defined, violate the Fourth Amendment to the extent that the policies do not require reasonable suspicion that the devices contain contraband for both such classes of non-cursory searches and/or seizure of electronic devices,” Casper declared.

As such, she noted, “the non-cursory searches and/or seizures of Plaintiffs’ electronic devices, without such reasonable suspicion, violated the Fourth Amendment.”

Despite ruling that such searches are unconstitutional, the judge declined to issue an injunction that would require border agents to get a warrant before probing such devices or to have “probable cause” before searching a device. That means border agents will continue to be able to search devices at the border, though will have to justify doing so.

A senior lawyer at the Electronic Frontier Foundation that fought the case, Adam Schwartz, told The Register that he is confident the decision will have a real-world impact on what happens at the border.

“There are all kinds of checks if there is a requirement for reasonable suspicion,” he noted, in large part because a judge would throw out any evidence in a subsequent trial if there wasn’t found to be reasonable suspicion when a device was searched. Equally, if innocent people had their phones searched without reasonable suspicion they could file a lawsuit claiming injury.

Frontline officers can expect to have a supervisor “look over their shoulders” if they decide there is in fact a reasonable suspicion that someone has “digital contraband” on their devices.

A big win

The decision is a huge win for privacy advocates and the 11 plaintiffs that brought the case back in 2017. Ten of the plaintiffs are US citizens and one is a permanent resident. It’s not clear whether the ruling will apply to all visitors to the United States or just citizens and permanent residents, but Schwartz argues that the “logic should be” that all visitors are given equal protections.

(Bear in mind, if you show up on a visa, you can be turned away for whatever reason, realistically speaking.)

The judge addressed the point on citizens and immigrants briefly. She notes that nothing presented by the government makes the case that any “evidence would be contained on the electronic devices, particularly of plaintiffs, all US citizens and one lawful resident alien, that would prevent their admission.”

She goes on: “Even as to an alien, where CBP posits that an electronic device might contain contradictory information about his/her intentions to work in the US contrary to the limitations of a visa, there is no indication as to the frequency of same or the necessity of unfettered access to the trove of personal information on electronic devices for this purpose.”

She also repeatedly dismisses the government’s main argument in favor of being allowed to search electronic devices – the possible discovery of child abuse images. “The record of the prevalence of such digital contraband encountered at the border remains unclear.”

“Given the dearth of information of the prevalence of digital contraband entering the US at the border, the Court cannot conclude that requiring a showing of some cause to search digital devices would obviate the deterrent effect of the border search exception.”

All that said, it is a virtual certainty that the case will be appealed to the Supreme Court and the judge effectively acknowledges as much in her lengthy 48-page judgment.

Quote unquote

The judgment falls down very firmly on the side of the plaintiffs in asserting that the search of electronic devices at the border is not justified under the current rules. In reaching that decision, she quotes extensively from other judgments, particularly Supreme Court judgments.

Most integral to her argument is another landmark decision (Riley) by the Supreme Court where it found, unanimously, that the warrantless search and seizure of digital contents of a mobile phone during an arrest is unconstitutional.

Among the many arguments taken from that Riley decision, Judge Casper that it “rejected the notion that searches of electronic devices are comparable to searches of physical items or persons” – a key argument put forward by the government in this case.

As the Supreme Court noted in that case: “Modern cell phones, as a category, implicate privacy concerns far beyond those implicated by the search of a cigarette pack, a wallet, or a purse.”

The judgment extensively picks apart the government’s defense and even throws out a recent change made by the CBP over how it does searches. Thanks in large part to this case, the CBP in January 2018 created two different categories of searches – basic and advanced – in an effort to retain its ability to search any electronic device at its agents’ discretion.

A “basic” search would not require anything more than an agent’s say-so, whereas an “advanced” search, using forensic software, required an additional level of authorization. But the judge refused to accept the distinction and declared that there were effectively the same thing, with both searches breaking the Fourth Amendment.

“Even a basic search alone may reveal a wealth of personal information,” she notes. “Such information can be accessed during not just the forensic searches under the CBP and ICE policies, but also under a basic search.”

Border law

At the same time, the judge goes to some length to reflect other decisions by the Supreme Court highlighted by the government in its case that the border represents a unique place legally. However, she repeatedly makes the same argument: that the government has to balance what is reasonable when it comes to people’s privacy with the risk of damage to national interests.

When it comes to searching people’s phones and laptops, she notes that “there are a number of reasons and ‘a convincing case for categorizing forensic searches of digital devices as nonroutine’: the ‘scale’ and ‘sheer quantity’ of personal information they contain, the ‘uniquely sensitive nature of that information,’ and the portable nature of same such that it is neither ‘realistic nor reasonable to expect the average traveler to leave his digital devices at home when traveling’”.

Harvard freshman kicked out of US over OTHER people’s posts on his social media

READ MORE

In other words, our phones contains so much highly personal and confidential information that any search should be considered highly significant.

In the judgement, the broad range of plaintiffs is used to show the breadth and depth of that information: a journalist’s notes and sources in one; a client-attorney conversations in another; personal pictures offending religious rights in another; business secrets in a fifth; and so on.

The judge stopped short of saying that border agents needed to get a warrant, and she also refused to order the deletion (expungement) of the material that the CBP and ICE have already gathered, although she did note that the plaintiffs have standing to push that point further in the legal process.

In not pushing those issues, and in largely steering clear of First Amendment arguments, it appears clear that the judge was determined to allow the fundamental decision that searches of electronic devices at the border break the Fourth Amendment stand until the case reaches the Supreme Court – something that it is almost certainly destined to do.

In short: another privacy win for the digital era, but a small win in a much larger war that still isn’t settled. ®

Sponsored:
How to Process, Wrangle, Analyze and Visualize your Data with Three Complementary Tools

Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/11/12/cbp_device_searches/

Stability of PCI DSS helps companies cope and create more mature security programs, but some parts of the Payment Card Industry’s Data Secure Standard continue to cause headaches.

The share of companies passing their interim security tests under the Payment Card Industry’s Data Security Standard (PCI DSS) — a practice run to help firms meet full compliance — dropped to 37% in 2018, the lowest level in five years, according to Verizon’s “2019 Payment Security Report,” published Nov. 12.

The decline in successful interim security audits is steep. In 2016, more than half of companies — 55% — taking a practice run through the painful compliance process mandated by PCI DSS passed the interim compliance audit. The ability to pass the assessment is a measure of the stability of a company’s compliance processes and security controls, says Ciske Van Oosten, senior manager of global intelligence for Verizon’s Security Assurance Consulting practice.

In the past, companies seemed on a path to improving their processes every year, but after 2016, companies started failing more often, Van Oosten says.

“We thought the growth was going to continue forever,” he says. “But we now see that full compliance needs to be sustainable in the long term and not just at a point in time.”

The news is not all bad. While a smaller share of companies maintained their security controls between compliance tests, the amount by which the average company fell out of compliance remained stable or declined. In 2018, the average gap between full compliance and the interim assessment for companies that failed to pass was about 10%, six percentage points less than four years ago, Van Oosten says.

The quarterly interim testing helps companies identify places where they have fallen out of compliance with security requirements and gives them a chance to fix the issues before the actual compliance testing.

“Organizations are required to not only achieve 100 percent full compliance with the PCI DSS, but also to maintain it,” the report stated. “This means having all applicable security controls continuously in place and functioning as intended.”

The Payment Card Industry’s compliance regime has been a major headaches for companies, requiring significant amounts of investment and resources. Yet with breaches continuing to plague businesses and third-party risk becoming much more of a concern, PCI DSS has become the preferred way to test whether partners and vendors are meeting their security obligations, Van Oosten says.

“We had a lot of attention in the media [in the past], but that is not driving the attention on compliance,” he says. “The driver for PCI DSS seems to be business to business, where a company will not do business with a partner unless they can show that they handle the data correctly.”

The reason for the decline over the past two years in interim compliance is not obvious, says Van Oosten.

The PCI DSS requirements organizations most often failed to maintain include No. 11 (“Test Security Systems and Process”), No. 6 (“Develop and maintain secure systems”), and No. 8 (“Authenticate access”). A third of companies — the largest portion — failed to run regular network and vulnerability scans (requirement 11.2), according to Verizon’s report. Twenty-eight percent of companies failed to protect software components and applications from known vulnerabilities (requirement 6.2), and 27% failed to recheck security control flagged by penetration testing to ensure that issues were fixed (requirement 11.3.3).

“The largest compliance drop occurred against Requirement 6, as organizations struggled to maintain effective vulnerability management, software development and change processes,” the report stated. “It is then perhaps not too surprising that Requirement 11 remained the poorest performer—both in overall compliance and control gap—as organizations struggle to sustain compliance with security testing requirements year after year.”

Van Oosten urged companies to have a security program in place to guide the implementation of necessary security controls. In addition, companies need to have a way of generating metrics to measure their progress in implementing the controls, he says.

“Security controls are all that stand between you and attackers out there on the Internet,” Van Oosten says. “You need to manage PCI-DSS compliance as a program.”

Related Content:

• PCI Council Releases New Software Framework for DevOps Era
• 10 Tips for Building Compliance by Design into Cloud Architecture
• Retail Sector Second-Worst Performer on Application Security
• 4 Payment Security Trends for 2019
• Payment Security Compliance Takes a Turn for the Worse

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “What a Security Products Blacklist Means for End Users and Integrators.”

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline … View Full Bio

Article source: https://www.darkreading.com/risk/compliance/companies-increasingly-fail-interim-security-test-but-gap-narrows/d/d-id/1336340?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

A new Nominet survey shows a familiar disconnect between business and security teams on the matter of cyber preparedness.

Business leaders at many organizations are projecting a rosier picture of their cybersecurity posture than would appear warranted, a new survey shows.

Nominet recently surveyed nearly 300 senior security and IT practitioners, including CISOs, CIOs, and CTOs from the US and UK. The survey sought to assess the level of confidence among executives about their organizations’ cybersecurity posture and readiness to deal with threats.

Seventy percent of the respondents said their organizations use its cybersecurity posture as a selling point to customers and business partners, even though CISOs and others responsible for cybersecurity were far less confident in the security stack.

Over one-third (34%) of the security executives in the Nominet survey, for instance, said they were only moderately satisfied with the effectiveness of their security controls, and another one-third said they were only somewhat or slightly confident. Most, in fact, scored their security stacks as 80% effective or less.

“The disconnect between CISO confidence and the business’ willingness to use its cyber defense as a selling point was most surprising,” says Stuart Reed, vice president of Nominet and the executive in charge of the company’s research and data science group. This suggests a lack in communication or understanding of risk between security teams and the wider business, he says.

The survey shows many CISOs and other security executives are being put in compromising situations by business executives, who have a less-than-complete understanding of their challenges, Nominet concluded.

While it is natural a CISO might be slightly more cautious about claiming the effectiveness of the controls in place, the fact that more than one-third of security leaders are not even moderately confident is a worry, Reed says. “This disconnect in cyber confidence should act as an alarm bell to organizations and potentially prompt some investigation and analysis,” he says.

One reason why CISOs and others feel less than fully confident in their security controls is likely because purchase decisions are not entirely in their hands. In many cases, the final word on a security purchase rests with a combination of business stakeholders and not necessarily security leaders. While security is obviously a factor, purchase decisions are based on other consideration as well, including cost, available alternatives, and ease of integration, Reed says.

“We need to begin looking at what will make our CISOs more confident,” he says. Radware’s survey shows, for example, that 20% of CISOs either don’t test the performance of their security stacks once in place or don’t know whether they have been tested. “Perhaps more investment here could increase confidence,” Reed says.

Nominet’s survey shows CISOs and other security leaders in the US are generally much more upbeat than their counterparts in the UK when it comes to the effectiveness of their security controls. Culture is likely a factor, according to the company, but the bigger reason is a majority of the US organizations represented in the survey are big companies with typically tighter procurement processes.

The vendor discovered a majority of organizations (68%) that had experienced a security breach over the previous 12 months to be somewhat apprehensive about their ability to defend and recover from a second one. Here again, US-based security leaders appear more bullish than their UK counterparts.

“This could be explained by the cultural and contextual differences between the US and UK,” Reed says. “What might reassure a CISO in the US won’t necessarily have the same effect in the UK.” The key to keep in mind is that confidence isn’t necessarily always connected to how well equipped a company is to defend against an attack.

“It is critical that security professionals and the wider business are on the same page when it comes to cyber defense,” Reed notes.

Related Content:

• It Takes Restraint’: A Seasoned CISO’s Sage Advice for New CISOs
• Is 2019 the Year of the CISO?
• Capital One Shifts Its CISO to New Role
• Navigating Your First Month as a New CISO

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “Account Fraud Harder to Detect as Criminals Move from Bots to ‘Sweat Shops’.”

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year … View Full Bio

Article source: https://www.darkreading.com/operations/while-cisos-fret-business-leaders-tout-security-robustness/d/d-id/1336342?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

The flurry of alerts in recent weeks of in-the-wild exploitation of the Windows RDP BlueKeep security flaw did little to change the rate at which people patched their machines, it seems.

This is according to eggheads at the SANS Institute, who have been tracking the rate of patching for the high-profile vulnerability over the last several months and, via Shodan, monitoring the number of internet-facing machines that have the remote desktop flaw exposed.

First disclosed in May of this year, BlueKeep (CVE-2019-0708) describes a bug in the Windows Remote Desktop Protocol that allows an attacker to gain remote code execution without any user interaction. Microsoft has had a patch out for the bug since it was first disclosed.

Over the last week or so, reports came that miscreants were lobbing active exploits for BlueKeep at honeypot systems. These attacks were found to be attempts by hackers to infect machines with cryptocoin-mining software and led to a series of media reports urging users to patch their machines now that BlueKeep exploits had arrived in earnest.

According to SANS, those reports did not do much to get people motivated. The security institute says that the rate of BlueKeep-vulnerable boxes it tracks on Shodan has been on a pretty steady downward slope since May, and the media’s rush to sound alarms over active attacks did not change that.

That means, while plenty of admins and users have fixed up their boxes, the headlines did not spur those lagging into patching up their systems.

With more hints dropped online on how to exploit BlueKeep, you’ve patched that Windows RDP flaw, right?

READ MORE

“The percentage of vulnerable systems seems to be falling more or less steadily for the last couple of months,” noted SANS researcher Jan Kopriva of Alef Nula, “and it appears that media coverage of the recent campaign didn’t do much to help it.”

That doesn’t however, mean that there is no threat of a BlueKeep malware outbreak. While the SANS duo say that BlueKeep machines are decreasing in number, there are still more than enough exposed boxes to make for an attractive exploit target.

“Since there still appear to be hundreds of thousands of vulnerable systems out there,” they point out, “we have to hope that the worm everyone expects doesn’t arrive any time soon.”

Fortunately, this week will be a good time for users and admins to get themselves caught up on patches for BlueKeep and other security fixes that have been posted over the Summer by Microsoft.

With the November edition of Patch Tuesday slated to land tomorrow, users can fire up Software Update and get that and previous security fixes to make sure they are protected from all of the known vulnerabilities. ®

Sponsored:
Your Guide to Becoming Truly Data-Driven with Unrivalled Data Analytics Performance

Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/11/11/bluekeep_didnt_boost_patching/

Nearly three months after infosec biz Eclypsium highlighted widespread security weaknesses in third-party Windows hardware drivers, you can now add Intel to the list of vendors leaving holes in their all-powerful low-level code.

In a follow-up report to its August DEF CON presentation, Eclypsium found that not only are those third-party kernel-mode drivers still vulnerable, widely used Intel drivers also contain many of the same holes.

As was noted in that conference talk by Jesse Michael and Mickey Shkatov, vulnerabilities in drivers are a huge risk because the code typically runs at the lowest levels in an operating system, has access to peripherals, storage, and applications, and thus if exploited, will grant miscreants total control over a machine. The drivers are also signed off by Microsoft and are therefore trusted by the operating system.

It is worth noting that these are not remotely exploitable flaws: hackers need to already be running code locally in order to get at the vulnerable drivers.

Now, Eclypsium says that it can detail three more drivers it held back of that original report, all from Intel.

Two of the vulnerable drivers were quietly patched in August by Intel. However, a third driver, Intel PMxDrv, was found to be far more difficult to clean up. On Tuesday this week, Chipzilla was finally able to release a patch, and Eclypsium was cleared to report the bug.

According to the research team, an attacker who was able to access this driver would be able to do everything from injecting code into memory to accessing I/O and PCI controllers – essentially having full reign over the machine at a very low level.

“This level of access can provide an attacker with near-omnipotent control over a victim device,” Eclypsium explains. “Just as importantly, this capability has been included as a staple component of many Intel ME and BIOS related toolsets going back to 1999.”

Users and admins are advised to download and install patched versions of the drivers as soon as possible.

Even after those Intel drivers are updated, the researchers say users will still be at risk from other drivers. One particularly dangerous example they noted was WinRing0, a component included with the OpenHardwareMonitor library. The driver is not only vulnerable to local elevation of privilege attacks, but is also commonly used by developers under more than two dozen different names.

Intel: Listen up, you NUC-leheads! Mini PCs and compute sticks just got a major security fix

READ MORE

Because the driver is trusted and so widespread, admins and users are in a race to patch the software before scumbags exploit it.

“One of the key issues noted above is that there is no universally applicable way to prevent Windows from loading any of the bad drivers that have been identified thus far,” Eclypsium notes.

There is, the researchers say, a long-term solution in the works. Microsoft is rolling out a new security tool called HVCI that will isolate drivers from the system kernel and prevent these sort of EoP attacks. Unfortunately, it will take some time to get put into place.

“HVCI requires a 7th generation or newer processor, new processor features such as mode-based execution control, and is not supported by many 3rd party drivers,” the researchers explain.

“As a result, many devices in use today will not be able to enable HVCI and will not be protected.”

In the meantime, users and admins are advised to protect themselves as best they can by avoiding software from untrusted sources and making sure their firmware and drivers are fully up-to-date and patched. ®

Sponsored:
Your Guide to Becoming Truly Data-Driven with Unrivalled Data Analytics Performance

Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/11/12/bad_intel_drivers_eclypsium/

Intel is once again moving to patch its CPU microcode following the revelation of yet another data-leaking side-channel vulnerability.

The same group of university boffins who helped uncover the infamous Spectre and Meltdown flaws say that a third issue, reported back in May under the name ZombieLoad, extends even further into Chipzilla’s processor line than previously thought.

The ZombieLoad hole can be exploited by malware running on a vulnerable machine, or a rogue logged-in user, to snoop on processor cores and extract sensitive information from memory that should be out of bounds. In practice, this would potentially allow an attacker already on the system to lift passwords, keys, and the like from other running software.

When the bug was publicly disclosed earlier this year, Intel said its latest chips – its 8th and 9th generation Core and second-generation Xeon Scalable microprocessors – were not vulnerable to this so-called Microarchitectural Data Sampling (MDS) info leak.

That, the researchers say, is no longer the case. A previously unreported ZombieLoad eavesdropping technique will work even on fully up-to-date processors that feature Intel’s Transactional Synchronization Extensions (TSX) Asynchronous Abort (TAA) mechanism – even on Meltdown and Foreshadow-resistant silicon.

The crew of Michael Schwarz, Moritz Lipp, Daniel Moghimi, Jo Van Bulck, Julian Stecklina, Thomas Prescher, and Daniel Gruss will today reissue their original ZombieLoad paper to say as much. There’s a diff here [PDF].

“In contrast to concurrent attacks on the fill buffer, we are the first to report data leakage of recently loaded and stored stale values across logical cores even on Meltdown and MDS-resistant processors,” they explained. “Hence, despite Intel’s claims, we show that the hardware fixes in new CPUs are not sufficient.”

As it turns out, this issue has been known to both the manufacturer and the eggheads for some time, though was kept secret by both parties so as to give Chipzilla time to develop and release a fix. With the microcode update landing today, which you should install as soon as possible on vulnerable boxes, all involved feel it is OK to emit the details.

Like the Spectre and Meltdown attacks, ZombieLoad exploits the speculative execution technique modern microprocessors use to speed up their operation.

The ZombieLoad exploit lifts data from the CPU store, fill, and load buffers, allowing a snooper to discern sensitive data thought to be walled off by Intel’s security defenses. This does not allow spyware to target specific memory locations: just whatever’s in the buffers. The researchers say the only way to fully resolve the flaw is to turn off speculative execution, a move that will effectively cripple CPU performance.

Running on Intel? If you want security, disable hyper-threading, says Linux kernel maintainer

READ MORE

In this case, Intel is opting to patch the flaw as best it can with a microcode update. The fix only applies to Core and Xeon processors with TSX functionality and previously thought to immune to ZombieLoad. In other words, if you have an older chip, you should already have a ZombieLoad fix, and if you have a newer chip, you need this latest update because the built-in mitigations weren’t enough.

Note that Whiskey Lake, Coffee Lake-R, and Cascade Lake-SP chips are apparently not vulnerable at all because they do not support TSX, which is required for this latest ZombieLoad exploitation.

Meanwhile, Chipzilla acknowledges this release does not fully remedy the problem.

“We believe that the mitigations for TAA and MDS substantively reduce the potential attack surface,” the silicon slinger said. “Shortly before this disclosure, however, we confirmed the possibility that some amount of data could still be inferred through a side-channel using these techniques (for TAA, only if TSX is enabled) and will be addressed in future microcode updates.”

Red Hat, meanwhile, has more technical details here.

It should be noted at this point that, while ZombieLoad and other side-channel attacks make for a good story, are fascinating to study, and do pose a hard-to-remove security vulnerability, they are hardly the most pressing threats out there. There is no known malware out there exploiting CPU design flaws to steal people’s passwords and so on.

Side-channel vulnerabilities are notoriously difficult to reliably exploit in the wild, and require the attacker to have already achieved arbitrary code execution on the target machine, meaning in most cases the victim is already compromised to the point where a side-channel attack is of little necessity. Meanwhile, large businesses are routinely getting ransacked via spear-phishing emails and poisoned Office documents.

Users and admins should definitely test and install Intel’s microcode updates for these and other side-channel attacks, though in the grand scheme of things, don’t forget there are more pressing security threats out there. ®

Sponsored:
Your Guide to Becoming Truly Data-Driven with Unrivalled Data Analytics Performance

Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/11/12/zombieload_cpu_attack/

Trusted Platform Modules, specialized processors or firmware that protect the cryptographic keys used to secure operating systems, are not entirely trustworthy.

Boffins from the Worcester Polytechnic Institute and University of California, San Diego, in the US, and the University of Lübeck in Germany, have found that TPMs leak timing information that allows the recovery of the private keys used for cryptographic signatures.

In a paper [PDF] published on Tuesday, “TPM-FAIL: TPM meets Timing and Lattice Attacks,” researchers Daniel Moghimi, Berk Sunar, Thomas Eisenbarth, and Nadia Heninger describes how they successfully conducted black-box timing analysis of TPM 2.0 devices to recover 256-bit private keys for ECDSA (Elliptic Curve Digital Signature Algorithm) and ECSchnorr signatures that are supposed to remain unobserved within the TPM.

Timing measurements represent a side channel attack that can be used to infer the inner workings of cryptographic systems.

“Our analysis reveals that elliptic curve signature operations on TPMs from various manufacturers are vulnerable to timing leakage that leads to recovery of the private signing key,” the paper states. “We show that this leakage is significant enough to be exploited remotely by a network adversary.”

Key recovery

The researchers found that a local attacker can recover the ECDSA key from Intel fTPM in 4-20 minutes, depending upon the available level of access. The technique can also be conducted remotely to obtain the authentication key from a VPN server in five hours or so.

In an email to The Register, Moghimi said the remote attack scenario assumes there’s a VPN configured to use the TPM for authentication and is publicly available on a network.

“A client who is supposed to use the VPN as a service acts as an adversary and steals the VPN server’s private key,” said Moghimi. “As a result, she can impersonate the VPN’s server and compromise the secure communication of other users with the VPN server.”

Moghimi said the attacker would need to conduct multiple authentication handshakes in order to measure the time each takes and then use that time measurement as a side-channel to discern information about the VPN server’s secrets inside the TPM. Such handshakes, he said, look like normal network traffic and wouldn’t be obviously malicious.

“The remote attack takes much longer due to the network’s noise on the timing channel,” said Moghimi. “The faster a network is, the remote attack can be performed better since there will be less timing noise. We tested on a simple 1GB local network which is common in many organizations and companies. I can imagine the remote attack would be faster/easier on a 10GB network or a fiber network.”

True to its name, Intel CPU flaw ZombieLoad comes shuffling back with new variant

READ MORE

The researchers identified flaws in Intel’s fTPM, a firmware-based TPM on computers running Intel’s management engine on PCs and laptops from vendors like Asus, Lenovo, Dell, and HP, and in computers with dedicated TPM hardware made by STMicroelectronics (ST33TPHF2ESPI). These vulnerabilities exist in devices certified FIPS 140-2 Level 2 and Common Criteria (CC) EAL 4+, certifications bestowed on hardware believed to be resistant to side-channel attacks.

The boffins also tested TPMs by Infineon and Nuvoton. The Infineno hardware (SLB 9670) exhibited non-constant time behavior but did not appear to have an exploitable vulnerability. The Nuvoton unit (rls NPCT) showed constant-time behavior for ECDSA, meaning it’s not vulnerable.

The security flaws have been designated CVE-2019-11090 for Intel fTPM vulnerabilities and CVE-2019-16863 for STMicroelectronics TPM chip. The researchers responsibly disclosed their findings to the two companies, and the publication of their work – to be presented at the Real World Crypto 2020 conference in January – coincides with patches from Intel and STMicroelectronics.

Intel addresses the flaws in the INTEL-SA-00241 patch, which covers multiple CVEs. STMicroelectronics did not immediately respond to a request for comment, but the researchers say the biz has issued a new chip that fixes the flaws.

Intel disclosed its patch in a new security blog, noting that it found 22 of 24 flaws related to its management engine.

The now-obligatory vulnerability website, TPM.fail, provides further details. ®

Sponsored:
Your Guide to Becoming Truly Data-Driven with Unrivalled Data Analytics Performance

Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/11/12/don/

Patch Tuesday The November edition of Patch Tuesday has landed with scheduled updates from Microsoft, Adobe, and SAP, along with the debut of a new update calendar from Intel.

Scripting bug draws attacks on IE

Microsoft’s monthly batch of fixes addresses 74 CVE-listed security vulnerabilities, more than a dozen of them considered to be critical risks.

One of those vulnerabilities, CVE-2019-1429, is already under attack in the wild. The flaw is a remote code execution vulnerability, specifically a memory-corrupting hole, in Internet Explorer, which also affects Office.

“This vague description for memory corruption means that an attacker can execute their code if an affected browser visits a malicious web page or opens a specially crafted Office document,” explained Dustin Childs of the Trend Micro Zero Day Initiative.

“That second vector means you need this patch even if you don’t use IE.”

Four guest-escape bugs (CVE-2019-0721, CVE-2019-1389, CVE-2019-1397, CVE-2019-1398) were found in Hyper-V. In each case, an attacker in a virtual machine would be able to run a malicious application that could run arbitrary code on the host server.

A remote code execution vulnerability in Exchange (CVE-2019-1373) was attributed to “deserialization of metadata via PowerShell,” and would allow the attacker to run code with the security clearance of the logged-in user: almost certainly an admin if we are talking about PowerShell access.

This month also brings the usual assortment of browser-based attacks with three remote code execution bugs for the Edge scripting engine (CVE-2019-1426, CVE-2019-1427, CVE-2019-1428) and one for VBScript (CVE-2019-1390. Fans of the classic “bad font” attacks will want to take a look at CVE-2019-1419, a remote code execution bug via OpenType fonts handled by Windows Adobe Type Manager Library.

Bonus bug report: 5G hardware vulnerable

If the patch bonanza wasn’t enough, there have also been reports that parts of the new 5G wireless broadband system could be vulnerable to attacks. Researchers from the University of Iowa and Purdue University say a malicious base station could be used to trick devices into handing over location info or send out fake emergency alerts.

For Office, two of the more serious bugs include a remote code execution flaw (CVE-2019-1448) and a security bypass bug (CVE-2019-1457) in Excel.

Finally, Microsoft has released guidance on security issues in Trusted Platform Modules. More on that here.

Intel opens the doors on its own Patch Tuesday plan

It seems our Patch Tuesday coverage is only going to be getting larger, thanks to the first of what looks to be many monthly security fix drops from Intel.

Chipzilla says that it too will make the second Tuesday of the month a scheduled security patch day for customers, and to kick off the fun it has dropped a set of patches addressing a total of 77 vulnerabilities, the majority of them in the Intel Management Engine, BMC firmware, and ethernet controllers.

Intel also posted its microcode fix for the newly-disclosed ZombieLoad side-channel attack variant.

Adobe drops four fixes for November

For Adobe it was a rather light Patch Tuesday, as the creative media giant posted fixes for three remote code execution bugs in Illustrator, a privilege escalation flaw in Animate CC, five information disclosure bugs in the Adobe Media Encoder, and two information disclosure vulnerabilities in Bridge CC.

SAP drops updates

Those running SAP software in their business will want to make sure they check for updates, as the enterprise giant has posted its own set of security fixes.

According to an analysis of the patches from security company Onapsis, some of the more pressing flaws include authorization bypass issues in SAP Internet Pricing Configurator, information disclosure bugs in Business Objects Business Intelligence Platform, and a missing authorization component in the ECATT framework. ®

Sponsored:
Your Guide to Becoming Truly Data-Driven with Unrivalled Data Analytics Performance

Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/11/12/november_2019_patch_tuesday/

Cybercriminals tried to take the Labour Party’s digital platforms offline weeks before the election on December 12.

The UK’s Labour Party has confirmed a distributed denial-of-service (DDoS) attack targeted its Web services weeks ahead of a national election on December 12, party and security officials report.

Adversaries overwhelmed Labour’s digital platforms with malicious traffic, according to Britain’s National Cyber Security Centre, which was notified following the incident, Reuters reports. The incident was not successful, a spokesman says, and the matter is now closed. Party officials say the DDoS attempt failed due to its “robust security systems” and no data breach occurred.

It’s tough to attribute DDoS attacks to a specific individual or group, and this case is no different. A source with knowledge of the investigation reports there is no evidence so far connecting a foreign state with the attack on the Labour Party. That said, officials have expressed concern to see this type of incident taking place with elections fast approaching.

Read more details here.

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “Account Fraud Harder to Detect as Criminals Move from Bots to ‘Sweat Shops’.”

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/threat-intelligence/ddos-attack-targets-uk-labour-party-weeks-ahead-of-election/d/d-id/1336330?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

The ubiquitous Caller ID hasn’t changed much over the years, but the technology to exploit it has exploded. That may be about to change.

Fraud and abuse in the form of robocalling, and more specifically illegally spoofed calling, is the No. 1 consumer complaint to the Federal Communications Commission (FCC). Robocalls make up nearly half of all phone calls, so frustrated consumers simply don’t answer incoming calls and businesses can’t get through to customers when they need to reach them.

At the root of the problem is the ease of spoofing caller IDs. Anyone can spoof their outbound Caller ID by using an online service like Spooftel or SpoofCard. These services are meant to protect the caller’s number from being displayed and claim they aren’t intended for malicious purposes, but the fact that they exist indicates the breadth of the problem.

For cybersecurity professionals, Caller ID spoofing is a particularly pernicious problem. To gain the trust of their intended victim, hackers hide behind a friend, company, or institution associated with their target’s information. Typically, they will find a trusted number and spoof it.

Caller identifications are determined during the second ring of a call. In this short period, spoofers use frequency shift keying to alter the binary format of the number, a process that can be automated. Current Caller ID technology was developed without any consideration that it could be used nefariously and hasn’t changed much, while the technology to exploit it has exploded.

The FCC Steps in with SHAKEN and STIR
FCC chairman Ajit Pai challenged the telecommunications industry in November 2018 to adopt a caller authentication system to combat this growing nuisance or face regulatory intervention. This has spurred the telecommunications industry to develop a framework of interconnected standards called SHAKEN (Secure Handling of Asserted information using toKENs) and STIR (Secure Telephony Identity Revisited) that defines how telephone service providers should work together to ensure calling numbers have not been spoofed.

As with many secure platforms on the Internet, digital identity certificates that leverage public key infrastructure (PKI) will make it possible to verify that the Caller ID information is accurate and can be trusted. SHAKEN/STIR shifts responsibility for identity verification from the call originator to the originating telephone company routing the call. At a high level, each telephone service provider will obtain its digital certificate from a certificate authority that is trusted by other telephone service providers. The certificate technology enables the called party to verify that the calling number is accurate, as asserted by a trusted source.

As shown in the framework diagram below, telecommunication service providers must implement a certificate management system to create and manage the public and private keys and digital certificates used to sign and verify Caller ID details. The private keys are used by the service provider to sign calls. The public key is then used by other service providers to verify that the signature was actually created by the private key associated with a trusted provider.

Also Applies to Enterprise VoIP
Although SHAKEN is a carrier-centric framework that sets out a standard way to implement STIR on the Internet Protocol-based network-to-network interface (IP-NNI), it will also affect enterprises that have their own Voice over IP (VoIP) infrastructure. In the next several years, such enterprises will be expected to set up call authentication through the SHAKEN/STIR delegation feature. Carriers can delegate authority for telephone numbers assigned to enterprises, making them a participant in the SHAKEN/STIR ecosystem.

For this ecosystem to work, the industry — technology infrastructure, telecommunications, enterprises, and government entities — needs to work together to ensure call identities are universally trusted. As this technology standard evolves and starts to be deployed, security will be required at every level of SHAKEN/STIR implementations. The players involved need to educate themselves on the many places where things can go wrong, including bad policies, lax security controls, and weak operational practices. Bad actors will absolutely try to subvert this security to initiate “validated” calls.

The telecommunications landscape is vast and diverse, with players ranging from massive corporations to virtual telcos that aggregate services and service providers serving niche clients or small geographies. For SHAKEN/STIR to accomplish its goal of re-establishing trust in the phone system, every provider will need to come up to speed on the nuances of setting up a PKI correctly.

Chances are, however, that not every provider will have the necessary expertise in-house but may decide to forge ahead on their own. When that happens, things invariably will go wrong; all it will take is one weakness in a PKI implementation for spoofers to get back in the game. As more telcos implement SHAKEN/STIR, the value on the underground of having a provider’s certificate in a compromised state is significant. All of a sudden, robocallers with a validated Caller ID can start making spoofed robocalls again after everyone has started to trust Caller IDs again. There is a large financial incentive for robocallers to identify weaknesses and exploit them for financial viability.

A Long Slog Ahead
Although the FCC wants to accelerate the timeline for SHAKEN/STIR implementations across the industry, the reality is that it’s going to take time. Rather than rushing ahead, a far better approach will be to invest the time and resources necessary to ensure that the system is implemented properly and highly secure. Things are moving ahead with the all-important role of Secure Telephone Identity Policy Administrator (STI-PA) being awarded to iconectiv in May 2019. In this role, iconectiv is responsible for applying and enforcing the rules defined for the SHAKEN/STIR framework.

The certificate policy will be published soon. It will lay out the rules of engagement, but without it there is significant uncertainly. Do you have to have an audit? If so, what does that audit look like? And what does it have to look at? What requirements do organizations have for security? What about availability, background screening, and training?

While these pieces are coming together, I would encourage everyone in the ecosystem to proactively line up the necessary resources and expertise to implement SHAKEN/STIR in the most secure way possible. If in-house know-how is lacking, companies should track down experts who can help get the PKI implemented correctly and address problems such as cloud vs. on-premises deployment and scalability. There’s no time to waste: The integrity and trust of the telephony system depends on getting this right.

Related Content:

• 8 Ways Businesses Unknowingly Help Hackers
• Fighting Back Against Mobile Fraudsters
• How to Hang Up on Fraud

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “Account Fraud Harder to Detect as Criminals Move from Bots to ‘Sweat Shops.”

Mark B. Cooper, President and Founder of PKI Solutions, has been known as “The PKI Guy” since his early days at Microsoft. Mark has deep knowledge and experience in all things public key infrastructure (PKI), including Microsoft Active Directory Certificate Services … View Full Bio

Article source: https://www.darkreading.com/endpoint/shaken-stir-finally!-a-solution-to-caller-id-spoofing/a/d-id/1336285?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple