STE WILLIAMS

US Congress: Spying law is flawed, open to abuse, and lacking in accountability – so let’s reauthorize it

Despite recent revelations that the process by which the FBI and NSA gain approval for spying on US citizens is open to abuse, the US Congress is again planning to reauthorize the USA Freedom Act that gives those measures their legal foundation.

This week, the House of Representatives unveiled HR 6172, which will reauthorize the programs. But, despite a growing consensus that there needed to be systemic changes, the bill simply reaffirms the status quo with a few additional provisions that experts say will not only fail to fix the problems but may make them worse.

The situation is similar to two years ago, when a group of senators fiercely opposed the reauthorization of another flawed spying program without significant reforms, but were defeated when it was attached to an end-of-year spending bill: something critics characterized as “an end-run around the Constitution.”

This time there is another, slightly larger, coalition of lawmakers who are arguing against reauthorization without proper reform, and they might have the president’s ear for the simple fact that Trump’s presidential campaign in 2016 was targeted under the very rules that Congress now wants to set in stone.

The House Freedom Caucus, which comprises conservatives and libertarians, has put out a statement condemning the bill and at least one member has publicly urged President Trump to refuse to sign it.

“Members of the Freedom Caucus have long called for reforms to FISA [Foreign Intelligence Surveillance Act],” the statement reads. “Recent revelations that FISA was severely and repeatedly used to spy on a presidential campaign are beyond the pale – if the government can misuse this system to spy on a presidential campaign, they can surely do it to any other American citizen.”

Carter Page issue

At the heart of that issue was the targeted surveillance of one of the Trump campaign’s key figures, Carter Page, whom the FBI feared was collaborating with the Russian government. A subsequent review of the process used to authorize and then renew surveillance on Page revealed that FBI agents had purposefully misled judges at the secret court that approves such measures, and had even doctored documents in order to keep the surveillance going.

Due to an almost entirely opaque process in which there is rarely an opportunity for counter-arguments, critics have long warned that the process is wide open to abuse. Efforts by civil liberties groups to even find out what the process is have been met with years of procedural delays and obfuscation.

But with pressure from the White House driving a review of FISA over the Page case, the flaws were formally exposed. As such the House Freedom Caucus wants to see real changes: “Anything short of significant and substantive reforms would betray the trust of the American people,” its statement reads.

It also derides the changes that have been made to get lawmakers on board. “Enhanced penalties for abusing the system are insufficient to gain our support particularly when no one has been charged with a crime for previous abuses,” it notes, adding: “A proposal for additional scrutiny when elected officials and candidates are the target of investigations similarly misses the point: politicians don’t need more protection from government spying than their fellow citizens.”

It’s not just the House Freedom Caucus opposed to the bill either. Unlikely bedfellows the American Civil Liberties Union (ACLU) are also opposed and have sent a letter to lawmakers urging them not to vote for it.

Broken

“Congress has had over four years to consider provisions of the Patriot Act set to expire on March 15, 2020. Despite this, H.R. 6172 is being jammed through without any opportunity for amendments, no markup, and limited debate,” it notes. “Indeed, a prior markup of the bill in the House Judiciary Committee was cancelled after it became clear that efforts to improve the bill would likely have prevailed.”

The letter argues that it has “become abundantly clear that many of our surveillance laws are broken”, citing the Inspector General report into the Carter Page case. “Despite the secrecy around FISA proceedings, the Page episode offers a window into the abuses that predictably follow from giving the government extraordinary powers with minimal checks and no meaningful due process,” it argues.

It then lists a number of flaws in the current bill, saying that it:

  • Fails to require that individuals receive appropriate notice and access to information when FISA information is used against them.
  • Fails to fully address deficiencies with the FISA court that have led to illegal surveillance – most notably the lack of a representative to argue against the government’s case in front of the court.
  • Fails to limit the types of information, the standard for collecting information, and the length of time for retaining information that can be collected under Section 215 of the Patriot Act – a program recently exposed as an enormous waste of time and money.

It’s not clear if the protestations will have any effect, however. The security services have repeatedly proven themselves extremely adept at getting lawmakers on side, and at playing the political game better.

The Attorney General has already signalled that he believes the bill should pass and the changes made to it are sufficient to fix the flaws exposed by the Inspector General’s report. And while President Trump has made it plain he doesn’t trust the intelligence services, he is also one of the main beneficiaries of the information that they gather. Whether he is willing to veto legislation that will likely be passed by Congress, despite its flaws, is an open question.

The only bills – six so far – that President Trump has vetoed have covered foreign affairs. He has yet to strike down any covering domestic affairs.

On Thursday the President issued a statement via his favorite medium to clarify his position. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/03/12/us_congress_spying_law/

Thought you were done after Tuesday’s 115-fix day? Not yet: Microsoft emits crisis SMBv3 worm-cure patch

Microsoft has released an out-of-band emergency patch for a wormable remote-code execution hole in SMBv3, the Windows network file system protocol.

On Thursday morning, Redmond emitted the update to Server Message Block 3.1.1 to kill off a critical flaw, word of which leaked out inadvertently this week.

Designated CVE-2020-0796, the bug can be exploited by an unauthenticated attacker to execute malicious code, at administrator level, on an unpatched system simply by sending the targeted system specially crafted compressed data packets. A hacker thus just needs to reach a vulnerable machine on the internet or network to fully compromise it.

32- and 64-bit systems running Windows 10 v1903, Windows 10 v1909, Windows Server v1903, and Windows Server v1909 need to be patched right now. This flaw is wormable, in that once a box has been hijacked, it can automatically seek out more victims to infect and spread across the globe.

“While we have not observed an attack exploiting this vulnerability, we recommend that you apply this update to your affected devices with priority,” Microsoft says of the update.


The SMB bug fix was a late addition to Microsoft’s March edition of Patch Tuesday – after the security hole was accidentally disclosed by the Cisco Talos research team in a blog post recapping this month’s updates: Cisco thought Microsoft had fixed the bug this week as part of March’s Patch Tuesday, and alerted the world to the bug’s presence to get people to install their updates. In reality, Microsoft hoped to patch the hole later this year, no patch was available, and now everyone knew there was a hole in the compression part of the SMBv3 code.

The revelation sent Microsoft scrambling to post a fix for the flaw just hours after it had emitted updates for 115 other CVE-listed security vulnerabilities.

Designed to allow shared access to files, printers, and hardware ports, SMBv3 is a network protocol included in desktop and server editions of Windows. The bug was particularly nasty as it did not require user interaction and thus could have been exploited by a worm to spread over an entire network.

“If you are running Windows 10, versions 1903/1909 or Windows Server, version 1903/1909 and have automatic updates enabled, you are automatically protected and do not need to take any further action,” Microsoft said.

“If you are managing updates on behalf of your organization, you should download the latest updates from the Microsoft Security Update Guide and apply those updates to your Windows.” ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/03/12/smb_patch_microsoft/

Microsoft Patches Leaked Remote Code Execution Flaw

A vulnerability in Microsoft’s Server Message Block protocol prompted concerns of wormable exploits when it was disclosed this week.

Microsoft has patched a critical remote code execution vulnerability in its Server Message Block (SMBv3) protocol and is urging organizations to deploy updates for the flaw as soon as possible.

CVE-2020-0796 exists in the way SMBv3 handles certain requests. An attacker who successfully exploits the flaw can gain complete control over a vulnerable system and execute arbitrary code within the context of the application. To exploit this vulnerability against an SMB server, an unauthenticated attacker could send a specially crafted packet to a target SMBv3 server. To exploit it against an SMB client, they would need to configure a malicious SMBv3 server and convince a user to connect, Microsoft officials wrote in a Patch Tuesday advisory.

This vulnerability was not part of Microsoft’s monthly patch roundup; the company did not explain why. Its advisory was posted after details were inadvertently released and there was no patch available, which prompted concerns of a wormable exploit. The advisory advised businesses to disable SMBv3 compression to defend systems from unauthenticated intruders.

Today’s patch, issued in a tight turnaround after the advisory was published, fixes the problem by correcting how the SMBv3 protocol handles the specially crafted requests an attacker would use to exploit the vulnerability. There has so far been no evidence that this flaw has been exploited in the wild; however, Microsoft rates it as “exploitation more likely.”
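For administrators who cannot deploy the patch immediately, the interim workaround mentioned above (disabling SMBv3 compression) can be audited and applied from PowerShell. The script below is an added example, not code from these articles or from Microsoft; it assumes that builds 18362 and 18363 are the affected 1903 and 1909 releases and that DisableCompression under the LanmanServer parameters key is the registry value from Microsoft’s advisory, neither of which is quoted on this page.

```powershell
# Added example, not code from the articles above or from Microsoft: audit a
# Windows host for the SMBv3 compression workaround that Microsoft's advisory
# for CVE-2020-0796 described, and optionally apply or remove it.
# Assumptions (not quoted on this page): builds 18362 and 18363 are the
# affected 1903 and 1909 releases, and DisableCompression under the
# LanmanServer parameters key is the advisory's registry value. Confirm both
# against the advisory before relying on this in production.

$RegPath        = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$ValueName      = 'DisableCompression'
$AffectedBuilds = @(18362, 18363)   # Windows 10 / Server v1903 and v1909

function Get-SmbCompressionState {
    # Report whether this host is in the affected release range and whether
    # the server-side compression workaround is already in place.
    $build    = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
    $affected = $AffectedBuilds -contains $build

    $value = $null
    if (Test-Path $RegPath) {
        $item  = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
        $value = $item.$ValueName
    }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        Build               = $build
        AffectedRelease     = $affected
        CompressionDisabled = ($value -eq 1)
        # Only hosts in the affected range that lack the workaround need action.
        NeedsMitigation     = ($affected -and ($value -ne 1))
    }
}

function Set-SmbCompressionWorkaround {
    # Apply (or, with -Remove, revert) the interim mitigation. Needs an
    # elevated session; no reboot is required. Revert once the out-of-band
    # patch is installed so compression is not left disabled indefinitely.
    param([switch]$Remove)

    if ($Remove) {
        Remove-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    } else {
        Set-ItemProperty -Path $RegPath -Name $ValueName -Type DWORD -Value 1 -Force
    }
    Get-SmbCompressionState
}

# Usage: report first; mitigate only where the report says it is needed.
$state = Get-SmbCompressionState
$state | Format-List
if ($state.NeedsMitigation) {
    Write-Warning 'Affected release without the workaround: install the patch, or run Set-SmbCompressionWorkaround as an interim step.'
}
```

The registry value only affects the SMB server side; a client that connects to a malicious SMBv3 server, the second exploitation path described above, is protected only by the patch.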


Article source: https://www.darkreading.com/vulnerabilities---threats/microsoft-patches-leaked-remote-code-execution-flaw-/d/d-id/1337301?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Working from Home? These Tips Can Help You Adapt

COVID-19 means many people are doing their jobs from outside the confines of the office. That may not be as easy as it sounds.

So, you’re working from home …

For a while.

You’ve probably worked remotely before, and you’re thinking, “I’ve got this!”

Odds are, you’re mistaken. You don’t have this. That’s OK; this is an opportunity to learn new skills.

You can think of working from home much like someone moving into an entirely new environment. Your patterns of work might be optimized for working in an office, and they might not quite fit at home. You can think of this post as moving you from accommodating yourself to including yourself — reducing the friction that misspends your energy just to exist.

Now it’s time to adapt. You need to adapt, your workday needs to adapt, and your environment needs to be adapted. So what can you do? Below is some advice — take it in the spirit of unsolicited advice on self-improvement. Some of these things will work for you; some of them won’t. Many of these ideas work for me or people near me; they might or might not work for you. Give them a try, and be willing to learn and adapt.

Your Workspace
Maybe you’ve been getting by with sitting on the couch or on the floor in the corner of your bedroom. Those might be all the choices you have, but you should consider some changes:

  • Use an external monitor. One of the biggest productivity gains comes from useful screen real estate, so finding a way to get more is incredibly helpful to you. Paired with an external keyboard and mouse, you’re also on your way to better ergonomics.

  • Use a desk and a chair. Sitting on a couch for a long period is probably not healthy in a lot of ways. Can you fit in a sit/stand desk? Maybe you do need a different ergonomic choice, but make it deliberately.

  • If you can dedicate a workspace, that’s ideal. If you can’t, consider a space that you can set up at the start of the workday, then tear it back down in the evening — so you have clearly delineated boundaries of when you’re “in the office” instead of just chilling.

  • Even if you can’t dedicate a workspace, make a conscious effort to not take a meal (be it lunch, dinner, etc.) from where you are working. If you have a dedicated workspace, leave it and go to your kitchen, another room, or, if possible, outside for your meal. This should be time to mentally recharge as much as physically recharge. If you don’t have a dedicated space, still take the time to close your laptop and do something that is not work. Your brain (and your similarly stressed co-workers) will thank you.

  • Do you have a headset with a microphone to take meetings with? Gaming headsets can be an affordable and high-quality solution, or possibly Bluetooth earbuds. Anything is an improvement over just using your laptop’s speakers. But also think about how your ears might feel after multiple hours using a device you’re not familiar with. Maybe change between earbuds and a headset … or even just take a long break from videoconferencing.   

  • Wired Ethernet makes an enormous difference for videoconferencing — and for many of our other tools. Even if the cable has to get unplugged when you roll up your desk at the end of the day, this can be worth the trouble.

Your Family
There’s a good chance you’re sharing your space with other people — a partner, some children, maybe roommates. Their needs will matter, too, and it’s better for you to plan ahead with your schedules so that no one is disappointed.

  • Do you have to homeschool small children? What does your plan look like for that, and how are you trading it off with your partner?

  • Do you need to add daily household meetings to identify any issues?

Your Commute
You might be really excited about not having to waste time getting to the office because you can just hit work running. But take a moment to think about what you also do during your commute. Are you thinking about your schedule for the day? Working on a hard problem? Thinking about your kids? That’s valuable mental time, which you should consider how to keep in your day so that you can gracefully transition between parts of your life.

  • Can you go for a walk around the block (or further)?

  • Can you set aside quiet time at the start and end of your day, before you dive into email?

  • Make sure you take time for lunch. This might make a good time to check in with your colleagues in your co-working space or take quiet time for yourself. You might want to think about planning for those lunches to make sure you’re making healthy choices rather than just grabbing whatever is available.

  • Make a hard break. “Bye, kids, I’m headed to work!” can be a really powerful boundary to set.

Your Meetings
Meeting culture is very location-centric, especially when that location is your headquarters. Some of that is a product of enterprise tools (many video solutions make it hard to see more than a few participants at once, and the slight added latency over the Internet interacts with the human desire to jump in as the next speaker), some is a product of our organizations (meetings where 80% of the attendees are physically in one place), and some is a product of habit (sitting in a circle, which then excludes the video participants). This is an opportunity to work on more-inclusive meeting structures.

  • Consider nonverbal cues for meeting participants to use to call for attention. If everyone is visible, that can be a raised hand; if that’s not the case, then a chat backchannel can help.

  • Work more on pauses between speakers. There is rarely a need to jump in instantly, and that’s often seen as a behavior that is exclusionary anyway, so this is a good opportunity to evaluate it. Past three people, a moderator helps enormously — perhaps defaulting to whomever called the meeting or wrote the agenda.

  • Consider working off a shared document with an agenda and notes so that some information flows can be faster-than-verbal. This might rely on everyone having more screen real estate.

  • Think about the lighting. You should be able to clearly see your face, which generally means lights and windows should be in front of you, not behind you. It’s always possible to learn from one call and revise or improve for the next one.

  • Thirty-minute blocks are not fundamental to the universe. You can meet for 5 minutes or 15 — and jumping from chat to a video call for 5 minutes can unlock great work for you or your colleagues.

  • As a last resort, disabling video can improve audio distortions, jitter, and latency in meetings.

Your Physical Wellness
When working from home, it can be really easy to fall into a rut with no physical activity. Perhaps you roll out of bed, grab a quick bite, and hop on a call. For a day, that’s only a little bad, but that’s a bad long-term pattern. Schedule your exercise time.

  • Maybe take that long walk at the start of your day or after lunch.

  • If you’re fortunate enough to have a treadmill or stationary cycle in your house, maybe you take a walking meeting with a colleague.

  • Look at how you can keep your body from stiffening from a lack of movement or poor ergonomics. Take stretch breaks. Take a 20-second break every 20 minutes and look out at something at least 20 feet away to prevent eyestrain. Consider how to incorporate physical wellness into your everyday routine.


Andy Ellis is Akamai’s chief security officer and his mission is “making the Internet suck less.” Governing security, compliance, and safety for the planetary-scale cloud platform since 2000, he has designed many of its security products. Andy has also guided Akamai’s IT …

Article source: https://www.darkreading.com/careers-and-people/working-from-home-these-tips-can-help-you-adapt/a/d-id/1337300?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

CASB 101: Why a Cloud Access Security Broker Matters

A CASB isn’t a WAF, isn’t an NGF, and isn’t an SWG. So what is it, precisely, and why do you need one to go along with all the other letters? Read on for the answer.

As IT operations began to move from on-premises installations to the cloud, organizations looked for ways to bring security and access controls from internal data centers to cloud operations. One of the tools they found was the CASB — Cloud Access Security Broker. Now, a decade on from their introduction, CASBs are common parts of the enterprise security infrastructure. But for many individuals, knowing precisely what a CASB does — and why it’s different from a next-gen firewall — is still something of a mystery.

Let’s look into the CASB and find out where it came from — and what it’s evolved into.

(Image: leowolfert VIA Adobe Stock)


The original purpose of a CASB was to provide visibility into all the cloud services in an enterprise infrastructure. In the war against “shadow IT” and its use of unapproved cloud services, the CASB was one of the first purpose-built weapons. Deployed at the network edge and using a variety of proxy types, the CASB could identify every call to or connection from a cloud service, whether or not the cloud was approved.

In the early days of CASB, they were frequently deployed as physical appliances in the customer data center. Now, they can still be deployed as appliances, but are much more likely to be deployed as cloud services themselves, applied in a “security-as-a-service” model. In both cases, today CASBs use both proxies and APIs to identify the greatest possible range of cloud services and to act on the additional functions products are now capable of.

Knowing about the presence of cloud services isn’t the same as doing something about securing them (or enforcing security controls against specific services), so CASB began to evolve to do more for security teams. As it did, the category developed to include what Gartner calls the “four pillars” of CASB — labels taken up by much of the industry: Visibility, Compliance, Data Security, and Threat Protection.

The four areas of function are important in the shared responsibility cloud security model, in which the cloud provider is responsible for the protection of their infrastructure while the cloud customer is responsible for the security of their applications and data.

So what do each of these four pillars really mean, and how can they be used in securing an enterprise cloud? Let’s look at each one.

Visibility

A CASB should let you know all the horribly insecure cloud services employees insist on using while on your network. While necessary and frightening, it’s not all the visibility a modern CASB can provide. Given the ways that a CASB can seek out and monitor traffic to and from cloud services, it can also tell the security team which employees are using cloud services and how they’re getting to them. This can be useful information when having the “you’re personally destroying our security plan” conversation with rogue workers.

Compliance

As CASBs have evolved — and especially as they moved to use APIs rather than proxies to increase visibility into cloud activity — they gained the ability to look at the data being moved from one cloud to another, and between on-prem infrastructure and the cloud. In addition to providing security teams with a better picture of an organization’s cloud infrastructure, this allowed the teams to see the data being stored on and processed in the cloud.

Many aspects of regulatory compliance depend on knowing where and how data is stored. Aside from external regulations, many organizations have internal rules on how particular types of data must be stored and treated. A CASB can allow security teams visibility into the state of cloud-bound data so that cases of employees storing — or moving — data outside of policy can be detected and corrected.

Data Security

With visibility into the state of data in the cloud, a CASB can take the next step toward protecting that data. Acting through the API controls that allow the CASB visibility into transactions (such as those between cloud services) that never enter the enterprise network, CASBs can enforce policies like data encryption or obfuscation, specific requirements for authentication and access controls, and other parameters to ensure that data is stored in a safe manner.

Threat Protection

“Access” is written into the very name of a CASB, and products in the category can provide threat protection by enforcing access and authentication controls for data and applications in the cloud. In many cases the CASB will monitor activity and enforce policies by interacting with existing single-sign-on or identity-as-a-service tools. That ability to integrate with existing security infrastructure is one of a CASB’s strengths, along with another that separates a CASB from other tools.

While next-gen firewalls, web application firewalls, and other security tools are generally considered complex to set up to greatest advantage, the CASB has traditionally been a tool that is relatively easy to configure and deploy, even for less experienced security teams.


Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/theedge/casb-101-why-a-cloud-access-security-broker-matters/b/d-id/1337302?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

New Android Malware Strain Sneaks Cookies from Facebook

Two malware modifications, when combined, can snatch cookies collected by browsers and social networking apps.

Who stole the cookies from Facebook’s jar? Researchers found a culprit in the so-called “Cookiethief” malware, a new strain of Android malware that could give cybercriminals the means to steal cookies collected by the browsers and apps of social networking platforms.

Kaspersky Lab researchers have found two Android malware modifications. When combined, they aim to secure root rights on a target device and transfer cookies from the browser and Facebook app to a command-and-control (C2) server. Researchers have not determined how the Trojan lands on target devices but say the cause is not a flaw in Facebook or the browser itself.

Websites use cookies to store unique session IDs so users can revisit the same Web services without having to log in multiple times. Someone who steals a cookie could use it to impersonate that person and abuse their account for malicious purposes, explain Kaspersky Lab antivirus analyst Anton Kivva and security researcher Igor Golovin in a blog post about the malware discovery.

Cybercriminals aim to do this by creating two Trojans with similar codebases, both controlled by the same C2 server. The combination lets them take over social accounts, without alerting Facebook, and send malicious content. It’s unknown what the attackers’ ultimate goal is; however, a page on the C2 server advertises services for sending spam on social networks. It’s believed the attackers want account access so they can launch spam and phishing campaigns.

The first Trojan, researchers explain, gains root rights on the target device, which lets the attackers send cookies to servers they control. Researchers note that sometimes an ID number alone isn’t sufficient to let an adversary take over a social media account. Some websites, Facebook included, have protective measures meant to block suspicious logins — for example, when a user who was active in New York reappears moments later in London.

This is why the attackers created the second Trojan, which the researchers call Youzicheng and which is presumably from the same developers. It is a malicious application that runs a proxy server on the target device to bypass the social network’s security measures: by routing requests through the victim’s device, the attackers can access the website while appearing to be the legitimate account holder.

“These threats are only just starting to spread, and the number of victims, according to our data, does not exceed 1,000, but the figure is growing,” researchers explain.

They have linked Cookiethief malware with widespread Trojans including Sivu, Triada, and Ztorg. This type of malware, they say, is planted in the device firmware before it’s purchased. Attackers can also leverage vulnerabilities in the operating system to put the malware in system folders, where it can download different applications onto the system. This is how programs like Cookiethief and Youzicheng can land on a target device, the researchers say.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/new-android-malware-strain-sneaks-cookies-from-facebook/d/d-id/1337304?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Necurs zombie botnet disrupted by Microsoft

Microsoft announced on Tuesday that it was in on the busting-up of Necurs: one of the world’s biggest, baddest, busiest botnets.

Some consider Necurs to be the largest botnet ever, with estimates from 2017 indicating that, at the time, it consisted of more than 6,000,000 infected computers. It’s metastasized in the last three years: Microsoft said that the malware has now infected more than nine million computers globally.

The majority of infected computers looked like they were in India, but almost every country in the world seemed to be affected. Necurs has been used to pump out multiple flavors of nastiness worldwide, with the notable exception of Russia: the malware deliberately avoided infecting computers set up to use a Russian keyboard.

Up until it temporarily went offline around December 2016, it was inflicting malware that included Locky ransomware. It got its wind knocked out for a few months, but when Necurs came back in March 2017, it started belching out a huge pump-and-dump scam.

In its blog post, Microsoft said that, along with partners, it’s been spending the past eight years tracking and planning to knock the knees off Necurs. Microsoft says that coordinated legal and technical steps to disrupt the network of zombified computers will…

…help to ensure the criminals behind this network are no longer able to use key elements of its infrastructure to execute cyberattacks.


Microsoft says its Digital Crimes Unit, along with BitSight and others in the security community, first observed the Necurs botnet in 2012. Besides Locky and the pump-and-dump scam, Necurs has also been used by crooks to distribute the GameOver Zeus banking Trojan; fake pharmaceutical spam email and Russian dating scams.

Unsurprisingly, given that it’s tiptoed around computers using Russian keyboards in the past, Necurs is thought to be operated by Russian crooks. Besides the ransomware and the spam, the botnet has also been used as an attack dog, sent to jump on other computers on the internet and to steal credentials for online accounts, people’s personally identifiable information (PII), and other confidential data.

Microsoft says that Necurs’ operators also sell or rent access to their zombie computers to other crooks – what’s known as a botnet-for-hire service. The botnet has also been used to distribute financially targeted malware and cryptomining. It also has the capability of being used to launch a distributed denial of service (DDoS) attack. Its operators haven’t flipped the switch on that – yet. They could activate that capability at any time, Microsoft says.

Necurs has been a powerful force of yuck: Microsoft says that during one 58-day period, its staff watched as one Necurs-infected computer sent a total of 3.8 million spam emails to over 40.6 million potential victims.

How did they castrate that bull?

The trick was to grab it by its algorithm. Microsoft says it’s been heading up activities that will keep the crooks behind Necurs from registering new domains to execute attacks in the future – a feat that was accomplished by analyzing how Necurs systematically generates new domains through an algorithm.

From its post:

We were then able to accurately predict over six million unique domains that would be created in the next 25 months. Microsoft reported these domains to their respective registries in countries around the world so the websites can be blocked and thus prevented from becoming part of the Necurs infrastructure. By taking control of existing websites and inhibiting the ability to register new ones, we have significantly disrupted the botnet.
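The prediction step Microsoft describes above works because a domain generation algorithm (DGA) is deterministic: every bot computes the same names from the same inputs, so anyone who recovers the algorithm and its seed can enumerate the same names in advance. The following is an added example, not Microsoft's or Necurs' code: a hypothetical time-seeded DGA (the seed, TLD pool and label length are assumptions, and the real Necurs algorithm is not reproduced here) next to the defender-side loop that enumerates every name the bots will try over a period and then matches constructed resolver log lines against that list.

```python
"""Illustrative time-seeded DGA plus the defender-side prediction loop.

Hypothetical generator written for this example; it is NOT the Necurs
algorithm. SEED, TLDS and LABEL_LEN are assumptions.
"""
import datetime as dt
import hashlib
import re
from typing import List, Set

TLDS = ("com", "net", "biz", "info")   # assumed, illustrative TLD pool
LABEL_LEN = 12                         # assumed label length
SEED = 0xC0FFEE                        # assumed secret shared by all bots


def dga_domains(day: dt.date, seed: int = SEED, per_day: int = 4) -> List[str]:
    """Bot side: derive the rendezvous domains for one calendar day.

    Every bot runs the same deterministic function, so the operators can
    register one of the day's names ahead of time and the bots will find it.
    """
    domains = []
    for i in range(per_day):
        material = f"{seed}:{day.isoformat()}:{i}".encode()
        digest = hashlib.sha256(material).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:LABEL_LEN])
        domains.append(f"{label}.{TLDS[digest[LABEL_LEN] % len(TLDS)]}")
    return domains


def predict_domains(start: dt.date, days: int,
                    seed: int = SEED, per_day: int = 4) -> Set[str]:
    """Defender side: once algorithm and seed are recovered from a sample,
    enumerate every name the bots will try for `days` days from `start`.
    This is the list that gets reported to registries, pre-registered or
    sinkholed."""
    predicted = set()
    for offset in range(days):
        day = start + dt.timedelta(days=offset)
        predicted.update(dga_domains(day, seed, per_day))
    return predicted


QUERY_RE = re.compile(r"query=(?P<name>[A-Za-z0-9.-]+)")


def flag_dns_queries(log_lines: List[str], predicted: Set[str]) -> List[str]:
    """Match resolver log lines (constructed format: `... query=<name> ...`)
    against the predicted set. A hit is a host trying to reach the botnet."""
    hits = []
    for line in log_lines:
        m = QUERY_RE.search(line)
        if m and m.group("name").lower().rstrip(".") in predicted:
            hits.append(line)
    return hits


# Constructed sample: roughly 25 months of prediction, then two resolver log
# lines, one of which queries a name the DGA produces three days after START.
START = dt.date(2020, 3, 5)
PREDICTED = predict_domains(START, days=25 * 30)
SAMPLE_LOG = [
    "2020-03-08T10:00:01Z client=10.0.0.5 query="
    + dga_domains(START + dt.timedelta(days=3))[2] + " type=A",
    "2020-03-08T10:00:02Z client=10.0.0.6 query=example.com type=A",
]

if __name__ == "__main__":
    print(len(PREDICTED), "domains predicted")
    for hit in flag_dns_queries(SAMPLE_LOG, PREDICTED):
        print("DGA hit:", hit)
```

One caveat before trusting a multi-month prediction like the one in the quote: some DGAs deliberately mix in an external input that the operators can steer (a published exchange rate, for example) precisely so that the future list cannot be computed from the binary alone. Confirm that the recovered seed is static before reporting thousands of names to registries.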

Microsoft also had help from the courts: on 5 March, the US District Court for the Eastern District of New York issued an order enabling the company to seize the US-based infrastructure Necurs uses to distribute malware and infect computers.

The next step is to scrub Necurs malware off victimized computers, an effort that involves partnering with ISPs, law enforcement, government Computer Emergency Response Teams (CERTs) and other government agencies. Microsoft says it's working with domain registries, government CERTs and law enforcement in Mexico, Colombia, Taiwan, India, Japan, France, Spain, Poland and Romania, among others.

Want to make sure you’re free of malware? Microsoft suggests you head over to its Safety Scanner: a tool that helps to remove malware from Windows systems. Sophos also has its free Virus Removal Tool, as well as free tools for protecting both Windows and Mac systems.


Latest Naked Security podcast

LISTEN NOW

Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/n5i_1GFyjUY/

Analytics firm’s VPN and ad-blocking apps are secretly grabbing user data

A popular analytics platform has been secretly installing root certificates on mobile devices so it can suck up users’ data from its 20 or more ad-blocker and virtual private network (VPN) mobile apps, according to a BuzzFeed News investigation.

Both Google and Apple have hosed down their app stores to cleanse them of at least some of the apps from the company, Sensor Tower, which is used by developers, venture capitalists, publishers, and others to track the popularity, usage trends, and revenue of apps – analytics that you can sample in its Twitter postings.

The apps, which have more than 35 million downloads, neither let users know about their connection to Sensor Tower nor reveal that their data is being gobbled up by its products.

Some of the apps are no longer available, but BuzzFeed News said it recently traced a handful of apps in the Google Play store to Sensor Tower, including Free and Unlimited VPN, Luna VPN, Mobile Data, and Adblock Focus. Two of the apps – Adblock Focus and Luna VPN – were also available in Apple’s App Store. After BuzzFeed News contacted Apple, the company removed Adblock Focus. Similarly, Google removed Mobile Data after getting a heads-up. Both companies have said that their investigations are ongoing.

BuzzFeed News says that it managed to hunt down the apps’ owner after discovering code authored by developers who work for Sensor Tower. One clue was an online résumé belonging to a Sensor Tower developer that says he built “Android apps to power the Sensor Tower analytics platform.” His GitHub username shows up in the code of multiple apps. Another Sensor Tower developer says, on his personal site, that he’s…

Working on awesome top secret iOS Projects.

So much for trying to block ads

After they’re installed, the VPN and ad-blocker apps prompt users to install a root certificate so that the certificate issuer can access all traffic and data passing through a phone. Sensor Tower says it only collects “anonymized” usage and analytics data that it integrates into its products.

If that sounds like a consolation, think again: a recent study showed that it’s even easier to identify people from their anonymized data than was previously assumed. That’s saying a lot, given that we’ve known for years that surprisingly accurate inferences can be made about shoppers, even from their extremely vague purchasing data.

Randy Nelson, Sensor Tower’s head of mobile insights, told BuzzFeed News that the company kept its ownership of the apps hush-hush “for competitive reasons.” He says that Sensor Tower is now taking steps to make its connection to the apps “perfectly clear.”

Nelson said that the “vast majority” of the apps cited in the investigation are now defunct, while a few are “in the process of sunsetting.”

Sure, many are now defunct – mostly because their policy violations got them yanked. Apple removed a dozen from its App Store, an Apple spokesperson said. The company removed Adblock Focus after BuzzFeed got in touch and said that as of Monday, it was still investigating Luna VPN.

Both Google and Apple restrict the installation of root certificates because of the security risk they pose: a device that trusts an extra root will accept any certificate that root signs, so whoever holds its private key can intercept the device's TLS traffic. BuzzFeed News says that Sensor Tower's apps sidestep the in-app restrictions by prompting users, after the app is downloaded, to install the certificate through an external website.

There’s no such thing as a free lunch

We’ve posed, and answered, this riddle in the past: When is a VPN not private?

Usually, when you’re not paying for it.

Granted, maybe that’s not true all the time – Opera, for example, brought back its free VPN service to its Android browser a year ago.

But we’ve seen “free” VPNs make money off users in other ways. In the case of Hotspot Shield, that meant being required to look at ads or having at least some of your personal data – location, browsing habits, purchasing history, etc. – collected and sold to third parties for marketing. In August 2017, such practices led to a complaint being issued against the company with the US Federal Trade Commission (FTC) over “unfair and deceptive trade practices”.

As well, in May 2019, the US Department of Homeland Security (DHS) warned that foreign adversaries are interested in exploiting VPN services. In other words, foreign spies might be hiding in your VPN.

We’ve said it before, and we’ll say it again. In the words of Naked Security’s Paul Ducklin, there’s nothing magical about VPNs:

A VPN doesn’t magically improve security. All it really does is to make your VPN provider into your new ISP – your “first hop” on the internet. That first hop is the one place where a single provider gets to see all your traffic, whether it’s encrypted or not. You need to trust your VPN provider. A lot.

Swap the phrase “ad-blocker app” or “any supposedly free app at all” for “VPN,” and the equation resolves, once again, to “beware.”


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/7d51vt2qIGw/

Intel patches graphics drivers and offers new LVI flaw mitigations

Intel’s March security updates reached its customers this week and on the face of it, the dominant theme is the bundle of flaws affecting the company’s Graphics drivers.

There are 17 of these all told, including six rated high severity, starting with CVE-2020-0504, a buffer overflow that can lead to denial of service and whose CVSS score of 8.4 suggests the need for urgent attention.

Intel doesn’t offer much detail on the individual flaws beyond the fact they allow the usual trio of privilege escalation, information disclosure and denial of service, all of which require local access.

Beyond this lie fixes for another 11 flaws affecting product lines including SmartSound, BlueZ, the Max 10 FPGA, the NUC firmware, and the Programmable Acceleration Card (PAC) N3000.

However, the star flaw of the month is the Load Value Injection (LVI) weakness (CVE-2020-0551) publicised this week by a diverse group of mainly academic security researchers.

Following in the footsteps of a series of chip-level flaws with impressive names (Spectre, Meltdown, Fallout, ZombieLoad, RIDL, CacheOut), this one is what might light-heartedly be called a ‘NOBWAIN’ (Not a Bug With an Impressive Name).

According to the researchers, LVI is unlike previous side-channel processor attacks:

Instead of directly leaking data from the victim to the attacker, we proceed in the opposite direction: we smuggle – ‘inject’ – the attacker’s data through hidden processor buffers into a victim program and hijack transient execution to acquire sensitive information, such as the victim’s fingerprints or passwords.

Reported to Intel last April, it’s a novel technique which could, for example, be used to steal data from Software Guard eXtension (SGX) enclaves, a secure memory location inside post-2015 Intel processors used to store things like encryption keys, digital certificates, and passwords.

There is no simple fix for LVI, the researchers claimed, but Intel said it would, from this week, release mitigations for the SGX platform and software development kit. Beyond that, it downplayed the issue:

Due to the numerous complex requirements that must be satisfied to successfully carry out the LVI method, Intel does not believe LVI is a practical exploit in real-world environments where the OS and VMM are trusted.

The full list of affected processors can be found on Intel’s website, essentially all processors that come with SGX.

For now, because LVI has only been demonstrated in the lab, it isn't an issue the average Intel user needs to worry about. There are no known in-the-wild exploits of this, or of any of the previous hardware flaws found since Spectre and Meltdown were made public more than two years ago.

However, it’s clear that chip designers have some work on their hands building defences against these attacks into future hardware. These days, buyers largely upgrade to achieve higher processor performance. It now looks as if security might soon be just as compelling a reason.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/GYICQRoeTDQ/

Firefox 74 offers privacy and security updates

Just a month after shipping version 73 of its Firefox browser, Mozilla has released version 74 with a range of privacy and security enhancements. These include a privacy tweak to the way it handles the WebRTC multimedia streaming protocol.

Mozilla had promised some of its changes months or even years ago, but an unexpected addition is mDNS ICE, which improves privacy in peer-to-peer communications.

ICE stands for Interactive Connectivity Establishment, and it's a technique used in VoIP and peer-to-peer connections across network address translation (NAT). A NAT box rewrites addresses between networks, so the devices on your local network can use private addresses (like 192.168.1.100) that don't clash with those on the wider internet, while sharing a single public address.

ICE uses ‘candidates’ that provide alternatives for connections in a NAT environment. These candidates, which contain IP address and port information, increase the chance of successful connections on unmanaged networks by helping the other party find its way to the right computer behind a NAT connection.

The problem with that, as this IETF draft explains, is that ICE candidates expose private IP addresses to web applications by default, creating potential privacy issues. This applies to WebRTC, which is a browser-based peer-to-peer real-time communications standard. You can use WebRTC for video conferencing or monitoring IP cameras without needing to install separate applications.

Firefox 74 fixes the problem by combining ICE with multicast DNS (mDNS): instead of putting the computer's private IP address in the host candidate, the browser generates a random hostname, and peers on the same local network resolve that name with mDNS. Peers elsewhere, and the web application itself, never see the private address. That makes WebRTC communications more private.
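The candidate format the paragraphs above describe, as an added example (not Mozilla's code): a small Python parser for SDP `candidate:` lines that reports which local addresses a peer or web app would learn from them. The candidate lines, the mDNS hostname and the addresses in them are constructed; in a browser the same lines arrive through an RTCPeerConnection's icecandidate events. Note the reflexive candidate's `raddr` field: it is a second place a private address can appear, which is why the obfuscated sample zeroes it out.

```python
"""Check WebRTC ICE candidates for private-address exposure.

Added example, not Mozilla code. Parses SDP `candidate:` lines (RFC 5245
syntax) and reports any RFC 1918 / link-local / ULA address a peer or web
app would see, either as a host candidate or as the `raddr` of a server-
reflexive one. All candidate lines below are constructed samples.
"""
import ipaddress
import re
from typing import Dict, List, Optional

CANDIDATE_RE = re.compile(
    r"^(?:a=)?candidate:(?P<foundation>\S+)\s+(?P<component>\d+)\s+"
    r"(?P<transport>\S+)\s+(?P<priority>\d+)\s+(?P<addr>\S+)\s+"
    r"(?P<port>\d+)\s+typ\s+(?P<type>\S+)(?P<rest>.*)$"
)

# Ranges that identify a machine on its own LAN and should not leave the host.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "169.254.0.0/16", "fe80::/10",                      # link-local
    "fc00::/7",                                         # IPv6 ULA
)]


def parse_candidate(line: str) -> Optional[Dict[str, str]]:
    """Split one candidate line into its fields; None if it is not one."""
    m = CANDIDATE_RE.match(line.strip())
    if not m:
        return None
    cand = m.groupdict()
    extra = cand.pop("rest").split()
    attrs = dict(zip(extra[0::2], extra[1::2]))   # raddr/rport/generation...
    cand["raddr"] = attrs.get("raddr", "")
    return cand


def classify(addr: str) -> str:
    """'mdns' for the *.local names Firefox 74 substitutes, 'unspecified'
    for 0.0.0.0 / ::, 'local' for private ranges, 'public' otherwise."""
    if addr.lower().endswith(".local"):
        return "mdns"
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "hostname"
    if ip.is_unspecified:
        return "unspecified"
    if any(ip in net for net in LOCAL_NETS):   # False across IPv4/IPv6
        return "local"
    return "public"


def private_ip_leaks(candidate_lines: List[str]) -> List[str]:
    """Return the distinct local addresses exposed by a set of candidates."""
    leaked = set()
    for line in candidate_lines:
        cand = parse_candidate(line)
        if cand is None:
            continue
        for field in ("addr", "raddr"):
            value = cand[field]
            if value and classify(value) == "local":
                leaked.add(value)
    return sorted(leaked)


# Constructed: what an un-obfuscated browser emits versus the mDNS form.
LEAKY = [
    "a=candidate:1 1 UDP 2122252543 192.168.1.100 54321 typ host",
    "a=candidate:2 1 UDP 1686052607 203.0.113.7 54321 typ srflx "
    "raddr 192.168.1.100 rport 54321",
]
OBFUSCATED = [
    "a=candidate:1 1 UDP 2122252543 "
    "5e3a1c2b-9f4d-4e8a-b1c6-0d7f2a9b8c3e.local 54321 typ host",
    "a=candidate:2 1 UDP 1686052607 203.0.113.7 54321 typ srflx "
    "raddr 0.0.0.0 rport 0",
]

if __name__ == "__main__":
    print("leaky:", private_ip_leaks(LEAKY))
    print("obfuscated:", private_ip_leaks(OBFUSCATED))
```

The mDNS name is only resolvable by peers on the same local network, which is the whole point: a peer elsewhere on the internet falls back to the server-reflexive or relayed candidates, which carry the public address it would have seen anyway.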

Another big change concerns sideloading, the practice of installing extensions without the user's involvement, typically by another program dropping the extension files into a directory that Firefox scans. In Firefox 74, users must install the extensions that they want themselves, and they can remove previously sideloaded extensions using the add-ons manager. Developers will still be able to push updates to previously sideloaded extensions, Mozilla said.

The company explained that this doesn’t apply to those pushing out their own Firefox distributions, such as some Linux distros. Neither will it apply to Firefox Extended Support Release (ESR). Enterprises can continue to sideload extensions in Firefox browsers managed by policies.

Firefox 74 also officially deprecates versions of TLS before 1.2. Mozilla vowed to nix TLS 1.0 and 1.1 in Firefox back in 2018 and is delivering on schedule. TLS 1.0 turned 21 years old in January and has some shortcomings. According to the IETF, versions 1.0 and 1.1 don’t support current recommended cipher suites, leading some governments to ban them for applications altogether. The IETF has recommended v1.2 since 2008, so it’s probably about time that we ditched the others.

If a website tries to use a pre-1.2 version of TLS, Firefox 74 will now show an error page. If you’re intent on dealing with an insecure web page, though, you can go ahead because there’s an override button – for now.

The latest version of Firefox brings a handful of other changes, including the addition of an allowlist to the browser's Facebook Container. This extension isolates Facebook, so people can use the social media site without letting it track them via other websites they visit. Sometimes, though, they might want another site to talk to Facebook about them, for example a site they log into with their Facebook account. The allowlist lets people add such sites to a list of exceptions.

Mozilla also fixed 12 security flaws in the browser, all with a severity rating of high or less.

Given that this release comes four weeks after the last, it now seems that we can’t call the Firefox release date ‘fortytwosday’ anymore, in line with its past 42-day release cycle and, of course, in honour of Hitchhiker’s Guide to the Galaxy (which is 42 this month). Don’t Panic – we’ll think of something. How about 28 Days Later?


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Yu3KcALHXzw/