STE WILLIAMS

When you’re in the kitchen and throw pasta against the wall, it might stick so that you can tell whether it’s cooked. When you’re in computer security and you throw things against a target’s “wall,” they might do nothing … they might blow up the wall. Or they might land you in a different place entirely. That’s the allure — and the danger — of “fuzzing” as a research tool.

To understand what fuzzing is and why it’s so valuable, we go back 30 years to “An Empirical Study of the Reliability of UNIX Utilities,” a paper written by lead author Barton P. Miller, the “father of fuzzing.” In that paper, and in its 1995 follow-up “Fuzz Revisited,” Barton and his co-authors present the technique of throwing unanticipated input at utilities and programs to see what happens.

In the original paper, Barton wrote that the idea of fuzzing was born in line noise from a dial-up network connection. When random characters in the exchange caused a program to crash, it led researchers to wonder whether a tool generating random input strings could be valuable when looking at application security and reliability. As it turns out, it can be quite valuable — and the method can aid in discovering a host of vulnerabilities and errors.

What Can Fuzzing Discover?
The errors and vulnerabilities that fuzzing can discover tend to fall into four broad categories: invalid inputs, memory leaks, assertion failures, and incorrect results or connections. A separate area of fuzzing is used in credential stuffing attacks. Each can result in its own form of insecurity for the application or system owner.

Invalid input: In almost every application that accepts user input, the program expects the input to be in a particular format. But what happens if, for example, a text string is entered into a date field? What happens if a series of emojis is entered into a name field? In both cases, type-checking functions should throw away the input and issue an error, but rushed developers don’t always include robust type-checking in their code. That’s when the vulnerabilities begin.

Memory leaks: Memory leaks — when applications use memory for instructions and data, they’re supposed to clean up after themselves, releasing the memory to be used again and keeping everything within the nice, neat, logical boundaries that computers love. Unfortunately, some programmers don’t follow best practices and some programming languages thwart the best memory management efforts. Because of this, over time, memory becomes cluttered with stray data, information is stored where it shouldn’t be, and havoc ensues. Stuffing excessively large input into applications can speed up the process if good input-validation isn’t in place, and fuzzing can help figure out where those opportunities for mayhem reside.

Assertion failure: Many applications assume that you’ve followed a logical path to get to a given point. That tends to mean that qualifications have been met and states set before you do what you’re doing now. But what if those states haven’t been set and those qualifications haven’t been met? If you’re still allowed to proceed, then an assertion failure has occurred — something the program was expecting hasn’t yet happened. Fuzzing is a great way to see if you can “skip the line” and get somewhere you shouldn’t be.

Unexpected connections: Fuzzing can help answer the question, “What if, instead of my first name, I entered a SQL command here?” Or, “What if I entered a URL where the application was expecting something else?” In each of these cases, if anything but a discarded input and error message result, then a vulnerability has been discovered.

Credential stuffing: Report after report show that human beings tend to rely on a handful of common, easily typed passwords for online accounts. And organizations tend to use a handful of formats for generating email addresses for employees. Attackers (or pen testers) can then try all of the common password types with each possible email address — statistically, they’ll get at least a few successful logins for each organization. Of course, running through all of the permutations can take time, unless the attacker is using an automated tool for fuzzing credentials.

Fuzzing Tools
In order to truly explore each type of vulnerability, a researcher must try a variety of different possibilities for each targeted input field. It would take far too much time to do this manually, so a variety of different automated tools have been developed to make the process faster and easier.

There are a number of free tools available for fuzzing. Among them are:

• American Fuzzy Lop
• honggfuzz
• libFuzzer

While not a simple fuzzing tool, Google OSS-fuzz is used by many researchers and can be a valuable tool for learning a complete research process around fuzzing. And it’s important to note that Barton has maintained a web page about fuzzing, including a link to download all the software, definitions, and targets in his original research, at the University of Wisconsin-Madison.

Related Content:

• War on Zero-Days: 4 Lessons from Recent Google Microsoft Vulns
• Bug Bounty Awards Climb as Software Security Improves
• AI Poised to Drive New Wave of Exploits
• 53 Bugs in 50 Days: Researchers Fuzz Adobe Reader
• 5 Emerging Trends in Cybercrime

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and … View Full Bio

Article source: https://www.darkreading.com/edge/theedge/fuzzing-101-why-bug-hunters-still-love-it-after-all-these-years/b/d-id/1335672?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Omer Tene, VP, International Association of Privacy Professionals (IAPP), also contributed to this article.

By any measure, this summer has been a busy time for privacy news. It started with a flurry of enforcement activity in Europe, including announcements from the UK privacy regulator of fines in the amount of $230 million against British Airways and $125 million against Marriott. It continued with a high-stakes standoff in Europe’s highest court between Max Schrems (a prominent privacy advocate), Facebook, and the Irish Data Protection Commissioner, which could jeopardize the future of transatlantic data flows. Finally, it ended with a big bang, with news publicly released to the humdrum of a summery Friday afternoon of the FTC’s $5 billion fine against Facebook in connection with the Cambridge Analytica scandal.

The message resonated loud and clear in corporate boardrooms from Silicon Valley to London: Privacy has become a first-order media and regulatory concern.

How should businesses respond to this new drumbeat of privacy outcries and enforcement actions? The risks of data mismanagement — measuring hundreds of millions of dollars and including security breaches, inappropriate information sharing, and “creepy” data uses — are no longer an acceptable cost of doing business, making it abundantly clear that society cannot experience the full benefits of a digital economy without investing in privacy.

The good news is that the public has recognized the gravity of the problem. Breakthroughs in healthcare, smart traffic, connected communities, and artificial intelligence (AI) confer tremendous societal benefits but, at the same time, create chilling privacy risks. The bad news is that we’re hardly ready to address these issues. As Berkeley professors Deirdre Mulligan and Kenneth Bamberger wrote in Privacy on the Ground: Driving Corporate Behavior in the United States and Europe, it’s one thing to have privacy “on the books,” but it’s quite another thing to have privacy “on the ground.”

According to research by the International Association of Privacy Professionals (IAPP), more than 500,000 organizations have already registered data protection officers in Europe. Yet only a fraction of those roles can actually be staffed by individuals who are trained on privacy law, technologies, and operations. To rein in data flows across thousands of data systems, sprawling networks of vendors, cloud architectures, and machine learning algorithms, organizations large and small must deploy highly qualified people, technologies, and processes that are still in the early developmental stage.   

First, the people who will serve as foot soldiers of this army of professionals must be modern-day renaissance persons. They have to be well-versed on the technology, engineering, management, law, ethics, and policy of the digital economy. They need to apply lofty principles like privacy, equality, and freedom in day-to-day operational settings to disruptive tech innovations such as facial recognition, consumer genetics, and AI. They need to not only understand the logic underlying black box machine learning processes but also the mechanics of algorithmic decision-making and the social and ethical norms that govern them. Unfortunately, existing academic curricula are siloed in areas such as law, engineering, and management. Government, academic, and accreditation bodies should work to lower the walls between disciplines to ensure that lawyers and ethicists talk not only to each other but also with computer scientists, IT professionals, and engineers.

Second, researchers and entrepreneurs are building a vast array of technologies to help companies and individuals protect privacy and data. Just last week, OneTrust, a privacy tech vendor, raised $200 million at a valuation of $1.3 billion, making it the first privacy tech unicorn merely three years after its launch. Some of these new technologies help organizations better handle their privacy compliance and data management obligations. Others provide consumers with tools to protect and manage their own data through de-identification, encryption, obfuscation, or identity management. Over the next few years, governments and policymakers should give organizations incentives to innovate not only around data analytics and use but also around protection of privacy, identity, and confidentiality.   

Third, organizations should deploy data governance processes and best practices to ensure responsible and accountable data practices. Such processes include privacy impact assessments, consent management platforms, data mapping and inventories, and ongoing accountability audits. With guidance from regulators and frameworks from standard-setting bodies, such as the National Institute of Standards and Technology, procedural best practices will develop for both public and private sector players.

Like so many complex societal issues, privacy concerns require a matrix of responses. We certainly need strong laws and effective enforcement, but organizations should also embrace their stewardship of data and invest in the processes and technologies to better manage their data stores. Importantly, we need to continue to educate and train professionals with the knowledge and skills to make ethical, responsible decisions about how data is handled. To facilitate innovative data uses and unlock the benefits of new technologies, we need privacy not only in the books but also on the ground.

Related Content:

• 6 Actions That Made GDPR Real in 2019
• ‘Phoning Home’: Your Latest Data Exfiltration Headache
• The California Consumer Privacy Act’s Hidden Surprise Has Big Legal Consequences

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “Fuzzing 101: Why Bug-Finders Still Love It After All These Years.”

As president and CEO of the International Association of Privacy Professionals (IAPP), J. Trevor Hughes leads the world’s largest association of privacy professionals, which promotes, defines and supports the privacy profession globally.  Trevor is widely recognized as a … View Full Bio

Article source: https://www.darkreading.com/risk/privacy-2019-were-not-ready/a/d-id/1335621?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Thousands of Android set-top boxes of the sort used by people to stream media from Hulu, Netflix, and other services have been infected with malware and become part of a growing botnet of similarly compromised devices.

Internet of Things (IoT) security vendor WootCloud, which discovered the threat, has dubbed it the ARES ADB botnet. The botnet is being used as a launchpad to trigger multiple attacks such as brute-force password cracking, denial-of-service attacks, and cryptomining.

In a report this week, WootCloud described the botnet as targeting Android Debug Bridge (ADB), a management component on Android devices that enables debugging and remote management operations.

The ADB service is often left open and unauthenticated on many Internet-connected Android devices, giving attackers a way to access them and take full administrative control. “Accessing the device through TCP port 5555 results in obtaining shell which allows remote command execution, uploading/downloading of custom applications, data access,” and other activity, WootCloud warns.

The ARES botnet is the latest sign of attackers targeting vulnerable non-computer IoT devices to build botnets for a variety of malicious purposes. Following the Mirai botnet attacks of 2016, attackers have been actively targeting home routers, security cameras, DVRs, smart TVs, and other Internet-connected devices, which often have weak to no security protections. Many of these devices often provide unauthenticated remote access or are protected only with default passwords and cannot be easily patched or updated. Though many of the devices individually have little computing power, attackers are often able to infect tens of thousands of them at the same time to build botnets capable of doing considerable damage.

With the latest threat, attackers are actively exploiting the ADB configuration issue to install the ARES bot on Android-based set-top boxes from several vendors, including HiSilicon and Cubetek. Once the bot gets installed on a device, it starts scanning for other set-top boxes with similarly misconfigured ADB interfaces and then installs payloads for triggering additional attacks.

Most infections so far have been in South Asia and the broader Asia-Pacific region. The command-and-control servers with which infected devices have been communicating have been observed at multiple locations, including North America.

Potentially Major Impact
Srinivas Akella, founder and chief technology officer at WootCloud, says the ARES botnet poses a potentially major threat to the growing number of other Android-based set-top boxes that consumers and enterprises are using. “This botnet has the potential to affect smart TVs and other IoT devices that have a misconfigured ADB,” he says.

With standard Android images, the ADB is not enabled by default. However, several set-top boxes that are available today are running customized versions of the Android OS, which have been rooted and have ADB enabled by default, he says.

To protect against the ADB being misused in cases where it is left enabled, routers can be configured to block the ingress and egress network traffic to TCP port 5555, which is the port that ADB uses.

Enterprises should also configure their network policies to restrict ingress and egress network traffic to IoT devices. “Restrict the ADB interface on the IoT devices to authorized IP address space,” he says. “Monitor the ADB interface traffic originating from unknown resources, including the network traffic originating from these devices.”

Organizations should also ensure that interfaces on IoT devices such as telnet and SNMP are properly protected with strong passwords to prevent unauthorized access, Akella says.

Home users of vulnerable set-top boxes may have a slightly harder time mitigating the risk. A lot depends on the design of the set-top box and whether the vendor provides an option to disable ADB functionality. When the option is not available, “home users will need to have technical acumen to disable the ADB functionality either by setting up their routers to block traffic,” Akella says, “or by logging in to the device and disabling ADB services on the command prompt.”

Related Content:

• Unsecured IoT: 8 Ways Hackers Exploit Firmware Vulnerabilities
• Securing Our Infrastructure: 3 Steps OEMs Must Take in the IoT Age
• New IoT Security Bill: Third Time’s the Charm?
• Consumers Urged to Secure Their Digital Lives

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “Fuzzing 101: Why Bug-Finders Still Love It After All These Years.”

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year … View Full Bio

Article source: https://www.darkreading.com/attacks-breaches/new-botnet-targets-android-set-top-boxes/d/d-id/1335688?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Google Cloud today released the public beta version of Managed Service for Microsoft Active Directory (AD), a move intended to help admins manage AD-dependent workloads in the cloud.

More apps and servers dependent on Microsoft AD are moving to the cloud, complicating processes for IT and security teams required to meet latency and security goals while also configuring and securing AD Domain Controllers. Managed Service for Microsoft AD was first debuted at the company’s Next 2019 conference in April.

The idea is to make it easier for admins to handle AD workloads, automate AD server maintenance and security configuration, and connect on-prem AD domains to the cloud.

Google Cloud’s service runs real AD Domain Controllsers so admins can use standard AD features such as Group Policy, as well as Remote Server Administration Tools and other tools to manage the domain. It’s automatically patched and has default security configurations in place. Admins can connect on-prem AD to Google Cloud or use a standalone domain for cloud-based workloads.

Read more details here.

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “Fuzzing 101: Why Bug-Finders Still Love It After All These Years.”

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/cloud/google-cloud-releases-beta-of-managed-service-to-microsoft-ad/d/d-id/1335687?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Bug bounties continue to rise as more companies take part in crowdsourced challenges to attract security-minded freelancers and hackers to analyze their code, but the opportunities to profit typically fall to only a very small fraction of participants, according to security-program management firm HackerOne.

In its latest annual “Hacker-Powered Security Report,” the company found the average bounty paid to bug finders jumped to $3,384 for critical vulnerabilities, a 48% increase over the previous year’s average, with cryptocurrency and blockchain companies paying the most — $6,124, on average. In the past 12 months, more than 30,000 security issues were reported to HackerOne’s clients, which awarded vulnerability researchers with more than $21 million. 

Yet of the more than half-million hackers that have signed up for a HackerOne-managed challenge, only about 5,000 are really doing well, says CEO Marten Mikos.

“We have this enormous hacker community of half a million who are engaged and trying and competing,” he says. “It is a very small minority that rises to the top, and that is intentional.”

The report underscores the success of the bug-bounty model as a way to catch vulnerabilities in products and services. More than 1,400 organizations use HackerOne’s service and “hundreds” more use the crowdsourced security service of rival Bugcrowd. More than a quarter of HackerOne’s programs are for Internet and online services, and another 20% consist of computer software firms. However, financial services and media companies make up a significant part — more than 7% each — of the market.

Yet for the vast majority of interested researchers, the contest model does not work out. HackerOne boasts a half-dozen participants who have made more than $1 million on its platform, and another seven who have hit more than $500,000 in lifetime earnings — a tiny fraction of the more than 500,000 people who have signed up.

Mikos compares the winnowing of the competitive field to the struggle of becoming a movie star in Hollywood or going pro in basketball.

“Everyone plays basketball after school, but not everyone makes it the NBA,” he says. “We need to have the broadest community to find those very few unique individuals who have the curiosity, the aptitude, the interest, the discipline to succeed.”

The overall rise in bug bounties comes as no surprise. In its own report, crowdsourced-security firm Bugcrowd saw payouts for security issues through its own programs rise 83%, with bounties for critical vulnerabilities up 27% to $2,670. The most lucrative payouts in Bugcrowd’s analysis were from Internet of Things manufacturers, which paid an average of $8,556 per critical vulnerability.

Part of the reason for the rise is that companies are paying more to find more difficult classes of bugs, according to HackerOne. 

“Looking at the data, 4 out of 5 of the top VRT (vulnerability rating taxonomy) classes for 2018 revolve around vulnerabilities that are difficult, if not impossible, for any machine to find,” the company states in the report.

Both Microsoft and Google have recently raised their bounties. In July, for example, Google raised the maximum payouts for several classes of vulnerabilities in its services and products, with the maximum baseline reward jumping to $15,000 from $5,000. And earlier this year, Zerodium, which sells exploits to governments to allow them to surveil citizens, raised its reward for an exploit chain, which strings several vulnerabilities together to compromise a particular program or operating system, to $2 million for Apple’s iOS operating system.

Yet those rewards are only for finding the most lucrative vulnerabilities. Only 7% of issues found in HackerOne programs were critical, with another 18% considered to be of high severity. The vast majority of vulnerabilities — 75% — were of low or medium severity. While the average bounty across the HackerOne platform rose 65% in the past 12 months, finding those vulnerabilities are far less lucrative. 

The four industries that paid the highest bounties were cryptocurrency and blockchain companies, which paid $6,124 for critical issues; Internet and online service firms, which paid $4,973; aviation and aerospace firms, which paid $4,500; and electronics and semiconductor firms, which paid $4,398.

While rewards for most bugs continue to be low, the lure of bug-bounty competitions could play a significant role in attracting better talent to cybersecurity, which is in need of more personnel. 

“Out of that 500,000, maybe 50,000 will keep hacking, maybe 5,000 will become security professionals, and, out of that, maybe 500 will become CISOs,” he says. “The nice thing is it will happen automatically. We are driving it by making it very attractive to young people to learn in our ranks.”

Related Content:

• Bug Bounties Continue to Rise as Google Boosts its Payouts
• Planning a Bug Bounty Program? Follow Shopify’s Example
• Bounty Hunters Find 100K+ Bugs Under HackerOne Program in 2018
• Bug Bounty Awards Climb as Software Security Improves
• ‘Hack the Marine Corps’ Bug Bounty Event Held in Vegas

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “Fuzzing 101: Why Bug-Finders Still Love It After All These Years.”

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline … View Full Bio

Article source: https://www.darkreading.com/vulnerabilities---threats/vulnerability-management/bug-bounties-continue-to-rise-but-market-has-its-own-1--problem/d/d-id/1335689?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Google is upping its security game with the launch of a new Developer Data Protection Reward Program (DDPRP) and the significant expansion of the Google Play Security Reward Program (GPSRP).

According to the company, GPSRP will now include all Google Play apps with 100 million or more installs. The significant change is that all of these apps will be eligible for bug-bounty payment, even if the app publisher doesn’t run its own bug-bounty program. For those apps from publishers that do have existing bug-bounty programs, the GDSRP will now pay bounties in addition to those paid by the publisher.

The new DDPRP is being done in collaboration with HackerOne. The program is aimed at data-abuse issues in Android apps, OAuth projects, and Chrome extensions. The program, Google said in an announcement, is intended to reward any researcher providing “verifiably and unambiguous evidence of data abuse.”

Google noted that it is particularly interested in situations where user data is being sold unexpectedly or repurposed in an illegitimate manner without user consent.

For more, read here and here.

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “Fuzzing 101: Why Bug Hunters Still Love It After All These Years.”

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/cloud/google-announces-new-expanded-bounty-programs/d/d-id/1335690?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple