STE WILLIAMS

Attackers Try to Evade Defenses with Smaller DDoS Floods, Probes

Cybercriminals are initiating more attacks using low-bandwidth techniques, but the tactics expand the gray area between DDoS attacks and popular methods of mass scanning.

Cybercriminals are increasingly targeting corporate networks, websites, and online services with low-bandwidth distributed denial-of-service (DDoS) attacks that exploit weaknesses in application infrastructure to disrupt business, Internet infrastructure firm Neustar stated in an August 14 threat report.

In its “Q2 2019 Cyberthreats Trends” report, Neustar found that DDoS attacks using less than 5 Gbit/s make up a greater share of packet floods, with more than 75% of all attacks using less than 5 Gbit/s in the second quarter of 2019, up from less than 70% the previous year. The average attack consisted of a 0.99 Gbit/s stream of packets, so small that most companies may not notice the impact, says Michael Kaczmarek, vice president of product for Neustar Security.

“People think DDoS is going away,” he says. “They think it is this unsophisticated brute-force attack, but by no means is it gone; it has just morphed.”

Overall, DDoS attacks increased by 133%, more than doubling, according to Neustar’s report. The trend is a reversal from last year, when security firms had documented a decrease in attacks for most of the year. The average attack also showed greater complexity, with 82% of attacks using two or more different threat vectors.

The different vectors aim to find a vulnerable spot in a company’s infrastructure and abuse the weakness, Kaczmarek says.

“The attackers are getting more sophisticated in what they are targeting,” he says. “They are going after not the most vulnerable guy, but the most vulnerable component of the infrastructure.”

Most companies seem to have a pretty good response to attacks, however, with a quarter initiating DDoS mitigation within a minute and another 62% within five minutes. Only 11% of companies actually take longer than 5 minutes to respond to a DDoS attack.

In addition, companies are likely to detect multivector attacks, with only 14% of firms very unlikely or somewhat unlikely to notice smaller attacks.

Neustar argues in the report, however, that any response aside from “very likely to detect a smaller attack” is a security failure. “Fewer than 3 in 10 organizations are very likely to notice smaller multi vector attacks, suggesting that greater awareness would be beneficial,” the company states in the report.

The study raises questions about what exactly can be defined as a distributed denial-of-service attack. The inclusion of much smaller attacks, of which seven in 10 companies are not certain to detect, suggests that DDoS attacks are merging with the standard tactic of scanning for vulnerabilities in security companies’ lexicons. (The report appears to use a standard definition of DDoS as an attack that denies service.)

“The basic form and composition of the DDoS traffic may not have changed much, but the ability to precisely target these attacks has evolved markedly,” the report states. “DDoS attacks can now be directed at specific services, gateways, applications, and Application Programming Interfaces (API), and as the target becomes smaller, less traffic is required to bring it down.”

Most companies would likely, however, detect an interruption of service to some part of their infrastructure. Most of these attacks fall in the area of application-layer attacks, and not just denial of service, according to Kaczmarek, who included both credential-stuffing and SQL injection scans as potential examples.

“It could be the attack is targeting a specific resource that you were not aware of,” he says. “It could be a billing app that is out there, or an API that is doing a communication between you and the bank. [Finding these attacks is] going to require a deeper investigation.”

The upshot is that attackers are no longer focused on just denying service but on a range of goals that can be accomplished with scans, packet floods, and application attacks. For that reason, Internet infrastructure-security companies have followed suit with defenses.

“It goes back to the idea of what is valuable versus what is vulnerable,” Kaczmarek says. “I may not notice these attacks immediately, but in the end, even the smaller ones will have a large impact overall.”


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline …

Article source: https://www.darkreading.com/attacks-breaches/attackers-try-to-evade-defenses-with-smaller-ddos-floods-probes/d/d-id/1335522?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Why Companies Fail to Learn from Peers’ Mistakes (and How They Can Change)

Far too often, there’s a new breach in the headlines. Companies need to start learning some obvious lessons.

Week after week, data breaches continue to make news headlines. Despite this, companies are reluctant to make the changes to their IT environments and security practices that would help them respond to various threats, making them susceptible to having their data compromised. Even when these security adjustments are relatively simple, such as installing software updates on endpoint devices, some companies still fail to take the necessary steps.

Let’s take a look at why companies are reluctant to learn from their peers’ mistakes and what they can do to avoid similar fates.

Why Companies Won’t Change

· Lack of knowledge and expertise: IT security professionals must continue to develop their skills in order to keep pace with the rapid evolution of technology. One of the biggest challenges for companies is finding qualified individuals who can help them to protect their sensitive data. According to (ISC)² research, the shortage of cybersecurity professionals is now 2.93 million globally. 

· Lack of resources: While companies need to reserve funds for general IT purposes, they must also invest in the proper tools and technologies that can protect them against modern threats. Unfortunately, organizations typically have large sunk costs associated with prior investments into on-premises infrastructure, which can make them more reluctant to spend the extra funds needed to adopt additional, necessary security solutions as they migrate to the cloud.

· Fear of change: Some organizations are set in their ways and might underestimate the need to adopt relevant security tools and practices in the cloud. While on-premises tools and best practices are necessary in the vast majority of organizations, the misguided impression that they extend perfectly to cloud and bring-your-own-device (BYOD) environments can be very costly. The truth is that leveraging the cloud is a fundamentally different way of doing business and requires different security solutions. 

· Illusion of safety: Some organizations have a misguided belief that they are not likely to be a target for hackers and consequently assume that they don’t have to worry about cybersecurity. There is a misconception that larger or more widely known organizations represent a more lucrative target and that hackers are more likely to focus on them. However, companies that have inadequate protections are prime targets for hackers, no matter how “under the radar” they may believe themselves to be.

Lessons Learned

Organizations can no longer have a lax cybersecurity posture if they want to defend sensitive data such as their customers’ personal information and accounts. Below are seven steps that companies can and must take in order to prevent data breaches:

  1. Hire the right talent: Ensure that the IT security professionals you hire have the right knowledge and skills to meet the security needs of your company. Having an IT team that has no experience in protecting data in cloud environments is not prudent because the majority of applications used in the modern enterprise are now cloud-based.
  2. Stay on top of critical software updates and patches: Far too many breaches are caused by outdated or flawed software for which patches and updates are readily available.
  3. Perform regular vulnerability assessments: Organizations must be aware of their vulnerabilities and prioritize fixing them ahead of time. For companies that leverage infrastructure-as-a-service platforms, this involves using tools to identify and address misconfigurations in cloud environments that can expose data.
  4. Educate all employees: One of the best tactics companies can leverage to strengthen security is to adopt a “security first” mentality across the entire organization. This needs to stem from the top, with the C-suite emphasizing how everyone in the company is responsible for helping to protect sensitive data, and must encompass regular training on topics such as how to spot phishing emails and how to share data securely.
  5. Employ best-practice security tools: For all organizations, there are certain tools that are considered essential for adequate cloud security, including data loss prevention, user and entity behavior analytics, searchable encryption, and multifactor authentication (MFA). “Step-up MFA” is also a useful tool: additional authentication is required in real time if suspicious activity occurs.
  6. Be proactive: It’s far easier to prevent data breaches than it is to recover from one. Make sure your security policies and practices reflect a proactive approach rather than a reactive one.
  7. Securely enable new tech: Employees are quick to adopt any technology that boosts their productivity and makes doing their jobs easier; however, this often happens even when their companies have not yet sanctioned the use of said technology. This is particularly true of BYOD environments and cloud applications. Organizations are far safer if they get ahead of the curve and enable these types of technologies responsibly and securely.

Organizations have witnessed the aftermath of data breaches and the costs associated with failing to keep sensitive data secure. They regularly see their peers face hefty fines, lawsuits, loss of revenue, and damaged reputations. Thinking “this could never happen to my company” is inaccurate and dangerous. Breaches can be the result of misconfigurations, malware attacks, phishing, malicious insiders, and countless other threats — any of these can cause massive damage to companies and their stakeholders. It’s time for organizations to heed the warnings in the news and take a more proactive approach to cybersecurity.


As Chief Technology Officer of Bitglass, Anurag Kahol expedites technology direction and architecture. Anurag was director of engineering in Juniper Networks’ Security Business Unit before co-founding Bitglass. He received a global education, earning an M.S. in computer …

Article source: https://www.darkreading.com/cloud/why-companies-fail-to-learn-from-peers-mistakes-(and-how-they-can-change)/a/d-id/1335486?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

4 ‘despicables’ jailed for running hidden worldwide child abuse forums

Four men will serve prison terms followed by lifetime supervised release after producing and distributing imagery of their own and others’ sexual abuse of children, and/or running multiple services for producers and consumers of child abuse imagery – services that they mistakenly thought were hidden away on the Tor anonymizing network.

The Department of Justice (DOJ) on Monday announced the sentencing of the four men, who had all previously pleaded guilty to conducting what the department called a worldwide child exploitation enterprise.

Chief US District Judge Waverly D. Crenshaw of the Middle District of Tennessee handed down these sentences to these convicts:

  • Patrick D. Falte, 29, of Franklin, Tennessee, was sentenced to 35 years in prison for engaging in a child exploitation enterprise, three counts of advertising child abuse imagery, and three counts of distributing child abuse imagery.

The remaining three men were all convicted of engaging in a child exploitation enterprise:

  • Benjamin A. Faulkner, 28, of Ontario, Canada, who was sentenced to 35 years in prison.
  • Andrew R. Leslie, 24, of Middleburg, Florida, who was sentenced to 30 years in prison.
  • Brett A. Bedusek, 35, of Cudahy, Wisconsin, who was sentenced to 20 years in prison.

Giftbox Exchange

The DOJ says that in July 2015, Falte created a website called the “Giftbox Exchange” as a Tor hidden service, meaning it could only be accessed by users through the Tor anonymity network. He used Bitcoin to pay for it – another tactic typically used by criminals trying to hide their tracks.

At the time that law enforcement shuttered the site in November 2016, it had over 72,000 registered users and 56,000 posts. The DOJ says that besides running the site on the Tor network in order to mask the IP addresses of its users, Falte and his co-conspirators also used other techniques to thwart law enforcement, including file encryption and cryptography.

The DOJ’s press release quoted US Attorney Don Cochran for the Middle District of Tennessee, who said that the four men’s sentences mean they’ll all be locked away where they can’t hurt children anymore:

The sentences imposed on these despicable individuals should ensure that they never have another opportunity to abuse another child. With all that we have, we will continue to hunt down the evil and abominable like-minded individuals who delight in abusing children and will bring them to justice.

Tor doesn’t hide all the tracks

This case is just the latest of a long string of reminders that in spite of the anonymity provided by the dark web’s clever encryption, you can still be tracked down. There have been many criminals who have thought pretty highly of their own skills at covering their tracks, including putting faith in the Tor network to keep them anonymous… yet still left tracks that investigators followed to their computers.

Tor is short for “The Onion Router”. It provides online anonymity by encrypting network traffic in layers and bouncing it around among a number of relays, also known as nodes, in the Tor network.

Instead of coming from your own IP address, traffic routed via Tor appears to come from the last relay (the exit node) in the randomly chosen chain of Tor relays used for your connection.

According to the Tor Project, Tor relay operators have “no records of the traffic that passes over the network and therefore can’t hand over information about its origin.”
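The layered encryption described above, as an added illustration that is not from the article, Sophos or the Tor Project: the client wraps a request in one encryption layer per relay, and each relay strips only its own layer, learning the next hop and nothing else. The relay names, the per-hop keys (in Tor they come from the circuit-building handshake; here they are assumed to be pre-shared), the fixed-width hop field and the HMAC-SHA256 toy stream cipher are stand-ins chosen for this example, not Tor’s real cell format or its AES-CTR-inside-TLS cryptography.

```python
"""Toy onion-routing walk-through: three relays, one destination (added example).

Each hop holds a key shared with the client; the client wraps the message in one
layer per relay, so a relay can strip exactly its own layer and learn only the
next hop. The cipher is a throwaway HMAC-SHA256 keystream, used only so the
layering is visible; real Tor uses AES-CTR inside TLS and a fixed cell format.
"""
import hashlib
import hmac
import os
import struct

HOP_FIELD = 32   # fixed-width next-hop field (assumed layout for this example)
NONCE_LEN = 16


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (toy cipher, not for real use)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_layer(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with the keystream; symmetric, so it both adds and strips a layer."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def build_onion(route, destination, payload, keys):
    """Wrap the payload from the inside out: the exit's layer names the
    destination, the middle relay's layer names the exit, the guard's layer
    names the middle relay."""
    hops = list(route) + [destination]
    inner = payload
    for i in range(len(route) - 1, -1, -1):
        next_hop = hops[i + 1].encode()
        if len(next_hop) > HOP_FIELD:
            raise ValueError("hop name too long for the fixed-width field")
        nonce = os.urandom(NONCE_LEN)
        inner = nonce + xor_layer(keys[route[i]], nonce, next_hop.ljust(HOP_FIELD, b"\0") + inner)
    return inner


def peel(key: bytes, onion: bytes):
    """What one relay does: strip its own layer, read the next hop, forward the rest."""
    nonce, body = onion[:NONCE_LEN], onion[NONCE_LEN:]
    plain = xor_layer(key, nonce, body)
    next_hop = plain[:HOP_FIELD].rstrip(b"\0").decode()
    return next_hop, plain[HOP_FIELD:]


def run_circuit(route, destination, payload, keys):
    """Forward the onion hop by hop and record what each relay could observe."""
    onion = build_onion(route, destination, payload, keys)
    observations = []  # (relay, bytes it received, next hop it learned)
    hop = route[0]
    while hop in keys:          # stops once the address is not a relay we hold a key for
        seen = onion
        next_hop, onion = peel(keys[hop], onion)
        observations.append((hop, seen, next_hop))
        hop = next_hop
    return hop, onion, observations


def demo():
    route = ["guard", "middle", "exit"]                   # constructed relay names
    destination = "example.com:80"                        # constructed destination
    payload = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
    keys = {relay: os.urandom(32) for relay in route}     # assumed pre-shared per-hop keys
    final_hop, delivered, observations = run_circuit(route, destination, payload, keys)
    guard_saw = observations[0][1]
    return {
        "trace": [(relay, nxt) for relay, _, nxt in observations],
        "final_hop": final_hop,
        "delivered": delivered,
        # the guard knows the client and the middle relay, but neither the
        # destination nor the request is visible in the bytes it handled
        "guard_sees_destination": destination.encode() in guard_saw,
        "guard_sees_payload": payload in guard_saw,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "=", value)
```

The exit relay necessarily sees the destination and, absent end-to-end TLS, the plaintext request; what it never sees is the client’s address, which only the guard learns. That split is what the Tor Project’s statement about relay operators refers to, and it is also why the investigative techniques described next attack the endpoint rather than the network.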

There are ways around the anonymity Tor provides, however. The FBI infamously cooked up one such technique when it seized a dark web site called Playpen that was dedicated to child sex abuse, ran it for 13 days, and deployed a so-called network investigative technique (NIT) – what’s also known as police malware – onto the computers of those who visited.

The NIT forced more than 8,000 computers to cough up their IP addresses, MAC addresses; open ports; lists of running programs; operating system types, versions and serial numbers; preferred browsers and versions; registered owners and registered company names; current logged-in user names; and their last-visited URL.

It was a massive haul of evidence, and it led to the arrests of nearly 900 people worldwide. However, some courts later ruled that the underlying search warrant was invalid.

Another crook who used Tor but slipped up and didn’t get away was Ryan S. Lin: a then 25-year-old who pleaded guilty in April 2018 to seven counts of cyberstalking, five counts of distribution of child abuse imagery, nine counts of making hoax bomb threats, three counts of computer fraud and abuse, and one count of aggravated identity theft.

Lin, a computer science graduate from Rensselaer Polytechnic Institute, was savvy enough to use a two-pronged approach to protecting his anonymity: both a virtual private network (VPN) and an anonymizing service to mask his true IP address. He was also smart enough to know that VPNs keep logs.

Fortunately for the FBI, he did a terrible job at hiding his tracks in spite of all his supposed tech smarts. When investigators got access to Lin’s Gmail account, they found that he’d sent himself two screenshots of what looked to be his iPhone. The images showed what apps were installed, including several apps for anonymous texting, encrypted email, and free burner telephone numbers.

Lin thought the IP address-anonymizing Tor service would protect him. He thought VPNs would hide him. He also seemed to put his faith in anonymous overseas texting services and overseas encrypted email providers that don’t respond to law enforcement and/or don’t maintain IP logs or other records.

In October 2018, he was sentenced to 17.5 years in jail.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/W3IQrFPLq9A/

Coinbase explains background to June zero-day Firefox attack

Targeted phishing attacks, it is often said, can be difficult for even the wariest organisations to defend themselves against.

But how difficult?

This week’s detailed post-incident analysis by Coinbase chief information security officer Philip Martin of a recent, highly targeted attack on the cryptocurrency exchange offers a glimpse into how good these attacks can be.

We’ll start with the punchline – Coinbase successfully resisted the attack, something we could already have guessed when the company tweeted the news in June that it had come under attack.

That tweet also mentioned that the attack deployed two Firefox zero-days, something that immediately grabbed the interest of news reporters as well as Mozilla, which issued patches for CVE-2019-11707 and CVE-2019-11708 after Coinbase reported their use by cybercriminals.

Fending off an attack using a combination of two zero-days is already unusually challenging but, according to Martin, the sophistication of the attack didn’t stop there.

It seems the campaign began on 30 May when around a dozen Coinbase employees received an email from someone claiming to be Gregory Harris, a Research Grants Administrator at the University of Cambridge.

This email came from the legitimate Cambridge domain, contained no malicious elements, passed spam detection, and referenced the backgrounds of the recipients.

The approach was so convincing that even as more emails were received over a two-week period, “nothing seemed amiss.”

Until 17 June at 6:31am (PT), that is, when a new email turned up containing a boobytrapped link designed to launch the zero-days in Firefox.

One of the small number of individuals who received this became suspicious, which led to a scan of that computer that turned up signs of malevolent activity.

Phishing 101

That one of the zero-days was only possible after a Firefox update on 12 May underlines how quickly attackers can find and “weaponize” vulnerabilities (the fact that researcher Samuel Groß discovered one of the flaws in April was, apparently, coincidence).

The most alarming aspect of this attack is surely in how the attackers were able to communicate with the Coinbase employees they set out to socially engineer, for weeks, without raising any red flags.

Over that period the attackers narrowed their focus, selecting only five of the roughly 200 people they initially targeted to receive the zero-day exploit.

The emails looked legitimate, as the attackers appear to have either compromised or created two legitimate University of Cambridge email accounts, cloning elements of the University’s website to build their own phishing domain.

The involvement of zero-day exploits might make this campaign sound like a phishing outlier.

But it’s likely that other almost-as-good campaigns try the same set of tricks against a huge number of companies. It’s unreasonable to expect defenders to keep out every one of them but it is clearly possible with the right culture to minimise the risk.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/USzrlHhxRxk/

Fortnite World Cup champion and family swatted while live streaming

16-year-old Fortnite player Kyle “Bugha” Giersdorf, recent $3 million winner of the inaugural World Cup Solo finals, was swatted Sunday night while live streaming his game play, Kotaku reports.

He was live streaming on Twitch.TV, which means that the video recording captured the arrival of the police. Yet again – this isn’t the first time live streamers have had their game play interrupted by police banging at the door – the recording was interrupted by Giersdorf’s father telling him that there were armed police at the door.

“Did he just leave?” one of the players asked, incredulous, as the sound of the game’s gunfire continued and Bugha’s character slumped to the ground.

Yes, he did leave, because there were guns IRL.

After about 10 minutes, Bugha returned, telling his buddies that he’d been swatted. “That was definitely a new one,” he said.

They come in with guns, bro. They literally pulled up, holy sh*t.

He was lucky, Bugha said: it all ended quickly and peacefully, likely due at least in part to the fact that one of the officers was a neighbor:

I was lucky because the one officer, yeah, he lives in our neighborhood.

The situation was far more harrowing for Joshua Peters, a gamer who got swatted while live streaming RuneScape in 2015. His Twitch.TV video showed him just moments after armed police stormed his house, pointed their guns at his 10-year-old brother who answered the door, and forced the gamer himself to lie face down on the floor in yet another swatting incident in the gamer community.

In the US and other countries, hoax emergency calls of this kind fall under the genre of crime called SWATting, which takes its name from elite law enforcement units called SWAT (Special Weapons and Tactics) teams. It’s the practice of making a false report to emergency services about shootings, bomb threats, hostage taking, or other alleged violent crime in the hope that law enforcement will respond to a targeted address with deadly force.

Convicted SWATters such as Tyler Barriss will tell you that their intention isn’t to have anybody shot or killed. It is, rather, to shock or cause alarm. It doesn’t matter what Barriss’s “intention” was – it won’t buy back the life of 28-year-old Andrew Finch, whom police shot to death in December 2017 when responding to Barriss’s hoax call.

In March 2019, Barriss was sentenced to 20 years in prison for making the hoax call that cost Mr. Finch his life.

Fortunately, no deaths resulted from the prankster’s SWATting call that looked to victimize Bugha and whatever family or friends were in his home at the time. Thankfully, police kept cool and asked questions before things escalated and resulted in injury and/or death.

It’s to law enforcement’s immense credit when they can thwart these juvenile efforts to shock, which are made without concern as to whether the prank calls will get anybody killed. Kudos to police who are well aware that there are those who will put innocents’ lives on the line just for the lulz. Here’s to staying calm instead of allowing yourself to be used as the pistol in these games of Russian roulette.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ViohltBx3bo/

Patch time! Microsoft warns of new worm-ready RDP bugs

Microsoft’s Patch Tuesday brought some very bad news yesterday: more wormable RDP vulnerabilities, this time affecting Windows 10 users too.

CVE-2019-1181 and -1182 are critical vulnerabilities in Remote Desktop Services (formerly Terminal Services) that are wormable – similar to the BlueKeep vulnerability that people have already created exploits for. Wormable means that an exploit could, in theory, be used not only to break into one computer but also to spread itself onwards from there.

These new vulnerabilities, which Microsoft found while it was hardening RDS, can be exploited without user interaction by sending a specially-crafted remote desktop protocol (RDP) message to RDS. Once in, an attacker could install programs, change or delete data, create new accounts with full user rights, and more. CVE-2019-1222 and -1226 also address these flaws.

Unlike BlueKeep, these new RDP vulnerabilities affect Windows 10, including server versions, as well as Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

Microsoft said that these vulnerabilities haven’t yet been exploited in the wild, but urged customers to get ahead of the game by patching quickly:

It is important that affected systems are patched as quickly as possible because of the elevated risks associated with wormable vulnerabilities like these, and downloads for these can be found in the Microsoft Security Update Guide.

Computers with network level authentication (NLA) are partly protected, because crooks would need to authenticate before making a request, meaning that an attack couldn’t spread without human interaction on NLA-enabled systems.

Microsoft also fixed several other critical bugs in this Patch Tuesday, including a remote code execution (RCE) vulnerability in Internet Explorer’s scripting engine (CVE-2019-1133 and -1194). Attackers can exploit the bug via a specially crafted website or by sending a malicious ActiveX control marked “Safe for initialization” to any MS Office program that uses the Internet Explorer rendering engine.

Edge users didn’t get away scot-free either. There’s a similar bug (CVE-2019-1131, -1139 to -1141, and CVE-2019-1195 to -1197) in that product’s Chakra Scripting Engine. It allows for remote code execution in the current user context, and it’s exploitable via malicious websites.

Microsoft fixed a critical RCE bug in its Hyper-V hypervisor (CVE-2019-0720), caused by poor input validation in the Hyper-V Network Switch, that could be exploited by a malicious application running in a guest OS. There are also some related denial-of-service (DoS) bugs patched in Hyper-V.

CVE-2019-0736, -0965, and -1213 are RCE bugs in Windows’ DHCP client and server components, the client-side flaws being triggered by malicious DHCP responses sent to a client, while CVE-2019-1188 is a flaw in the way that Windows processes files with a .LNK extension. LNK files are shortcuts that point to executable files, but improper processing enables remote code execution. Attackers could exploit this bug via removable drives or remote shares.

Flaws in the way that Windows processes fonts (CVE-2019-1145, and -1149 to -1152) allow an attacker embedding maliciously crafted fonts in a website or file to execute code remotely on the system.

There were also some bugs in Microsoft Office. A flaw (CVE-2019-1199 and -1200) in the way that Outlook handles objects in memory means that an attacker could execute code remotely using a malicious file delivered via email or a website. Outlook’s preview pane is an attack vector there, as it is for a bug in Microsoft Word (CVE-2019-1201 and -1205) that allows for remote code execution from maliciously crafted Word documents.

The final critical bug in the bunch was CVE-2019-1183, which is a flaw in the Windows VBScript Engine that allows malicious websites or ActiveX objects to trigger remote code execution on the target system. However, Microsoft is in the process of getting rid of browser-based VBScript and has now turned it off by default in Internet Explorer 11 in this round of updates.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Bu9rFB1i64g/

HTTP/2, Brute! Then fall, server. Admin! Ops! The server is dead

On Tuesday, Netflix, working in conjunction with Google and CERT/CC, published a security advisory covering a series of vulnerabilities that enable denial of service attacks against servers running HTTP/2 services.

HTTP/2, like earlier versions, governs the application layer of the internet stack; it runs atop the transport layer (TCP), the network layer (IP), and data link layer of the internet. The eight CVEs disclosed do not allow information disclosure or modification, but they could be employed to overload servers.

“Today, a number of vendors have announced patches to correct this suboptimal behavior,” the media streaming biz said in its post. “While we haven’t detected these vulnerabilities in our open source packages, we are issuing this security advisory to document our findings and to further assist the Internet security community in remediating these issues.”

Seven of the flaws were identified by Jonathan Looney of Netflix, and the eighth (CVE-2019-9518) by Piotr Sikora of Google.

Netflix, which characterized the severity of the flaws as “high,” did not name the vendors affected by vulnerable HTTP/2 implementations but CERT/CC has.

Microsoft is one of them: It patched five of the eight CVEs, each rated “important” in terms of severity, in its security fix today.

So too are Apple, which released five fixes of its own for its SwiftNIO HTTP/2 project, Akamai, and Cloudflare.

“If any of our customers host web services over HTTP/2 on an alternative, publicly accessible path that is not behind Cloudflare, we recommend you apply the latest security updates to your origin servers in order to protect yourselves from these HTTP/2 vulnerabilities,” said Nafeez Ahamed, a security engineer at Cloudflare, in a blog post.

Other affected vendors and products include: F5’s NGINX, Go 1.12, Netty, Apache, node.js 11.11.0 + libnghttp2 1.35.1, gRPC C 1.21.0, gRPC Java 1.21.0 (Netty), gRPC Go 1.21.0, Twisted 16.3.0-19.7.0, Envoy prior to 1.11.1, proxygen, H2O project and Istio.

Amazon, Facebook and Ubuntu also appear to be affected, according to CERT/CC, with about two hundred other vendors listed as status unknown.

The vulnerabilities have to do with the design of HTTP/2, which includes parameters that can be abused. That possibility is touched on in the Security Considerations section of the HTTP/2 spec, RFC 7540: “An endpoint that doesn’t monitor this behavior exposes itself to a risk of denial-of-service attack.”

As Netflix explains, “Many of the attack vectors we found (and which were fixed today) are variants on a theme: a malicious client asks the server to do something which generates a response, but the client refuses to read the response. This exercises the server’s queue management code. Depending on how the server handles its queues, the client can force it to consume excess memory and CPU while processing its requests.”

The CVE summaries provide further detail:

  • CVE-2019-9511 “Data Dribble”: The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
  • CVE-2019-9512 “Ping Flood”: The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
  • CVE-2019-9513 “Resource Loop”: The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU, potentially leading to a denial of service.
  • CVE-2019-9514 “Reset Flood”: The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both, potentially leading to a denial of service.
  • CVE-2019-9515 “Settings Flood”: The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
  • CVE-2019-9516 “0-Length Headers Leak”: The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory, potentially leading to a denial of service.
  • CVE-2019-9517 “Internal Data Buffering”: The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both, potentially leading to a denial of service.
  • CVE-2019-9518 “Empty Frames Flood”: The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU, potentially leading to a denial of service.
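A defensive counterpart to the list above, as an added example (not Netflix's code and not any server's actual implementation): a small Python HTTP/2 frame parser plus a per-connection budget that counts inbound frames which force work without advancing a request, and disconnects once they outrun what legitimate traffic has earned. Frame types and flags come from RFC 7540; the budget thresholds, the 1024-byte window-increment floor and the sample byte streams in the test are assumptions.

```python
# Added example (not Netflix's or any vendor's code): a per-connection budget for HTTP/2
# frames that cost the server work without advancing any request. Thresholds are constructed.
from collections import namedtuple

DATA, HEADERS, PRIORITY, RST_STREAM, SETTINGS = 0x0, 0x1, 0x2, 0x3, 0x4        # RFC 7540 section 6
PUSH_PROMISE, PING, GOAWAY, WINDOW_UPDATE, CONTINUATION = 0x5, 0x6, 0x7, 0x8, 0x9
FLAG_ACK = FLAG_END_STREAM = 0x1      # ACK on SETTINGS/PING, END_STREAM on DATA/HEADERS
MIN_WINDOW_INCREMENT = 1024           # assumed floor: smaller increments dribble responses byte-wise

Frame = namedtuple("Frame", "ftype flags stream_id payload")

def build_frame(ftype: int, flags: int, stream_id: int, payload: bytes = b"") -> bytes:
    """Encode one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id (RFC 7540 s.4.1)."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)

def parse_frames(buf: bytes) -> list:
    """Split raw bytes into Frame objects; a truncated trailing frame is an error, not ignored."""
    frames, off = [], 0
    while off + 9 <= len(buf):
        length = int.from_bytes(buf[off:off + 3], "big")
        ftype, flags = buf[off + 3], buf[off + 4]
        stream_id = int.from_bytes(buf[off + 5:off + 9], "big") & 0x7FFFFFFF
        if off + 9 + length > len(buf):
            raise ValueError("truncated frame")
        frames.append(Frame(ftype, flags, stream_id, buf[off + 9:off + 9 + length]))
        off += 9 + length
    return frames

def is_wasteful(f: Frame) -> bool:
    """The CVEs' common thread: a frame that forces a reply, a queue entry or a tree reshuffle."""
    if (f.ftype in (PING, SETTINGS) and not f.flags & FLAG_ACK) \
            or f.ftype in (PRIORITY, RST_STREAM):
        return True        # Ping Flood, Settings Flood, Resource Loop; apply the same count to
                           # RST_STREAMs the server itself has to emit (Reset Flood)
    if (f.ftype in (DATA, HEADERS, CONTINUATION, PUSH_PROMISE) and not f.payload
            and not f.flags & FLAG_END_STREAM):
        return True        # Empty Frames Flood
    if f.ftype == WINDOW_UPDATE and len(f.payload) >= 4:
        inc = int.from_bytes(f.payload[:4], "big") & 0x7FFFFFFF
        return inc < MIN_WINDOW_INCREMENT   # Data Dribble-sized increments
    return False

class ControlFrameBudget:
    """Disconnect once wasteful frames outrun the headroom that useful traffic keeps earning."""
    def __init__(self, headroom: int = 100, credit_per_useful: int = 10):
        self.credit, self.per_useful, self.wasted = headroom, credit_per_useful, 0

    def observe(self, f: Frame) -> bool:
        """True when the server should send GOAWAY and close the connection."""
        if is_wasteful(f):
            self.wasted += 1
            return self.wasted > self.credit
        if f.ftype in (DATA, HEADERS) and f.payload:   # real progress earns more headroom
            self.credit += self.per_useful
        return False

def check_connection(buf: bytes) -> tuple:
    """Run the budget over a captured byte stream; returns (abusive, frames_seen)."""
    budget, seen = ControlFrameBudget(), 0
    for frame in parse_frames(buf):
        seen += 1
        if budget.observe(frame):
            return True, seen
    return False, seen
```

The budget is deliberately relative rather than absolute: a busy client that sends real requests can afford many control frames, while a client that sends nothing but PINGs, PRIORITY updates or empty frames is cut off after the initial headroom.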

In the absence of a patch, Netflix suggests disabling HTTP/2 services, though that may not be practical in some cases. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/08/14/http2_flaw_server/

Not very Suprema: Biometric access biz bares 27 million records and plaintext admin creds

Two infosec researchers found 27 million personal data records, including a million people’s fingerprints, exposed to the public along with plaintext admin credentials for the Suprema Biostar 2 system they were associated with.

The database powering South Korean company Suprema Inc’s Biostar 2 biometric access control system – which controls entry and exit to secure areas in buildings around the globe, including “1.5 million installations worldwide” – was “unprotected and mostly unencrypted”, according to the internet privacy researchers who found the flaws.

Noam Rotem and Ran Locar, two noted Israeli security researchers, told the Graun they’d discovered the database while port-scanning in the hope of finding “familiar IP blocks”. Having found the database, they were then able to “manipulate the URL search criteria in Elasticsearch”, in the newspaper’s words, to uncover plaintext passwords of admin accounts.

From there, the duo were able to change data and add new users, Rotem told the Guardian, as well as performing all the other tasks an admin-level user could perform.

Biostar 2 is used for monitoring who goes in and out of secure sites and buildings, such as offices and warehouses. The biometric system allows employees and visitors to those sites to use traditional RFID cards as well as fingerprints as a means of gaining recorded access to certain areas.

The brochure for Biostar 2, downloadable from Suprema’s website, states: “This system safely stores all information about each user including the user’s name, ID, PIN, access rights and fingerprint data by storing it on a single device.”

Rotem and Locar’s research was carried out in association with VPNmentor, one of NordVPN’s trading names. A blog post published on VPNmentor’s website today goes into more detail, including how they were able to access “client admin panels, dashboards, back end controls, and permissions”, users’ mugshots, employee security clearance levels, home addresses and contact information – and unencrypted plaintext passwords for user accounts.

“We were easily able to view passwords across the Biostar 2 database, as they were stored as plaintext files, instead of being securely hashed,” wrote Rotem and Locar. “Instead of saving a hash of the fingerprint (that can’t be reverse-engineered) they are saving people’s actual fingerprints that can be copied for malicious purposes.”

The hole was plugged yesterday, allegedly after the duo encountered difficulties getting Suprema to pay attention to their findings. The Register has asked the company if it wishes to comment on Rotem and Locar’s discoveries.

In April this year, Rotem and Locar uncovered the exposure of 80 million US households’ personal details online, while Rotem himself found a glaring vulnerability in airline tech firm Amadeus’s passenger reservation system. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/08/14/biostar_2_suprema_database_exposed_27m_records/

You Gotta Reach ‘Em to Teach ‘Em

As threats continue to evolve and cybercriminals become more sophisticated, organizations that lack a mature security awareness and training program place themselves at serious risk.

More than half (53%) of all C-suite executives say data breaches in their organizations are due to accidental loss by an external party or human error, according to “Shred-it’s Ninth Annual Data Protection Report.” In addition, 96% of Americans hold negligent employees at least partly to blame for data breaches at major US companies, the report found.

These types of mistakes have been costly, anywhere from thousands to millions of dollars, and the price tags keep growing. For example, the city of Riviera Beach, Fla., recently paid $600,000 to hackers to decrypt its files after one of its employees accidentally clicked on a phishing link that delivered ransomware to its computer systems. And Moody’s recently estimated that the Equifax data breach — caused by the — will cost it about $400 million in cybersecurity expenses and capital investments this year and next.

As threats continue to evolve, and cybercriminals become more sophisticated and targeted in their attacks, organizations that lack a mature security awareness and training program place themselves at serious risk. That security awareness managers need to rethink the ways (emphasis on the plural) they inform and educate employees about potential cyberattacks is nearly an understatement.

It’s not all bad news, though. While awareness and training still has a long way to go, organizations are slowly coming around, and industry leaders are working hard to move the needle. Here’s what some of them have to say about the latest trends in security awareness.

Awareness Is Not Training
To start, practitioners need to understand that awareness and training are not the same. “Just because I’m aware doesn’t mean that I care,” wrote Perry Carpenter, chief evangelist and strategy officer at KnowBe4, in his recently published book, “Transformational Security Awareness.”

The point is one echoed in the Certified Security Awareness Practitioner course taught by Lisa Plaggemier, chief evangelist at the InfoSec Institute. “Processes and policies are fine, but if you’re not winning hearts and minds and gaining buy-in from employees, it’s probably a non-starter,” she says.

Awareness is about providing information. Training is the act of engaging participants for the purpose of changing behavior. “A sign that says, ‘Lock your car door before leaving so that your things don’t get stolen’ is awareness,” says Alexandra Panaretos, EY Americas’ cybersecurity lead for security awareness and training development. “Training is, ‘This is why your car is a target from a criminal’s perspective.’”

Reframing the Way Employees Feel about Security Awareness
Organizations have come to realize (and take seriously) that human error and social engineering are all too often the root of data breaches. Security awareness as part of an annual check-the-box computer-based training no longer cuts it.

“I can’t think of any other industry that sees people as the problem quite as much as ours,” Plaggemier says. “That’s actually pretty sad when you think about it. I see technology as enabling humanity, not humans as ruining technology.”

Informing and educating employees must be a business priority, and not doing so is a risk for which the business should be held responsible. Fortunately, industry influencers have started to transform the way enterprises think about security awareness, and organizations are catching on to the fact that people are constantly learning, so awareness and training need to be ongoing.

“Many times over, practitioners have seen that training in general is not effective,” EY Americas’ Panaretos says. “Micro-learning and point-in-time learning are really changing how the workforce works.”

“It’s important to understand how people naturally think, behave, express preferences, make choices, and adopt new beliefs if you ever want to be effective in shaping their security-related thoughts and actions,” KnowBe4’s Carpenter says.

Awareness and training has to be more than a regulatory requirement. For a program to be really effective, security has to be a part of the corporate culture. In addition, the content offered needs to be non-intrusive so employees don’t feel the training interrupts their business responsibilities.

Whether it’s a security tip of the week folded into a briefing employees already have to read to do their job, or a quick, humorous video, the key to successful awareness and training is making it relevant to the audience you are trying to reach. “Build it into the life of that person so that it’s not seen as an extra duty,” Panaretos says.

Establishing the Role of Security Awareness Manager
Part of the reason why security awareness programs have not been successful is no one person or team of people has been charged with the task of informing and educating employees across the organization.

Even the roles that do exist aren’t clearly defined, as Lance Spitzner, director of SANS security awareness, pointed out in a May 21 blog post. Despite the NIST NICE Framework, which is intended to define the roles of the cybersecurity workforce, Spitzner says he could not find a consistent title or an adequate description for the role.

SANS took on the task of cross-referencing the different job titles and duties to establish a singular one, the “security awareness and communications manager,” that encompasses the various tasks currently assigned to myriad individuals who have a hand in security awareness and training.

“This is someone who is specifically responsible for selling the concept of cybersecurity to the workforce,” Spitzner says. “In this role, their goal is to create secure behaviors throughout the organization and ultimately enable a security driven culture.”

Security Programs that Work for Humans
Revamping an existing program or even starting a new one from scratch begins by talking to employees, Panaretos says. “Ask them what they like and don’t like about training in general — not just information security training, but training as a whole,” she says.

Security awareness providers also need to work hand in hand with their human resources and training teams and be open to the idea that the current content isn’t working. Accept that people might not like what is being offered and see that as an opportunity to get creative.

Carpenter advises companies to compile different strategies to store in what he calls the “security awareness leader’s toolbox.” The toolbox should include fresh and engaging content that ranges from videos to learning modules and microlearning, posters, newsletters, and even swag. And it all should be delivered through storytelling with a cultural connection that folks can take home with them.

“All these stories contribute to the story — the larger story of how your program is making a difference in the lives of your employees and to the overall risk posture and resilience of your organization,” Carpenter says.

Image Source: Julien Eichinger via Adobe Stock

Kacy Zurkus is a cybersecurity and InfoSec freelance writer as well as a content producer for Reed Exhibition’s security portfolio. Zurkus is a regular contributor to Security Boulevard and IBM’s Security Intelligence. She has also contributed to several publications, …

Article source: https://www.darkreading.com/edge/theedge/you-gotta-reach-em-to-teach-em/b/d-id/1335491?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Microservices Flip App Security on Its Head

With faster application deployment comes increased security considerations.

Containers, microservices, and APIs work together as the pillars of modern application development. While the shift to microservices provides unparalleled adaptability, adopting the new framework comes at a cost: keeping each piece of the puzzle secure.

With DevOps, constant change is the reality. Because all services and APIs talk to one another over HTTP and new applications are cropping up online constantly, web application security must adapt.

The new microservices framework — the process of breaking down an application into a set of services — is a hot topic, with over half of the respondents in a December 2018 O’Reilly report saying that more than 50% of new development in their organization uses microservices. As a result, developers can create and deliver applications at a much faster rate, offering reduced business cycles from original idea to production. Once an application is split into microservices, orchestrating the communication between them becomes a need of its own, and a new infrastructure layer, the service mesh, was created to meet it.

The results are clear. The same O’Reilly report states that microservices have evolved from a fad to a trend, with the architecture being used in over half of software projects across North America, Europe, and Asia. More than 15% of respondents stated that they have seen “massive success” as a result of the framework.

But with faster application deployment comes increased security considerations. Teams that deploy microservice architectures are already spread thin, and because the framework’s distributed design multiplies the number of entry points, those teams now must defend against a larger volume of attacks. As organizations shift to microservices, their legacy web application firewalls (WAFs) can’t keep up. However, new security tools are built to handle the evolving IT infrastructure.

For example, OFX, an international financial transfer platform based in Sydney, Australia, processes over $22 billion in transactions each year through its web application. (Note: OFX uses Signal Sciences to implement a WAF, a service also offered by other companies.) After migrating to a cloud-first microservices infrastructure, OFX sought to increase its visibility and protection against attacks documented by the Open Web Application Security Project (OWASP) and authentication abuse.

To maintain this workflow, OFX’s partners need to interact seamlessly with the platform. They use APIs that connect to microservices within the OFX network; when those APIs sit behind legacy WAF solutions, this can be a major challenge. OFX leveraged new technology and web application security solutions to provide transparency into authentication requests, allowing a greater level of authentication defense and better visibility for penetration testing.

Not all companies are keeping pace with microservices, though. Application security is one of the biggest gaps in microservice architecture overall. Because most microservices run over HTTP, security concerns include data injection attacks, cross-site scripting, and privilege escalation to command execution. These systems become vulnerable to business logic attacks, which, without effective monitoring practices, might not be detected.

Below are five things to consider when securing a microservice architecture:

· Ensure full coverage across the infrastructure: Breadth of coverage is essential to make sure web application defense can keep up with the changes that organizations face. Because applications on a microservice architecture have been decomposed into smaller services and components, the defense needs to be spread across those same delivery stacks. When you evaluate defensive tools, look for support for the major cloud providers, container platforms, hardware and web servers, and platform services.

· Prevent account takeovers (ATOs): ATOs continue to be a major concern for organizations. A WAF with ATO capabilities to protect your microservices can protect against unauthorized account access.

· Gain insight into attacks: Microservices are often composed of dozens or even hundreds of individual services that can be running in different languages and in many containers. Attacks can be discovered at a granular, per-microservice level, including where and how your microservices are being attacked.

· Choose a WAF that requires little tuning: A WAF can take a lot of time to get configured, set up, and running properly for each microservice. Choosing a WAF that blocks malicious attacks by default, without interrupting your microservices or requiring lengthy tuning periods, will provide immediate coverage. Although you want a WAF to work right away, it should be flexible enough to customize to the specific needs of microservices.

· Think cross-deployment: There are several ways to deploy a WAF: on-premises, as a module, through a content delivery network, or as runtime application self-protection (RASP). The best protection is one that can be easily integrated into your DevOps workflow. This can be accomplished by using a library integrated into your application, a module on the web server, or a reverse proxy, whichever allows the greatest adaptability to your microservices needs. With microservices, service meshes, API gateways, and more, it’s best to use a firewall that offers the same protection, the same rules, and no required tuning across all deployment models.

Knowing that dynamism is a fixture in DevOps, it’s important to not fall behind. Microservices are not just a fad, so if you’re not eyeing a change, it’s time to get moving. To keep pace with business growth and increased workflow in an increasingly fast-moving space, businesses have to adapt. For now, adapting to a microservice architecture — and keeping it secure — is the way forward.

Jonathan DiVincenzo, Head of Product at Signal Sciences, the fastest growing web application security company in the world, brings his engineering background together with a passion for taking mere ideas and turning them into products. He has experience working in both large …

Article source: https://www.darkreading.com/cloud/microservices-flip-app-security-on-its-head/a/d-id/1335483?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple