
Destructive Malware Attacks Up 200% in 2019

Organizations hit with destructive malware can lose more than 12,000 machines and face $200 million or more in costs, IBM X-Force reports.

Businesses around the world are experiencing a rise in destructive malware attacks, which are designed to shut down information access and obliterate system functions on victim machines.

New data from IBM X-Force Incident Response and Intelligence Services (IRIS) shows organizations hit with destructive malware can experience a total cost of $200 million and lose more than 12,000 devices in an attack. Large multinational companies incur an average cost of $239 million per incident, researchers report, citing analysis of publicly disclosed cyberattacks. The cost of remediation, equipment replacement, lost productivity, and other damage makes destructive attacks far pricier than typical data breaches, which average $3.92 million each, according to estimates from the Ponemon Institute.

“When you think about a destructive attack compared to a data breach, that attack process is very similar,” says Christopher Scott, global remediation lead for IBM X-Force IRIS. “You have to get in the environment, expand access, get to what you want … and act on that objective.” But unlike a traditional data breach, which typically targets intellectual property or other valuable information, a destructive malware attack aims to shut down a target’s corporate environment.

Destructive malware, including ransomware that employs a “wiper” element, is on the rise: X-Force IRIS incident response teams helped organizations with 200% more destructive malware cases in the first half of 2019 compared with the second half of 2018. Ransomware packing destructive elements also spiked as new strains of LockerGoga and MegaCortex entered the landscape. Ransomware calls to X-Force IRIS’ emergency response line spiked 116% in the first half of 2019.

“While not all ransomware attacks incorporate destructive malware, the simultaneous increase in overall ransomware attacks and ransomware with destructive elements underscores the enhanced threat to corporations from ransomware capable of permanently wiping data,” researchers write in “Combating Destructive Malware: Lessons from the Front Lines.” They predict criminals’ use of destructive ransomware will increase over the next five years.

Half of destructive malware cases targeted the manufacturing industry; other popular targets were in the education or oil and gas sectors. Most attacks the X-Force IRIS team observed targeted victim organizations in the United States, Europe, and the Middle East.

Detecting and Addressing Destructive Attacks
A destructive malware attack can start with a phishing email, credential stuffing, or watering hole attack. Once inside, attackers can elevate credentials and poke around until they have administrative access. “This gives them freedom to move across the environment as they want and plan out their attack,” Scott says. Researchers found attackers are often present on a device, asset, or network for weeks or months before they launch a destructive malware attack. In some cases, they dwell for more than four months, taking time for internal reconnaissance.

Access points and key infrastructure are valuable in this phase. With access to critical systems, attackers can keep control of their location for as long as possible. The slow approach lets them do maximum damage, but it also gives businesses an opportunity to locate them beforehand. While PowerShell remains popular for lateral movement, many attackers are targeting privileged accounts and services so they can move throughout the network unnoticed.

The time to remediate varies depending on the severity of an attack. X-Force IRIS incident responders spent an average of 512 hours remediating a destructive malware attack; however, that number can stretch to 1,200 hours or more for significant incidents.

Not Just for Nation-States
Destructive malware has mostly been used by nation-state actors to harm geopolitical opponents by destroying systems or harming key industry organizations. From 2010 to 2018, it was primarily intended to further state interests. Now it’s growing popular among cybercriminals.

Researchers hypothesize criminals may be adopting this form of malware to put pressure on ransomware victims: if they don’t pay, attackers could irreparably destroy their data. They may also impulsively launch a destructive attack to “lash out” at uncooperative victims.

“By going destructive or even partially destructive, you are even more motivated to pay a ransom,” Scott explains. “That way they can recover and get back to business faster.” If a cybercriminal wants payment immediately, they can destroy part of the target’s environment to show what the damage could potentially be if they don’t send the requested payment.

As these attacks continue to increase, businesses are advised to ensure they’re prepared by testing their response plan under pressure. X-Force IRIS recommends using a tabletop exercise to determine whether your team knows exactly what to do in critical moments of response.

Organizations should also consider segregating and minimizing privileged accounts and ensuring the same account cannot be used to access every critical system. They should also baseline internal network activity and monitor for lateral movement; alert on unexpected PowerShell callouts; and have, test, and keep offline backups of their systems. If an attacker can destroy a company’s backups, paying the ransom is the only way a victim can get its information back.
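The baseline-and-alert advice above can be made concrete. The following Python is an added illustration written for this page, not IBM X-Force code: it builds a per-host baseline of which destinations PowerShell normally talks to, then flags PowerShell connections that are either external or to an internal host never seen in the baseline window. The JSON telemetry, its field names (host, process, dest_ip, dest_port, phase) and the internal address ranges are constructed assumptions, not any product's schema.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed connection telemetry, one JSON record per line. The field names
# are assumptions made for this example; "phase" marks records collected while
# building the baseline versus records under live monitoring.
CONSTRUCTED_EVENTS = """\
{"phase": "baseline", "host": "ws01", "process": "outlook.exe", "dest_ip": "10.1.0.20", "dest_port": 443}
{"phase": "baseline", "host": "ws01", "process": "powershell.exe", "dest_ip": "10.1.0.9", "dest_port": 5985}
{"phase": "baseline", "host": "srv01", "process": "svchost.exe", "dest_ip": "10.1.0.2", "dest_port": 53}
{"phase": "monitor", "host": "ws01", "process": "powershell.exe", "dest_ip": "10.1.0.9", "dest_port": 5985}
{"phase": "monitor", "host": "ws01", "process": "powershell.exe", "dest_ip": "10.1.0.77", "dest_port": 5985}
{"phase": "monitor", "host": "ws01", "process": "powershell.exe", "dest_ip": "198.51.100.23", "dest_port": 443}
{"phase": "monitor", "host": "srv01", "process": "chrome.exe", "dest_ip": "198.51.100.40", "dest_port": 443}
"""

# Assumed internal ranges (RFC 1918); an organisation substitutes its own.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
POWERSHELL_NAMES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}


def parse_events(text):
    """Parse newline-delimited JSON records into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_internal(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def build_baseline(events):
    """Per-host set of (process, dest_ip) pairs observed during the baseline phase."""
    baseline = defaultdict(set)
    for ev in events:
        if ev["phase"] == "baseline":
            baseline[ev["host"]].add((ev["process"].lower(), ev["dest_ip"]))
    return baseline


def find_powershell_callouts(events, baseline):
    """Return alerts for PowerShell connections that deviate from the baseline.

    Two conditions fire:
      - external:     PowerShell reaching any address outside INTERNAL_NETS
      - new_internal: PowerShell reaching an internal host this machine never
                      contacted during the baseline window (lateral-movement signal)
    """
    alerts = []
    for ev in events:
        if ev["phase"] != "monitor":
            continue
        proc = ev["process"].lower()
        if proc not in POWERSHELL_NAMES:
            continue
        if not is_internal(ev["dest_ip"]):
            reason = "external"
        elif (proc, ev["dest_ip"]) not in baseline.get(ev["host"], set()):
            reason = "new_internal"
        else:
            continue  # known PowerShell destination for this host: expected traffic
        alerts.append({"host": ev["host"], "dest_ip": ev["dest_ip"],
                       "dest_port": ev["dest_port"], "reason": reason})
    return alerts


def run_detection(text=CONSTRUCTED_EVENTS):
    events = parse_events(text)
    return find_powershell_callouts(events, build_baseline(events))


if __name__ == "__main__":
    for alert in run_detection():
        print(alert)
```

On the constructed data, the known management connection from ws01 to 10.1.0.9 is silent, while the connection to a never-before-seen internal host and the external callout each produce an alert. The baseline phase is the part that needs care in practice: it has to be captured while the network is believed clean, and re-baselined as legitimate administration patterns change.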


Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/endpoint/destructive-malware-attacks-up-200--in-2019/d/d-id/1335444?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Ransomware Used in Multimillion-Dollar Attacks Gets More Automated

The authors of MegaCortex appear to have traded security for convenience and speed, say researchers at Accenture iDefense.

The authors of MegaCortex, a ransomware tool that was used recently in costly attacks against organizations in North America and Europe, have tweaked the malware to make it even more dangerous.

Researchers from Accenture iDefense this week said they have spotted a new version of the ransomware with features that make it harder to detect and easier for attackers to deploy on compromised networks.

Like the first version of MegaCortex that surfaced earlier this year, the new one is designed for use in manual, post-exploitation, targeted attacks. However, the authors have made some changes to the malware that suggest they have traded security for automation and ease of use, according to a report from Accenture iDefense.

For instance, the original MegaCortex malware required a password in order to decrypt and load the final payload. Attackers needed to install the ransomware on a compromised network via a series of manual steps and use a custom password that would become available only during a live infection.

This made it very hard for security researchers to analyze and reverse engineer the malware. “The password was heavily encoded and encrypted. Thus, brute-forcing the password to run the malware was not a feasible approach,” says Leo Fernandes, senior manager of the Accenture iDefense Malware Analysis and Countermeasures (MAC) team.

At the same time, the password requirement also limited the ability for attackers to deploy MegaCortex widely, Fernandes says. With the second version, the malware authors have removed the need for a password for installation and have instead hard-coded a password in the binary. “The new version executes directly with one single command. No additional password or interaction is necessary,” he says.

Additionally, the malware authors have incorporated a range of anti-analysis features within the main malware module itself. Some examples of these features include crypters, packers, and other obfuscation capabilities; use of anti-disassembly and debugging features; sandbox and virtual machine detection capabilities; and system-specific requirements for loading the malware, Fernandes says.

With the first version, attackers had to manually execute such capabilities as batch script files on each host. “The lack of a password requirement for installation and the embedded functionality to kill/stop security software and services can allow attackers to deploy the malware faster through automation once access to a network has been established,” Fernandes says.

Security researchers first spotted MegaCortex earlier this year targeting enterprise organizations in the US, Canada, and Europe. During one stretch in May, researchers at Sophos counted 47 targeted attack attempts to install MegaCortex in a 48-hour period. Organizations that have been hit by the malware have faced ransom demands ranging from a relatively modest $20,000 to a stunning $5.8 million.

The changes in the new version do not make MegaCortex any easier or harder to detect, because the attack still happens only after a network has already been compromised via other means, Fernandes says. Even so, the hard-coded passwords allow those doing the reverse engineering to retrieve the final DLL file from memory for further analysis, which was not readily feasible before, he says. “However, deeper analysis still takes lots of experience and time,” Fernandes says.

Targeted Attacks
For enterprise organizations, MegaCortex is another reminder — if one were needed — of the major threat that ransomware continues to pose. The steady declines in ransomware attack volumes that several security vendors have reported in recent months have all been on the consumer side.

Attacks on private, public, city, and local government organizations of all sizes have only increased over the past year. In many instances, attackers have first gained access to targeted networks, conducted reconnaissance and identified high-value systems before installing ransomware on them to maximize disruption.

Many security researchers fear that recent reports of multiple city governments and other organizations making substantial payments to attackers to get their data back after a ransomware attack are likely only going to fuel more attacks.

Ransomware like MegaCortex continues to pose a high threat to enterprises and government organizations worldwide, Fernandes says. “The criminal organization behind MegaCortex appears to be experienced professionals capable of targeting and infiltrating corporate networks, cause havoc, and huge financial losses,” he warns.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/ransomware-used-in-multimillion-dollar-attacks-gets-more-automated/d/d-id/1335446?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

The sea is dangerous and no one likes robots, so why not send a drone on rescue missions?

The UK’s Maritime and Coastguard Agency (MCA) is coughing up just shy of a million quid to see how drones could help with sea rescue and surveillance operations.

Interested parties have until 19 August to put in a bid and will need to be ready to go by 1 September.

The invitation to tender aims to improve MCA operations while reducing risks to staff.

The tender is valued at £990,000 and will be awarded to one project, but smaller companies are free to form partnerships or groups to make a bid.

It lays out a variety of tests such as searching for objects of interest within a five by five nautical mile box and searching a ten by one nautical mile box with a last known position at one end.

Drones should be larger than 7kg and capable of a minimum of three hours of unsupported flight. They will be used both for searching for missing or “overdue” people or vessels and for identifying and tracking said vessels or other objects of interest.

The key deliverable described by the MCA is “to address and remove regulatory issues and barrier to Beyond Visual Line of Sight flight in unsegregated and uncontrolled UK airspace”. The winning bidder is expected to deal with regulators like the Civil Aviation Authority and National Air Traffic Systems to make this possible.

Cheekily, the MCA also suggested bidders might like to offer resources beyond the value of the contract because of the potential for a significant later contract.

The contract will run until March 2021 or until enough information has been gathered – there is no minimum number of flights set. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/08/05/uk_gov_offers_cash_for_coastguard_drones/

How to avoid getting burned at Black Hat, destroyed at DEF CON or blindsided by Bsides

Black Hat It’s that time of year again and the world’s white, grey and the occasional black-hat hackers descend into the fetid hell that is Las Vegas in August for a week of conferences, community conflabs and catching up with old friends.

What started as a bunch of friends hanging out in a cheap hotel has grown into the largest assembly of computer security talent in the world. The conference space of five hotels is going to be filled with exhibitions, hawkers and hackers, all trying to pull stuff down or push it across in the 40˚C+ (100˚F+) Vegas heat.

It’s a brutal conference schedule and one that punishes the unprepared, so we’ve polled old attendees for their advice on how best to ride out summer camp.

There are three overlapping shindigs this week – Bsides LV, Black Hat and DEF CON – and all cater to slightly different groups. The biggest, by attendance, is Black Hat, which has morphed and swollen from its original incarnation to become a five-day training and conference session. While the quality of the talks is usually good, it’s increasingly a vendor show – give it a few more years and Black Hat could end up as RSA with hookers.

Black Hat was founded by Jeff Moss – aka Dark Tangent – in part to pay for DEF CON, which is the largest gathering of non-corporate hackers in the world. You won’t see suits at DEF CON; the talks are generally more advanced and edgy, and the space is littered with specialist villages for lockpickers, aviation and car hackers, and social engineering zones.

But just like Black Hat, DEF CON has metastasized: it has tens of thousands of visitors and now sprawls over three different hotels, leading some to say it’s just become too big. So if you want DEF CON as it was, then head to the first conference of the week, Bsides. It’s held at the much smaller Tuscany venue and is strictly limited by size, but there are some fascinating talks and it’s a very friendly and open crowd.

Keen hackers tend to book Bsides (Tuesday to Wednesday) and then move to DEF CON, which runs from Thursday to sometime around the start of the week (depending on how long booze supplies hold out). Black Hat, or at least the training sessions it runs, kicked off on Sunday but the main briefing sessions are held on Wednesday and Thursday.

Am I going to get hacked?

It’s part of the mythology of the week that everyone has to be hyper-aware of the dangers of being hacked. But the truth is you’re probably going to be fine.

It’s really only DEF CON where people are actively going to be scanning for unsafe machines and flagging them, and even then it’s considered very bad form to get malicious about it. Yes, some details about vulnerable systems are displayed on the infamous Wall of Sheep, but that’s about the limit of it.

In 10 years of hacker camp attendance I’ve only had one minor case of someone trying to attach another email to my account, and I suspect that was down to accidentally logging onto the main conference Wi-Fi network without the proper precautions. Bsides is even better, and while the main network comes with a warning just in case, this hack hasn’t heard of anyone getting hit.

Attendees trying to hack each other at Black Hat hasn’t really happened for years; the last incident that got people expelled was nearly a decade ago and was largely harmless, if annoying. Now there’s a massive effort to keep the network clean and it appears to be working.

Some insist on bringing burner kit to the conferences, but an unofficial straw poll suggests that these are more for the over-cautious. And you can always spot the overly paranoid – they are the ones who cover up their USB ports. Seriously, just don’t leave your hardware unattended.

In the traditional security tradeoff between convenience and good sense I’d recommend avoiding the main networks, making sure you never auto-connect to a network. Instead rely on a hotspot and VPN, keeping your phone off or in airplane mode until needed, shutting down Wi-Fi unless you need it, and avoiding Bluetooth. That’s probably overkill for Black Hat and Bsides, but may be underdoing it for DEF CON.

Don’t take a shoeing, or sickness

The geography of the shows is such that you’re going to spend a lot of time on your feet, and veterans are almost unanimous on the need for good footwear.

Pick your routes between venues carefully as the Vegas sun is crushingly hot at this time of year so walk as little as possible. Taxis are a very mixed bag – the Strip can be snail-like at rush hour and you need to allow a lot of time for shifting between venues. There is a bus service but it’s as slow as a taxi, although cheaper.

At Black Hat there are three floors and an exhibition space to navigate. You spend a fair amount of time lining up and if you think those fancy leather loafers are going to cut it you could be heading for a blistery hell. Heels for women are also ill advised.

At DEF CON the queues are worse – much worse – and the distances greater, and opportunities to sit down outside of sessions are few and far between. Bsides is the easiest show on the feet, but oddly one of the more confusing to navigate, given the warren-like venue.

Sneakers (or trainers in UK-speak) seem to be a good compromise, and I’ve seen some people swear by boots. I’ve also seen a lot of people swear at sandals, usually by day three when the blistering really kicks in.

You might think that with the heat that sandals would be the thing to go for but most of the time attendees are in air-conditioned halls. These are warm (thanks to body heat) in crowded sessions like keynotes, but for less-crowded sessions it can get chilly.

This shifting between blazing sunshine and chilly halls isn’t great for the body, and then you have to factor in the mixing of thousands of people from around the world. Unless you take precautions such as layering up, good hygiene and lots of hand washing, you’ll be heading for a ripe case of conference cough.

Above all, hydrate. All of the venues have frequent water coolers and make sure you use them. And try to bring your own water bottle to save on the use of the crappy plastic glasses the hotels are still favouring.

Planning prevents poor performance

Frankly, you’re never going to get to see everything you want to at these shows.

At Black Hat you’re looking at seven or eight different talks every hour or so. DEF CON typically has four main tracks plus a host of other talks, and Bsides has a very busy schedule. Once you factor in travel time between rooms, stuff is going to get missed.

On the plus side, DEF CON and Bsides video most presentations and put them online later in the year. That way if you’re really jonesing to see something you can catch up on it later. Black Hat has a similar service but charges for it.

So work out what you really want to get to and focus on that. This works well for Black Hat and Bsides but DEF CON has now grown so large that you’ll have to start lining up early. At keynote and popular sessions you’ll need to be in line at least half an hour, or preferably double that, to get in.

That said, if you can’t get into your chosen talk DEF CON is the best conference to just mooch around in. Go and visit some of the Villages to learn something new, check out side events, or just hang out in the bar area and talk to people. It’s amazing who you can meet.

And remember, hacker camp is a marathon, not a sprint. Try to do too much and you’ll burn out quickly. Slow and steady wins this race. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/08/05/black_hat_survival/

Fighting Back Against Mobile Fraudsters

The first step toward identifying and preventing mobile fraud threats is acknowledging that mobile security requires a unique solution.

Merchant and e-commerce organizations are no strangers to the struggles of fraud protection. Amazon, a recent target, noted that its merchants were hit by “extensive” fraud over six months in 2018. Hackers stole thousands of dollars from hundreds of merchant accounts by redirecting money to their own bank accounts. In addition, knowing that global digital commerce sales are forecast to skyrocket in 2020 and consumers are increasingly turning to mobile to make purchases and online transactions, businesses must consider the unique fraud threats they face on mobile devices.

Why Mobile Fraud Must Be Treated Differently
Businesses often approach mobile fraud prevention with the same tactics, technology, and mindset they use for traditional desktop e-commerce. The transactions that happen on mobile, and the nature of the data captured, are quite different from those that happen on desktop, which means merchants should consider a different fraud solution for each channel. For example, mobile orders can be placed in various ways: through a consumer’s personal mobile device, a website, or an app. It is important for businesses to see where the transaction is made in order to identify fraudulent activity correctly.

One way they can do this for mobile is by taking a closer look at the consumer’s device ID and geolocation, which provides a unique identifier for each individual, such as the type of phone they use, mobile carrier, and even the default language that’s set on the phone. For example, if a consumer has never traveled abroad but has been making purchases internationally, this identifier helps catch fraud in the early stages. While it is possible for fraudsters to spoof a device ID, it is a less-common fraud method.
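As an added illustration (not code from the article or from any fraud vendor), the Python below turns the device-ID-plus-geolocation idea into a risk score: a new purchase is compared with the account's history on the attributes the text names (phone model, carrier, default language) and on purchase country, with the “never traveled abroad but now buying internationally” case scored explicitly. The purchase history, the weights and the review threshold are constructed assumptions for the demonstration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DeviceProfile:
    """Attributes the text lists as making up a mobile device identifier."""
    device_id: str     # stable per-device identifier reported by the app/SDK
    phone_model: str
    carrier: str
    language: str      # default language configured on the handset


@dataclass(frozen=True)
class Purchase:
    account: str
    device: DeviceProfile
    country: str       # country derived from geolocation at purchase time
    amount_usd: float


# Constructed history for one account (not real data): every prior order came
# from the same handset, carrier and language, all inside one country.
HOME_DEVICE = DeviceProfile("dev-7f3a", "Pixel 4", "CarrierOne", "en-US")
CONSTRUCTED_HISTORY = [
    Purchase("acct-1001", HOME_DEVICE, "US", 42.00),
    Purchase("acct-1001", HOME_DEVICE, "US", 118.50),
    Purchase("acct-1001", HOME_DEVICE, "US", 19.99),
]

# Illustrative weights; a production system tunes these on labelled outcomes.
WEIGHTS = {
    "new_device_id": 40,
    "model_changed": 10,
    "carrier_changed": 10,
    "language_changed": 20,
    "unseen_country": 30,
    "first_foreign_purchase": 20,
}
REVIEW_THRESHOLD = 60  # assumed: a known device travelling abroad (50) stays below it


def score_purchase(candidate, history):
    """Return (score, reasons) comparing a new purchase with the account's history."""
    prior = [p for p in history if p.account == candidate.account]
    if not prior:
        return 0, ["no_history"]  # brand-new accounts need a separate policy
    seen_ids = {p.device.device_id for p in prior}
    seen_countries = {p.country for p in prior}
    last_device = prior[-1].device
    reasons = []

    dev = candidate.device
    if dev.device_id not in seen_ids:
        reasons.append("new_device_id")
    # Softer attributes are compared even for a known device ID: a carrier
    # change on a known handset is the SIM-swap pattern worth a second look.
    if dev.phone_model != last_device.phone_model:
        reasons.append("model_changed")
    if dev.carrier != last_device.carrier:
        reasons.append("carrier_changed")
    if dev.language != last_device.language:
        reasons.append("language_changed")

    if candidate.country not in seen_countries:
        reasons.append("unseen_country")
        if len(seen_countries) == 1:  # account has only ever bought domestically
            reasons.append("first_foreign_purchase")

    return sum(WEIGHTS[r] for r in reasons), reasons


def needs_review(candidate, history):
    score, _ = score_purchase(candidate, history)
    return score >= REVIEW_THRESHOLD


if __name__ == "__main__":
    suspect = Purchase("acct-1001", DeviceProfile("dev-99c2", "Galaxy S9", "OtherCarrier", "ro-RO"), "RO", 950.0)
    print(score_purchase(suspect, CONSTRUCTED_HISTORY), needs_review(suspect, CONSTRUCTED_HISTORY))
```

The scoring deliberately stacks the device attributes on top of the geolocation signal: a traveller using their usual handset scores moderately and passes, while a new device with a different language and carrier appearing in a country the account has never bought from crosses the review line. Since the text notes device IDs can be spoofed, the softer attributes are checked independently of the identifier rather than trusted only when the ID is new.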

The Root of an Attack
While fraudsters continue to generate more sophisticated attacks, one of the most common types of mobile fraud is account takeover (ATO). ATO often results when people reuse usernames and passwords across multiple online accounts. If their login information is stolen in a recent breach, that username and password combination is often sold to any number of fraudsters who then test it across the Web until they are given access.

Combating Fraud with Mobile Fraud Prevention Technologies
Among the most targeted victims of mobile fraud are bank customers. A recent report from Javelin found that at least 1.5 million victims of existing-account fraud also had fake accounts opened in their names by cybercriminals.

While mobile banking makes it easier for customers to access their bank accounts, this also makes them more susceptible to mobile fraud. Mobile banking is an appealing target for fraudsters because of the ease of access to customer information and the speed of electronic wire transfers to an outside bank account. Whether the customer falls for a phishing scam or downloads a malicious app, there are various schemes fraudsters use to infiltrate customer bank accounts. Financial institutions without the proper security measures in place risk putting their customers in the front lines of ATO or identity theft — issues that can be prevented with fraud prevention technologies.

Many financial institutions smartly require customers to go through multifactor authentication (MFA) in order to access their bank accounts. MFA reduces the chances of mobile fraud by putting multiple authentication and verification methods in place that require customers to approve every transaction made. This may include asking the customer for additional verification methods such as inputting their PIN, SMS text verification, answering security questions, or using biometric authentication, such as their fingerprints.

Other fraud prevention solutions include machine learning and artificial intelligence that predict the user’s actions, as well as behavioral biometrics that profile how users handle their mobile devices. These technologies help businesses identify fraudulent activity and stop it before it completes.

Whether you manage a mobile commerce platform or a financial institution, acknowledging that mobile security requires a unique solution is the first step toward identifying and preventing mobile fraud threats. And implementing the right fraud prevention technologies ensures that your business and customers are out of harm’s way.


DJ Murphy is the Editor-in-Chief, Security Portfolio, at Reed Exhibitions, where he oversees all content. He also leads programming for CNP Expo, a leading event for the card not present and fraud prevention industry. He manages a staff of content producers dedicated to …

Article source: https://www.darkreading.com/mobile/fighting-back-against-mobile-fraudsters-/a/d-id/1335384?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Microsoft Opens Azure Security Lab, Raises Top Azure Bounty to $40K

Microsoft has invited security experts to ‘come and do their worst’ to mimic cybercriminals in the Azure Security Lab.

BLACK HAT USA 2019 – Las Vegas – Microsoft today launched the Azure Security Lab and doubled its top Azure bug-bounty reward in an effort to further strengthen cloud security.

The Azure Security Lab is a set of dedicated cloud hosts designed for security researchers to test attacks against infrastructure-as-a-service (IaaS) scenarios while isolated from Azure customers. This isolation protects the Azure framework from malicious activity and gives approved researchers a place to analyze, and an attempt to exploit, the vulnerabilities they find in Azure.

Microsoft wants security experts to “confidently and aggressively test Azure,” and it has already invited a group of hackers to “come and do their worst” to emulate cybercriminals in the lab.

Due to the limited number of hosts, security pros who want to participate in the Azure Security Lab must apply. Accepted researchers will have access to quarterly campaigns for targeted scenarios, regular recognition, and exclusive swag, writes Microsoft’s principal security PM manager, Kymberlee Price, in a blog post. In addition to a secure testing space, the lab will let researchers work with Azure security experts as they explore vulnerabilities in the cloud.

Scenario-based challenges in the Azure Security Lab give researchers an opportunity to earn awards up to $300,000. The top-paying scenario is a virtual machine escape, in which researchers can demonstrate a functional exploit enabling an escape from a guest virtual machine to a host or to another guest VM. Demonstration of denial of service to the Azure host will earn $50,000.

In other incentive-related news, Microsoft is doubling its top bounty reward for Azure bugs to $40,000 as part of the Azure Bounty Program, which offers rewards from $500 to $40,000. In total, the company has paid out $4.4 million in bounty rewards over the past 12 months.

Microsoft today also formalized its two-decade commitment to the principle of Safe Harbor, Price adds. This initiative lets security experts pursue vulnerability research and report the problems they find without worrying about legal consequences.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/cloud/microsoft-opens-azure-security-lab-raises-top-azure-bounty-to-$40k/d/d-id/1335441?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Database of 200M-Plus Potential ‘Sextortion’ Victims Published

Researchers have discovered a botnet (and the database it feeds on) dedicated to extortion schemes.

Cofense Labs has published a database of more than 200 million accounts that it says are compromised and being targeted in a “sextortion” scam. The company says that it is publishing the account information with the goal of allowing potential victims and their employers to deal with the threat proactively to minimize damage.

According to Cofense, its researchers discovered a botnet for hire in June — a botnet primarily used to send emails with messages threatening embarrassing exposure if extortion payments are not made.

Cofense reports that its analysis shows the extortionists are recycling email addresses exposed in data breaches going back at least 10 years in the hope of wringing new value out of old criminal assets.

Individuals and companies can check to see whether domains or specific addresses are on the exposed list on this form.


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/threat-intelligence/database-of-200m-plus-potential-sextortion-victims-published/d/d-id/1335442?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

FileZilla fixes show how far we’ve come since Heartbleed

Users of FileZilla, the popular open source FTP client, may have noticed a rather serious looking bug described in the change log for the latest update:

Filenames containing double-quotation marks were not escaped correctly when selected for opening/editing. Depending on the associated program, parts of the filename could be interpreted as commands.

Fixed in version 3.43.0, the flaw is one of seven separate security bugs whose discovery is credited to a bug bounty program run by the European Union, of all things.
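The changelog entry describes a general bug class: a filename pasted into a command line with hand-written quoting, where a quote character inside the filename ends the quoting early and the rest of the name is parsed as separate arguments or commands by the receiving program. The Python below is an added illustration of that class and its fix, not FileZilla’s code; the program name and the filename are constructed. It shows what a POSIX shell would make of the naively quoted string, and the two safe alternatives: passing the filename as its own argv element so no shell parses it, or, where a single command string is unavoidable, letting the library do the escaping.

```python
import shlex

# Constructed filename; the embedded double quotes are the point of the demo.
TRICKY_FILENAME = 'quarterly" "report.txt'


def build_open_command_unsafe(program, filename):
    """Naive pattern: wrap the filename in double quotes inside one command string.

    A double quote inside the filename closes the quoting early, so the shell
    (or the associated program's own command-line parser) sees extra tokens.
    """
    return f'{program} "{filename}"'


def shell_would_see(command_string):
    """Split a command string into arguments the way a POSIX shell would."""
    return shlex.split(command_string)


def build_open_command_safe(program, filename):
    """Hardened form: the filename is one argv element, never parsed by a shell.

    Hand this list to subprocess.run(args) (no shell=True) or an equivalent
    exec-style API; the filename reaches the program byte-for-byte.
    """
    return [program, filename]


def quote_for_posix_shell(filename):
    """If a single command string is unavoidable, use the library's quoting
    rather than hand-placed quotes; shlex.quote handles embedded quotes."""
    return shlex.quote(filename)


def demo(program="editor", filename=TRICKY_FILENAME):
    """Return the argument vectors each approach produces for comparison."""
    return {
        "unsafe": shell_would_see(build_open_command_unsafe(program, filename)),
        "argv": build_open_command_safe(program, filename),
        "quoted": shell_would_see(f"{program} {quote_for_posix_shell(filename)}"),
    }


if __name__ == "__main__":
    for label, argv in demo().items():
        print(f"{label:7s} {argv}")
```

With the constructed name, the naive string splits into three arguments instead of two, which is exactly how “parts of the filename could be interpreted” by whatever program receives them; both safe forms deliver the filename intact as a single argument. On Windows the child process re-parses a single command-line string itself, so the argv list alone does not settle the matter there; Python’s `subprocess` applies `subprocess.list2cmdline` quoting rules in that case, and the same principle holds: let a tested library escape, never hand-placed quotes.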

The EU’s bureaucratic tentacles reach into many things, but a bit of freeware from an era when cover CDs were a thing still seems an odd place to find them.

Explaining why requires a brief trip down memory lane…

Eric S. Raymond’s seminal work on open source, The Cathedral and the Bazaar, taught us that “given enough eyeballs, all bugs are shallow”.

The idea being that the more people who are actively involved in developing, debugging and testing your code, the easier, faster and cheaper it is to find and fix bugs in it.

It’s an idea that’s central to the success, longevity and robustness of sprawling, noisy, open source projects like the Linux kernel. The development process for Linux, and the many other open source projects propping up our internet ecosystem, is entirely transparent, conducted before a potential audience of billions of eyeballs.

The “many eyes” idea is also important symbolically, as part of the meritocratic culture of open source. However, like a lot of good ideas, it is one we’re prone to over-rely on, and our collective understanding of what “many eyes” meant drifted over time.

Some time between 1997 and 2014 we developed a bit of a collective blind spot, conflating “many eyes” with “transparency”. For most projects, getting “many eyes” on the codebase requires transparency, but transparency itself doesn’t guarantee any eyes at all.

The scales fell from our eyes in 2014, with the discovery of Heartbleed, a critically serious data leak in the open source cryptographic library, OpenSSL. The bug allowed attackers to quietly plunder the private cryptographic key material required to unpick the encryption keeping them at bay.

OpenSSL was a critical piece of infrastructure whose open source code was relied upon by numerous high profile projects. So how had a flaw that undermined it so wholeheartedly lingered, unnoticed, for years?

Because, relative to its popularity, almost nobody was looking at the code. The notion that transparency alone makes bugs shallow was thoroughly discredited.

Some projects, like the Linux kernel, are interesting, exciting and well known enough to attract many eyes, but most are not. The discovery of Heartbleed woke us up to the fact that the world’s vast collection of important but unsexy open source projects was going to need a better way to make their bugs shallow.

A few different models emerged.

Looking at OpenSSL specifically, Google and OpenBSD settled on making the project easier to maintain by slimming down the codebase. Although they each succeeded in doing that, the result was fragmentation – two incompatible forks of OpenSSL in the forms of BoringSSL and LibreSSL.

Mozilla, the organisation behind the Firefox browser, established its SOS (Secure Open Source) fund.

The fund makes bugs shallow not with many eyes, but a few very good ones – by paying for security audits. Its focus is projects that are actively maintained and vital to the continued functioning of the internet. Audits are thorough but that thoroughness comes at a cost: SOS has only managed 19 audits in three years.

In the EU, German researcher and MEP Julia Reda established FOSSA (the Free and Open Source Software Audit). The project began in 2014 by establishing an inventory of software used by the EU. In 2016, it funded expert evaluations of the KeePass password manager and the Apache web server, along the lines of the SOS project.

In January 2019, it got new teeth, in the form of about a million dollars worth of bug bounties spread across fifteen separate software projects, including FileZilla.

The idea of bug bounties fits neatly into the rich open source tradition of developers doing what they feel like doing. Beyond some rules about what counts as a security flaw and how flaws should be reported, bug hunters are free to choose where they spend their energy. The bounties act as an inducement to draw them to areas they might otherwise not be attracted to, and as an alternative source of cash to the underground market in vulnerabilities.

Managed via HackerOne, bounties are paid to anyone who finds and reports security flaws in the listed projects, with bonuses available for fixes.

The results, as the latest FileZilla changelog attests, are encouraging. Also on the list of eligible software, alongside FileZilla, was the popular VLC media player. In June it received the biggest security update in its history, thanks to EU-FOSSA bug bounties.

Not content with audits and bug bounties, FOSSA now wants to run hackathons, and Reda wants to see Free Software Security added as a permanent item in the EU budget.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/wYKtm5ow4zI/

Hackers exploit SMS gateways to text millions of US numbers

Receive any strange SMS text messages recently?

If you live in the US, there’s a small chance you might have received an SMS with the following text in the last few days from someone called ‘j3ws3r on Twitter’:

I’m here to warn the masses about SMS email gateways. Please look up how to disable it on your phone or call your provider and ask.

Judging from responses on Twitter, the chances of receiving one of these is currently low, although it’s also possible some phone users either ignored the message or deleted it out of habit.

(The text also begins with a promotional link to controversial YouTuber PewDiePie, a clue to its origins which we’ll get to shortly.)

Of the few recipients who took to Twitter to ask about the message, most seem concerned about how the senders got hold of their mobile number.

In fact, they didn’t have to: according to Wired, the whole campaign was generated by a script that produces every possible mobile number between 1111111 and 9999999 and bolts each one on to a list of every US area code.

How were the texts sent?

It seems that a single Unix command was used to send the messages to the email-to-SMS gateways used by all 26 major US carriers, which in theory will have forwarded them to legitimate numbers.

More likely, most of them filtered the messages out, but the fact that some got through is the whole point of the campaign’s attempt to raise the issue of how easy it is to abuse these gateways.

And yet SMS gateways are everywhere, used legitimately by organisations to send their users marketing and service information straight to their phones.

It’s a mostly hidden industry that makes a tempting target for hyper-intrusive companies and criminals alike, as well as hackers looking to capitalise on – and warn of – weak security.

According to Simeon Coney of Adaptive Mobile Security, quoted by Wired:

Many of the SMS gateways have broadened their offerings to support scripted interaction, with a range of interface APIs supported.

Showing how this can be abused is intended as a warning of an issue the carriers are allegedly turning a blind eye to, according to the SMS:

I decided to just do this [as] an automated way of warning everyone, and hopefully promoting change from these companies.

Printing PewDiePie

It’s the latest act of a small group of individuals who last December hijacked weakly-secured printers to spew propaganda on behalf of contentious YouTuber, PewDiePie, and to hack vulnerable Google Chromecasts.

Those, too, were intended as warnings, albeit more mainstream ones that too many individuals and organisations connect printers and Chromecasts to the internet without thinking about their security.

Is it even possible to disable SMS gateways? As far as we can tell, short of turning SMS off completely this needs to be done either by talking to the carrier or, possibly, by changing a setting in a carrier’s management app.

On balance, we’d hesitate to do that because it might also disable useful texts such as bank balance alerts and possibly 2FA one-time codes which utilise SMTP-to-SMS gateways.

Undoubtedly, SMS gateways deserve closer attention – the spam text problem surely confirms this – but perhaps not in this way.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/AeqxEVgRJLM/

Google and Apple suspend contractor access to voice recordings

Apple and Google have announced that they will limit the way audio recorded by their voice assistants, Siri and Google Assistant, is accessed internally by contractors.

Let’s start with Apple.

Apple’s privacy hump began a week ago when The Guardian ran a story revealing that contractors “regularly hear” all sorts of things Apple customers would probably rather they didn’t, including sexual encounters, business deals, and patient-doctor chats.

Despite Apple’s protestations that such recordings are pseudonymised and only accessed to improve Siri’s accuracy, the whistleblower who spoke to the newspaper was adamant that in some cases:

These recordings are accompanied by user data showing location, contact details, and app data.

Apple now says it has suspended the global programme under which voice recordings were being accessed in this way while it conducts a review.

It’s not clear how long this will remain in force, nor whether the company will adjust the time period it keeps recordings on its servers (currently between six months and two years).

By interesting coincidence, Google finds itself in a similar fix. Germany’s privacy regulator recently started asking questions after Belgian broadcaster VRT ran a story last month on contractors listening to Google Assistant recordings. Google’s privacy fig leaf:

We don’t associate audio clips with user accounts during the review process, and only perform reviews for around 0.2% of all clips.

Nevertheless, Google now says it has also suspended access to recordings in the EU for three months.

It was Amazon which started this ball rolling in April, when a Bloomberg report revealed that – yes – recordings stored by its Alexa voice assistant were being accessed by contractors.

Spot the pattern?

There is a tangle of issues here, the first of which is the way these companies explain how they store and access voice recordings.

They say they only access fractions of a percent of the recordings stored on their servers, but that could still be a lot of recordings. Despite what companies say, it’s also not clear that these recordings are always as anonymised as they claim.

Perhaps the fundamental issue is that the only way to improve the accuracy of voice assistants is to manually tune how they understand what users are asking them to do, or not to do.

That requires company staff – including contractors – to access real voice interactions taken from a growing range of devices, including smart speakers, smartphones, and Apple Watches.

It’s an inherent part of developing this type of device and there’s no obvious way around an issue that was always likely to catch tech companies out at some point.

The most likely response from Apple, Google and Amazon is some kind of re-drafting of how they explain all of the above to a public that is growing more sceptical about the ethics of grabbing lots of personal data on the assumption that companies will pay attention to privacy.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/6WDIUcUa8Ns/