STE WILLIAMS

VPNs’ Future: Less Reliant on Users, More Transparent, And Smarter

Virtual private networking is poised to become more automated and intelligent, especially as endpoints associated with cloud services and the IoT need protection.

Market consolidation, transparent operation, greater intelligence: If this were Jeopardy, here’s where you’d say, “What’s the future of the VPN market look like?” Then you’d be on to Technology Forecasts for $500.

What isn’t in question is that virtual private networking technology will remain critical to protecting users, organizations, and their data. What is changing, according to industry experts, is the degree of automation and intelligence in VPN technology, not to mention the degree to which VPN functionality resides less in the hands of users (consistently cited as secure networking’s weakest link) and more on the back end of the network. But continued growth of cloud services and the Internet of Things (IoT) means secure connectivity will still be needed.

Indeed, VPN revenue is poised for tremendous growth, according to Global Market Insights, which forecasts it to exceed $54 billion by 2024, up from $17 billion in 2018.

But how VPN technology gets deployed will change. Whereas VPNs used to rely on remote users remembering to turn on their VPN client software (or off), VPN authorization and access functions are getting subsumed into the network itself and are transparent to users. However, that’s still several quarters down the time line.

In the meantime, consolidation has been reshaping the VPN market in the past year, according to Chase Cunningham, an analyst with Forrester. “The broader topic is the death of the VPN,” he says, adding that $250 million worth of acquisitions in the past 12 months are intended to get rid of VPN technology as a discrete market.

“Security people are good with security technology … the general population is not,” Cunningham says. “Exploitation occurs on the user side of the equation with bad passwords, logins, etc.”

In tandem, a market shift is underway that seeks to make security “impossible to gripe about or cause problems,” he adds, which translates to circumventing the end user. Traditional VPNs will be replaced by a software-defined perimeter and virtualization to make user connections secure – and automatic, Cunningham says. While the IPsec tunneling technology that underpins most VPNs won’t go away completely, he also predicts some hybrid of tunneling, encryption, and software-defined networking (SDN) will emerge.

Martin Musto, senior consultant at Optiv, agrees that the VPN market is poised for greater automation and transparency. But he also draws a distinction between site-to-site VPNs and client-to-site VPNs. And it’s the latter that needs to change.

“IPsec is a complicated protocol to set up, and a tenuous one. And there are a lot of moving pieces in setting up a site-to-site VPN,” he says. Client-based VPNs are simpler but more porous. “The billion-dollar winner is the company that figures out how to make this automated, transparent, and [can] manage the endpoint remotely,” Musto says. “They have to make it as low touch as possible for the user.”

One emerging alternative to conventional VPN connectivity is a cloud-based VPN. Service behemoths like Facebook, Google, McAfee, and Symantec are starting to offer different kinds of proprietary VPNs that promise all the security and less complexity.

In parallel, the explosion of cloud services, in general, along with big growth in IoT endpoints means many new devices requiring VPN connectivity, Musto explains. The security risk of those devices is not well understood at this point, but what is clear is that if a cloud or IoT device gets compromised, then the attacker has the same access as the device or end user does.

The real push in the future is to closely tie the VPN with the user’s activity. Musto anticipates smarter applications that are VPN-aware. “Right now, if you’re on an enterprise network and an app is talking to another company, there’s no way to know if that app is talking to a client on a VPN,” he explains. “The app itself doesn’t tell you — only the VPN app can tell you.”

These pieces of technology are critical to the functioning of the enterprise. Without a secure transport layer, the enterprise fails. And without security for remote workers, it also fails, because suddenly their data is available to anyone who can be on the same wire with them.


Terry Sweeney is a Los Angeles-based writer and editor who has covered technology, networking, and security for more than 20 years. He was part of the team that started Dark Reading and has been a contributor to The Washington Post, Crain’s New York Business, Red Herring, …

Article source: https://www.darkreading.com/edge/theedge/vpns-future-less-reliant-on-users-more-transparent-and-smarter/b/d-id/1335163?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Travel Security [from J4vv4D]

Do you travel to dangerous places, like Information Security Conferences?

Created by J4vv4D.

Article source: https://www.darkreading.com/edge/theedge/travel-security--from-j4vv4d-/b/d-id/1335302?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Black Hat USA Offers Inside Look at Boeing 787 Security Flaws

The 787 Dreamliner, WhatsApp, and Windows 10 are all subjects of cutting-edge Reverse Engineering talks at this year’s August event.

Come out to Black Hat USA in Las Vegas next month and hone your reverse-engineering skills by checking out some Briefings on the Reverse Engineering track, which offer expert insight on everything from vulnerability discovery to advanced exploitation techniques via the reverse engineering of hardware, software, and protocols.

After all the headlines about Boeing’s 787 Dreamliner jet, Arm IDA and Cross Check: Reversing the Boeing 787’s Core Network is a can’t-miss Briefing. This talk will provide the first public analysis of the Boeing 787’s core network, revealing previously unknown vulnerabilities that would allow an attacker to compromise the security of the original design. The talk will also elaborate on the additional implications of these security flaws.

Reverse Engineering WhatsApp Encryption for Chat Manipulation and More will give you a unique look at how security researchers successfully decrypted WhatsApp message traffic by reverse-engineering the messaging app’s source code. This is a big deal since encrypted communication is one of WhatsApp’s primary selling points. Attend this Briefing and learn three possible attacks that exploit this vulnerability, giving attackers immense power to create and spread misinformation from what appear to be trusted sources.

If you’re more concerned about security holes in Microsoft products like Outlook and Exchange, check out Hunting for Bugs, Catching Dragons, a Briefing about possible (scripting-free) exploits in these products. It’s a rare opportunity to learn about the latest security holes in some of the most common tools used in business today, direct from the team at Microsoft.

Paging All Windows Geeks – Finding Evil in Windows 10 Compressed Memory will reveal details of the memory compression implementation in Windows 10, and explore the undocumented structures and algorithms involved in the process. Using what you learn in this Briefing, you’ll be able to access data in the newly introduced (and undocumented) virtual store, which should help you prevent malware from evading detection during memory forensic analysis.

Black Hat USA returns to the Mandalay Bay in Las Vegas August 3-8, 2019. For more information on what’s happening at the event and how to register, check out the Black Hat website.

Article source: https://www.darkreading.com/black-hat/black-hat-usa-offers-inside-look-at-boeing-787-security-flaws/d/d-id/1335319?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

With more hints dropped online on how to exploit BlueKeep, you’ve patched that Windows RDP flaw, right?

Vital clues on how to exploit the notorious Windows RDP bug, aka CVE-2019-0708 aka BlueKeep, and hijack vulnerable boxes, emerged online this week.

The growing number of hints can be used by folks to develop working code that attacks Microsoft’s Remote Desktop Services software, on Windows XP through to Server 2008, and gains kernel-level code execution without any authentication or user interaction. You just need to be able to reach a vulnerable RDP server across the network or internet.

Such an intrusion would give an attacker full control of a machine. So far, publicly available proof-of-concept exploit code mostly crashes vulnerable systems, rather than commandeer boxes. It’s feared that publicly shared, working, and reliable remote code-execution exploits, built from the aforementioned hints and tips, will be used to create a worm that can move from machine to machine, infecting them via BlueKeep as it goes, while stealing information or rolling out ransomware.

Microsoft issued free patches for BlueKeep in May, though not everyone has installed them.

New details

Earlier this week, a researcher using the handle 0xeb_bp created a GitHub repository including a written in-depth analysis of the flaw, and incomplete proof-of-concept Python code that targets Windows XP.

BlueKeep is a use-after-free vulnerability in Remote Desktop Services’ kernel driver termdd.sys. There are more technical details here, by the Zero Day Initiative, however the summary is: it is possible to open a connection to a vulnerable RDP server, open a channel called MS_T120x00 through this connection, send a payload of malicious code, and then terminate the connection. That will trigger the bug, and with the right voodoo, cause the smuggled code to execute.

In order to do this, you need to pull off something rather tricky: spraying the Windows kernel’s heap memory pool with data just right to achieve code execution. While the concept of heap spraying is understood by exploit developers and security engineers, it hasn’t been publicly explained within the context of CVE-2019-0708 – until now.

0xeb_bp’s PDF write-up in their GitHub repo details these vital steps, and how to overwrite the pool successfully. Although industry folks are aware of heap spraying, particularly in the context of browser exploitation, using the technique against the Windows kernel’s nonpaged pool of memory is non-trivial. For CVE-2019-0708, though, a walk-through on how to do just that is now public, and a video of it all working can be found here.

You may be relieved to hear the PDF deliberately omits certain details, such as the essential shellcode needed to commandeer a box. Also, it focuses on Windows XP, and the technique may not work on later editions of the operating system. However, along with exploitation tips detailed in a Chinese-language slide deck that appeared online two days ago, the difficult parts of a viable working exploit are now public, paving the way for someone to finish off the work and share it.

“The information here is already available within the Chinese hacker community,” 0xeb_bp pointed out.

WannaCry breaker and noted security researcher Marcus Hutchins, who is awaiting sentencing in the US for his role in developing banking malware, said this extra info will make it easier for white and black hats to exploit BlueKeep. “They provided the code to actually do the actual pool spray,” the Brit said, adding that we’re probably now a week away from someone completing a working public exploit.

This should give admins who have yet to install Microsoft’s patches that last bit of motivation they need to get the bug walled off once and for all. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/07/24/bluekeep_code_release/

Dodgy vids can hijack PCs via VLC security flaw, US, Germany warn. Software’s makers not app-y with that claim

VLC is said to be once again vulnerable to remote-code execution – meaning a malicious video opened by the software could potentially crash the media player, or joyride it to run malware on the host machine.

However, the developers of the open-source application, which has been downloaded literally billions of times and used by countless netizens, have disputed this claim, and say it is not possible to exploit the programming blunder.

The US government’s NIST this month documented a “critical” heap-based buffer overflow, designated CVE-2019-13615, which is said to be present and unpatched in the most recent official version of VLC, 3.0.7.1. It is, it is claimed, possible to trick a victim into opening a booby-trapped video using VLC that triggers a coding cockup leading to either a harmless crash or rather nasty code execution. The flaw is, we’re told, present in the Linux, Unix, and Windows builds of the player.

According to NIST:

VideoLAN VLC media player 3.0.7.1 has a heap-based buffer over-read in mkv::demux_sys_t::FreeUnused() in modules/demux/mkv/demux.cpp when called from mkv::Open in modules/demux/mkv/mkv.cpp.

While Germany’s CERT and NIST have both logged the flaw in their databases as dangerous and exploitable, the developers of VLC are pumping the brakes on panic over the vulnerability.

In a bug-tracking ticket discussing CVE-2019-13615, VideoLAN lead developer Jean-Baptiste Kempf noted that he was unable to recreate the crash using a proof-of-concept .MP4 video, provided by a security researcher four weeks ago, that’s supposed to knacker the latest version of VLC, 3.0.7.1. Nor was he able to crash the older 3.0.6 and work-in-progress releases, such as 3.0.8, he reported.

“This does not crash a normal release of VLC 3.0.7.1,” added Kempf. “Sorry, but this bug is not reproducible and does not crash VLC at all.”

VLC developer Francois Cartegnie was more blunt earlier today: “If you land on this ticket through a news article claiming a critical flaw in VLC, I suggest you to read the above comment first and reconsider your (fake) news sources.”

Crucially, however, when The Register tried playing the proof-of-concept .MP4 in VLC version 3.0.7 Vetinari (3.0.7-0-g86cee31099) on Linux, the player crashed with a segmentation fault. So there is confusion over what Kempf meant by “does not crash” – because it surely does crash – and whether by “the bug is not reproducible,” he meant remote-code execution is impossible or possible.

It appears the crashy .MP4 was generated as a result of an automated bug-hunting fuzzer running against VLC. El Reg has asked VLC developers at VideoLAN for additional comment on the matter, and will update the story when we hear back.

No patch is available yet, though one is said to be coming.

Whether the flaw can be confirmed or not, the clash should serve as a reminder to users and admins that media plugins and players such as VLC can and do contain security vulnerabilities, and should regularly be updated to thwart attempts by hackers to exploit bugs within the code.

Earlier this year, veteran Apple security researcher Patrick Wardle explained how VLC and other legacy applications could be used as entry points by attackers looking to get around newer macOS security protections. In that scenario the software itself is not vulnerable, but rather has privileges associated with it that could allow a malicious plugin to get at sensitive system components. The media player’s maker also just recently patched a bunch of flaws in VLC by releasing version 3.0.7.1. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/07/23/remote_code_flaw_vlc/

Low Barr: Don’t give me that crap about security, just put the backdoors in the encryption, roars US Attorney General

Analysis If the cops and Feds can’t read people’s encrypted messages, you will install backdoors for us, regardless of the security hit, US Attorney General William Barr has told the technology world.

While speaking today in New York, Barr demanded eavesdropping mechanisms be added to consumer-level software and devices, mechanisms that can be used by investigators to forcibly decrypt and pry into strongly end-to-end encrypted chats, files, and calls. No ifs, no buts.

And while this will likely weaken secure data storage and communications – by introducing backdoors that hackers and spies, as well as the cops and FBI, can potentially leverage to snoop on folks – it will be a price worth paying. And, after all, what do you really need that encryption for? Your email and selfies?

“We are not talking about protecting the nation’s nuclear launch codes,” Barr told the International Conference on Cyber Security at Fordham University.

“Nor are we necessarily talking about the customized encryption used by large business enterprises to protect their operations. We are talking about consumer products and services such as messaging, smart phones, email, and voice and data applications.”

If you’re not the military nor in big business, you’ll just have to suck it up, and use that backdoored encryption system for your personal communication and commercial dealings, Barr argued. Otherwise, he claimed, criminals, who are able to chat privately outside the grasp of the law, would have a free hand at the expense of society. And again, over what? Encrypted sexts and selfies? Get real, nerds.

Cryptography expert Matt Blaze likened Barr’s line – that citizens’ personal and business information isn’t worth protecting with top-notch encryption – to “flat Earth bizarre” thinking. “I don’t even know where to begin,” the professor added.

The Attorney General also insisted that investigators accessing people’s private data via backdoors – with a suitable warrant, of course – will not be in violation of the US Fourth Amendment, which protects “persons, houses, papers, and effects, against unreasonable searches and seizures.” It’s one thing to respect people’s privacy, but the people also expect crimes to be investigated, he said, and that’s not always possible when unbreakable encryption shields evidence and suspects.

“The key point is that the individual’s right to privacy and the [police’s] right of access are two sides of the same coin,” Barr said.

“The reason we are able, as part of our basic social compact, to guarantee individuals a certain zone of privacy is precisely because the public has reserved the right to access that zone when public safety requires. If the public’s right of access is blocked, then these zones of personal privacy are converted into ‘law-free zones’ insulated from legitimate scrutiny.”

Barr said legislation mandating backdoors in software may be avoided, though he refused to rule it out because a terror attack or some such may conveniently swing the population toward outlawing strong cryptography. “A major incident may well occur at any time that will galvanize public opinion on these issues,” he said.

It’s hardly a novel approach, piggybacking on a tragedy to push for backdoor access to private conversations, as we saw with the Obama administration’s handling of the San Bernardino shooting aftermath.

Clueless

Barr echoed the familiar refrain that criminals were using encryption to “go dark,” and frustrate officers and agents’ efforts to catch them. If this were true, we’d be seeing an explosion or at least some rise in crime here in America. However, that’s simply not the case – quite the opposite in fact.

Barr cited three possible methods for providing the cops and Feds with the ability to beat “warrant-proof encryption,” all of which have been mooted before, and none of which work.

His first example was previously suggested by British spies at GCHQ, and it involves putting “virtual crocodile clips” on encrypted apps. Specifically, the intelligence services would be allowed to silently enter encrypted chat groups or calls as an extra participant without anyone else in the session being aware of this intrusion and subsequent eavesdropping.

The proposal would force software developers to quietly implement such sneaky access, and Australia has already passed a law making such backdoors mandatory. The plans have been dismissed as unworkable by experts.

Jon Callas, cofounder of the PGP encryption software and the Silent Circle secure messaging and phone systems, has done an excellent in-depth analysis of why such a system is impossible to set up at scale in such a way that only law enforcement could use it. It’s a basic problem with backdoors of this kind – they are easy to set up, and impossible to control so that only officers and g-men can use them.

This kind of special secret access has already ended in disaster, as we saw in the case of Juniper’s firewalls. Persons unknown, presumably the NSA though the whole shambles remains highly classified, silently introduced backdoors into the vendor’s ScreenOS firmware. Then everyone found out about the hardcoded password and weakened VPN technology in ScreenOS, and could abuse them to slip into corporate networks, or snoop on VPN traffic, via Juniper’s vulnerable gateways. It’s not known how long the backdoors were in there, though what we do know is that someone found them and used them against targets to steal sensitive data.

More pie-in-the-sky

Barr’s second proposal was one touted, and patented, by ex-Microsoftie Ray Ozzie – who, while a smart dude, has very little in the way of security expertise. Ozzie’s idea, which is for smartphones only, would involve a return of the infamous Clipper chip that was dropped more than 15 years ago.

Ozzie’s proposal is for a key escrow system that involves a dedicated piece of hardware holding encryption keys that would be accessible to investigators and no one else. The only problem is no one has any idea how to create such a thing at scale that will remain secret.

The third suggestion was an old idea from ex-GCHQ analyst Matt Tait involving layers of encryption that would allow law enforcement access to the underlying private information. It’s a cute idea, and no one has a clue how to do it.

Barr also said software companies use keys and certificates to sign automatic software updates, which are then pushed to users. If these keys can be kept safe, surely keys to cryptography backdoors can be stopped from falling into the wrong hands, right?

“Providers design their products to allow access for software updates using centrally managed security keys,” he said. “We know of no instance where encryption has been defeated by compromise of those provider-maintained keys. Providers have been able to protect them.”

Obviously Barr hasn’t been paying attention. This is exactly how the NotPetya ransomware that crippled businesses worldwide spread: via poisoned software updates using fake keys. Stuxnet also used stolen digital keys to cryptographically sign itself so that it looked like legit software. Microsoft lost control of some of its secure boot system’s golden keys. The list goes on.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/07/23/us_encryption_backdoor/

Business Email Compromise: Thinking Beyond Wire Transfers

As BEC continues to drive record-high losses, cybercriminals devise new tactics for swindling corporate targets out of millions.

Business email compromise (BEC) continues to evolve as a prominent enterprise threat as cybercriminals adopt new tactics to manipulate employees into sending funds their way. They’ve learned from their mistakes to become more advanced and harder to detect.

The number of reports describing BEC incidents has rapidly grown from a monthly average of nearly 500 in 2016 to more than 1,100 in 2018, the Financial Crimes Enforcement Network (FinCEN) says in its July 2019 Financial Trend Analysis. The total value of attempted BEC threats climbed from an average of $110 million per month in 2016 to $301 million per month in 2018.

In a July 2018 advisory, the FBI’s Internet Crime Complaint Center (IC3) dubbed BEC “the 12 billion dollar scam” and cited a 136% increase in identified global exposed losses (including actual losses and attempted thefts) between December 2016 and May 2018. Indeed, the domestic and international exposed dollar loss between October 2013 and May 2018 totaled $12.5 billion.

As the losses climbed, so too did attempted BEC scams. The average daily volume of BEC emails reached 128,700 in the first quarter of 2019, a 50% year-over-year increase from 85,816 in 2018, Symantec says in a new blog post detailing modern BEC threats. An average of 6,029 organizations were targeted each month between July 2018 and June 2019, a slight decrease from the 6,089 businesses targeted in the 12 months prior, researchers found.

But that doesn’t mean cybercriminals are holding back — they’re simply getting smarter about how they craft BEC messages and who receives them. Here is an updated look at modern BEC threats:

Who They’re Targeting
Manufacturing and construction firms were the top targets for BEC fraud in 2017 and 2018, when they made up 25% of all BEC incidents, with an average transaction amount of $53,728. Commercial services such as landscaping, retail, and lodging were up 6%, more than other industries, while financial firms dropped from 16% in 2017 to 9% in 2018. At the same time, real estate services increased as a target, going from 9% of incidents in 2017 to 16% in 2018.

Construction may seem an odd choice to outsiders but an appealing one for scammers. Manufacturing firms regularly interact with overseas suppliers, which may require wire transfers for payment, and they display publicly available client information. The US was the top BEC victim region with 39% of all threats, Symantec reports, followed by the UK (26%).

Real estate is growing as a target due to frequent high-dollar transactions and a growing market. Still, industries common in a specific state are more frequently targeted in that state: finance firms are often hit in New York, manufacturing and construction in Texas.

Data shows attackers are shifting strategies as awareness of their schemes continues to grow. One-third of BEC scams in 2017 involved fake emails impersonating the CEO or president of a company; this fell to 12% in 2018. Now that leaders are wary of threats like these, attackers are looking for lower-level employees whom they can manipulate into fulfilling their requests.

“It’s expanding to new people that are targeted, but also new schemes of getting money from them,” says Candid Wueest, senior principal threat manager at Symantec. Now they’re going after personal assistants in the finance, accounts payable, and human resources departments.

How They’re Targeting
Fraudulent vendor or client invoices made up 30% of incidents in 2017 and 39% in 2018, FinCEN found. Part of the reason is financial gain: The average transaction amount for BECs impersonating an invoice was $125,439, compared with $50,373 for impersonating a CEO. BEC fraud using a fake invoice accounted for 30% of total transactions but 41% of total transaction amounts — the highest among the different types of BEC scams that FinCEN observed.

“That’s a spin-off that isn’t targeted against CEOs but could target anyone out there,” Wueest says. If attackers can break into a corporate email account and obtain a copy of an invoice, they can copy it, add their own banking details, and send it the following month a few days earlier than the company would typically receive it. “Those are very convincing,” he adds.

Gift cards are another increasingly popular way for BEC scammers to gain funds, Symantec says. Scammers request potential victims to purchase physical and electronic iTunes gift cards, Amazon gift cards, and generic gift cards for clients and partners. Victims receive a spoofed email, call, or text from a person of authority requesting they buy the cards to distribute to employees.

Those who take the bait send the cards back to the attackers, who resell them online for profit. Gift cards require less setup, Wueest explains, and can’t be linked to the perpetrators. “They’re not using it themselves because, of course, those vouchers have a serial number that can be traced. If they did use it themselves, there’s the risk they might be shut down or prosecuted.” Wire transfer requests remain popular for their financial gain, but they require more work.

Scammers are also building on previous interactions, chatting with employees, and doing their homework. “One of the things that definitely stood out to me was it’s no longer just about transferring the money and doing wire transactions, as it has been in the past,” says Wueest. “We can see they do a lot of social engineering and don’t put everything in the first email.”

Today’s BEC scammers start small: “Hey, I need a favor” or “Hey, are you at your desk?” are common openers, he notes. Attackers appear casual at first to build trust. After a few back-and-forth emails, they have a better sense of whether an employee will do what they ask. Some ask for the victim’s phone number so they can follow up to send payment details via text.

Wueest recommends businesses double-check suspicious emails, especially if they come from free accounts on Gmail, Yahoo, or AOL. They should also create an environment in which employees aren’t afraid to verify emails containing popular BEC keywords — “Urgent,” for example, and anything related to payments — or ask leadership if they’re legitimate.
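The sender and keyword checks Wueest recommends can be turned into a first-pass triage rule for a mail gateway or SOC playbook. The code below is an added example, not part of the article and not Symantec’s tooling; the free-webmail list, keyword patterns, weights and threshold are assumptions chosen to mirror the lures the article describes (free Gmail/Yahoo/AOL senders, “Urgent” and payment language, “are you at your desk?” openers, gift-card and phone-number requests), and the sample messages are constructed.

```python
"""Triage heuristics for business email compromise (BEC) lures.

Added example, not code from the article or from Symantec. Keyword lists,
weights and the threshold are assumptions; tune them against your own mail.
"""
from __future__ import annotations

import re
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List, Tuple

# Free webmail providers the article singles out as worth a second look.
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "aol.com"}

# Each rule: (name, pattern, weight). A rule scores at most once per message.
RULES: List[Tuple[str, re.Pattern, int]] = [
    ("urgency", re.compile(r"\b(urgent|asap|right away|immediately)\b", re.I), 2),
    ("payment", re.compile(r"\b(wire transfer|invoice|banking details|payment|account number)\b", re.I), 3),
    ("gift_cards", re.compile(r"\b(gift cards?|itunes cards?|amazon cards?|vouchers?)\b", re.I), 3),
    ("casual_opener", re.compile(r"\b(need a favou?r|are you at your desk|quick task)\b", re.I), 2),
    ("phone_request", re.compile(r"\b(cell|mobile|phone) (number|no\.?)\b", re.I), 2),
    # Invoice fraud: an invoice whose bank/account details have "changed".
    ("bank_change", re.compile(
        r"\b(changed|new|updated)\b[^.\n]*\b(bank|banking|account)\b"
        r"|\b(bank|banking|account)\b[^.\n]*\b(changed|new|updated)\b", re.I), 3),
]

SUSPICIOUS_THRESHOLD = 4  # assumption: score at or above this gets a human check


def sender_domain(msg_from: str) -> str:
    """Return the lower-cased domain of the From: address ('' if unparsable)."""
    _, addr = parseaddr(msg_from or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_email(raw: str) -> Dict[str, object]:
    """Parse one RFC 5322 message and score subject + body against the rules."""
    msg = message_from_string(raw)
    body = msg.get_payload(decode=True)  # bytes for a single-part message
    text = body.decode("utf-8", "replace") if isinstance(body, bytes) else str(body or "")
    haystack = f"{msg.get('Subject', '')}\n{text}"

    hits: List[str] = []
    score = 0
    domain = sender_domain(msg.get("From", ""))
    if domain in FREE_WEBMAIL:
        hits.append("free_webmail_sender")
        score += 2
    for name, pattern, weight in RULES:
        if pattern.search(haystack):
            hits.append(name)
            score += weight
    return {"from_domain": domain, "score": score, "hits": hits,
            "suspicious": score >= SUSPICIOUS_THRESHOLD}


# Constructed sample messages (not real mail) modelled on the article's lures.
SAMPLE_OPENER = """From: "Pat Rivera, CEO" <pat.rivera.ceo@gmail.com>
To: assistant@example.com
Subject: Are you at your desk?

Hey, I need a favor. Let me know when you are free.
"""

SAMPLE_GIFT_CARDS = """From: "Pat Rivera" <pat.rivera@gmail.com>
To: assistant@example.com
Subject: Urgent

I need you to buy 10 iTunes gift cards for clients today.
Send me your phone number so I can text you the details.
"""

SAMPLE_INVOICE = """From: billing@supplier-example.com
To: ap@example.com
Subject: Invoice 2041 - updated banking details

Please note our banking details changed; wire transfer to the new account.
"""

SAMPLE_BENIGN = """From: colleague@example.com
To: assistant@example.com
Subject: Lunch on Thursday?

Want to grab lunch on Thursday after the team meeting?
"""

if __name__ == "__main__":
    for label, raw in [("opener", SAMPLE_OPENER), ("gift cards", SAMPLE_GIFT_CARDS),
                       ("invoice", SAMPLE_INVOICE), ("benign", SAMPLE_BENIGN)]:
        print(label, score_email(raw))
```

The casual opener scores only 4 on its own, which is the point: the first message in the article’s “start small” pattern looks harmless, so the verdict should trigger a verification step rather than a block.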

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/vulnerabilities---threats/business-email-compromise-thinking-beyond-wire-transfers/d/d-id/1335325?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Penetration Test Data Shows Risk to Domain Admin Credentials

But gaining a foothold on the LAN via vulnerabilities on Internet-facing assets is becoming harder, Rapid7 found in its real-world pen tests.

A new analysis of data from 180 real-world penetration tests in enterprise organizations suggests that cybercriminals who manage to get a foothold on an internal network have an opportunity to then gain domain administrator access in more than three in four cases.

But attacks on Internet-facing assets actually result in some kind of internal access only about 20% of the time because of the security controls that many organizations have implemented at the network perimeter. Attacks on Web applications are even less likely to result in site-wide compromise, doing so only 3% of the time, the study by security vendor Rapid7 showed.

“Organizations are already doing an okay job of shoring up that porous border between internal and external networks,” says Tod Beardsley, research director at Rapid7. Many companies have moved out their external infrastructure to cloud-hosting providers – creating a gap of sorts between their internal and external assets, he says.

“Companies are spending less on their own rack space, so this separation is creating a pretty good boundary,” Beardsley notes. “It’s unlikely, now, that an external Web application compromise will lead directly to an internal LAN compromise.”

Rapid7’s report is based on an analysis of data from internal and external penetration tests the company conducted at client sites between September 2018 and May 2019.

For the external tests, Rapid7’s researchers probed an organization’s Internet-exposed assets including Web applications, VPN concentrators, and file transfer systems. Internal tests were focused on finding vulnerabilities in things like Active Directory domains, printers, and IoT integrations. The analysis included data from electronic and physical social engineering exercises aimed at gaining access to an organization’s IT assets.

Rapid7’s research showed that penetration testers are almost always (96%) able to find at least one major vulnerability that impacts data confidentiality or data integrity. Seventy-two percent of the tests resulted in at least one password being compromised—often because the passwords were known defaults or easily guessed ones.

Most of the flaws on the internal LAN tend to be Microsoft-centered and have an impact on data integrity. The biggest problems here are SMB relaying, a failure to apply critical patches, and credentials stored in cleartext. At 11% of the client sites, Rapid7 found organizations had not deployed patches even for very old and extremely critical flaws, including the MS17-010 SMBv1 vulnerability exploited by EternalBlue, which the WannaCry ransomware used to spread in 2017.

In an SMB relay attack, the tester captures a client’s NTLM authentication handshake and forwards it to another server; the attack fails against servers that require SMB signing. Unlike in prior years, penetration testers were able to use SMB relaying as a viable attack only about 15% of the time, suggesting organizations are much more aware of the need for SMB signing and are getting rid of SMB clients that don’t support it, Beardsley says.
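As an added example (not from Rapid7’s report), here is the check a tester runs to decide whether a host is a relay target: decode the SecurityMode flags from the SMB2 NEGOTIATE response, the same bits that Nmap’s smb2-security-mode script and similar tools report. The response bytes are constructed inside the block rather than captured from a host, and the builder function and sample names are this example’s own.

```python
"""Check an SMB2 NEGOTIATE response for the signing flags that decide
whether an NTLM relay to that host can succeed.

Added example; the response bytes are constructed below, not captured from
a real host. The wire layout follows MS-SMB2: a 64-byte header, then a
NEGOTIATE response body whose SecurityMode field carries the signing bits.
"""
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_HEADER_LEN = 64
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001    # set on every server response
SIGNING_ENABLED = 0x0001                   # SMB2_NEGOTIATE_SIGNING_ENABLED
SIGNING_REQUIRED = 0x0002                  # SMB2_NEGOTIATE_SIGNING_REQUIRED
DIALECTS = {0x0202: "2.0.2", 0x0210: "2.1", 0x0300: "3.0",
            0x0302: "3.0.2", 0x0311: "3.1.1"}


def parse_smb2_negotiate_response(data):
    """Return dialect and signing posture from a NEGOTIATE response.

    Accepts the message with or without the 4-byte direct-TCP (port 445)
    transport header: a zero byte followed by a 24-bit big-endian length.
    """
    if data[:1] == b"\x00":
        length = int.from_bytes(data[1:4], "big")
        data = data[4:4 + length]
    if len(data) < SMB2_HEADER_LEN + 6 or data[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    # Header: ProtocolId(4) StructureSize(2) CreditCharge(2) Status(4) Command(2) ...
    structure_size, _credit_charge, status, command = struct.unpack_from("<HHIH", data, 4)
    (flags,) = struct.unpack_from("<I", data, 16)          # Flags at header offset 16
    if structure_size != SMB2_HEADER_LEN or command != SMB2_NEGOTIATE:
        raise ValueError("not a NEGOTIATE message")
    if not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("NEGOTIATE request, not a response")
    # Body: StructureSize(2) == 0x41, SecurityMode(2), DialectRevision(2), ...
    body_size, security_mode, dialect = struct.unpack_from("<HHH", data, SMB2_HEADER_LEN)
    if body_size != 0x41:
        raise ValueError("unexpected NEGOTIATE response structure size")
    return {
        "status": status,
        "dialect": DIALECTS.get(dialect, hex(dialect)),
        "signing_enabled": bool(security_mode & SIGNING_ENABLED),
        "signing_required": bool(security_mode & SIGNING_REQUIRED),
    }


def relay_possible(data):
    """True when the server accepts unsigned sessions, i.e. relay can work."""
    return not parse_smb2_negotiate_response(data)["signing_required"]


def build_negotiate_response(security_mode, dialect=0x0311):
    """Construct a minimal, well-formed NEGOTIATE response (sample data only)."""
    header = struct.pack(
        "<4sHHIHHIIQIIQ16s",
        SMB2_MAGIC, SMB2_HEADER_LEN, 1, 0, SMB2_NEGOTIATE, 1,
        SMB2_FLAGS_SERVER_TO_REDIR, 0, 0, 0, 0, 0, b"\x00" * 16)
    body = struct.pack(
        "<HHHH16sIIIIQQHHI",
        0x41, security_mode, dialect, 0, b"\x00" * 16,
        0, 0x800000, 0x800000, 0x800000, 0, 0, 0x80, 0, 0)
    message = header + body
    return b"\x00" + len(message).to_bytes(3, "big") + message


# Constructed samples: a member workstation (Windows default: signing enabled
# but not required) and a domain controller (signing required by default).
WORKSTATION_SAMPLE = build_negotiate_response(SIGNING_ENABLED)
DC_SAMPLE = build_negotiate_response(SIGNING_ENABLED | SIGNING_REQUIRED)

if __name__ == "__main__":
    for name, sample in (("workstation", WORKSTATION_SAMPLE), ("dc", DC_SAMPLE)):
        info = parse_smb2_negotiate_response(sample)
        print(f"{name}: SMB {info['dialect']}, signing required={info['signing_required']}, "
              f"relay possible={relay_possible(sample)}")
```

“Signing enabled but not required” is the Windows default for member servers and workstations, which is why relay keeps working; domain controllers require signing by default. Closing the hole means enforcing “Microsoft network server: Digitally sign communications (always)” on the servers, not only on the clients, since it is the server’s SecurityMode that the relay target advertises.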

Rapid7’s penetration testers found that Windows remote administration technologies such as Windows Management Instrumentation (WMI) and PsExec continue to give attackers avenues for lateral movement once they hold valid credentials. PowerShell restrictions are becoming increasingly common in enterprises, however, making it harder for attackers to misuse the long-abused tool.

“There’s a lot of incident management around PowerShell and a lot of endpoint security solutions are optimized to spot suspicious PowerShell usage,” Beardsley says.
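The detection Beardsley alludes to can be expressed as a handful of rules over Windows event data. The block below is an added example, not Rapid7’s or any vendor’s logic: it scans constructed System and Security log events (IDs 7045 and 4688, with command-line auditing on) for a PsExec service install, processes spawned by the PsExec service, shells spawned by WmiPrvSE.exe, and encoded PowerShell command lines. Hostnames, users and paths in the sample are made up.

```python
"""Flag PsExec- and WMI-style lateral movement in Windows event data.

Added example, not taken from Rapid7's report. The events are constructed
in the shape of a JSON export of the System and Security logs (Event IDs
7045 and 4688 with command-line auditing enabled). Field names follow the
Windows event schema; hostnames, users and paths are made up.
"""
from fnmatch import fnmatchcase

PSEXEC_SERVICE_PATTERNS = ("psexesvc", "paexec*", "csexecsvc")   # PsExec and common clones
WMI_HOST = "wmiprvse.exe"                                         # WMI provider host process
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
          "mshta.exe", "rundll32.exe", "regsvr32.exe"}
ENCODED_FLAGS = ("-enc", "-encodedcommand", "-e ")                # base64 script on the command line


def _base(path):
    """Lower-cased file name of a Windows path, whichever separator is used."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return one alert per suspicious event, in input order."""
    alerts = []
    for ev in events:
        host, eid = ev.get("Computer", "?"), ev.get("EventID")
        if eid == 7045:   # a new service was installed
            svc = ev.get("ServiceName", "").lower()
            if (any(fnmatchcase(svc, p) for p in PSEXEC_SERVICE_PATTERNS)
                    or _base(ev.get("ImagePath", "")).startswith("psexesvc")):
                alerts.append({"host": host, "rule": "psexec_service_install",
                               "detail": f"service {ev.get('ServiceName')!r} -> {ev.get('ImagePath')}"})
        elif eid == 4688:  # a new process was created
            parent, child = _base(ev.get("ParentProcessName", "")), _base(ev.get("NewProcessName", ""))
            cmdline = ev.get("CommandLine", "")
            if parent == WMI_HOST and child in SHELLS:
                rule = "wmi_spawned_shell"
            elif parent == "psexesvc.exe" or child == "psexesvc.exe":
                rule = "psexec_process"
            elif child in ("powershell.exe", "pwsh.exe") and any(f in cmdline.lower() for f in ENCODED_FLAGS):
                rule = "encoded_powershell"
            else:
                continue
            alerts.append({"host": host, "rule": rule,
                           "detail": f"{ev.get('SubjectUserName', '?')}: {parent} -> {cmdline or child}"})
    return alerts


def hosts_with_lateral_movement(alerts):
    """Sorted list of hosts that raised at least one alert."""
    return sorted({a["host"] for a in alerts})


SAMPLE_EVENTS = [   # constructed sample, mixing benign and suspicious events
    {"EventID": 7045, "Computer": "FS01.corp.example", "ServiceName": "Spooler",
     "ImagePath": "C:\\Windows\\System32\\spoolsv.exe"},
    {"EventID": 7045, "Computer": "FS01.corp.example", "ServiceName": "PSEXESVC",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    {"EventID": 4688, "Computer": "FS01.corp.example", "SubjectUserName": "SYSTEM",
     "ParentProcessName": "C:\\Windows\\PSEXESVC.exe",
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 4688, "Computer": "WS42.corp.example", "SubjectUserName": "jdoe",
     "ParentProcessName": "C:\\Windows\\explorer.exe",
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe"},
    {"EventID": 4688, "Computer": "WS42.corp.example", "SubjectUserName": "svc_backup",
     "ParentProcessName": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"EventID": 4688, "Computer": "WS42.corp.example", "SubjectUserName": "SYSTEM",
     "ParentProcessName": "C:\\Windows\\System32\\svchost.exe",
     "NewProcessName": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "CommandLine": ""},
    {"EventID": 4688, "Computer": "WS17.corp.example", "SubjectUserName": "asmith",
     "ParentProcessName": "C:\\Windows\\explorer.exe",
     "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -EncodedCommand SQBFAFgA"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['rule']}] {alert['host']}: {alert['detail']}")
```

The WMI rule keys on the parent process because a remote `wmic process call create` or `Invoke-WmiMethod` lands as a child of WmiPrvSE.exe on the target, while local WMI activity rarely spawns a shell that way. PsExec’s service and binary names are configurable, so the 7045 rule is a floor rather than a ceiling; pair it with the 4688 rule, which also catches renamed copies once they spawn children.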

External Vulnerabilities

Meanwhile, the most common external network vulnerabilities the 


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/vulnerabilities---threats/penetration-test-data-shows-risk-to-domain-admin-credentials/d/d-id/1335324?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

New IPS Architecture Uses Network Flow Data for Analysis

Can a stream of data intended for network performance monitoring be the basis of network security? One company says the answer is ‘yes.’

Routers, switches and other network devices generate flow records as traffic passes through them: compact summaries of who talked to whom, over which ports and protocol, and how many packets and bytes changed hands. Network management systems have long consumed that telemetry. Now, a company is putting flow information to a new use: protecting the network.

Netography has launched the open beta of a service it’s calling Distributed IPS (Intrusion Prevention Service). The service uses multiple forms of flow data, including sFlow, NetFlow, and cloud VPC flow logs, to analyze and act on network activity. “Switches, routers, and others are flow services,” says Barrett Lyon, Netography’s CEO. He explains that the flow data such devices generate has traditionally been telemetry used for activities such as bandwidth management. “When we looked at it, you saw you could use the information in there for other things,” Lyon says.

Flow Begins
The first flow format was NetFlow, introduced by Cisco in the mid-1990s to let network administrators analyze traffic sources and destinations, along with performance conditions and the causes of congestion. Roughly a decade later, the technology entered the IETF standards process, which produced Internet Protocol Flow Information Export (IPFIX), a standards-based format derived from NetFlow version 9. IPFIX is used by a number of network infrastructure vendors.

There are other flow formats on the market, many of them proprietary and supported by a single vendor. One notable exception is sFlow, an open specification supported by more than two dozen vendors, including several, such as Cisco, that also have their own proprietary formats. sFlow also works differently: rather than having the device aggregate traffic into flows, it exports a random sample of packet headers together with interface counters and leaves the analysis to the collector.

Distributed IPS can be used to act on network flow information in several ways. “There are four ways you can do stuff with flow data,” says Lyon. “As we analyze it, we can trigger against different anomalies. That can go into an API that DevOps developers can develop actions around,” he says, checking off the first two. “You can subscribe to your blacklist feed via BGP or BGP flowspec, or subscribe to one of the other blacklists,” and then compare network traffic sources and destinations to the entries on those lists, Lyon continues.

Resolution Questions
Distributed IPS is able to detect distributed denial-of-service attacks, botnets, data exfiltration, login attempts, and other illicit network activity. The flows are collected and analyzed by Netography’s cloud-based engine, with actions then taken through APIs available from Netography or developed by (or on behalf of) the customer.

There are observers, though, who have questions about whether the technology developed for network control can be adequate for security. “The challenge with NetFlow is that it is very low resolution,” says Chris Morales, head of security analytics at Vectra, a company that uses artificial intelligence as the basis for its cybersecurity detection. “Think of trying to repaint the ‘Mona Lisa’ from a 1970s Polaroid photo. The resolution is too low to detect hidden threats with high efficacy.”
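To make both Lyon’s pitch and Morales’s objection concrete, here is an added example (not Netography’s code) that parses a NetFlow v5 export datagram and runs two of the checks flow data can support: matching sources and destinations against a blocklist, and spotting a SYN-only port scan. The datagram and the blocklist prefix are constructed. Everything the detector sees is in the record dict: addresses, ports, protocol, TCP flags and counters, with no payload at all, which is exactly the resolution limit Morales describes.

```python
"""Parse NetFlow v5 export datagrams and run two flow-based detections.

Added example, not Netography's code. The datagram is constructed below from
the public NetFlow v5 layout (24-byte header, 48-byte records); the addresses,
ports and the blocklist prefix are made up for the demonstration.
"""
import struct
from collections import defaultdict
from ipaddress import IPv4Address, IPv4Network

NF5_HEADER = struct.Struct("!HHIIIIBBH")                 # version .. sampling_interval
NF5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # srcaddr .. pad2
TCP_SYN, TCP_ACK = 0x02, 0x10


def parse_netflow_v5(datagram):
    """Return the flow records in one export datagram as dicts.

    A record carries only metadata: endpoints, ports, protocol, the OR of the
    TCP flags seen, and packet/byte counts. There is no payload to inspect.
    """
    version, count, *_rest = NF5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    records = []
    for i in range(count):
        f = NF5_RECORD.unpack_from(datagram, NF5_HEADER.size + i * NF5_RECORD.size)
        records.append({"src": IPv4Address(f[0]), "dst": IPv4Address(f[1]),
                        "packets": f[5], "bytes": f[6], "sport": f[9], "dport": f[10],
                        "tcp_flags": f[12], "proto": f[13]})
    return records


def blocklist_hits(records, blocklist):
    """Flows whose source or destination falls in a blocklisted prefix."""
    nets = [IPv4Network(n) for n in blocklist]
    return [r for r in records if any(r["src"] in n or r["dst"] in n for n in nets)]


def scan_sources(records, min_ports=10):
    """Sources that sent SYN-only TCP flows to many distinct ports on one host."""
    probes = defaultdict(set)
    for r in records:
        if r["proto"] == 6 and r["tcp_flags"] & TCP_SYN and not r["tcp_flags"] & TCP_ACK:
            probes[(r["src"], r["dst"])].add(r["dport"])
    return sorted({str(src) for (src, _dst), ports in probes.items() if len(ports) >= min_ports})


# --- constructed sample datagram ------------------------------------------
def _record(src, dst, sport, dport, proto, pkts, octets, flags):
    return NF5_RECORD.pack(IPv4Address(src).packed, IPv4Address(dst).packed, b"\0\0\0\0",
                           1, 2, pkts, octets, 1000, 2000, sport, dport, 0, flags, proto, 0,
                           0, 0, 24, 24, 0)


def build_datagram(records):
    header = NF5_HEADER.pack(5, len(records), 123456, 1_560_000_000, 0, 1, 0, 0, 0)
    return header + b"".join(records)


SAMPLE_FLOWS = (
    # three ordinary HTTPS sessions from a workstation
    [_record("10.0.0.5", "93.184.216.34", 51000 + i, 443, 6, 12, 9000, TCP_SYN | TCP_ACK) for i in range(3)]
    # one host probing 15 ports on a neighbour with single-packet SYNs
    + [_record("10.0.0.99", "10.0.0.10", 40000 + p, p, 6, 1, 60, TCP_SYN) for p in range(20, 35)]
    # one session to an address inside the constructed blocklist
    + [_record("10.0.0.7", "198.51.100.7", 52222, 8443, 6, 40, 51000, TCP_SYN | TCP_ACK)]
)
SAMPLE_DATAGRAM = build_datagram(SAMPLE_FLOWS)
SAMPLE_BLOCKLIST = ["198.51.100.0/24"]   # constructed: TEST-NET-2 stands in for a real feed


def analyze(datagram, blocklist=SAMPLE_BLOCKLIST):
    """Run both detections over one datagram and summarise the result."""
    records = parse_netflow_v5(datagram)
    return {"flows": len(records),
            "blocklist_hits": [f"{r['src']}->{r['dst']}:{r['dport']}" for r in blocklist_hits(records, blocklist)],
            "scanners": scan_sources(records)}


if __name__ == "__main__":
    print(analyze(SAMPLE_DATAGRAM))
```

Both checks work because they need nothing but endpoints, ports and flags. What the same records cannot tell you is whether the 51,000 bytes that went to port 8443 were a software update or an exfiltrated spreadsheet, or whether a flow to port 443 carried TLS at all; that judgement needs packet-level data, which is the gap a flow-only IPS has to acknowledge.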

Flow Actions
Lyon says that one of the bigger problems Distributed IPS is hoped to solve is more human-based than technological. “A lot of companies have developed their own orchestration layers similar to this, but many of those were developed by individual developers who then moved on, taking details of how the layer works with them,” he says. That leaves the organization with a “black box” that can be difficult to update and impossible to patch or improve.

There seems little question that those black-box solutions can be less than perfect answers to security problems, and even off-the-shelf IPS products differ widely in what they can provide for customers. “The usefulness, and thus the effectiveness, of current IDS/IPS technology varies greatly by vendor and rulesets,” says Terence Jackson, CISO at Thycotic. “The idea of Netography’s Distributed IPS is intriguing, as it turns non-security appliances into a source of telemetry and threat intelligence. I think the idea could be a good one, but that depends on how the data will be used to work with current firewall technology on-premises and in the cloud.”

“The need for intrusion detection is absolutely real,” says Morales. And he agrees that “NetFlow seems like an obvious fit due to its ability to scale for size.” The question is whether the combination of flows that Distributed IPS ingests will provide the fine-grained resolution necessary for network security. The open beta period should help both Netography and its customers answer those very real questions.


Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/analytics/new-ips-architecture-uses-network-flow-data-for-analysis/d/d-id/1335327?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

SharePoint Online scam – sadly, phishing’s not dead

Most of us can recognise most spam when we see it – emails we didn’t ask for from companies we’ve never heard of selling us products we aren’t interested in at price points we simply couldn’t care less about.

Having said that, a lot of spam isn’t simply unwanted email – it’s dangerous, too, because it contains not only links or attachments you don’t want but also content that deliberately tries to put you in harm’s way.

One of the most prevalent types of outright scammy spam is phishing, for which the simplest definition we’ve come up with is this:

Phishing is the word used when a cybercriminal sends you some sort of electronic message to trick you into doing something insecure.

The “fishing” metaphor, of course, refers to the idea of getting you on the hook and then reeling you in.

Phishing gets its curious spelling from a 1970s crime known colloquially as phreaking, a blend of “phone” and “freak”. Hackers figured out how to make free calls using a variety of illegal tricks to fool the telephone system, for example by playing the network’s own signalling tones down the line. Freaking out the phone system became phreaking, and by analogy, fishing for passwords and other personal data became known as phishing.

One of the best-known flavours of phishing doesn’t bother trying to sneak malware onto your computer, but instead gets you to submit personal information from your computer.

Typically, this means tricking you into visiting a website that ultimately leads you to a login page that looks just like one you see often, where you enter your username and password to go further…

…only to realise, too late, that you just put your very own login credentials into an unknown and untrusted website.

As with spam in general, however, lots of people assume that these password-stealing phishing emails are more of an annoyance than a danger, because they’re often very obvious.

The “obvious” features people look out for in password-leeching emails include:

  • Mistakes of spelling and grammar. Phishing emails often look unprofessional, unlike the genuine emails they are pretending to be.
  • Incorrect or vague greetings. Phishing emails often say “Dear Sir/Madam” or “Dear Customer” because the crooks don’t actually know who you are, something a genuine email sender would know.
  • Errors in regional usage. Phishing emails may use the wrong currency symbols, an unusual date format or an unexpected word that a genuine sender would get right.
  • Incorrect or unlikely web links. Phishing emails generally rely on getting you to click through to a web domain that’s different from the genuine site.

Not all phishers make mistakes

But not all phishers make all these mistakes, so if you rely heavily on the presence of obvious errors to give phishes away, you’re more likely to get caught out.

That’s because crooks don’t have to gain fluency in your language, learn your business jargon or understand your culture to come up with simple and unexceptionable phishing messages.

Here’s a real-world example of a keep-it-pretty-normal phishing campaign that showed up many times recently in our personal accounts as well as in SophosLabs spamtrap email accounts:

By sticking to plain-and-simple English and relying on the sort of stripped-down message templates that many automated message delivery systems use, crooks can surprisingly easily create messages that pass the regional usage test, pass the customer greeting test, and pass the spellos-and-typos test.

In this case, there’s an extra bit of trickery aimed at distracting you from the incorrect web link, too.

The dodgy link that the crooks want you to click, plus an official-looking logo, is added as an HTML attachment, rather than included inline in the email.

Opening the attachment feels innocent enough, because it’s supposedly just the document itself – presumably a mostly-harmless image file such as a JPEG or a PNG.

What you get, however, is a request to log in to SharePoint to view the image via the cloud:

Your warning bells ought to go off loudly here, because the appearance of a login screen – what’s known in the jargon as an interstitial page, which is just a fancy pseudo-Latin way of saying “sitting between A and B” – is not precisely what was promised in the original email.

The email implied that the attachment contained the actual image, but instead it contained an indirect way of getting to the image.

Of course, the cloud has trained us to expect exactly that sort of thing – we regularly talk about “sending” and “receiving” images and documents via email even when we’re not sending the files themselves, but instead handing out links where we’ve dumped them into cloud sharing services.

Note that in this phish, there is no easy way to see the dodgy link that the crooks are using to harvest your password:

  • The login form is loaded as a local HTML file that’s attached to the email, so it doesn’t have a giveaway external link you can check before you open it.
  • Your browser doesn’t show you where your data will go before you click the [VIEW/DOWNLOAD] button.

You can’t hover over the submit button in a web form to see where your data will get sent.

Yes, that’s bad; and no, we don’t know why browsers don’t show you – it would be great if they did.

What next?

In this campaign, any password you put into the form would end up in the hands of the owners of an ordinary-sounding server name in the top-level domain .XYZ.

The good news in this case is that the crooks didn’t bother to get an HTTPS certificate for their domain, so they had to use a web link starting http://, which should provoke a warning in your browser about the lack of encryption for submitted data. (Don’t read the converse into this: certificates are free and trivial for crooks to obtain, so a padlock tells you the connection is encrypted, not that the site is genuine.)

Firefox, for example, says:

Watch out for security warnings – even if this were a legitimate email and a genuine website, you should never put form data – especially passwords – into a non-HTTPS form, because anyone along the way could sniff out both your password and any authentication reply that comes back.

As well as heeding warnings, it’s also worth learning how to use your favourite browser to check out the HTML that’s being displayed by the form, because that will reveal the server that your data will be sent off to.

In Firefox, for instance, if you right-click on the password field and choose Inspect Element, you will open up the HTML of that field and the FORM of which it’s a part, like this:

Look for the opening tag, which will look something like <FORM ACTION=...>, where the ACTION attribute specifies the URL your data is sent to when the form’s [Submit] button is clicked – that’s where your data is headed next. (If there’s no ACTION attribute at all, the browser submits the form to the page’s own URL, and JavaScript on the page can change the target at the last moment, so the Network tab in your browser’s developer tools is the final arbiter of where the data really went.)

In this case, the form not only has a non-HTTPS link, but also a server name that doesn’t seem to have any obvious connection with SharePoint Online.

By the way, once you click [Submit], this phishing site redirects you to a genuine, if only vaguely relevant, Microsoft SharePoint page, presumably as a rather weak decoy to persuade you that you ended up in the right place after all, even though it isn’t quite the page you were expecting:
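The Inspect Element routine described above can be automated for whoever staffs the “ask the experts” mailbox. This added example (not from the article or from Sophos) parses an HTML attachment, resolves each form’s ACTION against the page URL, and flags a non-HTTPS target or a host that isn’t under a domain the imitated service would use. The attachment markup, the .invalid hostname and EXPECTED_HOSTS are this example’s own constructions; EXPECTED_HOSTS in particular is an assumption about where a genuine SharePoint Online sign-in could post.

```python
"""Triage an HTML attachment: where will its login form send what you type?

Added example, not the article's code. It does with a parser what the
article does with Inspect Element: find every <form>, resolve its ACTION,
and flag a non-HTTPS target or a host unrelated to the imitated service.
The attachment HTML and hostnames below are constructed; EXPECTED_HOSTS is
an assumption about where a genuine SharePoint Online sign-in could post.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumption for this example: domain suffixes a genuine sign-in could use.
EXPECTED_HOSTS = (".sharepoint.com", ".microsoftonline.com", ".microsoft.com", ".live.com")


class FormCollector(HTMLParser):
    """Collect each <form>'s action, method and input fields; note any <script>."""

    def __init__(self):
        super().__init__()
        self.forms, self._form, self.has_script = [], None, False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action"), "method": (a.get("method") or "get").lower(), "inputs": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            self._form["inputs"].append((a.get("name") or "", (a.get("type") or "text").lower()))
        elif tag == "script":      # script can rewrite the action at submit time
            self.has_script = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def assess_form(form, page_url, expected_hosts=EXPECTED_HOSTS):
    """Resolve the form's target and list the reasons not to type a password into it."""
    findings = []
    action = (form["action"] or "").strip()
    if not action:
        findings.append("no ACTION: the form posts back to the page's own URL")
    target = urljoin(page_url, action) if action else page_url
    parts = urlsplit(target)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        findings.append(f"target scheme is {parts.scheme or 'none'!r}, not https")
    if not host.endswith(expected_hosts):      # suffix match, never a substring match
        findings.append(f"target host {host!r} is unrelated to the imitated service")
    return {"target": target, "method": form["method"],
            "collects_password": any(kind == "password" for _, kind in form["inputs"]),
            "findings": findings}


def triage_attachment(html_text, page_url="file:///attachment.html"):
    """Assess every form in an attachment opened from disk (hence the file:// default)."""
    parser = FormCollector()
    parser.feed(html_text)
    parser.close()
    return {"has_script": parser.has_script,
            "forms": [assess_form(f, page_url) for f in parser.forms]}


# Constructed attachment in the shape the article describes: a logo, a line of
# text, and a form posting over plain HTTP to a look-alike host.
PHISH_ATTACHMENT = """<html><body>
<img src="sharepoint-logo.png" alt="SharePoint">
<p>Sign in to view the shared document.</p>
<form method="POST" action="http://files-sharepoint-view.invalid/auth/submit.php">
  <input type="email" name="login">
  <input type="password" name="passwd">
  <input type="submit" value="VIEW/DOWNLOAD">
</form></body></html>"""

# Constructed control case whose action points at an expected host over HTTPS.
CONTROL_FORM = """<form method="post" action="https://login.microsoftonline.com/common/login">
<input type="email" name="login"><input type="password" name="passwd"></form>"""

if __name__ == "__main__":
    for label, doc in (("attachment", PHISH_ATTACHMENT), ("control", CONTROL_FORM)):
        for form in triage_attachment(doc)["forms"]:
            print(label, form["method"].upper(), form["target"], form["findings"] or "no red flags")
```

Match on the domain suffix, not on the presence of a brand name: the sample’s host contains “sharepoint” and is still flagged. Treat the output as triage rather than a verdict: a form with no ACTION posts to its own URL, and any script on the page can swap the target at submit time, so the browser’s Network tab remains the place to confirm where the data actually went.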

What to do?

  • Don’t enter passwords into login pages that show up after you click on a link in an email. Bookmark the official login pages of your favourite sites, or type the URLs into your browser from memory.
  • Avoid opening attachments in emails from senders you don’t know, even if you work in HR or accounts and you use attachments a lot in your job.
  • Set up an “ask the experts” email address inside your organisation. That gives your users a quick way to ask for advice about unexpected emails and unsolicited attachments.
  • If in doubt, don’t give it out. People do still send faxes, but it’s rare enough that you ought to be suspicious. Stop and think before you connect – ask for a second opinion if you aren’t sure.
  • Consider using both email and web filtering, so you can block both incoming links and outbound clicks.
  • Don’t ignore browser warnings about insecure sites and data input forms. Unencrypted web pages are typically the sign either of a lazy crook or of a site operator who’s not up to speed on security.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/_GauxhRMdVU/