STE WILLIAMS

Symantec Builds Out Cloud Portfolio to Enforce ‘Zero Trust’

New additions to its Integrated Cyber Defense Platform aim to give businesses greater control over access to cloud resources and applications.

Symantec is beefing up its Integrated Cyber Defense Platform with new controls to secure cloud and Internet access in enterprise environments and support “zero-trust” security standards.

As cloud technology changes the way we work, and as more traffic flows inside and outside organizations, employees need direct and constant access to cloud resources from multiple devices and locations. The zero-trust model treats every user, inside or outside the network, as untrusted until verified, and it moves access control from the network perimeter to the individual user and device. Authorized users are granted access only to the network and cloud resources they need to do their jobs.

Symantec’s latest additions aim to help businesses enforce zero-trust policies for software-as-a-service (SaaS) applications, corporate applications in infrastructure-as-a-service (IaaS) environments, cloud-based email, and the Internet. The new capabilities also include visibility and content scanning so businesses can enforce data-loss prevention (DLP) policies on data sent to cloud and Web destinations.

“Users want anytime, anywhere access to the applications and corporate resources that allow them to quickly accomplish their tasks, but IT and security professionals need to protect them, and the corporation, from the business risks associated with enabling a direct-access model,” said Doug Cahill, senior analyst and group director at Enterprise Strategy Group, in a statement released by Symantec.

New capabilities include the CloudSOC Mirror Gateway, which extends CASB security controls to unmanaged devices to govern their use of public SaaS applications. Symantec Secure Access Cloud, which comes from Symantec’s recent acquisition of Luminate Security, lets administrators scan content uploaded to or downloaded from corporate applications deployed in IaaS and other environments, inspecting it with DLP to enforce security policies and with antivirus and sandboxing technologies for threat prevention. It also lets admins restrict users to only the corporate apps and resources they are authorized to use.

Symantec’s Web Security Service now integrates with Secure Access Cloud so that Web sessions and authenticated user data can be shared between the two, simplifying the operation and use of both services. The Email Security Cloud platform can now isolate suspicious email attachments so that employees can verify attachments are safe, protecting against phishing, ransomware, and account takeover.


 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/cloud/symantec-builds-out-cloud-portfolio-to-enforce-zero-trust/d/d-id/1335256?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

US Mayors Commit to Just Saying No to Ransomware

The group of more than 1,400 top elected municipal officials takes the admirable, recommended stance against paying ransoms. However, can towns and cities secure their information technology infrastructure to withstand attacks?

From small towns such as Lake City, Florida, to large metropolises such as Baltimore, Maryland, municipalities have become a major target for ransomware groups. Now, more than 1,400 US mayors have taken a stance against paying out ransoms to the cybercriminals that target their systems and data. 

In a resolution signed at the US Conference of Mayors earlier this month, the top elected officials of every city of more than 30,000 citizens committed to not paying ransoms to the cybercriminals that encrypt data and demand payment to unlock the information. The resolution came just days after Lake City, a town of 12,000, paid $460,000 and weeks after Riviera Beach, Florida, a town of 35,000, paid $600,000 to regain access to their respective systems.

In the resolution, the US Conference of Mayors estimated that at least 170 county, city and state governments had suffered a ransomware attack since 2013, with 22 of those attacks occurring just this year.

“[P]aying ransomware attackers encourages continued attacks on other government systems, as perpetrators financially benefit [and] the United States Conference of Mayors has a vested interest in de-incentivizing these attacks to prevent further harm,” the group said in its resolution to refuse to pay ransoms.

The pledge to not pay comes as municipalities are being explicitly targeted by ransomware gangs. The list of towns and cities suffering from ransomware include large metropolises, such as Baltimore and Atlanta, and small towns, such as Lake City and West Haven, Connecticut.

While law enforcement officials and security experts have long recommended that ransomware victims not pay, they acknowledge that some organizations have no other way to recover from a ransomware disaster. As municipalities, counties, businesses, and government agencies have increasingly been successfully targeted, some security professionals have accepted that victims will sometimes need to pay, and analysts have even urged companies to be ready for that eventuality.

That makes the mayors’ announcement stand out that much more, says Akshay Bhargava, senior vice president of cybersecurity firm Malwarebytes. “I really respect the mayors and cities for taking this stance,” he says. “Victims are going to have to take a stronger position, and this is an important first step.”

Whether or not towns and cities will be able to secure their networks and systems enough to be ready for ransomware is another question. Attackers demanded about $52,000 from Atlanta to unlock its systems two years ago. The city refused, and then paid at least $2.6 million to restore its corrupted systems.

Yet such will is needed to remove the incentive for attackers to go after specific industries or government agencies, says Monique Becenti, product and channel specialist at SiteLock. “Until every organization can make a pact refusing to pay ransomers, there is always going to be that one organization that will be willing to pay a high-dollar amount to retrieve their stolen data all because they never had a backup,” she says. 

The key to not paying a ransom is to be able to quickly and completely recover after an attack, Mickey Bresman, CEO of Semperis, a provider of identity-based security, said in a statement. “Having the right type of disaster recovery plan, with a cyber recovery first approach, will allow local government to have better ability to bounce back and not be a helpless victim,” he said. “Recovery plans combining clean and validated backups with automation will hopefully make the ransomware crime unprofitable and a thing of the past.”

But even organizations that could recover from a ransomware attack often choose to pay the ransom instead because recovering from secondary storage can take a long time and require a great deal of manpower. To really be ready for a ransomware attack, organizations must have the ability to quickly recover from backups.

“Businesses of every size need to invest in protecting their data from ransomware and other attacks,” Becenti says. “They can do this by implementing a viable backup solution for all internal data that is being collected electronically…. Having solid data backup in place takes away any leverage attackers have over you.”

Still, even organizations that pay ransoms should have a backup solution because ransomware attackers cannot always recover the data that they encrypted, she adds.

The fact that municipalities have committed to not paying ransoms will likely cause others to follow suit, says Malwarebytes’ Bhargava.

“I do think this is a start of a trend, not a one-off,” he says. “More and more, you will see other governments, states, around the globe, and organizations saying, we want to take a strong stance.”


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline … View Full Bio

Article source: https://www.darkreading.com/attacks-breaches/us-mayors-commit-to-just-saying-no-to-ransomware/d/d-id/1335255?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

How Attackers Infiltrate the Supply Chain & What to Do About It

With some security best practices, enterprises can significantly reduce the chances that a potential supply chain attack will affect business operations.

Attackers today are getting increasingly creative about how they target organizations, often using the supply chain as a point of ingress, exactly the kind of thing that keeps security pros up at night. Rather than attack their targets directly, attackers are perfectly happy to compromise one of the target’s third-party providers and accomplish their end goal that way.

Whether it’s a hardware provider further down the supply chain, a software provider to which the organization outsourced some added features, or a service provider, all can represent a potential point of entry. This dramatically changes the attack surface for the typical enterprise and, with recent highly publicized breaches such as those involving ASUS and Docker, is eroding the trust once placed in the supply chain.

Recent attacks have even targeted patching processes and software updates, leveraging the very means by which organizations protect themselves against potential threats. It’s no wonder that organizations are moving more toward a “zero trust” model. Any blind spot becomes a potentially vulnerable attack surface. Infiltrating the target organization by compromising something or someone further down the chain is often an attractive attack vector. And the logical reaction to this type of unknown is to trust nothing — but that mindset is not practical or sustainable.

So, how do we adopt a zero-trust strategy without completely stagnating our business and hamstringing innovation? By accepting the inevitable and prioritizing accordingly.

The truth is, if attackers want to get into your organization they probably can, whether it’s through your supply chain or by other means. Although you should treat your supply chain with healthy skepticism, you can’t refuse to trust anything outside your control. Instead, it’s best to assume there’s a breach and focus your time on mitigating the risk of irreparable damage.

After all, think about the typical attacker’s priorities:

1. Gain access.
2. Move laterally and escalate privileges.
3. Maintain access (depending on the situation).

If we accept that we likely can’t do much to stop attackers from achieving their first goal, we should instead focus on making step two as difficult as possible.

The most basic step is to limit the exposure of privileged credentials. Protecting privileged credentials from compromise significantly reduces the opportunities for attackers who have infiltrated an environment (via the supply chain or other pathways) to accomplish their end goal of expanding access and escalating privileges. Malware installed on a workstation, for example, could let an attacker gain local administrator rights, use them to reach other machines, and eventually uncover server or domain administrator accounts.

Below are three simple steps organizations can take to protect themselves from this type of threat by embracing a realistic zero-trust security strategy that won’t hamstring their business:

1. Layer your defenses. As a defender, one thing to avoid at all costs is putting all your eggs in one basket. Perimeter defenses still serve a purpose, but given all the potential points of ingress for attackers today, it would be the height of foolishness to rely too heavily on maintaining a perimeter that gets wider by the day. It’s best to instead assume a breach and embrace multiple layers of security, establishing a true defense-in-depth strategy. A good starting point is to adopt a risk-based approach to security, investing the most in the security controls that reduce the largest amount of risk.

2. Consistently employ the principle of least privilege. One of the more obvious, but also more helpful, pieces of security advice is to limit the number of access points available for attackers to exploit. Account sprawl is real and carries significant risk for enterprises. Organizations should keep the number of user accounts as small as possible; an unneeded account is a source of risk with no corresponding reward.

This is particularly true for privileged accounts. Privileged account takeover is the dream scenario for an attacker as it makes a full network takeover easier. However, it’s much harder to move laterally and escalate privileges if there aren’t as many privileged accounts to take over. An obvious best practice therefore is to only grant administrator accounts to those who actually need them and ensure that they are only used for administrative tasks rather than basic day-to-day work.

3. Increase monitoring for privileged credential theft. If an organization is victimized by a supply chain attack, the initial attack by definition took place in a security blind spot and thus the enterprise won’t have detected it. However, by monitoring privileged sessions to detect patterns indicative of credential theft techniques, organizations can increase the chances that they’ll identify if/when the attacker is actually trying to use the access they’ve attained. And if the organization can catch them when they’re trying to escalate, then the threat that the supply chain represents is significantly reduced.
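As an added example of the monitoring the three points above call for, and not code from the article or from CyberArk, the script below runs two detections over constructed logon records modelled loosely on Windows Security log events (4624 successful logon, 4672 special privileges assigned): a privileged account being used interactively, with an admin token, on an ordinary user workstation (a least-privilege violation), and a single source address authenticating a privileged account over NTLM to several hosts in a short window (the fan-out that pass-the-hash tooling leaves behind). The account names, hostnames, addresses, logon-type sets and thresholds are assumptions for the example; in production they come from your SIEM and your tiering model.

```python
"""Hunt for privileged-credential misuse in logon telemetry (constructed data).

Event records are modelled loosely on Windows Security log fields:
  4624 = successful logon (logon_type 2 console, 3 network, 5 service, 10 RDP)
  4672 = special privileges assigned to a new logon (an admin-level token)
Account names, hostnames, addresses and thresholds are invented for this
example; in production they come from the SIEM and from your tiering model.
"""
from collections import defaultdict

# Tiering assumptions for this example.
PRIVILEGED_ACCOUNTS = {"adm-jdoe", "adm-ops"}  # Domain Admin-equivalent accounts
ADMIN_HOSTS = {"PAW-01"}                        # hardened admin workstations
WORKSTATION_PREFIX = "WS-"                      # ordinary user endpoints
LOGON_INTERACTIVE = {2, 10, 11}                 # console, RDP, cached interactive
LOGON_NETWORK = 3

# Constructed sample: an admin account used for day-to-day work on a user
# workstation, followed by an NTLM fan-out from that workstation's address.
SAMPLE_EVENTS = [
    {"ts": 1000, "id": 4624, "user": "jdoe",       "logon_type": 2,  "host": "WS-0142", "src_ip": "-",         "auth": "Kerberos"},
    {"ts": 1060, "id": 4624, "user": "adm-jdoe",   "logon_type": 2,  "host": "WS-0142", "src_ip": "-",         "auth": "Kerberos"},
    {"ts": 1060, "id": 4672, "user": "adm-jdoe",   "host": "WS-0142"},
    {"ts": 1300, "id": 4624, "user": "adm-jdoe",   "logon_type": 3,  "host": "FS-01",   "src_ip": "10.0.5.23", "auth": "NTLM"},
    {"ts": 1330, "id": 4624, "user": "adm-jdoe",   "logon_type": 3,  "host": "FS-02",   "src_ip": "10.0.5.23", "auth": "NTLM"},
    {"ts": 1350, "id": 4624, "user": "adm-jdoe",   "logon_type": 3,  "host": "DC-01",   "src_ip": "10.0.5.23", "auth": "NTLM"},
    {"ts": 1400, "id": 4624, "user": "svc-backup", "logon_type": 5,  "host": "BK-01",   "src_ip": "-",         "auth": "Negotiate"},
    {"ts": 2000, "id": 4624, "user": "adm-ops",    "logon_type": 10, "host": "PAW-01",  "src_ip": "10.0.9.5",  "auth": "Kerberos"},
]


def admin_logons_on_workstations(events, privileged=PRIVILEGED_ACCOUNTS,
                                 admin_hosts=ADMIN_HOSTS):
    """Least-privilege violation: a privileged account logged on interactively
    to an ordinary workstation and actually received an admin token there
    (4624 interactive and 4672 for the same account on the same host)."""
    interactive, elevated = set(), set()
    for e in events:
        if e["user"] not in privileged:
            continue
        if (e["id"] == 4624 and e["logon_type"] in LOGON_INTERACTIVE
                and e["host"].startswith(WORKSTATION_PREFIX)
                and e["host"] not in admin_hosts):
            interactive.add((e["user"], e["host"]))
        elif e["id"] == 4672:
            elevated.add((e["user"], e["host"]))
    return sorted(interactive & elevated)


def ntlm_fanout(events, privileged=PRIVILEGED_ACCOUNTS, threshold=3, window=600):
    """Lateral-movement indicator: one source address authenticating a
    privileged account over NTLM to at least `threshold` distinct hosts
    within `window` seconds."""
    by_source = defaultdict(list)
    for e in events:
        if (e["id"] == 4624 and e["logon_type"] == LOGON_NETWORK
                and e.get("auth") == "NTLM" and e["user"] in privileged):
            by_source[(e["user"], e["src_ip"])].append((e["ts"], e["host"]))
    findings = {}
    for key, logons in by_source.items():
        logons.sort()
        for i, (start, _) in enumerate(logons):
            # distinct targets reached inside the sliding window that opens here
            hosts = {h for t, h in logons[i:] if t - start <= window}
            if len(hosts) >= threshold:
                findings[key] = hosts
                break
    return findings


def analyze(events):
    """Run both detections; a SIEM rule would raise one alert per finding."""
    return {
        "admin_on_workstation": admin_logons_on_workstations(events),
        "ntlm_fanout": ntlm_fanout(events),
    }


if __name__ == "__main__":
    for rule, hits in analyze(SAMPLE_EVENTS).items():
        print(rule, hits)
```

Both rules fire on the sample: adm-jdoe took an admin token on WS-0142, and the same workstation’s address then hit three servers over NTLM within a minute. The first finding is the thing step 2 is meant to prevent; the second is the thing step 3 is meant to catch, and it is what a supply-chain foothold on one workstation typically looks like from the inside.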

Increasingly, the supply chain and its active participants represent a security weakness that attackers are adept at exploiting. However, there is significant opportunity to reduce the risk and limit the damage attackers can do. With some fairly simple security best practices, enterprises can significantly reduce the chances that a potential supply chain attack will affect business operations. For many organizations, this means being aware of where privilege-related risk exists, locking that access down, actively monitoring use of privileged accounts to alert on potential anomalies, and acting promptly to remediate risk.


Shay Nahari is the Head of Red-Team services in CyberArk and brings more than 15 years of experience in cybersecurity and telecommunications. He specializes in working with global organizations to improve their ability to detect and react to targeted attacks using adversary … View Full Bio

Article source: https://www.darkreading.com/risk/how-attackers-infiltrate-the-supply-chain-and-what-to-do-about-it/a/d-id/1335234?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

FBI Publishes GandCrab Decryption Keys

Publishing the keys should render existing versions of the ransomware far less dangerous for victims.

What happens when malware retires? In the case of ransomware package GandCrab, the whole world learns your secrets. In a July 15 announcement, the FBI shared the decryption keys for multiple versions of GandCrab, rendering future attacks using these versions little more than an annoyance to their victims.

The keys’ release follows a June 1 announcement from GandCrab developers that they were shutting down the criminal network and retiring after earning, they claim, more than $150 million from the roughly 18 months GandCrab was in operation. That’s out of more than $2 billion in claimed earnings from the entire GandCrab network.

While existing strains of GandCrab have been rendered less dangerous with the release of the keys, researchers and law enforcement agencies are warning that new strains, with new encryption keys, are likely to be developed in the future.



Article source: https://www.darkreading.com/attacks-breaches/fbi-publishes-gandcrab-decryption-keys/d/d-id/1335258?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Asian consortium plans blockchain-based mobile ID system

A consortium of Asian companies has agreed to create a blockchain-based service that might actually be useful. They want to use the blockchain to turn your phone into a mobile ID system.

Seven companies have signed the initiative: Korean telcos KT, SK Telecom, and LG Uplus, and banks KEB Hana Bank and Woori Bank, along with financial IT company Koscom, and Samsung.

The idea is to create a mobile ID management system that lets individuals control their own data and present it to institutions when they want to access something. Known as self-sovereign identity (SSI), it’s an alternative to having your identity managed by someone else.

Today, many people rely on the likes of Google or Facebook (whose business depends on selling access to information about you) to sign them into websites or apps. Billions more use government-backed ID systems like India’s Aadhaar, which has suffered from some devastating privacy setbacks. Even using your driver’s license or passport to prove your identity carries risks, because showing it to someone tells them more about you than might be necessary. Why show someone your driver’s license just to prove that you’re able to buy a six-pack of beer?

An alternative

This initiative seems to present an alternative to that. In a statement (translated online), the consortium said:

When an individual has stored his or her information from an organization or company in a secure storage area of ​​a smartphone, they can submit their desired data at any time for proof.

The consortium isn’t giving much away about the technology. We know it’s blockchain-based, and that it works by storing personal information on your phone. We also know that identity information is verified by the participating banks and possibly the telcos too, because they reported signing…

…contracts for mobile electronic certification business based on blockchain.

That makes sense. If people are going to hold their own ID information on the phone, someone needs to testify that it’s legitimate. Banks and telcos are an obvious choice, because of their strong know-your-client rules and control of your mobile phone accounts.

The consortium looks set to open up certification access to others. It added:

Participants expect that ICT companies and financial companies will be able to commercialize electronic certification services.

This could mean that people can use various forms of identity from different institutions:

We expect that it will be possible to prove simpler and more transparent identification both online and offline, and at the same time speed up the era of data self-sovereignty. Using mobile electronic certificates can greatly simplify the issuance and submission of various certificates.

Why use blockchain technology for this? The ledger itself doesn’t encrypt anything; the identity data is encrypted and held on the phone, or at the institution that issued it. What the blockchain adds is a tamper-evident record that lets one or more third parties verify that a credential is legitimate without the personal information itself having to be transmitted over a network. The bank or the telco could store the personal information (which they hold anyway) and issue you an identifier token for your phone that you can use to prove that you’re you.

The blockchain is the glue that links the identifier token to the sensitive personal data stored at the bank and ensures that neither has been tampered with. We’re not sure that’s exactly how this will work, because information on the consortium’s forthcoming implementation is scant. However, this is what has underpinned other projects in the past like Verified.me, which is supported by the big five Canadian banks.

The consortium hopes that participating organisations will use this blockchain-based identity to grant access to everything from company recruitment systems through to digital banking, student certificates, and a myriad of online services.

What if the phone gets pwned?

The information is protected by Samsung’s Knox feature, which uses security enhancements for Android on top of trusted hardware. Knox has been certified for use by UK and US government departments, but researchers have discovered flaws in its security. In 2016, researchers at Israeli company Viral Security Group found three bugs in Knox that allowed attackers to gain total control of the system. Google’s Project Zero found high-severity flaws in 2017.

There are potential technical flaws in any system, but given the way companies manage our existing identities online, these blockchain ID concepts carry considerable promise. 

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/iXlqtuDkCXM/

Ransomware attackers demand $1.8m from US college

Credit where credit’s due: Monroe College, frozen by a ransomware attack since 6:45 a.m. Wednesday 10 July 2019, has seen a silver lining: it’s gone back to ye good old analog, friendlier, more-in-person ways of yore to keep working.

From a statement sent by Marc Jerome, president of Monroe College, a for-profit institution based in the Bronx borough of New York City, to Inside Higher Ed:

Our team is working feverishly to bring everything back online, and we are working with the appropriate authorities to resolve the situation as quickly as possible.

In the meantime, Monroe continues to operate. We’re simply doing it the way colleges did before email and the internet, which results in more personal interactions. As we have done throughout our 86-year history, we are coming together to assure that our students, faculty and staff are well served.

As of yesterday, the college was still relying on what it says is a microsite that it put up last week in response to the outage.

It also sent workaround instructions to students in its latest tweet, sent last Friday.

Nearly 8,000 students affected

The NY Daily News reports that the attack paralyzed systems at all of Monroe’s campuses in Manhattan, New Rochelle and St. Lucia, where a total of nearly 8,000 students are enrolled.

The attackers told the school that it could get back up and running once it paid 170 Bitcoin. The going price as of Monday for one Bitcoin was US $10,522, putting the total ransom at US $1,788,740.

Will Monroe pay? Or will the college tell the attackers to take a long walk off a short pier, which the US Conference of Mayors last month resolved would be the go-to response for all the government entities that keep getting hit in ransomware attacks?

Jackie Ruegger, executive director of public affairs at the college, said on Friday that Monroe didn’t know who was behind the attack. She didn’t comment on whether the school would be paying the ransom. Ruegger said that the college is working with local law enforcement officials and the FBI.

Attacks keep piling up

As we reported last week, there have been at least three new ransomware attacks against state and local governments since late April, and in Florida alone, we’ve seen three cities get hit over the past few months, including Riviera Beach, which agreed to pay attackers, and Lake City which was hit by Ryuk ransomware, apparently delivered via Emotet. Lake City officials agreed to pay a ransom of about $490,000 in Bitcoin.

But being in good company is no consolation when you’re scrambling to rebuild your network after an attack like this. Monroe, we wish your staff godspeed in recovering.

Unfortunately, we’re reporting on these attacks on a near-weekly basis. They’re likely underreported, at that, given that there’s no centralized government agency to report them to and no legal requirement requiring their reporting.

What to do?

For information about how targeted ransomware attacks work and how to defeat them, check out the SophosLabs 2019 Threat Report.

The bottom line is: if all else fails, you’ll wish you had comprehensive backups, and that they aren’t accessible to attackers who’ve compromised your network. Modern ransomware attacks don’t just encrypt data, they encrypt parts of the computer’s operating system too, so your backup plan needs to account for how you will restore entire machines, not just data.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/oKJxEjy32uA/

$5b privacy fine against Facebook seen as ‘chump change’

Two people familiar with the Federal Trade Commission’s (FTC’s) 16-month-long investigation into Facebook’s privacy practices – a probe kicked off by the Cambridge Analytica scandal – told the Wall Street Journal that the commission voted last week to approve a settlement worth about $5 billion.

The FTC settlement could end the investigation, which began in March 2018 after reports that Facebook had let the political research firm Cambridge Analytica (CA) access the personal data of up to 87 million Facebook users without their knowledge, which some said violated a 2011 agreement between Facebook and the FTC to improve its privacy practices.

The next stop for the proposed Facebook settlement is the Department of Justice (DOJ), which typically finalizes FTC settlements. It’s rare for the DOJ to nix FTC settlements, though.

The vote hewed to party lines, with the FTC’s three Republicans supporting it and two Democrats voting against it.

$5b worth of sputtering

Democrats are calling the record-setting fine a slap on the wrist. An early Christmas present. A drop-in-the-bucket penalty. Chump change. A mosquito bite.

Rhode Island Congressman David Cicilline, who oversees an antitrust panel in the House:

It’s very disappointing that such an enormously powerful company that engaged in such serious misconduct is getting a slap on the wrist. This fine is a fraction of Facebook’s annual revenue. It won’t make them think twice about their responsibility to protect user data. If the FTC won’t protect consumers, Congress surely must.

Biggest fine in FTC history

Others disagree: they think it’s a pretty big chunk of change. $5 billion is about 9% of Facebook’s annual revenue, which came to nearly $56 billion last year. That makes it more than double the maximum percentage of annual revenue, 4%, that can be imposed as a penalty under the EU’s General Data Protection Regulation (GDPR).

It’s the biggest fine in FTC history, dwarfing the previous record holder, which was the $22 million fine levied against Google in 2012 for misrepresenting to Safari users that it wouldn’t place tracking cookies or serve targeted ads to them. Like Facebook now, that earlier fine against Google was also for being in violation of an earlier privacy settlement with the FTC.

David Vladeck, a former director of the FTC’s Bureau of Consumer Protection who’s now a law professor at Georgetown University, told the Washington Post that this will slap the big boys into shape when it comes to respecting user privacy when handling their data:

It’s quite a substantial amount of money, and it sets a baseline [for] the Googles and Microsofts and Apples and the Twitters of the world.

…though really, the devil’s in the details of the final settlement, which the FTC hasn’t yet revealed. Will there be regulatory comeuppance? Any chance that Facebook could be restructured, as some have called for? Time, and the final settlement, will tell.

The latest chapter in the Cambridge Analytica book

According to multiple whistleblowers, Facebook basically turned a blind eye to CA and other developers scraping away its users’ data.

In a lawsuit against Facebook brought by the tiny, your-Facebook-friends-in-bikinis-centered developer Six4Three – and published during the UK’s Parliamentary probe into fake news and the platform’s privacy practices – Six4Three has alleged that Facebook turned off the Friends data API spigot as a way of forcing developers to buy advertising, transfer intellectual property or even sell themselves to Facebook at bargain-basement prices.

In other words, the user data that it claimed CA wrongly got away with is a bargaining chip, according to the fake news inquiry and the private emails of Facebook staff that it got out of the Six4Three lawsuit and subsequently published.

Six4Three has alleged that the correspondence shows that Facebook was not only aware of the implications of its privacy policy, but actively exploited them. The app company asserted that Facebook intentionally created and effectively flagged up the loophole that CA used to collect user data.

In October, the UK’s Information Commissioner’s Office (ICO) fined Facebook £500K for the CA saga. If $5 billion is a mosquito bite, then £500K is a mosquito crossing its arms and refusing to speak to you for the rest of the night.

It’s the best the ICO could do in pre-GDPR days, though. Those days ended last week when the body handed out what seemed, at least last week, before this $5b bite, to be whopper fines for data breaches at Marriott and British Airways.

Which is it, a bite or a nuzzle?

Investors didn’t break a sweat when news of the FTC fine broke. Facebook’s stock closed nearly 2% higher after news about the FTC’s vote came out. Facebook in April had warned investors that it could be bruised with a US penalty fine as high as $5 billion. It set aside a good chunk of that – $3 billion – during its most recent earnings report, when it announced it earned $15 billion in quarterly revenue.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/xnOc09kvrag/

Bluetooth LE’s anti-tracking technology beaten

Researchers have found a way around the Media Access Control (MAC) address randomisation feature used by Bluetooth Low Energy (BLE) to protect users and their devices from being identified and tracked.

For anyone unfamiliar with the ins and outs of BLE security (see below), the first and most surprising issue confirmed by Tracking Anonymized Bluetooth Devices, a paper from Boston University’s Johannes Becker, David Li, and David Starobinski, is that device makers have a lot of leeway in how they implement BLE privacy features, or whether they bother at all.

But the team has now confirmed that even software where BLE device privacy is implemented carefully – Windows 10, macOS and Apple’s iOS being the stand-out examples – is a lot less secure than everyone has assumed.

Rabbit hole

The under-appreciated fact about Bluetooth is that behind its friendly ‘turn on, connect, forget’ reputation, the technology has gradually become one of security’s rabbit holes.

That’s mainly because it’s a 20-year-old standard that has evolved in a series of jumps, the most significant of which was the arrival of Bluetooth Low Energy (BLE, formerly Bluetooth Smart) in 2011.

Part of Bluetooth 4.0 (and its successor Bluetooth 5), the headline advance of BLE was its improved power consumption as well as its introduction of a sophisticated security and privacy architecture.

However, an unavoidable weak point was the need for a Bluetooth device to publicly ‘advertise’ itself without encryption to other devices around it without leaking details of that device to snoopers – BLE’s answer to which was something called address randomisation.

The principle is simple enough: instead of sending a single unique hardware MAC address during the unencrypted advertising process, you replace it with randomly generated ones that make each device look like lots of different ones so as to preserve its anonymity.

So how does a nearby device know what to pair with? In addition to the stream of randomised MAC addresses, BLE sends a ‘payload’ of identifying tokens.

This data varies by device and operating system (OS), but has to be consistent over time whilst also being unique to that device.

The researchers’ discovery is that data that fulfils these requirements can be isolated algorithmically to a degree of certainty in a given time period for a specific OS and device such as an iPhone.

But identifying devices temporarily isn’t terribly useful, which is why the team’s address-carryover algorithm…

… exploits the fact that identifying tokens and the random address do not change in sync, to continuously track a device despite implementing anonymization measures.

In other words, once you’ve nabbed the identifying tokens (or even the likely MAC address) you can continue tracking that through subsequent transmissions.

The arrival of Bluetooth 5 also expands the range of an adversary to possibly hundreds of metres from the target.

The main complication for an attacker trying to uncloak the identity of a device is that each device design implements the randomisation in a slightly different way, which means the technique isn’t universal. It probably also requires offline analysis.

Smart watching

The team recommends some simple fixes, the biggest of which is to synchronise the changing of randomised MAC addresses with the changing of payload tokens, so attackers can’t alternate between the two sets of tracking data to extend tracking indefinitely.
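To show why that synchronisation matters, here is an added toy simulation (written for this page, not code from the researchers or any Bluetooth stack): a device emits adverts whose random address and identifying token rotate on separate periods, an observer chains adverts that share either value (the carry-over the paper describes), and the same run with token rotation tied to address rotation breaks the chain at every address change. Advert values, periods and the observer’s linking rule are constructed for illustration.

```python
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class Advert:
    addr: str   # randomised BLE address (constructed toy value, not a real MAC)
    token: str  # identifying payload token (constructed toy value)

def advertisements(n, addr_period, token_period, synced, seed=1):
    """Simulate n adverts from one device. The address rotates every
    addr_period adverts. Unsynced: the token rotates on its own period
    (the weakness the paper describes). Synced: the token rotates together
    with the address (the recommended fix). Seeded so runs are repeatable."""
    rng = random.Random(seed)

    def fresh():
        return f"{rng.getrandbits(32):08x}"

    addr, token = fresh(), fresh()
    ads = []
    for i in range(n):
        if i and i % addr_period == 0:
            addr = fresh()
            if synced:
                token = fresh()
        if not synced and i and i % token_period == 0:
            token = fresh()
        ads.append(Advert(addr, token))
    return ads

def longest_track(ads):
    """Longest run of consecutive adverts an observer can chain together:
    two adverts are linked when they share the address or the token.
    Returns the length of that run (n means the device was never lost)."""
    best = run = 1
    for prev, cur in zip(ads, ads[1:]):
        run = run + 1 if (prev.addr == cur.addr or prev.token == cur.token) else 1
        best = max(best, run)
    return best

if __name__ == "__main__":
    # Periods 15 and 8 never coincide within 60 adverts, so the chain is unbroken.
    print("unsynced:", longest_track(advertisements(60, 15, 8, synced=False)))  # 60
    # Rotating both together limits any observer to one address lifetime.
    print("synced:  ", longest_track(advertisements(60, 15, 8, synced=True)))   # 15
```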

Another recommendation is to start using address randomisation on low-power devices, which today tend to skip it in order to save as much energy as possible. Furthermore, OS makers should be more careful about the patterns in their randomisation, which can be used to tell one platform from another.

While a lot of this is simply proof-of-concept research, it’s not hard to imagine a world of the near future where BLE devices, including those using very low power modes, are absolutely everywhere. Thanks to research like this, there is still time to fix the teething problems.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/DdmQTYLA9Eg/

Amadeus! Amadeus! Pwn me Amadeus! Airline check-in bug may have exposed all y’all boarding passes to spies

A now-patched vulnerability in the Amadeus flight reservation system – used by airlines around the planet – could, or may, have been exploited by miscreants to view strangers’ boarding passes.

David Stubley, CEO at UK security consultancy 7 Elements, told us last night he discovered the privacy-busting flaw, which was present in the Amadeus check-in application used by airlines.

Specifically, Stubley explained, when a traveler went to view their boarding pass, Amadeus presented the paperwork on a page with a URL that includes the passenger’s ID number. This ID number could be changed to another number to call up other boarding passes from other Amadeus customers, such as British Airways, Air France, and United Airlines, without any further authentication. Just change the number in the web address bar and hit enter to fetch the pass for that ID number.

This is a classic insecure direct object reference (IDOR) vulnerability, which can be exploited to enumerate records that otherwise should be off limits. Here is an example check-in URL; the passenger’s ID number is the value of the id parameter (300193064):

https://checkin.si.amadeus.net/1ASIHSSCWEBQS/sscwqs/mbp?IFOI=DCS&id=300193064&ln=en&productIndex=0
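The following is an added Python sketch (not Amadeus code, and not from the researcher) of the IDOR pattern just described: a handler that serves whatever id the URL names, beside one that refuses records not owned by the authenticated passenger, plus a small log check that flags a client walking through many distinct ids. The host, record store, passenger ids and log format are all constructed for the example.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

@dataclass(frozen=True)
class BoardingPass:
    passenger_id: int
    name: str
    flight: str

# Constructed sample store: ids, names and flights are made up for the example.
PASSES = {
    100001: BoardingPass(100001, "A. Traveller", "XX123"),
    100002: BoardingPass(100002, "B. Stranger", "XX456"),
}

def pass_id_from_url(url):
    """Pull the id query parameter out of a check-in URL."""
    return int(parse_qs(urlparse(url).query)["id"][0])

def view_pass_vulnerable(url):
    """IDOR: whatever id appears in the URL is served, with no check that
    it belongs to the caller (the behaviour the article describes)."""
    return PASSES.get(pass_id_from_url(url))

def view_pass_hardened(url, session_passenger_id):
    """Serve the record only if it belongs to the authenticated passenger;
    otherwise return None (a 403/404 in a real application)."""
    bp = PASSES.get(pass_id_from_url(url))
    if bp is None or bp.passenger_id != session_passenger_id:
        return None
    return bp

# Constructed access-log lines in a made-up '<client> GET <url>' format.
SAMPLE_LOG = [
    "10.0.0.5 GET https://checkin.example/mbp?id=100001&ln=en",
    "10.0.0.9 GET https://checkin.example/mbp?id=100001&ln=en",
    "10.0.0.9 GET https://checkin.example/mbp?id=100002&ln=en",
    "10.0.0.9 GET https://checkin.example/mbp?id=100003&ln=en",
    "10.0.0.9 GET https://checkin.example/mbp?id=100004&ln=en",
]

def enumeration_suspects(log_lines, threshold=3):
    """Detection: flag clients that requested more than `threshold` distinct
    ids, the footprint of someone stepping through sequential records."""
    seen = {}
    for line in log_lines:
        client, _, url = line.split(" ", 2)
        seen.setdefault(client, set()).add(pass_id_from_url(url))
    return sorted(c for c, ids in seen.items() if len(ids) > threshold)
```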

Stubley told The Register the flaw could be exploited in both websites and apps for airlines that use Amadeus’s technology to handle their reservations and boarding passes – that’s roughly half of the world’s major carriers.

“Originally it was found when using an airline’s mobile app for check-in,” the CEO said. “Once you have the URL you can then access directly without needing to use the website or mobile app.”


The bug was privately disclosed to Amadeus and was patched prior to public disclosure, so airlines and their customers are already protected. Still, the disclosure is hardly a ringing endorsement for Amadeus in the wake of the company’s previous infosec gaffes.

The ability to pull up boarding passes would, at best, be a potential disclosure of personal information as a snoop could see things like flight dates and times, and possibly use that to collect other information.

More seriously, the downloaded boarding passes would be valid, meaning a scumbag who printed out the pass, arrived before the actual customer, and was able to somehow get past security could use it to get into restricted areas or a flight.

“It should be noted that additional security controls may restrict the successful use of a boarding pass that has already been used to gain access airside,” said Stubley. “However, those controls are not uniformly deployed across all airports.”

Amadeus sent us the following statement:

“Amadeus recently became aware of a configuration flaw affecting its Altéa Self Service Check-In solution. Our security teams took immediate action and the vulnerability is now fixed. We are not aware of there having been any further unauthorized access resulting from the vulnerability, beyond the activity of the security researcher. We regret any inconvenience this might cause to our customers.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/07/16/amadeus_bug_light_pass/

Personality Profile