STE WILLIAMS

At Black Hat USA this August don’t miss the new Mobile track of Briefings that’s full of cutting-edge insights into the unique weaknesses and strengths of Apple’s hardware.

Look, No Hands! — The Remote, Interaction-less Attack Surface of the iPhone explores the remote, interaction-less attack surface of iOS. In this 50-minute Briefing a Google security engineer will discuss the potential for vulnerabilities in SMS, MMS, Visual Voicemail, iMessage and Mail, and explain how to set up tooling to test these components. You’ll also see two informative examples of vulnerabilities discovered using these methods.

You can also check out Attacking iPhone XS Max for expert insight into how Apple’s implementation of Pointer Authentication Code (PAC) on the A12 SoC comes more into play for exploit mitigations This talk will discuss Apple’s PAC implementation based on tests, introduce an ancient bug in the XNU that is still affecting the latest official release of iOS (i.e. 12.1.4), and elaborate on how to bypass PAC and gain arbitrary kernel read/write. You’ll also learn about post exploitation techniques, including how to make arbitrary kernel function call based on arbitrary kernel read/write.

In All Your Apple are Belong to Us: Unique Identification and Cross-Device Tracking of Apple Devices security experts will show a study of Apple device unique identification and cross-device tracking technologies. Experts will list several approaches (e.g., public APIs and vulnerabilities like CVE-2018-4322) to uniquely identify the Apple device even after a system rebooting or resetting. They’ll also present advanced algorithms and vulnerabilities (e.g., CVE-2018-4321) to associate Apple device through deterministic user IDs (e.g., Apple IDs and phone numbers) and probabilistic data (e.g., device names, coordinate information, and IP addresses). Last, but not least, you’ll discuss feasible solutions (e.g., instrumentation and differential privacy) to prevent unique identification and cross-device tracking.

Black Hat USA returns to the Mandalay Bay in Las Vegas August 3-8, 2019. For more information on what’s happening at the event and how to register, check out the Black Hat website.

Article source: https://www.darkreading.com/black-hat/learn-the-unique-weaknesses-of-apple-devices-at-black-hat-usa/d/d-id/1335209?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

A decade or so ago, cloud computing was the hot topic in IT and related business circles. As with any emerging technology, people were skeptical and suspicious, and they had lots of questions about how the cloud worked, whether it was right for their organization, if their data was protected, and so on. As time passed, people became increasingly comfortable with the cloud and began to capitalize on its potential.

One major benefit of the cloud that was understood in its early years is that enterprises can leverage it to get their applications up and running faster, with more manageability, more scalability, less maintenance, and fewer IT resources. Yet despite this recognition — which helped propel the cloud industry beyond the $100 billion mark in just 10 years — there are still lingering misconceptions about deploying applications in the cloud. The most prevalent misconception being that the cloud is a less secure place to deploy applications than deploying them in a private, on-premises data center. Here’s why this notion persists.

While this myth is not grounded in empirical evidence, people connect logically with the idea that things that are under their direct control are more secure than things that someone else controls — in this case, cloud providers. Many enterprises still invest heavily in their own data centers because they believe that running their sensitive business logic and placing their sensitive data in the public cloud means that others — whether rogue employees of the public cloud or other malicious actors — will have an easier time stealing their crown jewels. I get it.

The reality, however, is that the vast majority of the evidence proves the opposite is true. Most of the major system hacks and data leaks in the past few years have not been on data or business logic in public cloud deployments. With the occasional exception of misconfigured public storage buckets, almost all data leaks happen on infrastructure and software managed internally by enterprises, not by cloud providers. But even when presented with this information, the myth of applications being less secure in the cloud continues to hamper business and its subsequent growth.

By not deploying their applications in the cloud, enterprises are missing out on immeasurable advantages. There are obvious cost reductions for most businesses in moving away from owning and operating data centers. There is also significant business value in the flexibility that the public cloud offers enterprises. Public cloud providers significantly reduce the friction, time, and cost of building new functionality and applications, especially complex solutions that employ cutting-edge technologies such as data science, machine learning, artificial intelligence, and blockchain. How can people be made to see the light?

The industry is working hard to educate the masses in this area, but more efforts are required. Validated use cases for regulated sectors such as banking and healthcare are needed; simplification of certifications when building on trusted public cloud building blocks can help as well. Most importantly, a clear blueprint of what cloud-native application security is, and what it enables, is critical so that enterprise customers can have confidence that they are using the right tools and processes to avoid risk.

Additionally, the shift to more cloud-native application technology stacks — such as the move to serverless applications — can accelerate this process to improved application security. Enterprises deploying sensitive serverless applications that have adopted the right approach to minimize risk and maximize security are finding these applications to be the most secure applications they are operating.

Whether an enterprise is using it to deploy applications or store data, the cloud — believe it or not — is simply more secure and more reliable than servers run in-house. Like any other decision when it comes to adopting new technology, enterprises should do their homework when selecting a cloud provider, understand what they’re offering, what their assurances are, and how they provide security. Once your enterprise makes the leap to deploying applications in the cloud, you’ll wonder why it took so long and why you were so worried.

Related Content:

• Attunity Data Leak Exposes Sensitive Files at Ford, TD Bank
• Serverless Computing from the Inside Out
• As Cloud Adoption Grows, DLP Remains Key Challenge
• The Life-Changing Magic of Tidying Up the Cloud

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Hillel Solow is the chief technology officer and co-founder of Protego. Prior to this he was chief technology officer in Cisco’s IoT security group, where he worked on innovative security solutions for new technology markets. View Full Bio

Article source: https://www.darkreading.com/cloud/the-security-of-cloud-applications-/a/d-id/1335157?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Ah, summer. Sweltering days, family vacations, the annual Black Hat and DEFCON conferences, and — more cyberattacks?

In a survey published on July 11, security firm Lastline found that 58% of security professionals believe there is some seasonality in the attacks on their company, and the majority of that portion — about 52% — peg summer as the prime time for breaches. Both phishing and malware attacks are more likely to be encountered during the summer months, according to the survey of 1,000 security professionals, with 47% and 44% of respondents seeing more of each of those attacks, respectively.

The results are interesting and should raise questions for companies, says John DiLullo, CEO of Lastline.

“I don’t claim to know what is going on in the cybercriminal’s mind, but there is some logic to saying that I may get a higher return on my effort during the summer months, especially when my efforts are aimed at individuals,” he says.

The timing of cyberattacks have been an occasional topic of researchers’ investigation. 

A study of 850 attacks in 2017 and 2018 against UK universities found that the attacks often corresponded to the times of the year when students were at school, suggesting that many of the attacks may be initiated by students. The study, by the Joint Information Systems Committee (JISC), found that attacks dropped off significantly during the summer, dropping from an average of one attack a week during the summer months, from up to 60 a week in the fall.

Yet, the feeling among security professionals that summer is high time for sun and cyberattacks persists. A 2017 blog post by former security firm Secdo, bought by Palo Alto Networks in 2018, also argued that summer, with lower staff counts and workers connecting to unsecure Wi-Fi, continues to endanger corporate networks.

“Summer is an opportunity for hackers to take advantage of less staff on call and increased remote access combined with possible ignorance when it comes to the use of public Wi-Fi and mobile network security,” the company stated in an archived blog post.

Lastline’s survey sheds some light on security professionals’ perceptions of the summer bump in cyberattacks. A third of respondents blamed remote working for the increase in seasonal threats, with the largest portion of security professionals — 68% — most worried about employees connecting to unsecured public Wi-Fi hotspots. Other major worries include workers clicking on phishing emails or interacting with spearphishing attacks, leaving their computers unlocked in public locations, and using unapproved applications, according to the report. 

“When people are working from home or working remotely, there is a dynamic that happens that — because they are not behind that perimeter in their office, are working with public Wi-Fi providers and on personal devices — you perhaps don’t have as much endpoint protection as in the office,” DiLullo says.

The other common perception is that a shortage in staffing leads to a slower response time. With security staff on vacation, many companies assume that response time would be slowed. Yet Lastline’s survey found the opposite — more security professionals felt that they would respond more quickly to cyberattacks during summer months. In fact, 36% of respondents thought their response to an incident is faster in the summer than other times during the year. Almost half of respondents thought it would be unchanged, and only 12% thought they would be slower.

Companies should still work to speed their response, says Lastline’s DiLullo. 

“If you don’t have the response process automated, and if you find yourself down 20% of your resources, you can imagine the impact that might have on your capability,” he says.

Whether the perceived summer bump is supported by other data and what is behind any actual increase in attacks during the summer is unclear. In addition, the survey is not without its inconsistencies. While 53% of respondents initially answered that they did see a seasonal change, a later question — on whether they thought it was due to remote work — suggests that 74% assume there is a seasonal increase in attacks.

Lastline’s DiLullo acknowledges that the survey raises more questions than it answers.

“I think it is impossible to know exactly what is at the root of this,” he says. “Even the respondents didn’t necessarily cite hard evidence.”

Related Content

• The State of IT Operations and Cybersecurity Operations
• 6 Security Tips That’ll Keep the Summer Fun
• 6 Security Scams Set to Sweep This Summer
• Why Cyberattacks Are the No. 1 Risk
• Who Gets Targeted Most in Cyberattack Campaigns

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline … View Full Bio

Article source: https://www.darkreading.com/risk/summer-a-time-for-vacations-and-cyberattacks/d/d-id/1335217?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Monroe College, based in the Bronx, New York, has been hit by a ransomware attack demanding $2 million in Bitcoin to release its encrypted data.

According to police sources, the attack has had an impact on Monroes College campuses and facilities in Manhattan, New Rochelle, NY, and Florida. The attack was reported to the police on June 10.

The college has not released details of the attack, though the school’s website was still offline as of this post. The ransomware attack comes on the heels of significant ransomware events at three small towns in Florida and the city of Baltimore, Maryland.

Read more here.

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/attacks-breaches/monroe-college-hit-with-ransomware-attack/d/d-id/1335221?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

According to Ernst Young’s Global Information Security Survey 2018-19, over half of organizations fail to make organizational protection a key part of their strategic plans. After soliciting the opinions of approximately 1,400 C-suite leaders, EY concludes that larger firms are somewhat more prone to fall short in this area than smaller ones (58% versus 54%).

Overall, EY reports, a solid 77% of organizations still operate with only lackluster cybersecurity and resilience. They may even lack a clear idea of what their most critical information assets are and where they’re located, never mind having adequate safeguards in place to protect them.

Fortunately, cybersecurity budgets are increasing, though bigger firms are more likely to increase their investments in 2019 (63%) and 2020 (67%) than smaller companies (50% and 66%).

System Outages
Whether it’s because of the convergence of operational technology (OT) and IP-based IT networks or the growing use of cloud computing, corporate reliance on the availability of global IT infrastructure is ballooning. And the consequences are rising as well.

Cyberattacks to disrupt the business are now ranked as the third-biggest threat, after phishing (No. 1) and malware (No. 2). This comes as no surprise because distributed denial-of-service (DDoS) attacks, for instance, can trigger a major service interruption that will bring the business to a standstill. Outages have always been painful, but given the trend toward moving workloads and applications off-premises, and operating revenue-critical platforms, business operations virtually come to a stop if the IP network collapses.

“Importantly, more organizations are now beginning to recognize the broad nature of the threat,” says Richard Watson, EY’s Asia-Pacific cybersecurity head. “One thing that has changed for the better over the past 12 months, partly because of some of those big cyberattacks we’ve seen at a global level, is a growing realization that security is also about maintaining the continuity of business operations — and not only about the security of data and privacy.”

No Room for Russian Roulette
Given this reality, it’s jaw-dropping that many organizations seem to think they shouldn’t beef up their cybersecurity practices or dedicate more money to IT unless they’re hit by a major security incident.

For 63% of organizations, a security breach that results in no harm wouldn’t lead to higher spending (although, typically, seemingly innocuous breaches can cause harm that doesn’t manifest until later). Still, many organizations are unclear about whether they’re successfully identifying breaches and incidents.

These firms are playing with fire. As noted in the EY report, the Ponemon Institute estimates the average cost of a security breach to be $3.62 million per incident.

Tackling Corporate Governance
A mere 18% of organizations say that information security has a regular bearing on business strategic plans, a finding that reveals a basic disconnect between cybersecurity and the C-suite. Over half of the EY survey respondents say that information security only somewhat or does not influence their business strategy.

Today, when the digital age and cybercrime is in full bloom, this is somewhere between unwise and unacceptable. In fact, cybersecurity and business strategy must go hand-in-hand and be a continuing agenda item for all executive and non-executive boards, as many of board decisions will influence how well the organization is positioned to deal with a prospective cyberattack.

That said, increasingly, the ultimate responsibility for information security lies with the people at the top levels of the company. For 40% of organizations, the CIO assumes this responsibility. However, in 60% of organizations, the person directly responsible for information security does not sit on the board.

Some 70% of organizations report that their senior leaders have a thorough grasp of security or are taking positive steps to better their knowledge of it. Without question, this trend will increase as security becomes a key driver of growth. Right now, smaller organizations are better at keeping their board informed about information security matters than larger organizations. That said, larger organizations have made more progress: 73% have at least a limited understanding of information security, compared with 68% of their smaller counterparts.

Swinging in the Dark
Less than one in 10 organizations says its information security function fully meets its needs, and many are concerned that much-needed improvements are not yet underway. Seventy-eight percent of larger organizations say their information security function is at least partially meeting their needs, but that number drops to just 65% among their smaller counterparts.

Overall, 92% of organizations are concerned about their information security capabilities in certain important areas. For instance, resources: 30% of organizations are grappling with skills shortages, while 25% report that their budgets are constrained. Smaller firms are particularly worried; 28% of them say their information security function does not currently meet their needs or must be improved. Just over half (56%) report skills shortages or budget constraints.

A paltry 15% of firms say their information security reporting fully meets their expectations. Among those that suffered an incident in the past year, less than a third say their security team discovered the breach. Smaller companies will need to move particularly quickly to address the security reporting issue: almost a quarter (23%) don’t produce information security reports, in contrast with 16% of larger organizations. Only 5% describe the financial implications of each breach.

Addressing the Skills Challenge
Although the right personnel are critical to solving information security challenges, recruiting said personnel is easier said than done. The ongoing and global IT security skills shortage won’t go away anytime soon. Estimates project a worldwide shortfall of about 1.8 million security professionals by 2024 — some studies even predict as much as 3.5 million cyber vacancies. At least the shortfall is democratic: Everyone across the board is running into trouble finding the expertise they need, even in the most well-resourced sectors. Take financial services. “The best graduates no longer want to work in the industry, which is hampering efforts to recruit across the sector,” says Jeremy Pizzala, EY Global Financial Services cybersecurity leader.

The upshot is that depending on an in-house team to deal with IT security is probably an exercise in futility. Today, firms must think laterally and place much more emphasis on machine learning, automation, and AI to either replace or complement external service providers.

Related Content:

• 6 Security Tips That’ll Keep the Summer Fun
• 20 Questions to Ask During a Real (or Manufactured) Security Crisis
• In Cybercrime’s Evolution, Active, Automated Attacks Are the Latest Fad
• How GDPR Teaches Us to Take a Bottom-Up Approach to Privacy

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Marc Wilczek is a columnist and recognized thought leader, geared toward helping organizations drive their digital agenda and achieve higher levels of innovation and productivity through technology. Over the past 20 years, he has held various senior leadership roles across … View Full Bio

Article source: https://www.darkreading.com/risk/most-organizations-lack-cyber-resilience/a/d-id/1335149?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple