STE WILLIAMS

Your server remote login isn’t root:password, right? Cool. You can keep your data. Oh sh… your IoT gear, though?

Not content to be the focus of the geopolitical news cycle, Iran now also finds itself in the middle of two major developments in the security world.

Earlier this week, infosec outfit Recorded Future claimed a Tehran-backed group known as Elfin, or APT33, has been increasingly active in recent months, largely targeting industrial facilities and companies within Saudi Arabia that do business with the US and other Western countries.

Active since 2013 and believed to be connected to Iran’s Supreme Cyberspace Center, the APT33 crew is said to largely rely on commercially-available malware to infect, control, and plunder its targets’ computers. In addition to being cheap and reliable, the use of pre-built malware can make it harder for administrators and security companies to attribute the intrusions to a specific operation.

“Our research found that APT33 or a closely aligned threat actor continues to conduct and prepare for widespread cyberespionage activity, with over 1,200 domains used since March 28, 2019, with a strong emphasis on using commodity malware,” explained members of Recorded Future’s Insikt Group.

“Commodity malware is an attractive option for nation-state threat actors who wish to conduct computer network operations at scale and hide in plain sight amongst the noise of other threat actor activities, thus hindering attribution efforts.”

The aim of the operation, researchers believe, is to infiltrate strategically important Saudi businesses – such as utilities, heavy industry, health care, and media – and lay the groundwork for a larger cyberespionage operation if needed.

Tensions

The report comes amid heightened scrutiny of Iran’s hacking activities from the US government as the two nations have ratcheted up military and political tensions. Earlier this week, Uncle Sam’s g-men claimed Iranian hackers were not only looking to infect more American government machines, but also cripple federal networks by erasing infected computers after the hackers had siphoned data.

At least one attack connected to Iran, however, has turned out to be the work of a European.

Akamai security researcher Larry Cashdollar reported this week that while Tehran’s hackers were actively wiping systems, a second piece of file-nuking malware was also making the rounds, mainly menacing internet-of-things devices.

Known as Silexbot, the malware attempts to infect anything powered by Linux and other Unix-like systems and, as it spreads, makes a point of trashing the storage, network configuration, and operating system of the host as it moves on to a new victim.

The malware will only infect boxes that have neglected to change their password from factory defaults, meaning most servers and PCs are safe – unless you like pointing remote login services at the public ‘net with the username and password combination of root:password active. IoT devices, however, remain by and large set to their well-known factory defaults, and are therefore easy pickings for the software nasty.

“Silex is targeting pretty much any Unix like OS with default login credentials,” Cashdollar explained.

“Doesn’t matter if it’s an Arm-based DVR or an x64 system running Redhat Enterprise: if your login is root:password it could wreck your system.”

Prior to wiping themselves, the infected machines were found to be reporting back to a control server based in Iran.

In this case, however, you can’t automatically blame Tehran. Researcher Ankit Anubhav directed infosec chronicler Catalin Cimpanu to the actual hacker behind the operation: a teenager from Europe who had only been using the Iranian machine as a proxy to control the bots. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/06/27/new_iran_apt_uncovered/

Malware Coming to a Mac Near You? Yes, Say Security Firms

While the password-cracking Mimikatz took top honors, Mac-targeted malware accounted for two of the 10 most detected malware samples, according to WatchGuard.

Malware targeting Apple’s Mac operating system accounted for two of the 10 most popular attacks in the first quarter of the year — the first time Apple’s software took more than a single slot, according to network-security firm WatchGuard Technologies’ quarterly threat report.

While Mimikatz, a credential-stealing tool used by penetration testers and attackers alike, topped the list with 3.7 million detections, a Mac-focused adware dropper was the fifth most detected malware with 300,000 detections, according to data collected from the network devices of WatchGuard customers who opt into anonymized data collection. A Mac Trojan horse claimed a spot as the ninth most detected malware.

Attackers will likely increase their focus on the operating system, but the platform is still far from a popular target, says Corey Nachreiner, chief technology officer at WatchGuard Technologies. Currently, only 3% of WatchGuard’s network devices encountered malware targeting Mac OS.

“I don’t think they would invest in Mac malware too much unless they were getting a return,” Nachreiner says. 

WatchGuard is not the only company to see an increase in malware tailored to the Mac OS. Security-software firm Malwarebytes noted an increase in Mac malware, detecting some 16 million instances in April alone, four times more than the previous monthly record over the past year.

“The data does indicate there is a rise in the prevalence of threats,” says Thomas Reed, director of Mac and mobile at Malwarebytes, adding that the rise is likely connected to increasing popularity. “Some recent informal polls I’ve seen on Twitter indicate that Mac market share has grown to more than 30% in certain markets, and those are often the markets malware authors would most like to target.”

For the most part, adware is driving the increase. WatchGuard noted that the most detected Mac malware program installed adware. For Malwarebytes, potentially unwanted programs (PUPs) accounted for the largest category of Mac detections, followed by adware.  

The increase in Mac malware could pose a problem for Apple’s user base, both companies stressed. While Windows is still a far more targeted operating system, Macs are often softer targets, says Malwarebytes’ Reed.

“Mac does have some nice security features, but they’re fairly easy to bypass,” he says. “Between wider adoption and relative ease of infection, Macs are growing in popularity as a target.”

Historically, Apple and its base have assumed a reduced number of attacks against the platform, and that leaves them unprepared, WatchGuard’s Nachreiner says.

“I would say that not only are we hitting the market inflection point where attackers are targeting the platform, but you add to that the weakness that Mac users tend to be less focused on security,” he says. “While Apple does work hard — they do a lot of things with Gatekeeper [Apple’s program for ensuring only legitimate apps are installed] and work to keep it out of the user’s view — it does have issues.”

Because Apple’s platform, by default, often has more strict security settings that result in less subtle attacks, the malware that impacts the Mac OS is often different from the more common Windows strains, Nachreiner says.

“It is possible to have more Mac malware, but to get it on your system, you need to convince the user to do something,” he says, “whereas with Windows software, it’s silent, so you can get infected and not even know it. While we have seen Mac malware, we have not seen a vulnerability be exploited in Mac software in the same way as on Windows.”

While exploits have rarely been the way attackers have compromised Macs, a recent exploit does allow attackers to bypass Gatekeeper’s security checks.

Microsoft Office exploits, however, have become a major threat. Almost 18% of all WatchGuard customers in its data feed program encountered an exploit for Microsoft Office in the first quarter. In addition, more than 95% of companies received at least two different exploits.

While malware detections increased in the first quarter of the year, network attacks decreased to 990,000 detections, down from 1.2 million, according to the quarterly threat report. An attack that uses a component from the popular penetration tool Metasploit reached into the top 10 for the first time. Most of the other attacks are standard fare from the OWASP Top 10 list, including remote file inclusion, cross-site scripting, SQL injection, and various credential-stuffing attacks.


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline … View Full Bio

Article source: https://www.darkreading.com/malware-coming-to-a-mac-near-you-yes-say-security-firms/d/d-id/1335066?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Epyc crypto flaw? AMD emits firmware fix for server processors after Googler smashes RAM encryption algorithms

Microchip slinger AMD has issued a firmware patch to fix the encryption in its Secure Encrypted Virtualization technology (SEV), used to defend the memory of Linux KVM virtual machines running on its Epyc processors.

“Through ongoing collaboration with industry researchers AMD became aware that, if using the user-selectable AMD secure encryption feature on a virtual machine running the Linux operating system, an encryption key could be compromised by manipulating the encryption technology’s behavior,” an AMD spokesperson told The Register last night.

“AMD released firmware-based cryptography updates to our ecosystem partners and on the AMD website to remediate this risk.”

SEV isolates guest VMs from one another and the hypervisor using encryption keys, which are managed by the AMD Secure Processor. Each guest VM has its own cryptographic key, which is used directly with the underlying hardware and Secure Processor to transparently and automatically encrypt and decrypt sections of RAM on the fly as it is accessed.

The goal is to securely shield software and data held in memory from the prying eyes and meddling fingers of the host server’s administrators, hypervisor, and guests sharing the same box. A guest using SEV to encrypt and decrypt its code and data in RAM should be the only one to do so on a machine: no one else can successfully access it.

The technology allows cloud hosting providers to assure their subscribers that their guest VMs, when running on Epyc-powered servers, cannot be accessed or tampered with by unauthorized parties.

Or it would, were it secure. According to Cfir Cohen, a security researcher with the Google Cloud security team, the SEV’s implementation of elliptic-curve cryptography (ECC) is flawed.

What went wrong

When a VM is launched, it generates a key by multiplying points on a curve against the Platform Diffie-Hellman (PDH) key. Typically, the curve would be from America’s National Institute of Standards and Technology’s (NIST) list of curves. In an invalid curve attack, a different curve is used and the results of that computation can be used to defeat the encryption.

“At launch-start command, an attacker can send small order ECC points not on the official NIST curves, and force the SEV firmware to multiply a small order point by the firmware’s private DH scalar,” Cohen explained in a disclosure notice on Tuesday. “By collecting enough modular residues, an attacker can recover the complete PDH private key. With the PDH, an attacker can recover the session key and the VM’s launch secret. This breaks the confidentiality guarantees offered by SEV.”

The data recovered using this attack must be pieced together offline using the Chinese Remainder Theorem to obtain the full key. We’re still investigating how much damage can be done by a rogue guest or administrator with these keys.


The flaw, disclosed to AMD in February, affects AMD Epyc servers running SEV firmware version 0.17 build 11 and below. AMD made the firmware update available to hardware partners on June 4 to distribute to customers and installations; it can be downloaded directly from here [.zip]. The fix involves restricting key generation to official NIST curves.
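As an added example (not code from AMD, Google or the disclosure itself), here is the public-key validation that the fix amounts to: before a Diffie-Hellman point received at launch-start is multiplied by the private scalar, check that it actually lies on the expected NIST curve and has the expected order, so that a small-order point from another curve is rejected rather than processed. It assumes NIST P-256 parameters for concreteness; the page does not say which curve SEV uses, and the invalid point below is constructed for the demonstration.

```python
# Added example (not AMD's, Google's or the disclosure's code): full public-key
# validation for an elliptic-curve Diffie-Hellman point, the check whose absence
# an invalid-curve attack exploits. Curve parameters are NIST P-256, assumed
# here for concreteness; the page does not state which curve SEV uses.

# NIST P-256: y^2 = x^3 + a*x + b over GF(p), base point G of prime order n, cofactor 1
P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_A = P256_P - 3
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
P256_N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
P256_G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
          0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

INF = None  # point at infinity (group identity)


def point_add(p1, p2, p=P256_P, a=P256_A):
    """Affine point addition/doubling. The formulas never use b: that is exactly
    why a point from a different curve (same p and a, other b) is processed
    without complaint unless it is validated beforehand."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % p == 0:       # P + (-P), or doubling an order-2 point
            return INF
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)


def scalar_mult(k, point):
    """Double-and-add k*point (not constant time; fine for a validation demo)."""
    result = INF
    addend = point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def validate_point(point, p=P256_P, a=P256_A, b=P256_B, n=P256_N):
    """Full public-key validation (the steps listed in NIST SP 800-56A).
    Returns (True, "ok") or (False, reason). Firmware that runs this before
    multiplying by its private scalar cannot be fed a small-order point."""
    if point is INF:
        return False, "point at infinity"
    x, y = point
    if not (0 <= x < p and 0 <= y < p):
        return False, "coordinate out of range"
    if (y * y - (x * x * x + a * x + b)) % p != 0:
        return False, "not on the expected curve"
    # On P-256 the cofactor is 1, so every curve point already has order n;
    # the check stays as defence in depth against a wrong-curve or wrong-b bug.
    if scalar_mult(n, point) is not INF:
        return False, "wrong order"
    return True, "ok"


def invalid_curve_point():
    """A constructed point that is NOT on P-256: same x as G, y shifted by one.
    It lies on a sibling curve y^2 = x^3 + a*x + b' for some other b'."""
    gx, gy = P256_G
    return (gx, (gy + 1) % P256_P)


if __name__ == "__main__":
    print("G:", validate_point(P256_G))
    print("invalid-curve point:", validate_point(invalid_curve_point()))
```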

According to Cohen’s disclosure, PDH certs created on vulnerable systems are still valid, and that could allow client VMs to be moved from a safe system to a vulnerable one. So VMs should be restarted after the patch is applied.

“Certificates for PDH keys generated on a vulnerable system are still valid,” said Cohen. “This means SEV might still be vulnerable to a migration attack, where a client’s VM is migrated from a non-vulnerable system to a vulnerable one.”

Elliptic curve cryptography dates back to 1985, emerging from the work of Neal Koblitz, professor of mathematics at the University of Washington, and Victor Miller, a mathematician then with IBM. ECC entered widespread use about 15 years ago.

In 2009, the NSA touted the technique, saying ECC has remained strong while other algorithms like RSA and Diffie-Hellman have given ground to attacks. Then in 2015, the NSA reversed course, abandoning its ECC-based Suite B algorithms to push for encryption algorithms better suited to resist the theoretical code-breaking power of future quantum computers. NIST is presently evaluating algorithms for “post-quantum crypto.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/06/26/amd_epyc_key_security_flaw/

Decoding America’s spies: What does the NSA’s cryptic memo really mean? Citizens illegally spied on again

Analysis The NSA illegally gathered a trove of American citizens’ phone and text message records just four months after it promised it had taken steps to literally not do that again.

That’s the upshot of a document [PDF] provided to the American Civil Liberties Union (ACLU) and made public this week. The dossier was supplied by the NSA in response to a long-running legal challenge brought by the civil-rights warriors, who ultimately want Section 215 of the USA Patriot Act, which grants spying powers to Uncle Sam’s snoops via secret courts, ruled as unconstitutional.

There are very few details given about the illegal data harvesting, and the vast majority of the document supplied to the ACLU following a Freedom of Information Act (FOIA) request is redacted. The file is one of a series of quarterly reports produced by the surveillance super-agency for an intelligence oversight board in the United States.

What we do know is that the data slurp happened back in October 2018, that it was the 24th issue of 2018 on which a report was written, and that the NSA didn’t inform the Department of Defense’s senior intelligence oversight official about it until February 1, 2019. This week is the first time anyone outside the intelligence community, and whichever company wrongly sent people’s personal information to Uncle Sam’s snoops, became aware of the issue.

The limited language available, couched in lingo, strongly suggests that the data that was wrongly gathered had resulted from, or led to, targeted surveillance of a specific individual. “Pursuant to UFA [USA Freedom Act], the FISC [Foreign Intelligence Surveillance Court] has authorized the targeted production to NSA of CDRs [call data records] pertaining to certain specific selection terms, and issued secondary orders to certain providers to compel the production of those CDRs,” the document notes.

It goes on: “On or about October 12, 2018, NSA technical analysts examining the targeted production of CDRs observed an anomaly. Specifically, these analysts identified a larger than expected number of [LONG REDACTION]. Further investigation determined that these records were produced by [REDACTED]. On October 12, 2018, NSA requested the provider investigate the anomaly. The provider later confirmed that [REDACTED] has resulted in the creation of CDRs [LONG REDACTION].”

In plain language that means the system the NSA uses to request and gather people’s information from companies like your cellular network provider went wrong and, as a result, the snoops were handed records on US citizens the spies were not supposed to receive.

Time to kill it off?

The fact that this went unreported, and happened just months after the same cock-up led to millions of records being wrongly gathered by the NSA, has led to renewed calls for the spying program to be shut down.

In a letter [PDF] the ACLU has sent to the heads of the House Committee on the Judiciary, the union argues the documents “provide further evidence that the NSA has consistently been unable to operate the call detail record program within the bounds of the law,” and urges them to “end the flawed Section 215 call detail record authority once and for all.”

Although the NSA’s report says the impact of the data gathering was “limited given the quick identification, purge processes and lack of reporting,” ACLU staff attorney Patrick Toomey argued the program is “too sweeping, the compliance problems too many, and the evidence of the program’s value all but nonexistent.” There is, he says, “no justification for leaving this surveillance power in the NSA’s hands.”


Just last month, lawmakers in both halves of Congress and in both parties introduced a bill that would end the surveillance program built around Section 215 as well as prevent the NSA from restarting it.

It is worth noting that the current, malfunctioning, system was introduced after a previous NSA data-mining operation was ruled unconstitutional. And that decision only happened after world-plus-dog were made aware of the system thanks to top-secret documents leaked by Edward Snowden.

The old spying system – where the NSA simply vacuumed up all the logs of Americans’ phone calls and text messages – was replaced with one where the NSA has to request information from providers using specific search terms.

But with the program needing to be reauthorized by Congress by the end of the year, with some senators publicly stating their opposition to it, and with the ACLU fighting in the courts to have it struck down, Section 215 has become subject to significant scrutiny. Insofar as that is possible.

Earlier this year, in a podcast, a key congressional staffer suggested that the NSA had decided it didn’t want or need the Section 215-based program anymore. A month later, anonymous intelligence officials appeared to confirm the same thing to the Wall Street Journal.

Never what it seems

But as any journo who has attempted to cover the NSA’s spying programs can attest, literally nothing that is said can be taken at face value. Even common words like “inaccurate” are frequently bent to their breaking point in documentation in order to conceal and obfuscate surveillance programs’ inner workings.

While Section 215 has become synonymous in the public’s mind with the mass gathering of innocent people’s phone call logs by the US government, in the Land of the Free no less, in truth those logs now account for just three per cent of the information gathered under that particular program.

It is thought that the remaining 97 percent of information covers things like emails, instant messages, search engine searches, video uploads, and so on. That is possible thanks to the extraordinarily broad wording of the law that allows the NSA to collect “tangible things.”

So while some may feel that a week-long over-supply of call logs from, say, Verizon is not that big a deal, in the grand scheme of things, people are likely to view it differently if it turns out that the provider was Google and the company had supplied every search result from anyone named Jones between October 3 and 12. Under the current system, both are perfectly possible and would be treated the same – with absolute secrecy.

It is very possible that the NSA is flagging its willingness to drop the phone call metadata part of Section 215 because, after Snowden made it plain what the US government has access to, anyone of potential interest started using encrypted apps.

The value of phone call metadata has massively dropped but by saying it will stop gathering it, the NSA can be seen to be listening to privacy concerns. And then it will continue to gather all the information it wants under some other kind of legal formulation.

This week, the NSA unhappily revealed that its systems repeatedly fail, and seemingly always in the direction of over-supply of information. And it only revealed that much because of an ACLU legal battle that is laser-focused on one specific program. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/06/26/nsa_spy_program_aclu/

Hey China, while you’re in all our servers, can you fix these support tickets? IBM, HPE, Tata CS, Fujitsu, NTT and their customers pwned

Fresh details have emerged revealing just how deeply Chinese government hackers plundered HPE, IBM, DXC, Fujitsu, Tata, and others, stealing corporate secrets and rifling through their customers’ networks.

An explosive in-depth report by Reuters today blows the lid off APT10, the infamous Beijing-backed hacking operation that was this week accused of hacking mobile carriers around the world, and has long been believed to be behind raids on corporations and organizations, siphoning off blueprints and databases for the President Xi regime.

The bombshell builds on last year’s revelations that a multi-year operation known as Cloud Hopper had worked its way into the internal networks at HPE and IBM, stealing corporate data and trade secrets along the way, and then drilled into customer systems. The hackers compromised customer servers that were managed by the IT giants, or slipped in via network links between the tech providers and their big-name clients. Hence the name: Cloud Hopper.

Now, word has dropped that another six companies fell victim to APT10 during that same campaign: Fujitsu, Tata Consultancy Services, Dimension Data, NTT, and Computer Sciences Corporation. It is believed most of the hacking took place between 2015 and 2017, though it’s said HP at least had been repeatedly pwned since 2010. (CSC is now known as DXC following its merger with HPE’s spun-off Enterprise Services in 2017.)

The revelations mean that the reach of the Cloud Hopper operation was far greater than first feared. In addition to the tech goliaths themselves, the hackers pushed their way into customer systems from the compromised providers, dramatically increasing the pool of valuable industrial and aerospace data stolen. Beijing’s miscreants had not just access to the internal files of HPE, IBM, Tata CS et al, but also their network-connected customers, putting designs, plans, personal information, and more, at their fingertips. Jackpot.


We’re told that the APT10 crew would typically find and exploit a vulnerability in an external-facing server to break in, or spear-phish an employee to gain access to their intranet account.

From there, they harvested additional account credentials from the compromised machine, and used those to access other boxes and services on the network, which were in turn ransacked for more login details and used to move further around the network until the attackers had near-complete control over the entire infrastructure. From there, the intruders could siphon off information, and probe network-connected customers, particularly if they gained control of managed or cloud server administrator accounts.

This mirrors the pattern found by researchers at Cybereason, who earlier this month detailed efforts by APT10, or a gang operating just like the Chinese, to compromise ten or more cellular telcos around the world to spy on a few dozen VIPs – think politicians, foreign agents, etc.

Taunts

Given the resources and time afforded to the operation, it comes as no surprise that APT10 was able to so thoroughly pwn their targets. By the end of the HPE operation, it is said that the hackers had such total control over the corporate network that they had begun leaving messages taunting system administrators.

“One hacking tool contained the message ‘FUCK ANY AV’ – referencing their victims’ reliance on antivirus software,” the Reuters team noted. “The name of a malicious domain used in the wider campaign appeared to mock US intelligence: nsa.mefound.com.”

In a statement to The Register, a DXC spokesperson claimed: “DXC has robust security measures in place to actively detect, prevent and alert attacks by actors such as APT10. We also have implemented tools that allow detailed reconstruction of any intrusion attempts, should they happen.

“Since the inception of DXC Technology [in 2017], neither the company nor any DXC customer whose environment is under our control have experienced a material impact caused by APT10 or any other threat actor.”

A spokesperson for HPE told The Register with a straight face: “The security of HPE customer data is always our top priority. As is the case in any breach, the company worked diligently for our customers to mitigate this attack and protect their information. And, we remain vigilant in our efforts to protect against the evolving threats of cyber-crimes committed by state actors.”

The rest – IBM, Fujitsu, Tata CS, Dimension Data, and NTT – couldn’t be bothered to comment. Big Blue previously claimed it found no evidence that hackers had accessed its sensitive corporate data. ®

Bootnote

Props to China for its deadpan comedy bit in response to today’s revelations: “The Chinese government has never in any form participated in or supported any person to carry out the theft of commercial secrets.”

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/06/26/china_apt10_hpe_ibm_dxc_hacked/

Breaking the Endless Cycle of ‘Perfect’ Cybercrimes

A two-step strategy for creating an attack environment that is more complex, less profitable, and more likely to expose the attacker.

Regardless of their methods, hackers are constantly attempting to improve upon what is essentially a perfect crime — a crime that is simple to execute, is performed with near total anonymity, and, most of all, pays off. These have been the hallmarks of successful crimes and criminals for generations, and it’s no surprise that the newest generation of criminals would embrace them as well.

That last component of the perfect crime formula, monetization, has always been the driver, because, after all, crime is almost always about the money. Whether threats take the form of malware, a social attack, or a hack, financial gain serves as the motivation for seven of 10 incidents, according to Verizon’s “2019 Data Breach Investigations Report.” The motivation is clearly working: the Identity Theft Resource Center reported a doubling of the number of records exposed from just under 200 million in 2017 to more than 446 million in 2018. That kind of growth qualifies as a crimewave in any category.

The perfect crime formula has been a consistent predictor of change in the threat space, as attackers apply bottom-line business thinking to their strategies: once profits start declining and/or attacks begin to fail, cybercriminals evolve their campaigns. As an example, when e-commerce took hold in the 1990s, criminals found ways to steal credit cards and go on shopping sprees. But when card verification codes were introduced to complicate this strategy and reduce the value of stolen cards, ransomware emerged as the go-to option for hackers. The complexity of the crime had gone up, so there needed to be a new, easier attack, and commoditized ransomware fit the need.

Ransomware was a new threat, compromising organizations of all sizes, but with such obvious and catastrophic effects that public notification became common. Ransomware-as-a-service providers arose, attack tools were shared and customized, and widespread attacks became commonplace. When organizations realized the danger, they invested to improve their capacity to recover. As a result, they became less likely to pay the ransom. This reduced the profitability of the crime, and so a newer, more persistent but less obvious attack was needed.

What followed was unauthorized cryptomining (or cryptojacking), which grew 19-fold from March to December 2018 according to Cisco. Since then, interest appears to be on the decline, as sharp decreases in cryptocurrency value have made the crime far less profitable, leading to public events like the shutdown in March of cryptocurrency miner provider Coinhive.

What’s next? Criminals will inevitably come up with something else, and there are several candidates already in play: credential and IP thefts, a resurgence in phishing attacks, and business email compromises, in which cybercriminals impersonate C-suite executives and arrange for fraudulent wire transfer payments. In many of the new attacks, social engineering plays a huge role.

Breaking the Cycle
If the perfect crime formula remains the same regardless of the actual crime committed, so does the fact that hackers are exploiting persistent weaknesses and blind spots within the enterprise. If organizations moved faster to identify and respond to these exposures, they’d create an attack environment that was more complex, less profitable, and more likely to expose the attacker. Here are two classic flaws — and recommendations on fixing them.

Classic Flaw No. 1: A Susceptibility to Dwell Time
Dwell time measures the delay between when a breach begins and when it is discovered. According to the Ponemon Institute and IBM, this currently takes a mean time of 197 days. Attackers are exploiting systems and exfiltrating data for more than half of a year before they are noticed, much less contained.

The Fix: Continuous, Ubiquitous Monitoring
Obviously, preventing breaches in the first place is best, but history repeatedly teaches the punishing lesson that some attacks will get through. To detect and contain these attacks, continuous vigilance is necessary, and continuous obviously means 24/7/365. Blind spots are also prime targets, so visibility carries premium value. Ubiquitous monitoring describes the need to watch over everything. Enterprise protection is like home security in this respect: if cameras are only turned on at night, then robbers will wait until daytime to break in. If cameras can only see what’s happening at our entrances, then criminals will use the back door. Through round-the-clock, pervasive visibility, cybercriminals have no times or places to hide their crimes.

Classic Flaw No. 2: Ignoring the Unprotected End User
The end user now ranks as the “weakest security link” within a company, according to survey findings from Tech Pro Research. That’s because these systems tend to be less well-protected, and these users tend to be less aware of the dangers. Security teams have traditionally applied themselves to protecting high-value assets and networks, focusing on servers, data centers and the traditional, internal network. Today’s users present a much simpler attack vector because of the growth in the use of cloud technology, mobile devices, and telecommuting, as well as bring-your-own-device and bring-your-own-app programs. Through their activities, end users (whether employees, contractors, supply chain partners, etc.) increase enterprise exposure as adversaries leverage social engineering to exploit them.

The Fix: Expanding Protection to Wherever the End Users Are
To elaborate upon the home security analogy, we can’t solely concentrate on our front and back doors anymore. We need to make sure end users and their systems are safe, wherever they happen to be. This requires improvements in our protection of their systems, 24/7/365 monitoring/visibility of all endpoints, and even user behavior analytics to detect and block unusual or threatening activity from a potentially breached end user account or system.

Fortunately, in the real world, few crimes are perfect. Criminals are tripped up by accomplices and random events. In the cyber world, the bad guys are having more success, given the more deterministic nature of the attack vectors and the victims. Through continuous monitoring, total visibility, and improved end user protection, we can close the gaps that adversaries are seeking to exploit, and break the endless cycle of threats to the enterprise. Protection will never be perfect, but these kinds of improvements will make cybercrime less of a perfect option for criminals.

As SVP, Security, Jack Danahy engages with customers and the industry on company product strategy. Danahy is an innovative security technology leader with proven success creating, delivering, and promoting new security technologies and practices to address critical needs. He …

Article source: https://www.darkreading.com/perimeter/breaking-the-endless-cycle-of-perfect-cybercrimes/a/d-id/1335023?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

McAfee Sues 3 Former Staffers Now at Rival Tanium

Lawsuit alleges sales representatives stole trade secrets from McAfee before joining Tanium.

McAfee has filed a lawsuit against former members of its sales team who left the company for jobs at competitor Tanium in the past year.

The filing, which was first reported by Cyberscoop yesterday, alleges that Jennifer Kinney, Alan Coe, and Percy Tejeda participated in a conspiracy to pilfer McAfee sales secrets and customer strategies in their new positions at Tanium.

Tejeda, former director of finance at McAfee, hired Kinney and Coe to join him at Tanium, according to the suit. McAfee then conducted a forensic analysis of Kinney and Coe’s McAfee computers and discovered they had copied and taken sensitive files from the company before they resigned for their new positions at Tanium.

Read more here.

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/analytics/mcafee-sues-3-former-staffers-now-at-rival-tanium/d/d-id/1335055?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Developers and Security Teams Under Pressure to Collaborate

The challenges and benefits to getting two traditionally adversarial groups on the same page.

AWS re:Inforce – BOSTON – The path to secure development involves closer collaboration between the security and developer teams, a duo with a traditionally rocky relationship.

Application security, DevOps, and DevSecOps were all terms frequently heard this week at Amazon Web Services’ re:Inforce, its first-ever security conference. AWS has been very developer focused, pointed out Chris Eng, vice president of research at Veracode. It’s positive to see a focus on security’s role in development, which he said has been a growing issue for four to five years.

Looking back 10 to 15 years, there was a clear way security and development worked: engineers built code and handed it over to security when it was ready. By the time security came back with fixes, developers would be in a time crunch; rarely was there time to address them all. “There was a very rigorous, very structured set of handoffs,” said Brian Riley, Liberty Mutual’s senior director of global cyber risk management. “We’re in a different world now.”

Indeed, the transition to cloud broke down those choke points. DevOps evolved along with the cloud, driving the speed of new software releases and requiring security to review applications more frequently. This caused “a huge adjustment” for those who did application security a long time ago, Eng explained, because it shifted responsibility for security teams who assessed code.

“There’s a tradeoff between depth and speed,” he continued. “If I have a shorter amount of time to review something, there’s a greater chance I’m going to miss something.”

Developers must understand the types of things security will be looking for, he continued. Security, which has a reputation for holding progress back with constant fixes, has to meet the developer teams where they are and try not to disrupt what they’re already doing. Security practitioners are traditionally uncomfortable with accepting risk. As the process of software development continues to accelerate, they will have to learn how to let some things go.

It was the move to cloud that prompted Riley, a former developer, to collaborate with the dev team. “It challenged me, as a longtime security professional, to realize I had to get a lot closer to development,” he explained. “I needed to be where the developers were.” It wasn’t – and still isn’t – where security teams operate. Riley cited “drawn-out battles” between security and dev teams: security often says “that’s not controlled;” devs respond with “this could be better.”

“Historically, it’s adversarial,” Eng said of the longtime relationship between developers and security practitioners. “It’s had to move from adversarial to more cooperative.”

Security Champions: Bridging the Gap

Eng pointed to a growing pattern of “security champions,” or developers with an aptitude in security who become an extension of the infosec team. These individuals are trained to conduct code reviews themselves as opposed to sending it off to security. The idea is to shift responsibility and lessen the workload for security teams, which are also focused on tasks outside secure development and often don’t have the number of employees they need.

Of course, the appointment of security champions doesn’t always sit well with security teams, he added. They need to hand off responsibility for code reviews to someone else; however, if something goes wrong, they’re still to blame. Many are afraid of shifting this responsibility.

“There’s a need to be more comfortable with losing a little bit of control,” Eng said. If a dev team can handle 80% of security work, he added, it’s helpful to the development process.

Overall, it also helps when developers have a security background, as it improves understanding between the two teams and, consequently, their working relationship. It’s often not required for developers to have a security background, but it is a plus if they’re interested in the space. Veracode does quarterly boot camps and exercises to train developers in cybersecurity.

This evolving collaboration signifies the growing decentralization of security, Eng said. Over time, he predicts, the back-and-forth between security and development will be erased.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/application-security/developers-and-security-teams-under-pressure-to-collaborate-/d/d-id/1335063?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

New Linux Worm Attacks IoT Devices

Silex has ‘bricked’ more than 2,000 Linux-based IoT devices so far.

A new Internet of Things (IoT) bricking worm — malware designed to permanently disable the hardware it infects — is hitting Linux-based devices, and it appears the culprit responsible for the attack is 14 years old.

The new software, dubbed “Silex,” is running across the Internet looking for Linux systems deployed with default admin credentials. Once it finds such a system, it overwrites all of the system’s storage with random data, drops its firewall rules, removes its network configuration, and then restarts the system — effectively rendering the device useless.

Discovered by Larry Cashdollar, a vulnerability researcher and member of Akamai’s Security Incident Response Team, the software is purely destructive; it captures no data and asks for no ransom. Researcher Ankit Anubhav traced the malware back to its origins and found the developer, who uses the online name “Light Leafon.” According to Anubhav, the malware’s author says that additional destructive capabilities are planned for future Silex variants.

More than 2,000 systems have already been damaged by Silex, which is not technically limited to IoT devices. It could attack any Linux system deployed on the Internet with open telnet ports and default admin credentials. Other researchers have noted that the command-and-control servers for Silex have IP addresses linked to Iran, leading some to speculate that political, as well as simply destructive, aims are behind its release.
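The scanning phase Silex depends on, one source walking many hosts on the telnet port looking for default logins, is something a network sensor can flag before a device is wiped. The following is an added example, not code from the Dark Reading article or from Akamai’s research; the flow records, IP addresses, window and threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed connection-log records (epoch seconds, source IP,
# destination IP, destination port). Not real traffic: built to show the
# telnet-sweep pattern described in the Silex write-up.
SAMPLE_FLOWS = [
    # 198.51.100.7 walks twelve hosts on port 23 in under a minute: sweep-like
    *[(1000 + i * 2, "198.51.100.7", f"10.0.0.{i}", 23) for i in range(1, 13)],
    # 10.0.0.50 is an admin host touching two devices over telnet: benign
    (1005, "10.0.0.50", "10.0.0.3", 23),
    (1400, "10.0.0.50", "10.0.0.9", 23),
    # 203.0.113.9 hits many hosts, but on SSH, so outside this rule's scope
    *[(1010 + i, "203.0.113.9", f"10.0.1.{i}", 22) for i in range(1, 20)],
]


def detect_telnet_sweeps(flows, window=60, threshold=10, port=23):
    """Return {src: distinct_targets} for sources that contact at least
    `threshold` distinct hosts on `port` inside any `window`-second span."""
    per_src = defaultdict(list)  # src -> [(ts, dst)] on the watched port
    for ts, src, dst, dport in flows:
        if dport == port:
            per_src[src].append((ts, dst))
    alerts = {}
    for src, hits in per_src.items():
        hits.sort()
        lo = 0
        seen = defaultdict(int)  # dst -> hits still inside the window
        for ts, dst in hits:
            seen[dst] += 1
            # slide the left edge forward until the window fits
            while ts - hits[lo][0] > window:
                old_dst = hits[lo][1]
                seen[old_dst] -= 1
                if seen[old_dst] == 0:
                    del seen[old_dst]
                lo += 1
            if len(seen) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(seen))
    return alerts


if __name__ == "__main__":
    for src, n in detect_telnet_sweeps(SAMPLE_FLOWS).items():
        print(f"possible telnet sweep from {src}: {n} hosts within 60s")
```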

Read more here, here, and here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/iot/new-linux-worm-attacks-iot-devices/d/d-id/1335065?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Google creates educational tools to help kids spot fake news

Google is on a mission to teach kids how to spot fake news. The company has expanded its internet safety guide for children with techniques and games to help them be more information literate online.

The expansion is part of its Be Internet Awesome (Be Internet Legends in the UK) initiative, aimed at families, educators, and children to help young people be better online citizens and protect themselves.

The initiative, which aligns with educational standards from the International Society for Technology in Education (ISTE) and the American Association of School Librarians (AASL), features an ‘Internet Code of Awesome’ supported by lesson plans that include ‘Share with Care’, ‘Secure your Secrets’, ‘It’s Cool to be Kind’, and ‘When in Doubt, Talk It Out’.

Don’t Fall for Fake

The new activities are listed under another item in the Code: ‘Don’t Fall for Fake’. Google developed them in conjunction with Anne Collier, executive director of The Net Safety Collaborative, and Faith Rogow, PhD, co-author of The Teacher’s Guide to Media Literacy and a co-founder of the National Association for Media Literacy Education.

Google announced the new activities in a blog post written by Amy Mascott, a former high-school teacher who runs parenting and technology website teachmama.com. Technology can enhance life in and out of the classroom, she says, but warns:

That comes with lots of challenges, like learning to communicate responsibly, being kind online and deciphering what is real and what is fake.

The activities, listed in Google’s Digital Safety and Citizenship Curriculum, are:

  • Donʼt bite that phishing hook! Kids study emails and text messages to try and spot phishers.
  • Who are you, really? They practice responding to suspicious messages to verify the sender’s identity.
  • About those bots. Children participate in a Q&A around spotting and interacting with chatbots.
  • Is that really true? They learn how to use criteria like motive and expertise to establish credibility when evaluating sources.
  • Spotting disinformation online. Students learn techniques including spotting fake URLs and evaluating headlines, and also learn how to apply the lessons they learned in ‘Is that really true?’

Google has brought all these techniques together in an online game called Interland: Reality River, in which you have to answer questions to cross and avoid the phishers (see what they did there?).

Before you ask, yes, Google’s Code also includes an explicit lesson on how kids can configure their privacy settings so that tech giants like Google can’t track everything they do (at least not quite so easily).

The lesson plans primarily target kids aged 7-12, but older children will find them useful too, Google says. It’s something that many adults would also do well to read before they share the next outrageous Facebook link that bubbles up in their feed.

This initiative is part of a broader effort from Google to stop fake news spreading on the internet. Earlier this year, it released fact-checking tools for journalists to tag stories that debunk misinformation. Mozilla also has its own fake news-fighting effort.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/psRkheTDRaU/