STE WILLIAMS

As Cloud Adoption Grows, DLP Remains Key Challenge

As businesses use the cloud to fuel growth, many fail to enforce data loss prevention or control how people share data.

The cloud is no longer a mystery to today’s companies, which capitalize on its benefits to fuel growth, but securing cloud-based data, applications, and infrastructure remains a challenge.

As part of its most recent “Cloud Adoption and Risk Report,” researchers with McAfee polled 1,000 enterprise organizations around the world and combined their data with insight from billions of anonymized cloud events across their customer base. Most cloud adopters (87%) report business acceleration, and 52% claim to experience better security. A closer look at the numbers, however, reveals a need to better control information and applications in the cloud.

Only 26% of respondents say they can audit infrastructure-as-a-service (IaaS) configurations such as open access to storage buckets. One-third say they can control application collaboration settings. Slightly more (36%) can enforce data loss prevention (DLP) in the cloud. More than 35% of businesses with a cloud access security broker (CASB) are more likely to be able to launch new products and speed time to market — but only one-third of respondents use them.

“It’s a matter of maturity,” says Vittorio Viarengo, vice president of product for McAfee’s cloud unit. Two years ago, security was the main obstacle to cloud adoption as companies hesitated to share data with providers. Now, with providers buckling down on security and business decisions accelerating the transition to the cloud, they’ve grown accustomed to the switch but fail to realize cloud providers don’t cover all security. In some ways, they’re still responsible.

As researchers point out in the report, the one element of security that cloud providers can’t cover for their customers is how their services are actually used, specifically the data that is stored in those services, shared externally, and accessed from myriad devices and locations. For example, say confidential data is stored in an Office 365 file shared with a customer, Viarengo explains. “Of course, Microsoft isn’t going to be responsible for that … that’s user behavior.”

It’s worth noting only 40% of respondents can control access to cloud data for personal devices, meaning 60% have no knowledge of how employees are putting sensitive files on their phones or laptops and taking them out of the organization. Thirty percent enforce the same DLP policies across employee devices, the corporate network, and the cloud, researchers discovered.

The shared responsibility model dictates how businesses are responsible for data. Businesses need to know what data needs to be protected, where it goes, and who can access it based on internal policies and compliance requirements. First, they have to know where data resides.

Sensitive Data: Emerging from Shadow IT

One-third of respondents say they can discover and remediate shadow IT, but Viarengo points out that companies have taken steps to address this problem and officially sanction cloud apps and services. Researchers report only 10% of sensitive company data resides in unsanctioned applications, and the overall risk of sensitive data exposure via shadow IT has diminished.

So, where is sensitive data stored? Sixty-five percent is stored in collaboration and business apps, including Office 365, which holds 31% of sensitive enterprise data. Salesforce holds 16%, and Box and Dropbox together hold 7%. Overall, 25% of sensitive corporate data lives in IaaS platforms, including Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform.

When protecting data in the cloud, researchers recommend starting with apps that hold the majority of sensitive information and working your way down. Whether the business already uses those apps or is planning to launch them, the approach can help maximize risk mitigation.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/cloud/as-cloud-adoption-grows-dlp-remains-key-challenge/d/d-id/1335000?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Phishing attack lures victims with encrypted message alert

What is it about phishing emails that makes them so enduringly popular with the bad guys?

The standard answer is they exploit fear, alarm and annoyance to persuade users to click on them, which explains the horde of campaigns using fictitious legal threats or warnings about bank accounts to get a foot in the door.

However, a new campaign covered by Bleeping Computer reminds us that there is another psychological impulse that works just as well if skilfully deployed – curiosity.

This one is couched as an email, apparently from Microsoft, alerting the recipient to an encrypted message which must be viewed by accessing OneDrive for Business.

It used to be said that the best phishing attacks gamed their victims in the shortest possible time and the fewest steps, but that was before cloud services were invented, where, arguably, introducing more steps now aids authenticity.

This one has several, including a faked-up OneDrive-branded email with a blue ‘Open’ button plastered in the middle of it, followed by – of course – a pretend OneDrive login page that asks users to enter their account credentials to download the file.

It’s like being asked to follow a trail of sweets to find out what’s at the end only to discover it’s a pit filled with spikes.

A big giveaway is that Microsoft business accounts should be protected by two-factor authentication (2FA), which this fake login lacks, but it’s possible some users won’t notice its absence if they’re not familiar with it.

You’ve got secure email

Phishing campaigns using encrypted email content as a lure are nothing new; indeed, one might view them as a distant development of the old fake UPS or FedEx parcel messages.

That’s why phishing attacks must continuously evolve new variations on the same underlying ploy, which happens as new templates are added to the shadowy phishing kits that spawn them.

Every time you think the phishers will finally run out of ideas, they come up with a new twist on the same concept.

Recent examples have even included attempts to beat older but still widely used types of 2FA, as was the case in a series of attacks targeting high-value Gmail users.

Or, last week, the fact that a growing number of bogus domains are using TLS certificates and HTTPS connections as a way of making themselves appear more plausible.

In the mobile sphere, phishers have taken to emailing Instagram users with the claim they’ve been added to a “nasty list”.

The inbox frontline

This raises the practical question of how recipients can avoid falling into the clutches of the phishers, short of simply never clicking on anything.

If there was a simple answer to this, phishing attacks would have been squashed years ago, but not clicking on anything ever in an email is, in fact, not a bad place to start.

Anything that claims an account of any kind is about to be suspended, suggests users update their account data, or asks the user to delete undelivered emails, is automatically suspicious.

Beyond that it’s about noticing unusual, misspelled domains in the URL, or domains that appear differently when hovering over links. Finding them is a sure sign of something phishy, but their absence shouldn’t be taken as proof that an email is legitimate. It’s also important to study reply addresses carefully while remembering that legitimate addresses are easily spoofed.
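The hover-mismatch check described above can be automated over an email's HTML body. The following is an added example, not code from the original article: it pairs each link's visible text with its real target, flags visible URLs that point somewhere else, targets outside the domains the sender should be using, and non-ASCII hosts. The sample message, the lookalike domain and the set of expected brand domains are all constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Lowercase host of a URL or bare domain ('' if there is none)."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def registered_domain(host):
    # Crude approximation: the last two labels. A production check should use
    # the public suffix list, since e.g. 'example.co.uk' has three meaningful labels.
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


# Visible link text that itself looks like a URL or domain name.
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.IGNORECASE)


def analyse_links(html_body, expected_domains):
    """Return a list of suspicious links with the reasons each was flagged.

    expected_domains: registered domains the sender is entitled to link to
    (for a Microsoft-branded message, e.g. {'microsoft.com', 'live.com'}).
    """
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        target_host = host_of(href)
        target = registered_domain(target_host)
        reasons = []
        # The "hover" check: the text shows one domain, the href goes to another.
        if URL_LIKE.match(text) and registered_domain(host_of(text)) != target:
            reasons.append("visible URL differs from actual link target")
        if target and target not in expected_domains:
            reasons.append("target domain is not one the sender should be using")
        if any(ord(ch) > 127 for ch in target_host):
            reasons.append("non-ASCII characters in host (possible homoglyph)")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample: a fake "encrypted message" notification whose link
# points somewhere other than the Microsoft service it claims to be.
SAMPLE_EMAIL = """
<p>You have received an encrypted message. Open it in OneDrive for Business.</p>
<a href="http://onedrive-login.example.net/view">https://onedrive.live.com/secure</a>
<p>Need help? Visit <a href="https://www.microsoft.com/">Microsoft support</a>.</p>
"""

if __name__ == "__main__":
    for finding in analyse_links(SAMPLE_EMAIL, {"microsoft.com", "live.com"}):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

A clean link (text "Open", target microsoft.com) produces no finding, so the function is quiet on legitimate mail and only reports links that fail one of the three checks.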

How easily? Very easily, as the video embedded in the original article shows.

In the offline world, curiosity is usually seen as a good thing – a sign of initiative. It’s just a shame that for email users, inquisitiveness is more likely to get you into a heap of trouble.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/UlZ_UBDrspc/

The US is reportedly seeding Russia’s power grid with malware

The US has been quietly planting malware throughout Russia’s energy networks in response to years of Russian attacks on its own power grid, the New York Times reported on Saturday.

Quoting officials interviewed over the last three months, the paper said that the latest moves represent a turning point for the US policy on interfering with Russia’s electricity infrastructure. Under the Obama administration, the US had used reconnaissance tools to monitor Russia’s electricity control systems. The Trump administration has escalated this activity to an offensive campaign, placing software that could destabilise electrical services within Russia.

The move follows years of provocation by Russia, which has reportedly run recurring cybercampaigns targeting the US energy grid.

In March 2019, the Department of Homeland Security (DHS) reported that Russian hackers had been targeting US infrastructure including not just energy and nuclear facilities, but also water, aviation, and critical manufacturing sectors. The hackers would infiltrate the targets’ trusted partner organizations and use them as staging grounds for their attacks, the report warned.

That report updated a similar warning in October 2017, although that one did not single Russia out for blame.

Most recently, security firm Dragos alleged that Xenotime, a hacking group thought to be linked to Moscow, has been using its Triton (also known as Trisys) malware to explore US power networks in possible preparation for a future attack. It identified…

… a persistent pattern of activity attempting to gather information and enumerate network resources associated with US and Asia-Pacific electric utilities.

This behavior could indicate the activity group was preparing for a further cyberattack, or at minimum satisfying the prerequisites for a future ICS-focused intrusion.

Russian hackers were also thought to be behind separate attacks on the Ukrainian electrical grid in 2015 and 2017.

The news that the US has been seeding Russian power networks with malware follows moves by the Trump administration to loosen the reins on the Pentagon, freeing it up to take more offensive measures in cyberspace without explicit presidential approval. Last August, it rolled back Obama-era rules on cyberwarfare, removing a layer of inter-agency bureaucracy that stood in the way of launching offensive campaigns.

Then, a month later, the Department of Defense unveiled a new cyber strategy that authorized the military to launch cyberattacks on foreign nations without authorisation from the National Security Council.

This news may represent a new chapter for the US in its approach to aggressive Russian cyberwarfare tactics, but it isn’t the first time that the US has planned or mounted offensive cyber campaigns. In 2010, it carried out Operation Olympic Games, the codename for the Stuxnet malware operation against Iran’s Natanz nuclear enrichment facility.

President Trump fired back at the New York Times on Saturday, calling the publication of the story an act of “virtual treason” and denying the report.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/tTQSogDf45o/

Bella Thorne steals hacker’s thunder, publishes nude photos herself

The forces of extortionist scumbaggery have had the rug pulled out from them yet again: last week, it was Radiohead, releasing 18 hours of music rather than pay up to whoever hacked it away.

This week, it’s American actress Bella Thorne. Her approach: Oh, so you’re threatening to publish nude pics you hacked out of my accounts? Too late – I did it myself.

Thorne posted the images to Twitter on Saturday. She said in the tweet, which included screenshots of text messages with the alleged hacker, that “all of her s**t” got hacked on Friday. Then, she had to put up with 24 hours of threats “with my own nudes.”

I feel gross. I feel watched, I feel someone has taken something from me that I only wanted one special person to see.

Oh, and by the way, the FBI will be at your door shortly, she also said.

By Sunday, Thorne was still angry and hurt, but feeling a bit more compassionate toward whatever nimrod tried to blackmail her. In an interview with Hollywood Reporter, she said that she thinks whoever hacked her is a kid – somebody who made a bad choice and shouldn’t have his life ruined because of it:

This kid sounds like he’s 17, as much as I’m so angry and wanted to [f**k] him up over doing this to people I just wanted to teach him a lesson. He’s still a kid and we make mistakes, this mistake is a bad one. But I don’t want some 17-year-old’s whole life ruined because he wasn’t thinking straight and [was] being a dumbass.

“If she hadn’t taken them in the first place…”

Yadda, yadda, yadda. We hear it all the time: If she hadn’t taken explicit photos of herself in the first place, there wouldn’t have been anything to hack away and hold over her head in an extortion attempt. That’s always been blame-the-victim thinking, like saying that people who own sexy sexy Bitcoin are just asking to be e-groped, or that people who have the audacity to swipe their cards in ATMs are calling out a come-hither to card skimmers.

The growing sophistication of deepfakes should put a nail in that argument’s coffin. Nowadays, with artificial intelligence- (AI-) generated porn – or strangely well-connected and gorgeous LinkedIn figments of your imagination, for that matter – you don’t actually have to take explicit photos of yourself to be featured in one.

Be that as it may, what’s more important than playing the blame game is good security hygiene. While we applaud Ms. Thorne’s refusal to play into this hacker’s hands, we hope that she’s managed to figure out how she fell into those hands to begin with.

A few, basic security musts

Maybe her login credentials were phished away? If so, has she since learned how to tell the difference between phish and legit?

Another basic security step is to take advantage of multifactor authentication (MFA) – what’s also known as two-factor authentication (2FA) or two-step verification (2SV) – wherever it’s offered. It ensures that even if a hacker gets his hands on your login credentials, he also has to jump the hurdle of providing another form of authentication to get into your account – like, say, a one-time code.

Or has she been reusing passwords? If so, somebody please advise Bella to stop. Password reuse is truly an atrocious idea.

Picking a proper password is one thing, and we’ve got a short, sweet video below that shows you how to do it. Remembering all your unique, strong passwords is another thing entirely. For that, we’re big believers in password managers that can handle the remembering for you.

Come to think of it, those password managers can also handle the unique password generation piece of the puzzle. But for those of us who still aren’t convinced that they want to go that route, here’s a video that walks you through making up your own strong passwords – at least 12 characters long, that mix letters, numbers and special characters.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/-XpPv5rePA4/

90% off Ray-Bans? It’s a 100% Instagram SCAM!

A scam ad for Ray-Ban sunglasses has been making the rounds on Instagram.

There are many versions, but they tend to feature the Ray-Ban logo and photos of sunglasses, along with the “whoa, what a crazy deal!” offers of “90% off”. We’ve seen one that dangles the cheap-cheap price tag of £17.65 (that’s US $22.13 – for glasses that typically go for over $100).

And of course, you better hurry, since this offer won’t last – it’s one day only! … And has been for a few weeks!

Not everybody is going to see the fake ads and write them off as being the scams that they are, unfortunately. After all, the ads bear the name of a (self-proclaimed) “official” website. Plus, you’ve likely seen these ads being posted by your Instagram friends.

Don’t fall for it, though. It seems too good to be true, which means it is.

Other fake-ad scams

It’s yet another example of fake ads doing the rounds on social media: we’ve seen an Adidas phishing scam that circulated on WhatsApp, offering “free” (nope!) shoes and money (double nope!). Scammers seem to have a bit of a fancy-footwear fetish: we’ve also seen bogus UGG outlet store scams on Facebook.

We’ve also seen online auctions for cutesy wutesy puppies and kittens that turned from “awww!” to “AAARRRGHHH!!!” in the blink of a scammer’s eye.

Those aren’t really your friends

The crooks behind scams like this often rely on compromised social media accounts to spread their fakery.

So, while it might look like your friends are urging you to take up an offer too good to ignore – it’s more likely to be a scammer who’s cracked their password so they can abuse the trust we place in our friends’ opinions.

That, in fact, is what happened to an Instagram celebrity, Lindsie Comerford, whose account – and then her bank account – was hijacked last year.

Account recovery: it’s like pulling teeth

Actually, recovering a hijacked Instagram – at least until Monday, when Instagram promised to make it easier – is more like painfully trying to pull teeth and then giving up because “72 hours later – still no account recovered!”

Comerford wrote a blog post about her hijacking ordeal.

Well, apparently to get a hacked account back I have got to email support and help 10 times, leave 3 voicemails, and report my account before I could reach a magical help screen that actually guides you towards getting your account back. Getting the help is no easy feat though and honestly it requires sheer digital magic.

Finally I reach Instagram; but only after trying to figure out how to navigate through my email account that has been switched to show only Turkish language.

It took three days of no help and still she didn’t get back her account. She wound up asking an ethical hacker to do it for her. Meanwhile, the crook took full advantage of all that time to first hack her email, and then her bank account, she said.

After a wave of complaints like that, Instagram is finally working on overhauling its kludgy response to hijacks. On Monday, it announced that it’s testing easier ways to get back hacked accounts, even if the attacker has changed a victim’s user name and contact data.

According to the BBC, the trial is of an in-app function through which users submit contact information associated with the account and then receive an access code.

For Android users, it also announced that it’s putting user names on the shelf, keeping them from being claimed for a “period of time” after account changes, whether those changes stem from a hack or the legitimate user doing a legitimate change.

This will hopefully bring much-needed help for users on Instagram, where hijacking has become a bit of an art form. As Vice has reported, hackers have been holding high-profile accounts to ransom for eye-popping prices: they can sell for up to tens of thousands of dollars on underground forums.

What to do?

If you see scam ads like these for Ray-Ban on your friends’ walls, let them know. If they didn’t post them, they’ll need to:

  1. Change their Instagram password straight away – to something unique and strong.
  2. Set up two-factor authentication (2FA).
  3. Review the access they’ve granted to third-party apps and services, and revoke any they don’t use or that look suspicious. Go to Instagram Settings > Authorized Apps.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/S1nngnQ-ZEQ/

Freaking out about fiendish IoT exploits? Maybe disable telnet, FTP and change that default password first?

While netizens and journalists worry about criminals and spies using sophisticated cyber-weapons to hijack Internet of Things devices, basic security protections are being overlooked – and pose a far greater threat.

Miscreants targeting internet-connected devices, especially those found in homes and small offices, won’t need special exploits leveraging code vulnerabilities to break in, because the username and password “admin” will typically get them just as far.

That’s according to eggheads at Stanford University and the University of Illinois at Urbana-Champaign in the US, and Avast Software in the Czech Republic. They’ve concluded IoT security is so completely devoid of basic protections that in many cases an attacker would not even need to resort to malware or complex exploits to compromise a device or network.

For an academic study, seen by The Register ahead of its release online today, the team collected telemetry from 83 million devices via home network scans of 16 million Avast customer volunteers, and found that basic security measures, such as strong passwords or non-default credentials, were nowhere to be found.

For example, the study, due to be formally presented at this summer’s Usenix security symposium, noted that 30 per cent of TP-Link routers encountered during the research had an open HTTP port on the local network and used the default admin/admin username-password combination. The researchers also found that 14.6 per cent of all routers had either FTP or Telnet services open, and many of those also used passwords that would be trivial to guess.

At the same time, media coverage and infosec vendors’ marketing hype push the idea that sophisticated exploits and hidden firmware vulnerabilities are the big threats, rather than insecure out-of-the-box configurations and default login credentials.

‘Shiny exploits’

“What we see coverage of are these shiny exploits that go after devices that no one has, no one cares about, that are never going to be used,” said Zakir Durumeric, an assistant professor at Stanford and co-author of the report.

“We should be terrified about the fact that half of these routers have guessable passwords and that there’s no security precautions really sitting between any of these infected machines and these devices.”

Durumeric went on to note that further danger is posed by many IoT devices continuing to use ancient protocols like FTP and Telnet for their communications, rather than more secure methods of transmission. This is compounded by the use of weak credentials on those connections – for example, 9.3 per cent of TP-Link routers studied had an FTP port open to the internet, with 55 per cent of those also using a weak password.

“We have seen these very old protocols make a return, FTP had been deprecated and these other protocols like telnet have unquestionably been abdicated. There are much more secure protocols that are used today on normal computers,” he said.

“It has not been a priority for these devices to use these more secure protocols.”

Fortunately, Durumeric noted, the study also found reason to believe that tackling the issue may not be as hard as it seems. For starters, the market dominance of a handful of vendors means that just 100 companies account for around 90 per cent of all IoT devices, and in areas like voice assistant boxes just two vendors (Amazon and Google) control 90 per cent.

This means that if these top-tier vendors can clean up their acts and improve the security of their hardware, the strong majority of IoT hardware can become significantly more secure and better protected.

Maybe then, perhaps, we can start to worry about vulnerability exploits. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/06/18/iot_default_security/

Parliament IT bods’ fail sees server’s naked OS exposed to world+dog

Someone in the Parliamentary Digital Service managed to leave a server so completely exposed to the internet that Google indexed the Windows machine’s operating system.

Register reader Chris, who stumbled across this while searching for something related to a Google update, discovered that sizeable chunks of bills.parliament.uk, well beyond what should have been firewalled off from the wider world, were exposed online.

“Looks like they were potentially exposing the entire system drive of the Windows webserver as read-only for some time,” he commented.

The information exposed through Google’s cache (the server itself seemed to have been taken offline) appears to contain large chunks of a Windows OS running, among other things, VMware, cygwin, Sophos antivirus, the Lynx WWW client, Splunk, Perl and the usual suite of Windows services.

While the read-only access provided through Google is merely embarrassing at best, and could provide some clues for black hats determined to break in for whatever reason, it is not known whether the exposure of the server itself was read-only or whether write access was available as well.

The Parliamentary Digital Service (PDS) had not replied to The Register’s enquiries by the time of publication.

If you’re curious to see for yourself what Parliament’s running on its boxen, put this search string through Google: site:bills.parliament.uk

The breach, as well as leaving several eggs on the faces of Parliament’s digital bods, is likely to provoke some pisstaking from the other government IT department, the infamous GDS. A few years ago PDS declared that it was hiring a bunch of techies to revamp its website and didn’t want GDS anywhere near it.

More seriously, two years ago a “sustained and determined” cyber attack saw 90 Parliamentary email accounts compromised by attackers who were not identified by the authorities. Nonetheless, the attack vector appeared to be a brute-force attempt to see if anyone had set any foolishly weak passwords, allowing for further exploitation. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/06/18/parliament_server_os_cached_google_search/

Can Your Patching Strategy Keep Up with the Demands of Open Source?

It’s time to reassess your open source management policies and processes.

Unlike commercial software, whose publishers can automatically push fixes, patches, and updates to their customers, open source software offers a pull support model — in other words, you are responsible for keeping track of any patches and updates for the open source software used within your organization. This includes taking care of security vulnerabilities. So, no pressure, right?

The ubiquity of open source usage, when coupled with the pull support model, provides attackers with a target-rich environment as vulnerabilities are disclosed through a variety of sources such as the National Vulnerability Database (NVD), mailing lists, GitHub issues, and project homepages. Many organizations don’t keep accurate, comprehensive, and up-to-date inventories of the open source components used in their applications. For example, a 2019 staff report by the US Senate Permanent Subcommittee on Investigations noted that Equifax’s lack of a complete software inventory was a contributing factor to its massive 2017 data breach.

The newly released 2019 “Open Source Security and Risk Analysis” (OSSRA) report examines findings from audits of more than 1,200 commercial codebases in 2018. These audits were performed by the Black Duck Audit Services team during the technical due diligence processes associated with activities such as a corporate merger or acquisition. In this context, a codebase represents the source code for an application, library, or service. The results of these audits are then anonymized and used as input data for the OSSRA report.

In the 2019 OSSRA, we found that overall open source usage rose to 60% of the code within a codebase in 2018, up from 57% in 2017. While this indicates 40% of code is proprietary, it’s important to note that 96% of codebases contained at least one open source component. Additionally, the average number of open source components per codebase rose 16% to 298.

By contrast, analysts such as Forrester and Gartner note that over 90% of IT organizations use open source software in mission-critical workloads and that open source makes up as much as 90% of new codebases. According to the 2019 Red Hat “State of Enterprise Open Source” report, over 69% of the enterprises surveyed felt that their use of open source was at minimum “very important.” With data for the OSSRA report coming from audits of production commercial software rather than surveys, we’re looking at actual software composition from companies whose business is building software. For those companies, striking a balance between proprietary code and time to market is critical, and open source usage allows these companies to focus their attention on their unique value proposition.

The Red Hat report notes that security is cited as a major barrier blocking some enterprises from permitting open source use. Interestingly, the same report cites security as one of the top benefits IT decision-makers see in their use of open source. This seeming contradiction reflects the concern that unmanaged open source code can introduce vulnerabilities in both open source and proprietary solutions versus an awareness that proper management of open source — including using trusted sources and automated tools to uncover and remediate security problems — can significantly reduce the potential of open source risk.

Open Source Backbone

Whatever numbers you look at, it’s clear that open source components and libraries form the backbone of nearly every application and span all industries. Most organizations have thousands of different pieces of software ranging from mobile apps to cloud-based systems to legacy systems running on-premises. That software is typically a mix of commercial off-the-shelf packages, open source software, and custom-built codebases. Vulnerabilities affect all of it.

At the same time, few companies are adequately tracking the open source components they use in their code and haven’t implemented the policies, processes, and tools needed to keep up with the open source component choices made by their developers. As a consequence, all the benefits that come with open source can also bring a variety of risks.

All software, be it proprietary or open source, has weaknesses that might become vulnerabilities, which organizations need to identify and patch. The open source community does an exemplary job of issuing patches, often at a much faster pace than their proprietary counterparts. It’s the act of patching that is often the problem.

An alarming number of companies aren’t applying patches in a timely fashion (for both proprietary and open source software), opening themselves to risk. The reasons for not patching are varied: Some organizations are overwhelmed by the endless stream of available patches and are unable to prioritize what needs to be patched, some lack the trained resources to apply patches, and some need to balance risk with the financial costs of addressing that risk.

Unpatched software vulnerabilities are one of the biggest cyberthreats that organizations face, and unpatched open source components in software add to security risk. The 2019 OSSRA report notes that 60% of the codebases audited in 2018 contained at least one open source vulnerability. In 2018, the NVD added over 16,500 new vulnerabilities. This represents a rate of over 45 new disclosures daily, a pace most organizations are ill-equipped to handle. Given that open source components are consumed both in source form and through commercial applications, a comprehensive open source governance strategy should encompass both source code usage and the governance practices of any software or service provider.

The bottom line is that it’s impossible to patch software you don’t know you have in use. Similarly, it’s a waste of resources to perform scans for network vulnerabilities in software which you haven’t deployed. Effectively, if you can’t say with confidence that the open source components you use in your internal and external applications are up-to-date with all crucial patches applied, it’s time to reassess your open source management policies and processes.
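The reconciliation step the last two paragraphs argue for, as an added example that is not from the OSSRA report or any Synopsys tool: it matches an open source inventory against advisory version ranges and reports what needs patching, what is clean, and what cannot be assessed because no version was ever recorded. The inventory, the advisory identifiers (ADV-000x placeholders, not real CVE numbers) and the version ranges are all constructed.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    """One vulnerability disclosure for an open source component.

    introduced: first affected version (inclusive); fixed: first patched
    version (exclusive). A real advisory would carry a CVE id and come from
    the NVD, a mailing list or the project's issue tracker; these are constructed.
    """
    component: str
    advisory_id: str
    introduced: str
    fixed: str


def parse_version(text):
    """'2.4.1' -> (2, 4, 1). A leading 'v' and trailing labels like '-beta' are ignored."""
    match = re.match(r"^v?(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"unparsable version: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def version_lt(a, b):
    """True if version string a is strictly lower than b ('1.2' equals '1.2.0')."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return ta < tb


def is_affected(version, advisory):
    """Inside [introduced, fixed)?"""
    return not version_lt(version, advisory.introduced) and version_lt(version, advisory.fixed)


def reconcile(inventory, advisories):
    """Match an inventory {component: version or None} against advisories.

    Returns three buckets:
      patch           - components inside an affected range, with the lowest
                        version that clears every matching advisory
      unknown_version - components whose version was never recorded, so they
                        cannot be assessed at all (software you don't know you have)
      clean           - nothing matched
    """
    by_component = {}
    for adv in advisories:
        by_component.setdefault(adv.component, []).append(adv)

    report = {"patch": [], "unknown_version": [], "clean": []}
    for name, version in sorted(inventory.items()):
        if version is None:
            report["unknown_version"].append(name)
            continue
        hits = [adv for adv in by_component.get(name, []) if is_affected(version, adv)]
        if not hits:
            report["clean"].append(name)
            continue
        # The highest 'fixed' version among the hits clears all of them.
        upgrade_to = max((adv.fixed for adv in hits), key=parse_version)
        report["patch"].append({
            "component": name,
            "current": version,
            "upgrade_to": upgrade_to,
            "advisories": sorted(adv.advisory_id for adv in hits),
        })
    return report


# Constructed inventory: None marks a component whose version was never recorded.
INVENTORY = {"libfoo": "2.3.9", "libbar": "1.8.0", "libbaz": None, "libqux": "3.1.0"}
ADVISORIES = [
    Advisory("libfoo", "ADV-0001", "2.0.0", "2.4.1"),
    Advisory("libfoo", "ADV-0002", "2.3.0", "2.3.5"),
    Advisory("libbar", "ADV-0003", "1.0", "1.8.0"),
]

if __name__ == "__main__":
    for bucket, items in reconcile(INVENTORY, ADVISORIES).items():
        print(bucket, items)
```

Note that libbar sits exactly on its fixed version and is reported clean, while libfoo matches only the advisory whose range still covers 2.3.9; the unrecorded libbaz is the inventory gap the article warns about.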

Tim Mackey is Principal Security Strategist, CyRC, at Synopsys. Within this role, he engages with various technical communities to understand how to best solve application security problems. He specializes in container security, virtualization, cloud technologies, distributed …

Article source: https://www.darkreading.com/application-security/can-your-patching-strategy-keep-up-with-the-demands-of-open-source/a/d-id/1334947?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Sad SACK: Linux PCs, servers, gadgets may be crashed by ‘Ping of Death’ network packets

It is possible to crash vulnerable network-facing Linux servers, PCs, and gadgets, or slow down their network connections, by sending them a series of maliciously crafted packets. It is also possible to hamper vulnerable FreeBSD machines with the same attack.

Given that Linux powers an incredible amount of stuff these days, all sorts of gear from network or internet-connected TVs, routers, thermostats, light switches, CCTV cameras, and robot vacuum cleaners, to servers, PCs, smart fridges, dialysis machines, car infotainment systems, tractors, construction equipment, and uranium centrifuges, and so on, can be potentially brought to a halt by miscreants – if vulnerable.

Crucially, in order to remotely crash or knacker your computer or gadget, a miscreant must be able to open a connection to the Linux-powered device: this is possible if the machine is running something like a web server, an SSH daemon, or some other TCP-based service. If your device is not listening on any TCP ports, it will be virtually impossible to exploit.

So, not great, not terrible; it’s an annoyance that could disrupt websites and similar services on the internet if script kiddies start firing off waves of exploits at vulnerable machines.

Patches and mitigations are available, and can be applied by hand if needed, or you can wait for a security fix to be pushed or offered to your at-risk device. A key workaround is to set /proc/sys/net/ipv4/tcp_sack to 0.

SACK-religious

At the heart of the drama is a programming flaw dubbed SACK Panic aka CVE-2019-11477: this bug can be exploited to remotely crash systems powered by Linux kernel version 2.6.29 or higher, which was released 10 years ago.

There are three other related holes: SACK Slowness, aka CVE-2019-11478, which affects Linux kernels pre-4.15, and all versions to a degree; SACK Slowness, aka CVE-2019-5599, which affects FreeBSD 12 using the RACK TCP stack; and Excess Resource Consumption Due to Low MSS Values, aka CVE-2019-11479, which affects all Linux kernel versions.

They were discovered and reported by Netflix security’s Jonathan Looney, and described in a Netflix advisory issued in the past couple of hours.

They basically revolve around an enabled-by-default feature in Linux called TCP SACK. Designed to speed up the transfer of data between computers, SACK (or Selective ACKnowledgement) allows a receiving machine to more precisely tell the sender how much data it has received and what needs to be resent. Ideally this means less data needs to be re-transmitted, and both machines can therefore shift files and other information between themselves faster. Some admins disable the feature for various reasons, one being that it is not terribly well implemented by some operating systems.

With CVE-2019-11477, a string of TCP SACK responses will cause the Linux kernel to unexpectedly hit an internal data structure limit, triggering a fatal panic. The others affecting Linux will force the system to consume resources, thus slowing it down, as Red Hat explained in its technical summary today.

Additionally, CVE-2019-5599 is a bug in the way FreeBSD handles SACK responses: it is possible to fragment an internal data structure that tracks SACKs, causing the kernel to walk long linked-lists, slowing down the system.

Thus far, Red Hat, Amazon Web Services, SUSE, and Grsecurity have all posted advisories or announced plans to soon post fixes for the flaws, with other vendors certain to follow suit in the coming hours and days.

Disabling SACK, for what it’s worth, is a worthwhile workaround for now, but bear in mind it may impact your network throughput. ®
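A host check for the above, as an added example that is neither code from the article nor from Netflix, Red Hat or any other vendor advisory: it parses the running kernel release, reads the tcp_sack sysctl quoted above, maps the result onto the CVEs the article lists (using the 2.6.29 and 4.15 thresholds the article gives), and prints or applies the tcp_sack=0 workaround. The persistent drop-in path /etc/sysctl.d/99-tcp-sack.conf is an assumption, and whether tcp_sack=0 helps against CVE-2019-11479 is not claimed here, since the article ties that one to low MSS values rather than to SACK.

```python
"""Added example: SACK exposure check and tcp_sack workaround for a Linux host.
Thresholds (2.6.29, 4.15) come from the article; the drop-in path is assumed."""

import platform
import re
import subprocess

SACK_SYSCTL = "/proc/sys/net/ipv4/tcp_sack"              # path quoted in the article
SYSCTL_DROPIN = "/etc/sysctl.d/99-tcp-sack.conf"         # assumed persistence location


def kernel_version(release):
    """'4.4.0-148-generic' -> (4, 4, 0); anything after the numeric part is ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(x) for x in m.groups(default="0"))


def sack_enabled_from_text(text):
    """True when the sysctl file content reads 1 (SACK on, the kernel default)."""
    return text.strip() == "1"


def sack_enabled(path=SACK_SYSCTL):
    with open(path) as fh:
        return sack_enabled_from_text(fh.read())


def assess(release, sack_on):
    """Map kernel release and SACK state to the CVEs from the article that the
    host could still be hit by. With SACK off, the SACK-specific bugs are not
    reachable; the low-MSS issue is listed regardless because the article says it
    affects all kernel versions and tcp_sack=0 is not assumed to cover it."""
    ver = kernel_version(release)
    exposure = []
    if sack_on:
        if ver >= (2, 6, 29):
            exposure.append("CVE-2019-11477 (SACK Panic)")
        if ver < (4, 15, 0):
            exposure.append("CVE-2019-11478 (SACK Slowness)")
        else:
            exposure.append("CVE-2019-11478 (SACK Slowness, reduced impact on 4.15+)")
    exposure.append("CVE-2019-11479 (low MSS resource consumption; patch the kernel)")
    return exposure


def workaround_commands(disable=True):
    """Runtime change plus the persistent drop-in (assumed path). Passing
    disable=False produces the commands that turn SACK back on after patching."""
    value = 0 if disable else 1
    return [
        ["sysctl", "-w", f"net.ipv4.tcp_sack={value}"],
        ["sh", "-c", f"printf 'net.ipv4.tcp_sack = {value}\\n' > {SYSCTL_DROPIN}"],
    ]


def apply_workaround(disable=True, dry_run=True):
    """Run (or only print) the workaround; needs root when dry_run is False."""
    for cmd in workaround_commands(disable):
        if dry_run:
            print("would run:", " ".join(cmd))
        else:
            subprocess.run(cmd, check=True)


if __name__ == "__main__":
    release = platform.release()
    try:
        sack = sack_enabled()
    except OSError:
        sack = None  # not Linux, or /proc not mounted
    state = "on" if sack else "off" if sack is False else "unknown"
    print(f"kernel {release}, tcp_sack={state}")
    for item in assess(release, bool(sack)):
        print("  exposed to", item)
    if sack:
        apply_workaround(disable=True, dry_run=True)
```

Run it as-is to see what would change, then with dry_run=False as root to apply it; remember the throughput caveat above and re-enable SACK (disable=False) once the kernel fix is installed.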

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/06/17/linux_tcp_sack_kernel_crash/

Smash GandCrab: Free tools released to decrypt files scrambled by notorious ransomware

Victims of the latest incarnations of the GandCrab ransomware now have a way to reclaim their files without paying a penny to extortionists, thanks to the release of a decryption tool.

Infosec shop BitDefender said this week it has teamed up with eight crime-fighting government agencies – including the FBI, London’s Met Police, and Europol – to develop software that can decrypt documents scrambled by the various flavors of ransomware that circulate under the GandCrab banner. The decryption tool, available for free from the No More Ransom Project, is able to unlock files that had been encrypted by the latest version, 5.2, of the notorious Windows ransomware.

The hope is that, with victims now given the ability to decrypt encrypted files on their own, fewer people will pay the ransom and GandCrab’s masterminds will have less incentive to continue the operation.

That will, however, be a tall order given how ridiculously successful the ransomware has been up to now, and the cat and mouse game that has been going on between GandCrab developers and security companies for almost 18 months now.

“In more than a year of operation, we estimate GandCrab has claimed more than 1.5 million victims around the world, both home users and corporations,” BitDefender noted. “GandCrab operators and affiliates boldly claimed on private underground forums recently that the team behind the malware has extorted more than $2 billion from victims.”

There is also some hope that GandCrab’s operators will indeed live up to their word and shut down the ransomware and its backend network for good as promised. With no new variants being developed and decryption tools supporting the latest versions, GandCrab would, in theory, be headed to extinction.

Even if GandCrab were to be eradicated, though, the ransomware field remains a crowded and lucrative market, so much that some pundits have wondered if companies might not be better off just paying the ransom demands in certain cases. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/06/18/gandcrab_ransomware/