STE WILLIAMS

On the hunt for new cybersecurity tools? Check out the Arsenal at Black Hat USA in Las Vegas this August, where all Black Hat passholders are invited to see live demonstrations of the latest open-source security tools.

For example, you could swing by the Arsenal (located in the Business Hall) and catch a demonstration of Smalien, a security tool for information flow analysis and information leakage detection on Android devices.

Once you give an application to Smalien, it understands the application thoroughly by executing static information flow analysis of Dalvik bytecode files extracted from the application. Smalien performs not only static analysis but also dynamic analysis, implicit information flow detection, and privacy policy enforcement at runtime by parasitizing the application.

You may also want to see a demo of Objection: Runtime Mobile Exploration, a runtime mobile exploration toolkit built with the aim of helping assess mobile applications and their security posture without the need for a jailbroken or rooted mobile device.

Objection allows for many common pentesting tasks to be performed such as disabling SSL inspection, interacting with the applicable platforms keystore/keychain as well as the ability to upload/download files from a device. Additionally, more advanced usages such as code path tracing and live Java object inspection is also possible.

Black Hat USA will also host a smorgasbord of complementary Briefings featuring expert speakers sharing tools and techniques that can help you put these tools to good use. Securing the System: A Deep Dive into Reversing Android Pre-Installed Apps is a good example. This 50-minute Briefing from Google will detail the differences in reversing and analyzing pre-installed Android applications compared to the user-space applications on which most security research focuses.

This will include detecting signals that the pre-installed app may be colluding with other components and be only one piece of the puzzle, and how bad behaviors can change when they are run in the more privileged context of a pre-installed application. You’ll also dive into case-studies of Android pre-installed security issues Google discovered in 2018 and 2019: malware, security misconfigurations, and remote code execution backdoors!

In New Vulnerabilities in 5G Networks you’ll get an in-depth look at the security features of 5G radio networks and new vulnerabilities affecting both the operator infrastructure and end-devices (including mobiles, NB-IoTand laptops). Plus, you’ll see how these new vulnerabilities in the 5G/4G security standards can be exploited using low-cost hardware and software platforms.

For more information about these Briefings and many more check out the Black Hat USA Briefings page, which is regularly updated with new content as we get closer to the event!

Black Hat USA returns to the Mandalay Bay in Las Vegas August 3-8, 2019. For more information on what’s happening at the event and how to register, check out the Black Hat website.

Article source: https://www.darkreading.com/black-hat/find-your-next-favorite-cybersecurity-tool-at-the-black-hat-usa-arsenal/d/d-id/1334974?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

In 2019, most organizations are using the cloud. However, many businesses are paying for cloud services without a strategic plan that maximizes productivity and competitive returns while managing security and compliance benchmarks.

Like a new two-car garage that seems attractively spacious and infinitely useful at first (before it’s overrun by tools, workbenches, and projects in progress), most cloud operations would benefit significantly from clean-up, alignment, and organization. It is essential for these companies to have insight into where their data is stored and who has access to what information.

In keeping with pop culture’s recent focus on killing clutter that’s hurting performance and joy, here are a few principles to tidy up and organize how your teams use powerful cloud resources.

1. Organize privileges.
For the sake of speed and cross-training, many companies have “flat” data access controls, giving practically any employee access to assets such as source code, customer data, and sensitive corporate financial info for the sake of multitasking and cross-training. This makes it hard to put reasonable controls on access and prevent unchecked risk, especially given employee turnover. Decide how much granular access controls you need over data. If your business is in retail, for example, your data requires different handling than electronic health records or attorney-client files.

2. Reevaluate risk and number of third parties.
The more partners, the higher the risk — that’s just reality. So, to keep the attack surface/risk surface more manageable, assess which partners are truly necessary. In cases where providers can be consolidated pared them down to those willing to demonstrate a more serious commitment to security.

3. Map cloud usage to tame clutter.
Enterprises can license internal departments and users with cloud accounts to enable their teams to apply additional cloud-powered horsepower and fluidity to their respective missions. But the flip side of this is that cloud use can grow in silos, going astray from centralized oversight and policies. The key for these larger companies is to evaluate how internal teams are using the cloud. Taking inventory of what information is being stored and where it is essential to keep information secure. For example: How is the finance or HR team using Google Drive? How is the help desk or DevOps team using cloud services.

4. Securely dispose of what’s old.
Just like shredding boxes of past bank statements or wiping an old PC’s hard drive brings peace of mind, companies should securely tidy up by discarding any abandoned, orphaned, or partially (indefinitely) uncompleted projects in the cloud or on corporate networks. Developers, business development leaders and marketers often build proof-of-concept apps, databases, or other items that are fed live production/customer data, and that data might not be securely removed or wiped when the project is phased out. Because the cloud is so fluid, it’s easy to securely dispose of these occurrences, once you account for them in policies and planned actions.

5. Organization takes teamwork.
Once you have done the heavy-lifting of cleaning out your cloud/IT footprint, slash the hours and lift upkeep going forward by creating a cross-functional team — for example, the heads of business units relying on the cloud in your organization (sales, IT, finance, developers). Get their commitment to meet regularly over lunch or coffee to talk through their cloud usage needs, priorities, concerns, and lessons learned. When everyone is on the same page, disconnects that cause a lot of duplication, silos, and clutter are eliminated.

In life and technology, organization follows accumulation. Like attics, workshops, and garages, cloud spaces are seized on by technical and business leaders across an organization for the sake of getting things done. Only when assets grow and activity increases does it become apparent that there might be a lot of clutter, waste, or potentially dangerous conditions in different areas. Fortunately for those of us charged with keeping IT organized and humming, automated and process-driven controls can help make tidying up happen every day. This gives SecOps teams more time for security and compliance management.

Related Content:

• The 2019 State of Cloud Security
• ‘Cattle, Not Pets’ the Rise of Security-as-Code
• Security Depends on Careful Design
• How to Build a Cloud Security Model

Kaus Phaltankar is the CEO and Co-Founder at Caveonix. He most recently served as a Senior Vice President for Dell Technologies. Before that, Kaus was Global President of Virtustream Security Solutions, a Dell Technologies company, where he was an evangelist and a technology … View Full Bio

Article source: https://www.darkreading.com/cloud/the-life-changing-magic-of-tidying-up-the-cloud/a/d-id/1334928?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

In February 2019, the group behind the Triton attack on oil and gas companies changed their tactics: The group started scanning electric utility companies for vulnerabilities, according to critical infrastructure security firm Dragos.

The switch in targeting is the first publicly known instance of a group behind a specific critical infrastructure attack targeting multiple infrastructures, says Sergio Caltagirone, vice president of threat intelligence for Dragos. The capability to attack more than one target suggests the actors in the group have become more sophisticated and better-funded, he says.

“The challenge is that for as long as we have been tracking industrial threats, the threats have effectively stayed in their own silo,” Caltagirone says. “They have either been geographically focused or sector-specific, and the reason is that it costs so much time and resources to attack one specific sector of industrial that there really hasn’t been any publicly known group that has been able to cross over.”

The problem is that, while attackers have increased their capabilities, defenders still remain stuck with a limited number of tools—both technological and political—to dissuade the attacks on their networks. Most governments and companies targeted by such attacks are left with a single option: Learn about the attackers and then kick them out of the infrastructure. 

“We need a strategic response,” Caltagirone says. “There has to be some sort of recognition that we are all in the same space, and we have to somehow find a way to put pressure on them to stop.”

Critical infrastructure owners have a harder cybersecurity problem than most companies. Creating a reliable infrastructure has always been a priority, and that means not creating chaos with major changes or software updates. For that reason, industrial devices and critical infrastructure are designed to be deployed for decades rather than years, making the standard software security approach of frequent updates more a logistical nightmare, said Tim Mackey, principal security strategist at Synopsys.

“With digital sensors and computing devices within industrial plants having lifespans far exceeding those of commercial devices, a comprehensive patch management strategy designed with a detailed understanding of the software supply chain powering these devices is a critical component of ongoing threat mitigation,” he said in a statement.

For the most part, critical infrastructure companies keep watch on adversaries by passing around indicators of compromise (IOCs) among themselves through information sharing and analysis centers (ISACs). With adversaries changing their tactics frequently, however, they need to do more. 

“We have to get beyond IOCs—we have to, have to, have to,” Dragos’s Caltagirone says. “We have to start monitoring and identifying behavior. Because over time, over a year plus, these adversaries’ (tools) are going to change so many times, it will be nearly impossible to protect yourself.”

On the national level, despite the constant attacks on critical infrastructure, strategic options to dissuade such attacks seem in short supply. In 2018, the U.S. Department of Justice, for example, continued to use legal tools against such attackers, indicting both Russian and Chinese actors for attacking election infrastructure and private industry, respectively. The U.S. has imposed sanctions against both countries as well.

Nations and their critical industries need to go beyond those measures and cooperate on both limiting critical infrastructure attacks and improving defenses against such measures. 

“There has to be a defender that is not just the utility—meaning governments, transnational organizations, industry sharing groups, and so forth,” Caltagirone says. “You can’t have, say, Idaho protect against the Russians and have Mississippi have to do the same—that is an untenable request to make, and we don’t make that request in any other domain.”

For now, the intent of attackers—most of which are likely rival countries—is to find their way into targets of interest, according to Caltagirone. This activity, called “access operations,” teaches attackers a great deal about the targets of interest and what countermeasures the defenders are deploying. 

“What they are doing right now is very intelligent. This is what a mature organizations does—they take the time to figure out what organizations they want to beat,” he says.

Yet, in the end, if we don’t figure out a way to deal with the attackers—whether through technology or policy or both—then the outcome is grim, Caltagirone says. “If we don’t accept that understanding of the world and defend in that way, the adversary is going to walk right through all our defenses,” he says.

Related Content

• Triton Attackers Seen Scanning US Power Grid Networks
• Triton/Trisis Attacks Another Victim
• US Names, Sanctions Russian GRU Officials for 2016 Election Hacks
• Mueller Probe Yields Hacking Indictments for 12 Russian Military Officers
• US Indicts 2 APT10 Members for Years-Long Hacking Campaign

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline … View Full Bio

Article source: https://www.darkreading.com/utilities-nations-need-better-plan-against-critical-infrastructure-attackers/d/d-id/1334977?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

(Image: Itchaznong – stock.adobe.com)

Anyone watching the cybersecurity market has likely noticed a wave of acquisitions making headlines. The MA activity that remained constant last year has only increased in 2019.

“It’s like something’s in the water right now,” says Hank Thomas, CEO at Strategic Cyber Ventures (SCV), where experts had anticipated growth in the cybersecurity market. “We predicted the ability of the market to do this, and we thought it might be this year.”  

Cybersecurity Ventures reports more than $7 billion in cybersecurity deals during the first quarter of 2019 alone, and the market certainly hasn’t quieted since them. The industry is in a time when large companies are sitting on lots of cash and pondering their security capabilities.

Of course, some technologies are hotter than others. Cloud computing and application security are two notable types ripe for acquisition this year, for example. Service-focused businesses are looking to acquire “as-a-service” companies and wrap their services into their platforms, explains Jeff Pollard, Forrester vice president and principal analyst for security and risk professionals.

He calls this “a bit of an unconventional acquisition scenario, where services companies acquire intellectual properties they can build services around.” An example of this can be seen in NTT Security’s acquisition of WhiteHat Security, a deal confirmed in March. This acquisition also reflects a trend of companies investing in application security, which Pollard also has noticed.

“Applications generate revenue,” he says. The applications companies are building, and the software they’re making, go into products and services. “It’s not that every company is a software company — it’s that every company is making money with software now.” Application security goes to the forefront of their priorities because this is technology they use to protect revenue-generating applications, websites, mobile apps, and other products, Pollard continues.

The cloud is a hot target for traditional and legacy vendors, which are still slow to embrace the cloud and adopt native cloud functionality. Vendors struggle to offer the same experience in the cloud as they do on-premises, a challenge that has led to increased activity in cloud-focused MA, he adds.

These trends are evident in the cybersecurity acquisitions to take place so far this year. Here, we highlight 10 deals that stood out and discuss where the industry is headed. Any transactions you’re not seeing? Feel free to share your thoughts in the Comments section, below.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial … View Full Bio

Article source: https://www.darkreading.com/cloud/10-notable-security-acquisitions-of-2019-(so-far)/d/d-id/1334973?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Good data on attacker tactics, security incidents, and breaches is key to identifying trends in cybersecurity, but datasets — even among academic researchers — are often not made public and just as often are of poor quality, according to security researchers who presented their conclusions at the annual Workshop on the Economics of Information Security (WEIS) conference.  

In a previous sampling of some 965 papers, a group of researchers from the University of Tulsa found that only 6% created their own datasets and made them public. Yet the value of such data exceeds $663 million just in cost savings to subsequent research efforts, according to a paper presented at the WEIS conference by the same group.

“There is a lot of value there,” says Tyler Moore, one of the authors and an associate professor of cybersecurity at the Tandy School of Computer Science at the University of Tulsa. “Cybersecurity research datasets do create a lot of value by making the data available to other researchers.”

Data is key to a variety of initiatives in cybersecurity. From training machine-learning systems to detect threats to analyzing whether breach regulations actually results in better defenses, researchers and security professionals need more and better datasets. 

Yet sharing of data — even among researchers — does not happen often enough, says Sam Ransbotham, co-chairman of the WEIS 2019 conference and associate professor of the Carroll School of Management at Boston College.

“Everyone wants to use these datasets, but no one wants to create them and release them,” he says. “Companies want to show you all the cool stuff that they have done, but ask for their security data and that is a problem.”

Seven years after their original research into the costs of breaches, a group of researchers from the University of Cambridge pulled together the best data on current breach costs. The data is very scattershot and authoritative information is still not available, but the researchers are doing the best with the information they can obtain, Ransbotham says.

“The problem, trying to get more data, goes throughout all the papers,” he says. “None of this data is perfect. If you look at almost everything they talked about — and this is not negative — it is the current state of uncertainty.”

The value of the data is significant, the University of Tulsa researchers found. In the paper they presented at the WEIS conference, Moore and the other researchers analyzed a collection of cybersecurity datasets funded by the US Department of Homeland Security (DHS) and known as IMPACT; they found that almost 2,300 people have requested data from the system. With the average dataset valued at $291,000 in saved costs, those requests total $663 million. 

“The research community has to decide what our norms will be and what our values are,” Moore says. “There should be a default to make data sets available in order to view research as a scientific contribution.”

In previous research, Moore and other University of Tulsa researchers found that of a sample of 965 research papers, 55% used data in some form. About 44% of those papers using data did not create their own dataset, while 56% did. Yet only 6% of 965 papers both created their own data and publicly shared that data, according to the University of Tulsa research.

That leaves many researchers struggling to find creative ways to use existing data sets to produce new insights, says Boston College’s Ransbotham.

“These are people using trace data in some new and clever ways,” he says. “They are trying to figure out stuff from the data that is leaked out there in ways that are new.”

For many researchers, the problem is that sharing data gives no significant payoff. However, the University of Tulsa team found that a slight benefit: Research papers that included public datasets were cited an additional four times per year, which is small but significant, Tyler says. 

Still, that may not be enough to convince many researchers to share, he acknowledges.

“There needs to be a recognition in the community to share more widely, but how do we get there?” he says. “It would be great to have benefactors because right now you only have a very small amount of money from DHS.”

Related Content:

• Massive Changes to Tech and Platforms, But Cybercrime? Not So Much
• Nation-State Breaches Surged in 2018: Verizon DBIR
• Predicting Vulnerability Weaponization
• Researchers Finds Thousands of iOS Apps Ignoring Security
• Researchers Find Clues for Dramatically Reducing IDS Traffic Volume

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline … View Full Bio

Article source: https://www.darkreading.com/threat-intelligence/better-cybersecurity-research-requires-more-data-sharing/d/d-id/1334972?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Security researcher Arminius has discovered a hackable vulnerability and exploit in Vim, arguably the most commonly used text editor among developers, hackers, and system engineers.

Vim is generally included as “vi” in most Unix and MacOS distributions. The vulnerability takes advantage of a vim feature called modeline, which is typically used to create custom settings for the way text or formatting will be handled in a file, for a project, or for all occasions of the editor’s use.

In the exploit, a particular text string can be entered that causes the editor to accept arbitrary code and execute it outside of the sandbox in which most modeline commands are executed, regardless of whether that code has anything to do with the editor. The exploit is possible because, in many implementations, modeline is enabled by default, regardless of whether the system owner is using the feature.

The vulnerability has been patched in Vim patch 8.1.1365 and a Neovim patch (released in v0.3.6), but Arminius recommends that users explicitly disable modeline on their systems.

Read more here and here. 

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/application-security/common-hacker-tool-hit-with-hackable-vulnerability/d/d-id/1334975?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple