STE WILLIAMS

Backpacker claims to find a network of hidden webcams in farm stay

You have to hand it to makers of disguised webcams: they sure are creative!

…and, of course, open to profiting off of whatever lascivious (or vigilant? or surveillance-happy? or all of the above?) purposes motivated customers to buy their cameras-disguised-as-fill-in-the-blank, be it smoke alarms, water bottles, USB power plugs, lightbulbs, alarm clocks, wall clocks, clothes hooks, Teddy bears, air fresheners, picture frames, wall outlets, smiley buttons, and…

…this just in: decorative bird statues glued to the bed’s footboard.

Those birds were just part of an extensive menagerie of gadgets (connected to USB cables for apparently no good reason) that a Dutch backpacker claims to have discovered in his bedroom when he checked in to a farm job in a remote Queensland spot in the scenic Glasshouse Mountains.

As NT News tells it, Maron de Rooij, 26, had signed up for a dreamy job that he saw posted on Facebook. It was with a company called Animal Ark Transport, which transports small animals, such as sheep, chickens, guinea pigs or similar.

The job promised free accommodations, a weekly paycheck, free meals, travel across four states and “a lot of fun” for a “male backpacker.” All this, driving in a climate-controlled vehicle that’s comfortable for both driver and pets/livestock.

According to NT News, de Rooij said the job looked “really promising” and almost “too good to be true”.

He claims that company manager Conrad Cosgrove showed him into his room – a “cozy” room with a queen-sized bed and en suite bathroom. The first thing Cosgrove pointed out was an infrared light in the ceiling that he said was a bug repellent. De Rooij alleges that it was actually a hidden camera.

He also alleges that there were cameras hidden in walls, behind corrugated metal shelves, and in the shower, along with one microphone.

As depicted in a walk-through de Rooij videotaped, there were USB cords all over the place.

Where are you going to go?

We typically tell people who find hidden webcams in Airbnbs or hotel/motel rooms or anywhere else to get dressed, capture images (as de Rooij did), to call the police (which he says he lacked the connectivity to do), and then to hightail it… which he couldn’t do, since he was in the middle of nowhere.

I couldn’t do anything. I was in a remote area and there was no reception.

So instead, he hid under the covers, managed to call his cousin in Australia, and waited until morning. That’s when the police, alerted by his cousin, arrived.

I didn’t know if there was a microphone and if he would be able to hear me talking.

After police searched the property and a computer, Cosgrove was charged with recordings in breach of privacy and possession of tainted property. He’s due to appear before Maroochydore Magistrates Court on 20 June.

Animal Ark Transport has vehemently denied wrongdoing, saying the charges are slanderous. On Tuesday, the business announced on Facebook that it was changing hands, with Cosgrove suggesting that it’s the best way to protect it:

I … trust that by disassociating myself from the Business that it will be free of Harassment and Slander.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/3-DcX28N1X4/

Facebook keeps deepfake of Mark Zuckerberg

After a fake video of House Speaker Nancy Pelosi depicting her drunkenly slurring her words went viral last month, Facebook said nope, we’re not taking it down.

We’ve flagged it as fake, Facebook said, we’ve de-prioritized it so it doesn’t show up (all that much) in users’ feeds, and we slapped third-party fact-checker information next to it.

Facebook VP for Product Policy and Counterterrorism Monika Bickert, from a grilling by CNN’s Anderson Cooper:

We think it’s important for people to make their own, informed choice about what to believe. Our job is to make sure we are getting them accurate information. And that’s why we work with more than 50 fact-checking organizations around the world.

Oh, reeeeeally?

Well, Facebook’s bluff has been called. Facebook, meet your CEO’s evil deepfake twin, the Zucker-borg who implies that he’s in total control of billions of people’s stolen data and ready to control the future. To rub a bit of salt into the wound, it was distributed on Facebook’s own Instagram platform, and it was gussied up with official CBS trademarking so it looked like a bona fide interview.

‘Imagine this…’ (2019) Mark Zuckerberg reveals the truth about Facebook and who really owns the future… see more @sheffdocfest VDR technology by @cannyai #spectreknows #privacy #democracy #surveillancecapitalism #dataism #deepfake #deepfakes

A post shared by Bill Posters (@bill_posters_uk) on Jun 7, 2019 at 7:15am PDT

Some of the things that the fake Zuck appears to say that the real Zuck has never said, at least not in a publicly broadcast news story that we’ve ever seen:

Imagine this for a second: One man, with total control of billions of people’s stolen data, all their secrets, their lives, their futures. I owe it all to Spectre. Spectre showed me that whoever controls the data, controls the future.

Another nod to authenticity was that the Instagram video was rigged with broadcast chyrons that made it seem like standard Facebook messaging handed out in a news segment: “We’re increasing transparency on ads,” it reads, and “announces new measures to ‘protect elections.’”

Facebook vs. fakery recap

Here’s a bit of history of how Facebook has approached fake news since it got into trouble over being used as a fakery cannon in the 2016 US presidential campaign:

In March 2017, Facebook started slapping “disputed” flags on what its panel of fact-checkers deemed fishy news.

The flags just made things worse. The flags did nothing to stop the spread of fake news, instead only causing traffic to some disputed stories to skyrocket as a backlash to what some groups saw as an attempt to bury “the truth”.

Then, in April 2018, Facebook threw in the towel on all that and decided on a new strategy, which is the one that Bickert explained to Cooper with regards to that Pelosi DeepFake (a video in which Pelosi’s voice was slowed down to 75% and its pitch tweaked to mask the slow-down). The new strategy: Decide for yourself.

Who is this ominous-sounding Spectre who’s controlling the Zucker-borg?

You might think that the “Spectre” the DeepFake Zuck is referring to is the global criminal organization that’s stuck sticks into James Bond’s spokes, but it is not. As Vice’s Motherboard explains, the Instagram DeepFake was created by two artists – Bill Posters and Daniel Howe – and the advertising company Canny.

Spectre is an art installation the two artists premiered last month, as part of the Sheffield Doc Fest in the UK, that promises to…

…reveal the secrets of the Digital Influence Industry, but only if you are willing, as the artists say, to ‘pray at the altar of Dataism with the Gods of Silicon Valley’.

CBS: Please stop

An Instagram spokesperson told Motherboard that the Zuck DeepFake will be handled like any other fakery: if it gets reported as false, and if third-party fact-checkers agree that it’s false, it will get filtered from what Instagram calls its recommendation surfaces: its Explore and hashtag pages.

Vice reports that on Tuesday evening, CBS asked Facebook to take down the video, as it displays “an unauthorized use of the CBSN trademark.”

Reactions to the deepfake have been mixed, with some saying it’s easy to spot as a fake. According to the Onion, others say that the video just isn’t quite good enough to give them the glee that they’ve come to expect from deepfake porn.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/MgY4lezZeoU/

UK Home Sec kick-starts US request to extradite ex-WikiLeaker Assange

UK Home Secretary Sajid Javid revealed this morning that he has signed papers to have Julian Assange extradited to the US.

Speaking on BBC radio earlier today, Javid said: “There’s an extradition request from the US that is before the courts tomorrow but yesterday I signed the extradition order and certified it and that will be going in front of the courts tomorrow.”

Javid’s certifying of the US extradition request lodged this week is the first formal step in having Assange sent across the pond. The next phase is tomorrow, when Belmarsh Magistrates’ Court will set a date for a full extradition hearing.

After that, assuming a district judge (full-time professional magistrate) OKs the extradition, Javid himself will make the final decision on whether or not to send the one-time chief WikiLeaker to America, as UK.gov’s website explains. It is almost certain Assange will file an appeal to the High Court after the district judge’s ruling, and again (as the law allows) after the Home Secretary’s final decision.

Avenging US government agents have long wanted Assange in their clutches because of his website WikiLeaks. As world+dog knows, WikiLeaks published classified material that mostly came from the US government, including the infamous “Collateral Murder” footage from gun cameras aboard American attack helicopters in the Middle East, depicting US pilots killing unarmed civilians.

It also published thousands of entirely unredacted US diplomatic cables, exposing the nation’s foreign policy workings and causing it severe embarrassment in the process.

Sweden, which previously wanted Assange over allegations of sexual assault, abandoned its attempt to get its hands on the Australian national a week ago after a local court decided not to grant prosecutors an EU Arrest Warrant. That would have bypassed normal extradition protections in UK law. Assange’s fans have always maintained that the Swedish proceedings were a front to have him extradited on to America.

Assange is charged in the US with 18 counts including publishing classified material, collaborating with ex-US Army leaker Chelsea Manning, and various other crimes. In UK law, the Americans must promise only to try Assange on the charges they have published so far before he can be handed over – and the possibility of the death sentence would automatically bar his extradition. So far the WikiLeaker has not been charged with capital crimes.

In his defence, Assange is understood to be claiming that he is a journalist and that the activities of WikiLeaks were journalism, rather than espionage as American prosecutors claim.

In May, Assange was sentenced for jumping bail in the UK when he fled to London’s Ecuadorian embassy, back in June 2012. He is currently serving 22 weeks in HM Prison Belmarsh in Woolwich, southeast London, with a theoretical release date of 2 October, well after the normal legal timescales for extradition hearings would be over. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/06/13/assange_extradition_us_sajid_javid_certified/

Train to be a top-notch cybercrime detective at SANS DFIR Europe Summit in Prague

Promo If you work in digital forensics or incident response and would like to advance to a higher level, the annual Digital Forensics and Incident Response (DFIR) event staged by security training company SANS is a must.

This year’s SANS DFIR Europe Summit and Training 2019 event takes place in Prague from 30 September to 6 October. The one-day summit on 30 September brings together leading DFIR experts to share their experiences, case studies, and stories from the field. Summit attendees will explore real-world applications of innovative solutions, new tools, techniques, and artifacts from all aspects of the fields of digital forensics and incident response.

What past attendees are saying…

“This continues to be my favourite conference to attend. It’s my chance to refresh, renew, and rebuild my DFIR spirit – all with awesome talks, people, and networking” – Summit attendee, 2018.

“The speakers and content at DFIR Summit are great. The experience drives me to explore tools and techniques I would possibly be unaware of were it not for this SANS event” – Summit attendee, 2018.

Complement your summit attendance and elevate your skills to the next level with the following training courses from 1-6 October. SANS are hosting a range of eight DFIR-focused courses, six of which offer the chance to gain a valuable GIAC certification:

Advanced incident response, threat hunting, and digital forensics

Chances are your systems are already under threat. The key is to be on constant alert for attacks that have found their way past security systems and to catch intrusions in progress, before the hackers have done their worst. Threat-hunting examines the network to spot and stop security breaches, noting malware patterns and behaviours to generate useful threat intelligence.

Advanced network forensics: threat hunting, analysis, and incident response

Whether you’re handling a case of intrusion, data theft, or employee misuse, the network often provides the best evidence. Examine various use cases to learn the skills needed for today’s growing focus on network communications in investigations.

Security essentials bootcamp style

Do you know why some organisations get compromised? Could you find threatened systems on your network? Are you sure all your security devices are effective? Are proper security metrics set up and communicated to your executives? Expert hints-and-tips will help you fight off the cybercriminals.

Windows forensic analysis

The mountains of data commonly held on Windows systems contain evidence of fraud, threats, industrial espionage, employee misuse, and intrusions. Learn how to recover data, track user activity, and organise findings for investigations and litigation. Hands-on lab exercises focus on Windows 7, Windows 8/8.1, Windows 10, Office and Office 365, cloud storage, SharePoint, Exchange, and Outlook.

Mac and iOS forensic analysis and incident response

Apple devices are everywhere, from coffee shops to corporate boardrooms. Acquire the forensic analysis and response skills you need to investigate any Mac or iOS device.

Advanced memory forensics and threat detection

Examine RAM to discover what happened on a Windows system. The course involves freeware and open-source tools, and shows how they work. An introduction to macOS and Linux memory forensics is also included.

Smartphone forensic analysis in-depth

Learn the ins and outs of mobile devices: where to find evidence, how the data got there, how to recover deleted data, how to decode evidence, and how to handle applications that use encryption.

Reverse-engineering malware: malware analysis tools and techniques

A popular course using monitoring utilities, a disassembler, a debugger, and other free tools to examine malicious programs that target Windows systems. End the course with a series of Capture-the-Flag challenges.

Plus: Level Up

Data security breaches and intrusions are growing more complex. Adversaries are no longer compromising one or two systems in your enterprise; they are compromising hundreds. Are your forensic skills up to scratch? SANS Institute has launched a new campaign in EMEA called Level Up to encourage people to test their cyber security knowledge and to help highlight the cyber security skills gap.

Take this short test and check out their Digital Forensics page, which has a tonne of great information and resources.

Full information and registration details are available right here.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/06/13/sans_dfir_europe_summit_prague/

SQL Injection Attacks Represent Two-Thirds of All Web App Attacks

When Local File Inclusion attacks are counted, nearly nine in 10 attacks are related to input validation failures, Akamai report shows.

Cyberattackers have several vectors for breaking into Web applications, but SQL injection continues to be by far their most popular choice, a new analysis of attack data shows.

For its “State of the Internet” report, Akamai analyzed data gathered from users of its Web application firewall technology between November 2017 and March 2019. The exercise shows that SQL injection (SQLi) now represents nearly two-thirds (65.1%) of all Web application attacks. That’s up sharply from the 44% of Web application layer attacks that SQLi represented just two years ago.

Local File Inclusion (LFI) attacks, which, like SQLi, are also enabled by a Web application’s failure to properly validate user input, accounted for another 24.7% of attacks. Together, SQLi and LFI attacks represented 89.8% of all attacks at the Web application layer over the 17-month period of Akamai’s study.

“The growth of SQLi as an attack vector over the last two years should concern website owners,” Akamai noted. “While every application attack vector is stable or growing, none are growing as quickly as SQLi.”

SQL injection errors and cross-site scripting (XSS) errors have topped, or nearly topped, the Open Web Application Security Project’s (OWASP) list of top 10 Web vulnerabilities for more than a decade. Just this week, in fact, HackerOne published a report showing XSS errors to be by far the most common security vulnerability in Web apps across organizations. Both XSS and SQLi are well understood, and many researchers have catalogued the dangers associated with them for years.

The fact that so many Web apps still have them reflects the relatively scant attention paid to security in the application development stage, says Andy Ellis, chief security officer at Akamai. “It is not that the developers are making errors,” he says. “It is the system that we put them into that is dangerous.”

Developers are under pressure to deliver code and are not given clear security guidelines and libraries to work with. “How many people really understand how to write an application that can talk securely with the database in the backend?” he notes. Few developers can understand security so deeply that a security flaw would actually represent a mistake for them, Ellis says.
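The two input-validation failures the report groups together (SQLi and LFI) both come down to letting untrusted input become syntax or a path. The following is an added example, not Akamai’s code or anything from the report: it contrasts a string-built query with a parameterized one against an in-memory SQLite table, and shows a path check for a file-inclusion feature. The table, the sample rows, the `/srv/app/templates` base directory and the function names are all constructed for illustration.

```python
import os
import sqlite3


def setup_db():
    """Build a small in-memory users table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b")],
    )
    return conn


def lookup_user_vulnerable(conn, username):
    """Deliberately unsafe: the input is spliced into the SQL text, so any quote
    character in it changes the query's structure instead of being data."""
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def lookup_user_safe(conn, username):
    """Parameterized form: the driver sends the value separately from the SQL,
    so the input is only ever compared as a string, never parsed as SQL."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,)
    )
    return [row[0] for row in rows]


def is_safe_include(base_dir, requested):
    """LFI guard: resolve the requested path under base_dir and refuse anything
    that normalizes to a location outside it (e.g. via '..' segments).
    realpath also collapses symlinks when the path exists on disk."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    return os.path.commonpath([base, target]) == base


if __name__ == "__main__":
    db = setup_db()
    crafted = "x' OR '1'='1"  # constructed input containing a quote
    print("vulnerable:", lookup_user_vulnerable(db, crafted))  # every user
    print("safe:      ", lookup_user_safe(db, crafted))        # no match
    print(is_safe_include("/srv/app/templates", "pages/about.html"))
    print(is_safe_include("/srv/app/templates", "../../etc/passwd"))
```

The safe lookup returns nothing for the quoted input because SQLite compares the whole string literally; the path check works on the normalized result rather than by scanning for `..`, which is why encoded or doubled-up traversal sequences collapse to the same answer.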

Akamai’s data shows most Web application attacks originate from inside the US and most targets are US-based as well. Of the nearly 4 billion application-layer attacks that Akamai counted over the 17-month period, some 2.7 billion targeted US organizations. Companies in the UK, Germany, Brazil, and India were also relatively heavily targeted, though nowhere near as much as US companies.

Another major takeaway from Akamai’s “State of the Internet” report is the sharp uptick in credential-stuffing attacks, where attackers use large datasets of stolen credentials to try and break into corporate accounts. During its analysis, Akamai counted a staggering 55 billion credential-stuffing attacks targeted at organizations in various verticals. In many cases, Akamai found attackers were launching credential-stuffing attacks using credentials that were stolen from websites via SQL injection attacks.

By far, companies in the gaming industry were the most targeted entities in credential stuffing attacks. Some 12 billion of the attacks that Akamai detected were, in fact, directed against organizations in the gaming sector. Each attack that Akamai counted represented an attempt to access an account to which the threat actor did not have legitimate access.

A lot of the interest in gaming companies appears to be the result of attackers viewing gamers as financially viable targets known for spending money on game-related items, including skins, game currency, and updates. Steve Ragan, a threat researcher from Akamai, says one of the more gratifying takeaways from the report is the fact that many gaming companies have taken measures to address the threats by educating users on issues like phishing and two-factor authentication.

“The takeaway is that credential stuffing is not going away,” Ragan says. But implementing multifactor authentication can slow it down. “If you do just token multifactor authentication or SMS authentication, it is better than having nothing at all,” he says. “Just user names and passwords are not really going to protect you anymore.”


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/sql-injection-attacks-represent-two-third-of-all-web-app-attacks/d/d-id/1334960?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Black Hat Q&A: Defending Against Cheaper, Accessible ‘Deepfake’ Tech

ZeroFox’s Matt Price and Mike Price discuss their work researching cybersecurity responses to the rising tide of ‘deepfake’ videos.

The tools and techniques to create false videos via AI-driven image synthesis are getting easier to access every year, and few people know that better than ZeroFox’s Matt Price and Mike Price (not related). In an email interview with Black Hat’s Alex Wawro, the pair of security experts shared their latest research, which will be presented at Black Hat USA in Las Vegas this summer.

Alex: Why are ‘deepfakes’ important?

Matt: For me personally, I think deepfakes are important because of their potential to change political discourse, and just public discourse in general. We’ve already seen evidence of this, not even with deepfakes, but with people splicing videos and slowing them down. I think deepfakes have a lot of potential to do some good, especially when you think about movies and special effects, but they also have a lot of potential to cause problems.

Mike: Long story short, here at ZeroFox we do a lot of work in terms of analyzing content for security-related issues. We started off as a social media security company, and when I arrived here four or five years ago, most of what we were doing was ‘Hey, is there something bad in this tech? Or, is there something bad in this image.’ So that brought us to the question — what about video?

A couple years ago, when deepfakes appeared on the scene, our research team organically took interest in the topic and we started looking into how they’re created, and how we can develop protections against them. I’ve been working with Matt to really round out not just the offensive parts but also the defensive part: how do you detect these things, and do something against them?

Alex: How good is deepfake tech right now, and how quickly do you think it will pose a significant threat to security systems?

Mike: The research that’s been done by other folks, and the work that we’ve done in understanding what’s going on out there suggests that the tools and the resources required to produce deepfakes are much lower-cost now. Previously, stuff like this didn’t really exist outside of Hollywood studios where they needed to synthesize a person’s image. But now you have these tools where anybody can download an open-source package and produce a fake video clip pretty quickly. So the cost has been brought down a ton, the complexity has been brought down a ton, so those are really the main risk factors.

As far as quality goes, from what we’ve seen there’s still a lot of work going on to really perfect this stuff; you have a lot of little hiccups with regards to, for example, getting a variety of different videos, jumping through all kinds of hoops to get the right kinds of source images, and so on. So there are still a lot of hurdles to producing deepfakes that are really dynamic, with many people in the video moving around and changing positions. You see mostly short clips of a single person looking forward; there are still some limitations to what’s easily accomplished with this tech.

But there’s a lot of work going on. The tooling seems to be getting better and better, and people are doing a lot of exploration of different algorithms that may be able to produce better results with less input. So that’s where things stand today. And as far as people using it for nefarious purposes, mostly we’re seeing lots of proof-of-concept videos out there. Nicolas Cage is the guinea pig for a lot of the work being done, and then you see some political examples — like the Obama video.

Alex: Why did you feel it was important to give this talk at Black Hat, and what do you hope attendees will get out of it?

Mike: A lot of people have asked about this subject; I know that in the federal space there are a lot of people thinking about whether this will be an issue in the future. So there’s lots of questions in the air about what deepfake technology is, how it works, how real it can be, that sort of thing. We want to explain all that, and then walk you through what your options are for detecting deepfakes and doing something about it.

Matt: To piggyback off that, I’m mainly interested in the detection side, and I think this talk is important because I’ve seen some quite sensationalist headlines saying there is no solution to deepfakes, which isn’t true. There are detection methods out there right now to detect deepfakes; DARPA’s actually heavily investing in this area as well. So that’s kind of the point, for me. We can detect deepfakes. There are tools to do it; this is just a security problem like any other.

Alex: What are you hoping to get out of Black Hat this year?

Matt: I’m really interested in some of the developments in neural networks and their applications to cybersecurity problems. My role at ZeroFox is mainly to run our data science program, so I’m always interested in the newest and latest tech on that front, and neural networks seem to be one of the hot topics for solving problems that traditionally we’ve had issues solving.

For more information about the ZeroFox Deepfake Briefing and many more check out the Black Hat USA Briefings page, which is regularly updated with new content as we get closer to the event. Black Hat USA returns to the Mandalay Bay in Las Vegas August 3-8, 2019. For more information on what’s happening at the event and how to register, check out the Black Hat website.

Article source: https://www.darkreading.com/vulnerabilities---threats/black-hat-qanda-defending-against-cheaper-accessible-deepfake-tech/d/d-id/1334949?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

The Rise of "Purple Teaming"

The next generation of penetration testing represents a more collaborative approach to old fashioned Red Team vs. Blue Team.

In 1992, the film Sneakers introduced the term “Red Team” into popular culture as actors Robert Redford, Sidney Poitier, Dan Aykroyd, David Strathairn, and River Phoenix portrayed a team of security experts who hire themselves out to organizations to test their security systems by attempting to hack them.

This was a revolutionary concept at the time — the term “penetration test” didn’t even exist yet, and the idea of a friendly security team trying to break through a company’s defenses wasn’t exactly commonplace. Today, penetration testing is an important part of any cybersecurity system, and both internal and external Red Teams play a critical role in that process.

But they don’t do it alone. Organizations often employ “Blue Teams,” referring to the internal security team tasked with defending against both real and simulated attacks. If this raises your curiosity about whether and how closely Red Teams and Blue Teams collaborate in security testing, then you’ve pinpointed the fast-rising cybersecurity trend of “Purple Teaming.”

What Makes Purple Teaming Different?

For years, organizations have run penetration tests similarly: The Red Team launches an attack in isolation to exploit the network and provide feedback. The Blue Team typically knows only that an evaluation is in progress and is tasked to defend the network as if an actual attack were underway.

The most important distinction between Purple Teaming and standard Red Teaming is that the methods of attack and defense are all predetermined. Instead of attacking the network and delivering a post-evaluation summary of findings, the Red Team identifies a control, tests ways to attack or bypass it, and coordinates with the Blue Team in ways that either serve to improve the control or defeat the bypass. Often the teams will sit side by side to collaborate and truly understand outcomes.

The result is that teams are no longer limited to identifying vulnerabilities and working based on their initial assumptions. Instead, they are testing controls in real time and simulating the type of approach that intruders are likely to utilize in an actual attack. This shifts the testing from passive to active. Instead of working to outwit each other, the teams can apply the most aggressive attack environments and conduct more complex “what-if” scenarios through which security controls and processes can be understood more comprehensively and fixed before a compromise.

How Deception Technology Adds Value to Penetration Testing

Part of what makes Red Teaming and Purple Teaming so valuable is that they provide insight into the specific tactics and approaches that attackers might use. Incorporating deception technology into the testing program can enhance this visibility. The first benefit comes from detecting attackers early by enticing them to engage with decoys or deception lures. The second comes from gathering full indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) on lateral movement activity. This significantly enhances visibility into how and when attackers circumvent security controls, enriching the information that typically results from these exercises.

Cyber deceptions deploy traps and lures on the network without interfering with daily operations. A basic deployment can easily be completed in under a day, providing the Blue Team an additional detection mechanism that blends in with the operational environment. This creates more opportunities to detect when the Red Team bypasses a defensive control, forcing team members to be more deliberate with their actions and making simulated attack scenarios more realistic. It also offers a truer test of the resiliency of the organization’s security stack and the processes it has in place to respond to an incident.

The rise of Purple Teaming has changed the way many organizations conduct their penetration tests by providing a more collaborative approach to old-fashioned Red Team vs. Blue Team methodology. The increased deployment of deception technology in cybersecurity stacks has further augmented the capabilities of both the Red and Blue teams by allowing them to adopt a more authentic approach to the exercises.


Joseph Salazar is a veteran information security professional, with both military and civilian experience. He began his career in information technology in 1995 and transitioned into information security in 1997. He is a retired Major from the US Army …

Article source: https://www.darkreading.com/threat-intelligence/the-rise-of--purple-teaming-/a/d-id/1334909?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

DNS Observatory Offers Researchers New Insight into Global DNS Activity

Among its early findings, 60% of the DNS transactions captured were handled by just 1,000 name servers.

The Domain Name System (DNS), which is part of essentially every transaction on the Internet, has also become a critical part of many online attacks. Now, a monitoring framework presented at IETF 104 in March is providing new insight into the way DNS queries are received and answered across the Internet, as well as how that process might have an impact on security.

The DNS Observatory is a research project backed by Farsight Security. It allows researchers to see details of the queries and traffic flowing between recursive DNS resolvers (the kind most users query when they type in a website name) and authoritative name servers (the DNS servers that keep the canonical list of Web names and addresses). 

According to Farsight, the DNS Observatory looked at streams of passive observations between recursive DNS resolvers and authoritative name servers. The Observatory processed over 1 trillion DNS transactions from January to March and saw over 2.5 million unique Fully Qualified Domain Names (FQDNs) per minute, on average.

One of the primary findings is that the vast majority of DNS resolution requests are handled by a relative handful of servers. “Approximately 60% of the DNS transactions captured in our list were handled by just 1,000 name servers; the majority of queries flowed into ASes [authoritative servers] operated by less than 10 organizations,” according to Pawel Foremski, scientist/senior distributed systems engineer at Farsight.

Paul Vixie, founder of Farsight Security, points out that this concentration of requests can represent a significant security risk for the global Internet. “I’d say it seems to be a lot of eggs in a small number of baskets,” he says. “We’re not seeing the kind of organizational diversity that characterized the earlier internet.”

Vixie explains that the limited number of authoritative name servers, coupled with subtle server behaviors regarding how long servers will try to respond to queries for a nonexistent domain or those involving both IPv4 and IPv6 addresses, means the time for resolving names has crept up over time. “Some of the transaction times here are almost a tenth of a second to reach some pretty popular domains,” Vixie says.

While that’s not a time likely to be perceived by a human user, it is enough time to create opportunities for attacks involving DNS. “When Dan Kaminsky came up with his novel attack on DNS transactions in 2008, it turned out that the time taken for a content server to answer a question from one of these recursive servers controlled the number of opportunities that the attacker would have to try to guess the various combinations of numbers that were in the transaction,” Vixie says.
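A back-of-the-envelope model of the relationship Vixie describes, added here as an example and not taken from the article or from Farsight: the authoritative server's response time fixes how many forged replies fit into one transaction window, and the entropy of the identifiers in the transaction fixes how likely any one of them is to be accepted. The 0.1 s window is the article's figure; the 10,000 forged packets per second is a constructed assumption, and 16 versus 32 bits stands for a 16-bit transaction ID alone versus the ID combined with a randomized source port (RFC 5452), which adds roughly another 16 bits.

```python
def guesses_per_window(response_time_s, spoof_pps):
    """Forged replies an attacker can fit into one transaction window: the gap
    between a resolver sending its query and the real authoritative answer arriving."""
    return int(response_time_s * spoof_pps)


def success_probability(guesses, id_bits):
    """Chance that at least one of `guesses` forged replies carries identifiers
    the resolver accepts, when those identifiers are one of 2**id_bits equally
    likely values.  Guesses are treated as independent draws; an attacker that
    never repeats a guess does slightly better (guesses / 2**id_bits)."""
    space = 2 ** id_bits
    if guesses >= space:
        return 1.0
    return 1.0 - (1.0 - 1.0 / space) ** guesses


def expected_windows_to_poison(response_time_s, spoof_pps, id_bits):
    """Mean number of transaction windows needed before one forgery is accepted."""
    p = success_probability(guesses_per_window(response_time_s, spoof_pps), id_bits)
    return float('inf') if p == 0.0 else 1.0 / p


if __name__ == '__main__':
    # Constructed parameters: the "almost a tenth of a second" from the article as
    # the window, an assumed 10,000 forged packets per second, and identifier
    # entropy of 16 bits (transaction ID only) versus roughly 32 bits (transaction
    # ID plus a randomized source port, RFC 5452).
    for rtt in (0.1, 0.05):
        for bits in (16, 32):
            guesses = guesses_per_window(rtt, 10000)
            print('rtt=%.2fs bits=%d guesses/window=%d P(success)=%.2e windows needed~%.3g'
                  % (rtt, bits, guesses, success_probability(guesses, bits),
                     expected_windows_to_poison(rtt, 10000, bits)))
```

Both levers matter for a defender: halving the response time halves the forged replies per window, while adding the source-port entropy drops the per-window success chance by about four orders of magnitude, which is why RFC 5452 port randomization, not only faster authoritative servers, was the practical answer to the 2008 attack.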

While increasing the number of authoritative servers could speed the transaction time for DNS resolution and minimize one set of risks, the possibility exists that the same action would increase other risks, Vixie says. “There is no way to separate the benefits and the costs of scale,” he says. “If we add a lot more name servers, then we will be adding more computers that have to be audited, upgraded, and fixed when they break.”

Vixie points out that these additional servers will need additional trained staff. The complexity will increase the attack surface for malicious actors to work on, and that attack surface will demand additional monitoring and protection. “There’s no way to avoid that,” Vixie says.

Farsight Security says it will make DNS Observatory data available to other researchers and invites ideas for its use.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/vulnerabilities---threats/dns-observatory-offers-researchers-new-insight-into-global-dns-activity/d/d-id/1334953?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Apple Pledges Privacy, Beefs Up Security

The company hits back at the data economy – and fellow tech giants Facebook and Google – by announcing its own single sign-on service. A host of other iterative security improvements are on their way as well.

Whether it’s from Apple fans, embedded marketing people, or actual developers, applause is an oft-heard feature of any keynote at Apple’s Worldwide Developers conference. 

Yet the loudest applause at this year’s conference came not for some shiny feature, but for a seemingly insignificant, geeky detail: providing users with randomized e-mail addresses. As part of its coming “Sign in with Apple” feature, the company said it will provide users with the ability to use a random e-mail address for each app, holding out the possibility that consumers could, once again, have some small control over the informational transactions with application makers.

The applause for that small detail was both raucous and sustained.

“A lot of love for random addresses here,” said Craig Federighi, senior vice president of software engineering at Apple, before the WWDC 2019 crowd last week. “And that’s good news because we give each app a unique random address. This means that you can disable any one of them at anytime when you are tired of hearing from that app.”

Among a host of announcements, the “Sign in with Apple” offering stood out. It promised to treat people as valued customers rather than digital horseflesh to trade on the open market, taking aim squarely at two technology giants of whom consumers — and governments — have increasingly become wary: Google and Facebook. And it gave Apple some measure of cover in the US government’s investigation of whether its own business should be considered a monopoly that needs to be broken up. A bifurcated Apple, after all, may not be able to offer privacy as a selling point.

“This gives them a chance to improve the privacy of, at least, Apple users,”  says Jacob Hoffman-Andrews, senior staff technologist at the Electronic Frontier Foundation. “They also show a world is possible where companies are not snarfing up all your data to make money.”

The announcement placed the focus at the WWDC 2019 on privacy, but in smaller venues speaking to a more technical crowd, Apple focused on security as well.

The company announced it had made app notarization — a process that runs automated security checks against developers’ release candidates — mandatory as of June 1, 2019. Not to be confused with the App Review process, notarization involves sending a release candidate to Apple, which scans the code for common errors and security problems and creates a certificate that validates the software. In return, developers are prevented from inadvertently shipping malicious code, gain the benefits of Apple’s hardened runtimes, and are provided an audit trail of their developer account’s activity, Garret Jacobsson, CoreOS security engineer at Apple, told developers at the conference.

“Users are more likely to download and try new software knowing that Apple has scanned it for known security issues,” he said.

The next version of the Mac OS, dubbed Catalina, will also have more extensive security checks. Apple has applied defense-in-depth principles to a greater extent in the coming version of the Mac OS. Gatekeeper, a program that originally blocked specific malicious software programs from running on Macs, has evolved into a much more comprehensive tool that scans for malicious content and also validates the signature provided as part of the notarization process.

While the current version of the Mac OS, Mojave, blocks apps from accessing certain types of data without explicit user permission — including contacts, calendar appointments, reminders, and photos — almost all user data will be included in the permission-based model in the coming version. Applications that try to access files on the desktop, in the user’s Documents folder, or in any type of storage will require either explicit or inferred permission. 

Unsurprisingly, considering its recent privacy-focused advertisements, Apple spent a great deal of time on showcasing its pro-privacy technologies. Any app that offers the capability of single sign-in with Facebook or Google will have to offer the user the “Sign-in with Apple” capability, Federighi said. In addition, the company will give users the ability to share location only a single time, requiring applications to request permission for each new time they want to use location data. 

“At Apple, we believe that privacy is a fundamental human right, and we engineer it into everything we do,” he said.

Apple’s moves, along with the regulatory pressure from the European Union’s General Data Protection Regulation (GDPR) and antitrust investigations, will likely put pressure on Google and Facebook to change how much control they give users.

“I think there is a lot of pressure on the data companies from a lot of different directions,” says Omer Tene, vice president and chief knowledge officer at the International Association of Privacy Professionals. “Apple will continue to be the most aggressive proponent of privacy as it provides them a competitive advantage.”

Yet, whether technology companies that provide services for free can wean themselves off of data remains to be seen, the EFF’s Hoffman-Andrews says.

“Apple’s particular corner of the market is sustainable because they are one of the richest companies on the planet,” he says. “But can others follow in their footsteps? Probably not.”

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline …

Article source: https://www.darkreading.com/apple-pledges-privacy-beefs-up-security-/d/d-id/1334955?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

This is grim, Vim and Neovim: Opening this crafty file in your editor may pwn your box. Patch now if not already

Proof-of-concept text files are now available that, when opened in a vulnerable installation of Vim or Neovim, will execute commands on the underlying machine, or even open a backdoor.

Bug-hunter Armin Razmjou this week documented a security hole, designated CVE-2019-12735, in the popular text and source code editors that can be potentially exploited by malicious documents to commandeer victims’ computers when opened. The vulnerability is present in Vim versions prior to 8.1.1365, and Neovim builds before 0.3.6.

Razmjou reported the issue to the maintainers of both applications on May 22. Vim had a patch out by May 23, and Neovim released its fix on May 29. Now that Razmjou’s exploit code is available, you should ensure you’re patched: updating either application to the most recent build will address the flaw. Razmjou also noted that some Linux distributions, such as Debian, ship with Vim configuration files that block the hole by default – more on that below.

Invader Vim

The infosec bod said the vulnerability lies in the code that handles modelines: instructions, usually placed near the top or bottom of a text file, that tell Vim how to set things like the text width or spacing for that file. It turns out these modelines can be abused to execute system commands on the underlying host as the user opening the file.

“The modeline feature allows to specify custom editor options near the start or end of a file,” Razmjou explained. “This feature is enabled by default and applies to all file types, including plain .txt.”

Normally, the modeline settings are limited to a small group of functions, and any system command to be executed is isolated in a sandbox to keep it from harming or accessing the rest of the computer.

That sandbox, however, can be turned off by appending a modifier (in this case !) to a source instruction, which reads in a named file from the file system, or the file being edited if % is given. Combining ! and % makes Vim execute commands embedded in the edited text file outside the sandbox.

Razmjou’s proof-of-concept text file demonstrates how this can be exploited to open a backdoor, known as a reverse shell, allowing miscreants to inject system commands over the network or internet, and cover its tracks after.

In another example, shown below, the text runs the command uname -a on the underlying box to get details of the operating system kernel.

:!uname -a||" vi:fen:fdm=expr:fde=assert_fails("source! %"):fdl=0:fdt="

Save that as poc.txt and then run vim poc.txt as normal to trigger the flaw.

In addition to updating Vim and Neovim to the latest versions, there are other protections you can put in place. Your .vimrc configuration file in your home directory can be modified to disable modelines entirely (add set nomodeline), or, on a patched build, to disable expression evaluation in modelines (set nomodelineexpr) while keeping the rest of the feature.

With Debian and some other Linux distros, the .vimrc ships with modelines already disabled by default, hence those versions are not vulnerable out of the box, though it is still a good idea to update your copy of Vim or Neovim to the latest version.
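For triage, the two things worth checking are whether a file you are about to open carries a modeline that sets an expression-evaluating option or contains the :source! / shell escape described above, and whether your .vimrc actually applies the mitigations. The following Python script is an added example, not code from Razmjou, Vim or Neovim; it mirrors Vim's modeline lookup (first and last five lines, the vi:/vim:/ex: markers, both modeline forms) and the list of expression options that patched Vim refuses to set from a modeline. The sample inputs are constructed apart from the proof-of-concept line, which is the one quoted in the article.

```python
import re

# Vim honours modelines only in the first and last 'modelines' lines (default 5).
MODELINES_WINDOW = 5

# Both modeline forms Vim accepts: "... vi:opts" and "... vim: set opts:".  The
# marker must follow start-of-line or whitespace, as in Vim's own check.
MODELINE_RE = re.compile(r'(?:^|\s)(?:vi|vim|Vi|ex):\s*(?:set?\s+)?(?P<opts>.*)$')

# Options (short and long names) whose values Vim evaluates as expressions; the
# CVE-2019-12735 fix stops modelines from setting these unless 'modelineexpr' is on.
EXPR_OPTIONS = {
    'fde', 'foldexpr', 'fdt', 'foldtext', 'inde', 'indentexpr',
    'fex', 'formatexpr', 'inex', 'includeexpr', 'stl', 'statusline',
    'tal', 'tabline', 'ruf', 'rulerformat',
}
ASSIGN_RE = re.compile(r'(?<!\w)(\w+)=')
# The escapes the article describes: a bang on :source, or a shell command (:!).
ESCAPE_RE = re.compile(r'source!|:!')


def scan_modelines(text):
    """Return (line_no, verdict, detail) for each modeline Vim would honour in text."""
    lines = text.splitlines()
    n = len(lines)
    window = set(range(min(n, MODELINES_WINDOW))) | set(range(max(0, n - MODELINES_WINDOW), n))
    findings = []
    for i in sorted(window):
        m = MODELINE_RE.search(lines[i])
        if not m:
            continue
        reasons = []
        expr = sorted(set(ASSIGN_RE.findall(m.group('opts'))) & EXPR_OPTIONS)
        if expr:
            reasons.append('sets expression option(s) ' + ', '.join(expr))
        if ESCAPE_RE.search(lines[i]):
            reasons.append('contains a :source! or shell escape')
        findings.append((i + 1, 'suspicious' if reasons else 'benign', '; '.join(reasons)))
    return findings


SET_RE = re.compile(r'^\s*se(?:t)?\s+(.*)$')


def check_vimrc(vimrc_text):
    """Report whether a .vimrc applies the two mitigations named in the article."""
    result = {'modelines_disabled': False, 'modelineexpr_disabled': False}
    for line in vimrc_text.splitlines():
        m = SET_RE.match(line.split('"', 1)[0])  # drop a trailing Vimscript comment
        if not m:
            continue
        for token in m.group(1).split():
            if token in ('nomodeline', 'modelines=0'):
                result['modelines_disabled'] = True
            elif token == 'modeline':
                result['modelines_disabled'] = False
            elif token == 'nomodelineexpr':
                result['modelineexpr_disabled'] = True
            elif token == 'modelineexpr':
                result['modelineexpr_disabled'] = False
    return result


# Constructed samples: a source file with a conventional modeline, the
# proof-of-concept line quoted in the article (saved as poc.txt), and two .vimrc files.
BENIGN_FILE = "# vim: set ts=4 sw=4 et:\nimport os\nprint(os.name)\n"
POC_FILE = ':!uname -a||" vi:fen:fdm=expr:fde=assert_fails("source! %"):fdl=0:fdt="\n'
HARDENED_VIMRC = ('set nomodeline      " ignore modelines entirely\n'
                  'set nomodelineexpr  " and never evaluate expressions from them\n')
WEAK_VIMRC = 'set modeline\nset modelines=5\n'

if __name__ == '__main__':
    for name, text in (('benign', BENIGN_FILE), ('poc.txt', POC_FILE)):
        print(name, scan_modelines(text))
    print('hardened', check_vimrc(HARDENED_VIMRC))
    print('weak', check_vimrc(WEAK_VIMRC))
```

The scanner deliberately reports only the lines Vim itself would consult, so a modeline buried in the middle of a long file is ignored just as Vim ignores it; a benign ts=/sw= modeline is listed so you can see it was examined, while the proof-of-concept line is flagged both for the fde/fdt expression options and for the :source! escape. The .vimrc check treats set modelines=0 as equivalent to set nomodeline, which is how Vim treats it.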

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/06/12/vim_remote_command_execution_flaw/