STE WILLIAMS

A previously undiscovered flaw in the WhatsApp messaging application allowed an attacker to target human rights activists and lawyers by compromising mobile phones and installing commercial-grade spyware just by making a call, Facebook and independent researchers stated on Tuesday.

A variety of government agencies, security companies, and digital rights activists warned WhatsApps users of the seriousness of the issue, although users have been protected since the Facebook subsidiary blocked the attack vector on the network late last week, the company said in a statement. WhatsApp briefed several human rights organizations on the attack over the past few days.

“We believe a select number of users were targeted through this vulnerability by an advanced cyber actor,” the company said. “The attack has all the hallmarks of a private company reportedly that works with governments to deliver spyware that takes over the functions of mobile phone operating systems.”

The attack shows the dangers of zero-day vulnerabilities, which are often sold to private companies and government agencies. The current exploit appears to be part of a spyware program called Pegasus, developed by Israeli cyber-offense firm NSO Group and sold to governments for surveillance purposes. The NSO Group, and other offensive tool providers, incorporate exploits for undiscovered security issues into their attack tools to give their customers the ability to hack into the technology used by targeted citizens and companies. 

The University of Toronto’s Citizen Lab, a digital-rights research group, warned that evidence suggests that a human-rights lawyer was targeted by the attack over the weekend. On May 14, both the UK National Cyber Security Centre and the US Cybersecurity and Infrastructure Security Agency warned users to upgrade to the latest version of WhatsApp.

“This new type of attack is deeply worrying and shows how even the most trusted mobile apps and platforms can be vulnerable,” Mike Campin, vice president of engineering for security firm Wandera, said in a statement. “While this attack is based on a previously identified exploit known as Pegasus, the fact that it has been repackaged into a form that can be delivered via a simple WhatsApp call has shocked many.”

WhatsApp is considered to be a fairly secure, yet easy to use, messaging application, and so many activists, journalists, and dissidents use the application to protect their communications. It is relatively unclear how many people were targeted with the latest attack. 

The Financial Times, which broke the story on May 13, noted that WhatsApp has been targeted successfully in the past with attacks that allowed specially crafted text messages to force affected phones to download the attacker’s spyware. WhatsApp has not yet estimated the number of people affected.

By all accounts, WhatsApp acted quickly and blunted the impact of the attack, but parent company Facebook gave very few details of the vulnerability or what happened. A vulnerability report published by the company on May 13 consisted of two sentences:

“A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of SRTCP packets sent to a target phone number,” the company stated, adding a second line listing the affected versions.

WhatsApp uses the secure real-time transport protocol, or SRTCP, to establish connections between clients and allow for audio and video calls. In this case, the code used to handle incoming data had a buffer overflow vulnerability, says John Kozyrakis, staff research engineer at Synopsys.

“Buffer overflow bugs are very common in code that parses incoming packets of complicated protocols due to the large attack surface,” he says, adding that by crafting a series of malicious SRTCP packets and sending them to a client identified by a phone number, an attacker could exploit the vulnerability. “The client is going to process this malicious packets and due to the buffer overflow bug, it will allow the attacker to also execute arbitrary code on the user’s device.”

An analysis by network security firm Checkpoint Software Technologies gives more details of the attack and how Facebook patched the WhatsApp application.

Despite the attack, security professionals continue to describe WhatsApp as a secure messaging application.

“WhatsApp remains one of the most safe and secure messaging clients, as far as security features are concerned, like encryption, message authentication, integrity, (and) replay protection,” Kozyrakis says. “[Another messaging app called Signal] uses the ZRTP protocol instead of SRTCP and may be considered more safe, while other messenger apps less so.”

WhatsApp’s quick response has likely cost the attackers, Bob Rudis, chief data scientist at vulnerability management firm Rapid7, said in a statement.

“This means they ‘burned’ the exploit—that is, wasted a valuable exploit on a campaign—since it’s now widely known and will get lots of attention and be patched by users pretty quickly,” he said. “These exploits tend to not be cheap so unless they really did get to their intended victims and find whatever they were looking for, this was a potentially big fail on their part.”

Related Content

• WhatsApp: Mobile Phishing’s Newest Attack Target
• Former NSO Group Employee Steals, Sells Spy Tools
• ‘Exodus’ iOS Surveillance Software Masqueraded as Legit Apps
• Pegasus For Android Spyware Just As Lethal As iOS Version
• Multiple Apple iOS Zero-Days Enabled Firm To Spy On Targeted iPhone Users For Years

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline … View Full Bio

Article source: https://www.darkreading.com/attacks-breaches/commercial-spyware-uses-whatsapp-flaw-to-infect-phones/d/d-id/1334713?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

A new resolution in the US House of Representatives would require all members of Congress and their staff members to receive annual training in information technology and cybersecurity.

The Congressional Cybersecurity Training Resolution, co-sponsored by Reps. Kathleen Rice (D-NY) and John Katko (R-NY), requires the chief administrative officer of the House to conduct the training. The two sponsoring representatives said that it is imperative that members of the House be able to recognize cyber intrusions and that the responsibility can best be met if they undergo the same sort of training now required of their staff members.

For more, read here and here.

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/vulnerabilities---threats/resolution-requires-cybersecurity-training-for-members-of-congress/d/d-id/1334716?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Websites suffer an average of 62 serious attack threats per day — an average of 376 million per day, according to a new study of more than 6 million websites worldwide.

“Even though the numbers seems a little small, 62 attacks is still a pretty big number,” says Monique Becenti, product and channel marketing specialist at SiteLock, which published the study in a report today.

Those attacks weren’t concentrated in ransomware and cryptomining malware, but in such “classic” techniques as backdoors, shells, and JavaScript files. The JavaScript attacks are notable because they tend not to directly attack the website, but to hijack visitor traffic and send them to alternate, illegitimate destinations.

The report points out both the type of stealth attack seen in 2018 and the risk factors for compromise, factors that boil down to site complexity, site popularity, and site composition, or the software or CMS used to build the site.

According to the report, sites built with one of the three leading CMS platforms — Drupal, Joomla, and WordPress — are from 1.6 to 2.2 time more likely to be infected with malware than the average site. The issue, though, is not as simple as a problem with vulnerable CMS platforms, according to Becenti.

“Core files are starting to update a lot faster, as far as checking the security vulnerabilities,” she says of the major CMS platforms. “However, one of the primary culprits I feel we have to be worried about are plug-ins and schemes.”

Becenti notes that the three major CMS platforms are much more diligent than they once were about patching vulnerabilities and sending updates in a timely fashion. The hundreds or thousands of third-party plug-ins that add functionality to the core platforms, though, are where many vulnerabilities are introduced — and where many of those vulnerabilities remain for months or years without being patched.

“Website attack attempts per day grew by 59% from January 2018 to December 2018,” according to the report.

In terms of the total number of sites surveyed, the report says that approximately 1% of all sites are infected with malware at any given time — making roughly 17.6 million websites worldwide struggling with an infection every day. And of those infected sites, 50% had at least one backdoor, 48% had at least one shell script, 47% had at least one file-hacker, and 46% had at least one malicious evaluation request.

And SiteLock said cryptomining malware was found on just 2% of infected sites.

Related Content:

• Security Depends on Careful Design
• 5 Security Challenges to API Protection
• Nation-State Hacker Group Hijacking DNS to Redirect Email, Web Traffic
• Threat Hunting 101: Not Mission Impossible for the Resource-Challenged
• 78% of Consumers Say Online Companies Must Protect Their Info

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and … View Full Bio

Article source: https://www.darkreading.com/vulnerabilities---threats/website-attack-attempts-rose-by-69--in-2018/d/d-id/1334714?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Teaching a machine to think like a human is the promise of artificial intelligence (AI). Using that narrow definition, it naturally follows that AI’s future could ultimately include the idling of countless millions of workers who are gainfully employed today.

These concerns about job loss are logical and unavoidable, but in my opinion, they are as unfounded as they are provocative. While someday in the distant future AI systems may start to approach the holy grail of emulating the thought process and analytical capabilities of a human, today’s capabilities put AI squarely in the category of a beneficial, time-saving tool rather than a human replacement.

Beginning with the Industrial Revolution and continuing into modern times, machinery has replaced workers. Automated looms disrupted the textile industry, and mass production disrupted the automobile industry. Desktop computing and word processing cut short many stenographer’s careers, and other tools such as email and voicemail have imperiled letter carriers and administrative assistants.

But AI is different. AI enables the creation of work products that often cannot be replicated by any countless number of able-bodied humans. How many workers would it take to approximate the search capabilities of Google’s AI algorithms? What personal shopper is so gifted that he or she could build bundles and offers with the targeted appeal that Amazon does a thousand times per second? What linguist is well-versed enough to understand the native tongue of nearly any soul on this earth?

The question is not how many people will lose their job as a result of AI, but how can people learn to use AI as a tool to improve the quality of the human existence?

Birth of the Computer Gives Rise to the Spreadsheet
Many people are surprised to learn that the word “computer” is not a new term but first appeared in the early 17th century to describe throngs of low-paid workers who toiled into the night performing repetitive calculations. This miserable task was ultimately laid to rest in the late 1970s with the invention of VisiCalc, the first modern spreadsheet. In fact, before the commercial introduction of spreadsheets for personal computers, people avoided the tedium of creating forecasts, budgets, or other computation-rich numerical models. The spreadsheet was a new tool. It made these numerical models easier to create and easier to modify. The entire concept of “what-if” analysis was essentially spawned by the advent of spreadsheets.

Did this result in large job losses? Obviously not. It made financial analysts and others more efficient and more productive. They had to learn how to use this new tool and had to evolve how they did their jobs, but in the end what the spreadsheet really did was to elevate their thinking, allowing them to spend more time on real problems, analysis, what-if scenarios, and the decisions facilitated by their results versus the manual, laborious effort of endless calculations.

The same concept applies to AI. AI is a tool that people need to learn how to use and how to apply to what they’re already doing. It can improve efficiency and productivity and relieve us of some of the laborious, tedious aspects of security analytics.

And just as spreadsheets created new jobs for people who became experts at using the new tool, AI will also create new jobs — jobs focused on applying AI to security, improving AI techniques to do a better job, and on maintaining these new tools and the underlying AI technology, including tuning and data collection.

To be more precise about the new opportunities, we should separate AI-birthed jobs into two categories:

• Jobs for engineers who are knowledgeable about AI and apply core AI capabilities across a wide range of fields, and
• Jobs for people who aren’t necessarily experts in AI but use AI-empowered applications where another developer has applied AI to a specific field — for example, security analysts who use AI-driven security tools.

A plethora of new jobs will be created for those with expertise in applying core AI technology to new fields and applications. Experts will be needed to determine the best type of AI to use for a particular application (deep learning, expert systems, machine learning), develop and train the models, and maintain and retrain the systems as needed. In fields such as security, where vendors have empowered security software with AI, it’s up to users — the security analysts — to understand the new capabilities and put them to the best possible use, just as their predecessors did with spreadsheets.

Where the AI Jobs Will Be
What AI does very well is to classify, predict, and automate repetitive tasks. Currently, for example, enterprise security analysts are faced with seemingly endless alerts about anomalous events or suspicious activities taking place within their organization. An estimated 99% of the time, these alerts are benign, false positives, according to Lastline’s analysis of customer network traffic. Though I’ve never done it myself, I have been assured that sifting through false positives is one of the least agreeable and lowest-productivity jobs ever conceived. No product is built nor problem solved, no profit is earned, and 99% of the time one’s effort is totally for naught.

Education is another well-recognized field where AI is creating new jobs. Currently, across the US, the top two positions in the list of academic openings are for security and machine learning experts. Universities simply don’t have enough people and can’t find professors to hire and to teach these critically important subjects. AI-powered job growth will grind to a halt and ultimately be frozen in place if higher education capacity is constrained any further.

To conclude, AI presents a tremendous opportunity for enterprising people. Employees have the opportunity to dive into a new field and abstract their job to a new, higher level of analysis and strategic value. Employers need to support these moves, allow time and flexibility, and generally stay open to employees reinventing themselves and their jobs as they embrace new technologies that will pay handsome dividends.

People won’t be replaced by AI and security analysts and educators won’t lose out to AI-driven security software. AI is here to stay and will be a powerful tool for improving our collective ability to defend against advanced threats. AI must be understood — its capabilities and limitations — and embraced as a new tool that already has had and will continue to have profound impact on security and other fields. But it’s not something to be feared as a job killer. Nothing could be further from the truth.

Related Content:

• 6 Essential Skills Cybersecurity Pros Need to Develop in 2019
• Hacker AI vs. Enterprise AI: A New Threat
• Artificial Intelligence: The Terminator of Malware

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

John DiLullo has nearly 30 years of demonstrated success in enterprise security, networking, cloud, and AI, plus go-to-market expertise spanning sales, marketing, customer success, technical support, and operations. His career includes extensive time domestically and abroad … View Full Bio

Article source: https://www.darkreading.com/careers-and-people/why-ai-will-create-far-more-jobs-than-it-replaces/a/d-id/1334635?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

There’s little debate about whether penetration tests should be part of a comprehensive cybersecurity plan. It’s critical that defensive systems be tested by real-world pros so vulnerabilities and weaknesses can be found and corrected.

Instead, the question is how to get the most from the investment.

In all but the rarest cases, a pen test means having a third party explore the strength of an organization’s security. Many of the keys to effectiveness have been repeated as business wisdom so often they’ve become cliché: Know what you want, know the group you’re hiring, communicate clearly, write it down, and have a plan for what you’ll do with the results.

[Hear John Sawyer, director of red team services at IOActive, present Getting the Most Out of Penetration Testing and Red Teaming at Interop 2019 next week]

With each of these points, and the others on this list, factors specific to third-party pen tests need to be considered. This list, cherry-picked from conversations, conference panels, Internet articles, and personal experience, include the basics about what an organization needs to think through before launching a third-party pen test. What other factors should be on this list? Let us know in the Comments section, below.

(Image: putilov_denis VIA Adobe Stock)

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and … View Full Bio

Article source: https://www.darkreading.com/threat-intelligence/effective-pen-tests-follow-these-7-steps----/d/d-id/1334697?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

For the past several years, security operations teams (SOCs) have consistently reported that one of the biggest obstacles they face is the lack of qualified candidates for open positions. With the increasing volume and sophistication of threats facing organizations, this problem has evolved from an inconvenience to a full-blown epidemic.

According to (ISC)² research, the shortage of cybersecurity professionals is currently close to 3 million globally and is expected to increase in the years to come. Given the increasingly digital-first orientation of the under-30 population, why is the security community experiencing this crisis of candidates, and more importantly, how can we close the gap?

Education
One of the most important elements used to evaluate candidates is their level of education. Over the past few decades, higher education has gone from being a luxury only a few could afford to an absolute requirement for gainful employment. Unfortunately, even though the job market has emphasized higher education as table stakes for most knowledge-based positions, not all forms of education are viewed as equal.

Typically, a college education is associated with a degree from a four-year institution, which many still view as the only true form of academic achievement. However, when recruiting for information security positions, hiring managers should look beyond these institutions for candidates, and also consider technical and trade schools as talent pools.

Historically, universities have focused on teaching more theoretical concepts. While these are important for developing critical thinking skills, they can leave some graduates underprepared for a hands-on career in information security. Trade schools, on the other hand, have always emphasized hands-on experience, which can prepare graduates to hit the ground running in their new careers. By focusing exclusively on graduates from four-year institutions, organizations are not only shrinking their talent pool but may also miss out on qualified candidates who may not have had the inclination or financial resources to acquire a traditional bachelor’s degree.

Experience
Education and experience go hand in hand. Every organization wants to ensure their staff has the tools to perform at a high level. However, many new graduates lack real-world experience, which may prevent quality candidates from applying to fill open positions. 

If experience is non-negotiable, organizations should consider partnering with universities, colleges, and trade schools to create programs that will produce graduates with the skill sets they desire. Through internships and work-study programs, organizations can train their prospects in their proprietary processes and procedures, and assess which possess the requisite tools to be brought on full-time, while students gain real-world work experience necessary to become gainfully employed.

Professional Burnout
One of the most overlooked factors contributing to the shortage of qualified information security professionals is burnout. The lack of staff within security teams and the firehose volume of incidents has forced existing personnel to take on increasing responsibilities and workloads. Often, this will lead to professional burnout and cause morale to drop. Together, low morale and burnout can lead to career train wrecks. It also explains why more individuals are not opting to join the security workforce. However, the industry as a whole can do something about by taking a few simple steps:

Mentorship
Creating a mentorship program within the organization that partners junior security professionals with senior peers provides two important benefits. Junior security analysts gain the experience they need to become more effective team members, while senior staffers get the additional support they desperately need to keep from burning out. In addition, this partnership will improve camaraderie and help boost morale.

Mentorship programs also benefit the organization by demonstrating to potential applicants that they will be valued, and have the opportunity to work in a team-oriented environment. With competition for qualified candidates at an all-time high, creating a culture that promotes professional development through on-the-job training and mentorship will attract applicants who are interested in a long-term career with the organization.

Automation
By its very nature, automation helps people do more with less. In SOCs, the automation of business processes can help free up security staff to not only perform more value-added tasks but also allow for a better work-life balance, and reduce the risk of the previously discussed burnout syndrome.

Automation can be used across a wide range of repetitive, early-stage functions such as prioritizing security events and vulnerability assessment findings, creating incident response workflows, and tuning security rulesets.

Related Content:

• 6 Essential Skills Cybersecurity Pros Need to Develop in 2019
• Staffing the Software Security Team: Who You Gonna Call?
• Ramblings of a Recovering Academic on the So-Called Lack of Security Talent

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Andrea Fumagalli has more than 20 years of experience in information technology and cybersecurity, and works globally with businesses and organizations including Fortune 500 multinational companies and governments on security technology related projects. View Full Bio

Article source: https://www.darkreading.com/risk/missing-in-action-cybersecurity-professionals/a/d-id/1334641?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple