STE WILLIAMS

US States with the Worst Consumer Cyber-Hygiene

Ranking based on consumers’ cybersecurity practices – or lack thereof.

US consumers who practice the fewest cybersecurity best practices to protect their data live in the states of Mississippi, Louisiana, California, Alaska, and Connecticut, according to a new study.

While those five states were ranked the riskiest, according to a Webroot survey, Kentucky, Idaho, Ohio, North Dakota, and New Hampshire ranked the least risky in the US when it comes to consumer security habits. The study surveyed 10,000 US citizens across all 50 states to determine what they know about cyberthreats and how they handle privacy and security of their social media accounts and other data. 

In all, less than half of Americans protect their data: Sixty-four percent don’t set their social media accounts to private, 63% reuse passwords across multiple accounts, and 62% of participants use free antivirus software, the study showed. While nearly 80% say they have heard of malware, just 28% could define it. Even so, nearly 90% of respondents say they are adopting the proper cyber protections.

Just 5% back up their data, run a modern anti-malware tool, and rely on a password manager.

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/risk/us-states-with-the-worst-consumer-cyber-hygiene-/d/d-id/1334630?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

How a Chinese Nation-State Group Reverse-Engineered NSA Attack Tools

New Symantec research shows how the Buckeye group captured an exploit and backdoor used by the National Security Agency and deployed them on other victims.

A Chinese hacking group obtained access to an exploit and backdoor used by US intelligence – not by stealing the code, but apparently just by being a vigilant defender when it was attacked by them, new research published today found.

Researchers from security firm Symantec revealed evidence that a state-sponsored group they call Buckeye used an exploit in 2016 for a previously unknown vulnerability that was later leaked in April 2017. The exploit and a backdoor used by Buckeye were both part of the Equation Group toolset leaked by the Shadow Brokers, an unidentified hacking group. 

The report indicates that Chinese operatives reverse-engineered an attack by the Equation Group and began using the tools to attack others. Symantec by policy does not provide attribution for hacking groups, but other industry experts long have said Equation Group is the National Security Agency (NSA).

Buckeye’s study and development of the Equation Group tools is not actually surprising, says Eric Chien, technical director at Symantec, because security companies regularly do the same: learning attacker techniques to inform defense.

“The whole security industry publishes information every day on information gathered from attacks,” he says. “People should have already realized that … if you are conducting some cyber-offensive operation, those things could come back against you.”

The incident illustrates a major issue for military and security professionals considering the lessons of cyber warfare: Attacks essentially teach the victims how to attack. The timeline discovered by Symantec indicates that the Buckeye attack group had access to the exploit and backdoor for at least a year before the tools were leaked by Shadow Brokers.

The ability to reverse-engineer an attack and begin using the code is often just referred to as “reversing” or “re-rolling.” 

“If you look at the actual versions, what it looks like is that … the Shadow Brokers likely stole the tools” at some earlier time, and “then, the Equation Group continued to modify them and used them against Buckeye, who takes them and re-rolls the tools themselves,” says Chien. 

The tools released by the Shadow Brokers were from some earlier time, he says. “If you look at the version that the Shadow Brokers had, they have less features than ultimately what Buckeye recovered from the Equation Group,” Chien says.

Half ‘Eternal’

The exploit used in the Buckeye attacks is one half of the EternalRomance and EternalSynergy exploit tools, information on which was leaked by the Shadow Brokers. Both tools consisted of a remote exploit paired with an information disclosure exploit. While the remote exploit was the same, the information disclosure exploit differed, Chien says. 

Symantec discovered a custom tool that used the remote exploit from EternalSynergy and EternalRomance paired with a previous unknown information-disclosure exploit that Symantec reported to Microsoft in September 2018.

“Once we found that in 2018, we looked back to see when it was used and discovered the traceback,” Chien says.

In addition, the Buckeye group also began using a variant of the Equation Group’s DoublePulsar. 

Buckeye, also known as APT3, is a group linked to Chinese intelligence, three members of which the United States charged with hacking in 2018, while the Equation Group’s activities are linked to the National Security Agency.

The Shadow Brokers started leaking data and hacking tools used by the National Security Agency in August 2016.

This is not the first time that Symantec has discovered previously undetected links between zero-day exploits and malware. Since 2008, Symantec has analyzed the exploits used in malware and during compromises. In a paper released in 2012, Symantec found that seven of 18 zero-day attacks had gone unnoticed during the previous three years.

Chien confirmed that the descendant of that research system had also been used to detect the latest connection between the Buckeye group’s malware and the Equation Group’s exploits.

“That’s it,” he says. “That’s exactly it.”

Less Likely Scenarios

Other theories could explain the fact that the same tools are being used by two different nation-state groups, but none of them fit the data to the extent of Symantec’s preferred scenario. 

For example, if Chinese intelligence also ran the Shadow Brokers, that could explain why both Buckeye and the Shadow Brokers had access to the exploit and the backdoor. However, the theory would not explain the iterative improvement of the Buckeye group’s version of the tools, or the mismatch between those tools and what was eventually leaked by the Shadow Brokers.

“The tools that they—the Shadow Brokers—leaked are different versions than what Buckeye recovered,” Chien says. “For that to be plausible, what would have happened is that the Shadow Brokers would have to have been holding more tools than they leaked, and we don’t have any evidence of that.”

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline …

Article source: https://www.darkreading.com/attacks-breaches/how-a-chinese-nation-state-group-reverse-engineered-nsa-attack-tools/d/d-id/1334632?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Orgs Are Quicker to Disclose Breaches Reported to Them Via External Sources

Companies that find a breach on their own take substantially longer to report a breach, a new analysis shows.

A security vendor’s analysis of breach data from first-quarter 2019 suggests an organization that discovers a security breach on its own is actually likely to take longer to disclose it than an organization alerted to a breach via an external source.

Risk Based Security found that when organizations first learned of a breach from an external source such as law enforcement, they publicly reported the incident within 43 days, on average. In contrast, when organizations discovered a breach via an internal team, they took a much longer 74 days on average to report it. Half of all externally discovered incidents were reported in just eight days compared with a median of 46 days for internal discovery.

That finding is somewhat unexpected. It runs counter to the theory about organizations that are better able to detect a breach also being better prepared to respond to it, says Inga Goddijn, executive vice president of Risk Based Security. “We’re very interested in understanding whether the first-quarter report findings are an outlier or a more typical result,” Goddijn says.

For now, the reasons why it might be happening are really anyone’s guess, she says. “We have some theories as to why companies that discover their own breaches would take longer to disclose them. But we’d like to see more data before pointing to possible reasons for the delay,” Goddijn notes.

Risk Based Security’s report shows that an astounding 1,903 breaches were publicly disclosed in the first three months of this year. That number has already put 2019 on track to being the worst year ever for data breaches. The number of reported breaches in first-quarter 2019 was 56.4% higher than the number reported in the same period last year. The number of exposed records shot up 28.9% from about 1.5 billion in 2018 to 1.9 billion this year.

As is usually the case, a handful of breaches were responsible for a vast majority of the records that were compromised last quarter. One breach alone — at email verification company Verifications.io — exposed some 983 million records containing names, email addresses, dates of birth, personal mortgage amounts, and other data. Most reports of the incident so far have pegged the number of exposed records at a smaller, but still staggeringly high, 763 million.

Risk Based Security’s report showed that, together, the top five breaches in the first quarter accounted for about 1.3 billion of the total number of exposed records. In other words, the number of records exposed in the remaining 1,898 breaches combined was around 600,000.

Web Compromises Remain Top Cause for Data Exposures
Malicious hacking remained the top cause for data breaches. It accounted for 84.8% of reported security breaches last quarter. However, significantly more records once again were compromised through exposures on the Web — of the accidental, negligent, and malicious variety — than any other breach cause. Risk Based Security’s analysis showed that nearly 68% of the records that were compromised in the first quarter were via leaks on the Web.

“Researchers are increasingly going public when they discover sizable, unprotected databases containing sensitive information,” the Risk Based Security analysis noted. “Unfortunately, they aren’t terribly difficult to find when you know where to look.” The massive compromise at Verifications.io, for instance, happened because a MongoDB database containing the sensitive information was left completely open — without even password protection — and accessible to the Internet. 

More than eight in 10 (85.6%) of the records that were exposed last quarter belonged to organizations in the business sector, which in Risk Based Security’s counting includes finance and insurance companies. Meanwhile, the government and education sectors — often criticized for lax security practices — accounted for some 5.8 million exposed records or less than 0.03% of the total last quarter.

“Despite so much attention on the need for improving security, breaches are still happening at an unprecedented rate,” Goddijn says. “There really is no sign of a slowdown in breach activity, which to me illustrates just how difficult it is to protect networks and data.”

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/orgs-are-quicker-to-disclose-breaches-reported-to-them-via-external-sources-/d/d-id/1334636?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Baltimore City Network Struck with Ransomware Attack

Government employees are working to determine the source and severity of a cyberattack that forced most city servers offline.

The city of Baltimore has been hit with a ransomware attack that forced the shutdown of most city servers as officials investigate the origin and severity of the campaign.

Baltimore’s 911 and 311 systems were not affected in the incident, the Baltimore Sun reports. City Hall employees were instructed to unplug Ethernet cables and turn off computers, printers, and other devices, Democratic city councilman Ryan Dorsey said to the publication. He indicated the attack was “spreading computer to computer.”

Lester Davis, a spokesman for Democratic mayor Bernard C. “Jack” Young, noted this attack was similar to the ransomware campaign that infected Greenville, NC, last month. In that case, officials found a form of ransomware called RobinHood. It has not yet been determined which specific type of threat has been used in this particular attack against Baltimore.

This marks the second time ransomware has hit Baltimore: In March 2018, a cyberattack infected the city’s 911 dispatch system and took down automated dispatches for 911 and 311 calls. An Internet port was reportedly left unprotected and exploited by attackers, officials said.

Article source: https://www.darkreading.com/endpoint/baltimore-city-network-struck-with-ransomware-attack/d/d-id/1334639?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

MegaCortex ransomware distracts victims with Matrix film references

It’s easy to forget that malware authors are regular human beings with hobbies and interests – not that different from their many victims, in fact.

Take the contrived tendency to embed references to popular culture in malware – as the creator behind a new type of ransomware called MegaCortex has done.

Film buffs will recall that MegaCortex is the faceless software corporation that employs Neo, the hero-hacker who swallows the red pill in The Matrix, itself a veiled pop-philosophical reference to notions of choice and free will.

In the case of MegaCortex, instances of which SophosLabs has noticed ticking up significantly in the last week, the idea of choice-under-pressure is apt. Anyone infected is confronted with a ransom note written in a style reminiscent of The Matrix’s Morpheus character:

Your companies (sic) cyber defense systems have been weighed, measured and have been found wanting. The breach is the result of grave neglect of security protocols.

And:

We can only show you the door. You’re the one who has to walk through it.

The posturing pomposity is, of course, all part of a psychological game in which the attackers attempt to project the idea that they, not the victim, are in control.

One moment, the defenders’ network looked secure. The next, as if out of nowhere, the ransom note pops up. For any organisation that isn’t anticipating this sort of attack, it’s easy to be put at a disadvantage by such a surprise tactic.

The tactic is to keep defenders in this state for as long as possible using distraction, ideally until they pay up. If that means bombarding them with gratuitous film references, so be it.

The desert of the real

Strip away the pretence and vanity and MegaCortex is simply an example of the ransomware modus operandi, which after its early boom a few years ago has become increasingly, and often highly, targeted.

For example, at least one of the attacks detected by SophosLabs in recent days used credentials stolen from a domain controller, which implies that the attackers were ‘hands on’.

It also underlines that they spent time looking for those credentials, which was point zero for the whole attack.

SophosLabs speculates that there is a correlation between MegaCortex and Emotet and Qbot malware on the same network, which might be acting as its delivery system.

That has yet to be confirmed, but if correct it would be just the latest example of how vicious ransomware can appear unbidden on the back of larger distribution platforms.

MegaCortex is a good example of industrial ransomware that isn’t going away even if attention has moved on to what look like bigger and badder things.

In recent months, here at Naked Security we covered a number of severe attacks, including that on a swathe of US newspapers that delayed their publication, and more recently, GandCrab.

Avoiding ending up as another stat on the victim list takes some work, a checklist for which you can read on our coverage of the prolific and distinctively manual SamSam.

There is no simple takeaway from this so much as lots of small ones that can make the difference. However, paying close attention to the security of privileged accounts is a good place to start.

As The Matrix’s Morpheus observed:

Believe me when I say we have a difficult time ahead of us. But if we are to be prepared for it, we must first shed our fear of it.

Sophos protects

Sophos Antivirus detects these samples as Bat/Agent-BBIY, Troj/Agent-BBIZ, Troj/Agent-BAWS, and Troj/Ransom-FJQ. Sophos Intercept X protects against MegaCortex ransomware.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/DHlQmoJatI8/

Be wary of emails with links to … er, Google Drive? Is that right?

Spammers are increasingly turning to common file-sharing and object storage services such as Google Drive and Microsoft Azure, in an attempt to evade ever-better corporate filters.

“Embedding links to trusted services helps attackers bypass traditional content filters, such as spam filters, which might otherwise block the scams,” opined infosec biz Netskope in its recent research into the phenomenon of phishing emails leveraging popular file-sharing sites.

The attack vector is simple: the victim receives an email or SMS with bait text encouraging them to click a link to one of the popular sites. Netskope named these as Google Drive, AWS, Azure and Alibaba.

Aside from looking convincing, the approach offers potential victims links to sites they would otherwise trust, instead of the old-fashioned approach of sending links to new domains controlled by attackers. As public awareness of basic infosec techniques rises, cybercrims are moving with the times.

Moreover, reckoned Netskope, using public file-hosting sites makes it easier to bunny-hop from one to another when links or uploads are taken down, rather than the mild faff it causes the miscreants when entire domains used for criminal purposes are deleted.

“While currently only being used for long-running scams targeting individuals, these techniques could also be used to target businesses that use services such as Google Drive,” said Netskope’s Abhinav Singh in a statement. “We should begin educating users and putting controls in place to protect ourselves against the onslaught of attackers abusing cloud services.”
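The filtering gap described above is easiest to see side by side: a filter that judges a link by its hostname alone waves through a lure hosted on Google Drive, while a layered check that treats a trusted host as untrusted content routes hosted-file links from unfamiliar senders to review. The script below is an added example and is not Netskope’s tooling or code; the hostname patterns, the reputation allowlist and the sample messages are constructed assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Public file-sharing / object-storage services named in the article. The
# hostname patterns are assumptions made for this example, not Netskope's list.
FILE_SHARING_HOSTS = {
    "drive.google.com": "Google Drive",
    "docs.google.com": "Google Docs",
    "amazonaws.com": "AWS S3",
    "blob.core.windows.net": "Azure Blob Storage",
    "aliyuncs.com": "Alibaba Cloud OSS",
}

# A naive domain-reputation allowlist (assumed): the kind of filter that
# judges a link by its hostname alone.
REPUTABLE_DOMAINS = {"google.com", "amazonaws.com", "windows.net",
                     "aliyuncs.com", "microsoft.com"}

URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def _host_under(host, domain):
    """True if host is the domain itself or any subdomain of it."""
    return host == domain or host.endswith("." + domain)


def extract_urls(text):
    return URL_RE.findall(text)


def classify_host(url):
    """Name the file-sharing service a URL points at, or None."""
    host = (urlparse(url).hostname or "").lower()
    for pattern, service in FILE_SHARING_HOSTS.items():
        if _host_under(host, pattern):
            return service
    return None


def reputation_only_verdict(body):
    """The filter the article says attackers evade: any link on a reputable
    domain passes, so a lure hosted on Google Drive is waved through."""
    for url in extract_urls(body):
        host = (urlparse(url).hostname or "").lower()
        if not any(_host_under(host, d) for d in REPUTABLE_DOMAINS):
            return "review"
    return "allow"


def layered_verdict(sender_domain, body, known_sender_domains):
    """Trusted host is not trusted content: a hosted-file link from a sender the
    organisation has no history with goes to review. Links on unknown domains
    are still reviewed as before."""
    findings = [{"url": u, "service": classify_host(u)}
                for u in extract_urls(body) if classify_host(u)]
    if findings and sender_domain.lower() not in known_sender_domains:
        return "review", findings
    if reputation_only_verdict(body) == "review":
        return "review", findings
    return "allow", findings


# Constructed sample messages (not real phishing mail); .test and .example are reserved names.
KNOWN_SENDERS = {"partner.example"}
SAMPLE_MESSAGES = [
    ("billing@unknown-example.test",
     "Your invoice is ready: https://drive.google.com/file/d/EXAMPLEID/view"),
    ("alice@partner.example",
     "Q2 figures are here: https://drive.google.com/file/d/EXAMPLEID/view"),
    ("promo@unknown-example.test",
     "Claim your prize: http://login-secure.example/verify"),
]


def run_samples():
    """Return [(sender, reputation_only_verdict, layered_verdict)] for the samples."""
    results = []
    for sender, body in SAMPLE_MESSAGES:
        domain = sender.split("@", 1)[1]
        results.append((sender, reputation_only_verdict(body),
                        layered_verdict(domain, body, KNOWN_SENDERS)[0]))
    return results


if __name__ == "__main__":
    for sender, rep, layered in run_samples():
        print(f"{sender:32} reputation-only={rep:7} layered={layered}")
```

The first sample is the case the article describes: the reputation-only filter returns `allow` because the host is Google’s, while the layered check returns `review` because a hosted file arrived from a domain the organisation has never corresponded with. The same link from a known partner is allowed, so the extra scrutiny is spent where the bypass actually lives.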

Targeted techniques for phishing and malware deployment are gaining popularity among cybercrims, as Britain’s GCHQ spy agency mentioned during a public conference last week, referring to one specific instance of black hats abusing a pairing feature on OTT app Viber to secure instant access to a target’s phone contacts book.

Social engineering, as an attack vector, is on the rise too, with criminals relying on tried and tested strategies that are almost as old as the invention of email itself instead of developing ever more powerful malware strains. Those techniques are paying off, as Indian outsourcer Wipro found to its cost. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/05/07/file_sharing_sites_phishing_research/

Better Behavior, Better Biometrics?

Behavioral biometrics is a building block to be used in conjunction with other security measures, but it shows promise.

The quest for frictionless yet secure authentication has been the central driver of innovation in identity and access management (IAM) systems for a long time. But today — as new technologies become available and passwords continue to fall by the wayside — novel forms of authentication are coming faster than ever.

For instance, many industries have grown comfortable using device-based biometrics such as fingerprint, voice, and face recognition, and some major brands — including Bank of America, Cigna, Intuit, and T-Mobile — have even begun to allow “biometric gesture”-based authentication on mobile phones, tablets, and PCs. A unique swipe or similar gesture is used to securely access online services and eliminate the need for passwords.

The global market for biometrics overall is growing nearly 20% annually and is on track to reach more than $10 billion by 2022. Amid this burgeoning market, “behavioral biometrics” has emerged as a new segment. This new area uses various sensors on your phone to create a behavioral signature. Behavioral biometrics on smartphones may prove to be a big driver of biometrics market growth. Against this backdrop, the evolution of behavioral biometrics could have a major impact on the whole IAM industry. 

Understanding Behavioral Biometrics
What is behavioral biometrics? Normal biometrics actively asks the user to engage the system in some way, such as swiping a finger or looking into the facial recognition camera or iris sensor/camera. Once the active gesture is complete, the biometric system match is done. 

The phrase “behavioral biometrics” is typically applied to the passive monitoring of biometric signals on a continuous basis: for example, checking how a user interacts with his or her device to assess whether this is the same person who was initially enrolled or authenticated through active measures. The first wave of behavioral biometrics looked at how the user was typing on a keyboard. With mobile devices, it became possible to look at other sensor data indicating the angles at which the phone is held, the speed of taps and swipes, etc. The key is that behavioral biometrics does not ask the user for a gesture but instead passively monitors his or her interactions on the device.

Behavioral biometrics continues to evolve. Its assessments may include the steps a person takes, the gait while walking, the angle at which the phone is held, and the way the user types on the keyboard, etc. All these elements are captured, analyzed, and aggregated to create a behavioral “profile” for that user to verify identity and detect when the user changes. 

One of the major benefits of behavioral biometrics is that authentication can continue after the user has been authenticated with his or her password, one-time password, or biometric. The behavioral system passively monitors interactions over time. The goal is to detect when the “user” of the phone (or PC) changes or is different from the one who authenticated at the start, thereby indicating potential risk. As long as this passive monitoring keeps indicating that nothing has changed, the user session (cookies or tokens) can be long-lived without explicitly asking the user to repeat an authentication gesture.

Breaking Down Security and Privacy
Despite the “wow” factor of behavioral biometrics, there are issues around both security and privacy. Behavioral biometrics is not a substitute for strong authentication and cannot protect against phishing or other common attacks. It is suitable to augment strong authentication to detect changes in the user of the device.

Strong authentication is required to establish the initial session. Then, depending on the risk profile of the application, a returning user could be taken directly into a secure session without repeating strong authentication. Usually, this is done for the sake of lowering user friction. Note that if the user is performing a sensitive operation or when the maximum advisable time for a session is met, you should repeat the strong authentication step.
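To make concrete both the enrol-then-monitor flow described under “Understanding Behavioral Biometrics” and the session policy in the paragraph above, the following is an added example, not code from the author or from Nok Nok Labs. It enrols a behavioral profile from passive observations, scores later observations by how far they drift from that profile, and only lets a session stay alive while the smoothed drift is low, the maximum session lifetime has not been reached, and no sensitive operation is requested. The feature names, units, thresholds and enrolment data are constructed assumptions.

```python
import statistics

# Passive signals of the kind the article lists (typing rhythm, tilt, swipe
# speed); the feature names and units are assumptions made for this example.
FEATURES = ("key_hold_ms", "key_flight_ms", "tilt_deg", "swipe_px_per_s")


def build_profile(enrollment_samples):
    """Enrolment: per-feature mean and standard deviation of the legitimate
    user's observations, gathered while a strongly authenticated session is live."""
    profile = {}
    for f in FEATURES:
        values = [s[f] for s in enrollment_samples]
        # pstdev of a constant feature is 0; fall back to 1.0 to avoid dividing by zero
        profile[f] = (statistics.fmean(values), statistics.pstdev(values) or 1.0)
    return profile


def drift_score(profile, observation):
    """Mean absolute z-score across features: 0.0 means the observation sits
    exactly on the enrolled behaviour; large values suggest a different user."""
    return sum(abs(observation[f] - mean) / sd
               for f, (mean, sd) in profile.items()) / len(profile)


class ContinuousSession:
    """A session opened by strong authentication and kept alive by behaviour.

    Step-up (repeating strong authentication) is required when the session
    exceeds its maximum lifetime, when a sensitive operation is requested, or
    when the smoothed drift score says the person holding the device changed."""

    def __init__(self, profile, now, max_lifetime_s=8 * 3600,
                 drift_threshold=3.0, window=5):
        self.profile = profile
        self.authenticated_at = now
        self.max_lifetime_s = max_lifetime_s
        self.drift_threshold = drift_threshold
        self.window = window
        self.scores = []

    def observe(self, observation):
        """Feed one passive observation; keep only the last `window` scores so a
        single odd sample does not trip the check on its own."""
        self.scores.append(drift_score(self.profile, observation))
        self.scores = self.scores[-self.window:]

    def smoothed_drift(self):
        return statistics.fmean(self.scores) if self.scores else 0.0

    def check(self, now, sensitive=False):
        """Return 'ok' or 'step_up:<reason>'; the strongest policy reason wins."""
        if now - self.authenticated_at > self.max_lifetime_s:
            return "step_up:session_expired"
        if sensitive:
            return "step_up:sensitive_operation"
        if self.smoothed_drift() > self.drift_threshold:
            return "step_up:behavior_drift"
        return "ok"

    def step_up_completed(self, now):
        """Strong authentication repeated successfully: restart the clock and
        discard drift history gathered before it."""
        self.authenticated_at = now
        self.scores = []


# Constructed enrolment data for one user (not measurements from any product).
ENROLLMENT = [
    {"key_hold_ms": 95, "key_flight_ms": 180, "tilt_deg": 40, "swipe_px_per_s": 1200},
    {"key_hold_ms": 100, "key_flight_ms": 190, "tilt_deg": 42, "swipe_px_per_s": 1300},
    {"key_hold_ms": 105, "key_flight_ms": 185, "tilt_deg": 38, "swipe_px_per_s": 1250},
    {"key_hold_ms": 98, "key_flight_ms": 175, "tilt_deg": 41, "swipe_px_per_s": 1150},
    {"key_hold_ms": 102, "key_flight_ms": 195, "tilt_deg": 39, "swipe_px_per_s": 1350},
]
OWNER_LIKE = {"key_hold_ms": 103, "key_flight_ms": 188, "tilt_deg": 41, "swipe_px_per_s": 1280}
OWNER_OUTLIER = {"key_hold_ms": 115, "key_flight_ms": 220, "tilt_deg": 46, "swipe_px_per_s": 1600}
INTRUDER = {"key_hold_ms": 160, "key_flight_ms": 300, "tilt_deg": 15, "swipe_px_per_s": 600}


def demo():
    """Walk a session through owner use, one odd sample, then a device takeover."""
    profile = build_profile(ENROLLMENT)
    session = ContinuousSession(profile, now=0)
    log = []
    for obs in [OWNER_LIKE] * 4 + [OWNER_OUTLIER]:
        session.observe(obs)
        log.append(session.check(now=60 * len(log)))   # stays "ok"; the outlier is smoothed away
    for obs in [INTRUDER] * 2:
        session.observe(obs)
        log.append(session.check(now=60 * len(log)))   # "step_up:behavior_drift"
    return log


if __name__ == "__main__":
    print(demo())
```

Two design points carry the article’s caveats. The drift score is only ever used to ask for step-up, never to grant access, so the behavioral layer augments strong authentication rather than replacing it; and the lifetime and sensitive-operation checks run before the drift check, so a well-behaved attacker who mimics the owner’s typing still hits the hard limits.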

You should also clearly understand what user behaviors and data from the mobile device are being used for the behavioral system in order to ensure they don’t present privacy concerns for your jurisdiction. How user data (such as location or other identifying information) is sourced, stored, and processed, for instance, needs to be clearly understood. If the system extracts other data from the device unrelated to the usage (such as a user’s contacts), that should be clearly understood as well. If user profiles are being built or registered or cross-correlated across websites, that should be clearly understood because such profiling may run afoul of certain privacy mandates that may require transparency as well as explicit user consent and control over the gathering and use of such information.

The Right Way to Build Behavioral Biometrics
Ultimately, behavioral biometrics is a building block to be used with other security measures. Effective identity and access management implementations require strength on multiple fronts, including strong identity proofing and easy-to-use strong user authentication such as face, finger, or iris biometrics; strong signals for risk management (versus spoofable signals from virtual machines); strong recovery in case of loss of primary authenticator; and strong session management to avoid situations like the recent Facebook debacle during which session tokens were compromised. Behavioral biometrics is not a panacea but, when used in conjunction with the measures above, provides added benefits.

Coupling behavioral biometrics with strong proofing and authentication can deliver great benefits for a more frictionless user experience and can provide a solid foundation for security, while also respecting privacy.

Rajiv Dholakia is the vice president of products at Nok Nok Labs and is responsible for strategy and the development of the company’s products and solutions. He has more than 30 years of global operating experience in private and public companies spanning security, ecommerce, …

Article source: https://www.darkreading.com/endpoint/authentication/better-behavior-better-biometrics-/a/d-id/1334581?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

The Big E-Crime Pivot

Criminals have begun to recognize that enterprise ransomware offers tremendous financial advantage over the more traditional tactics of wire fraud and account takeover.

The concept of “the pivot” is well-understood by entrepreneurs, who often set out to build a business or technology and realize they need to shift their strategies. Visually, one foot remains firmly in place while the other turns to reorient the rest of the body. Typically, they don’t throw everything out the window and start over. Rather, they reimagine the way they can use the tools at their disposal.

The same can be said about today’s sophisticated e-criminals, who are increasingly pivoting and reusing their existing technology for new ways to generate revenue.

For example, malware-as-a-service has been a prominent component of the e-crime ecosystem for the past decade. Criminals built specialized platforms for large-scale credential theft. Malware distributed this way — with names like Dridex, Trickbot, and BokBot — has long been optimized to steal account information using webinjects, by which it inserts itself into the browser; it also downloads and installs other malware/tools, captures screens or memory buffers filled with sensitive information, and, in recent years, even steals cryptocurrency wallets.

The e-criminals behind these malware platforms also built relationships with other e-criminals who specialize in spam, pay-per-install, and exploit kit development to optimize distribution. When your bread and butter is to steal credentials, the name of the game is to get your malware out as far and wide as effectively as possible. Pushdo, Smoke, and Emotet have emerged as some of the malware families/actors that specialize in getting payloads delivered to the would-be victim machines. CrowdStrike has observed the symbiotic relationships between these e-criminals for quite some time, and it has shaped our model of the e-crime ecosystem.

But in recent months, e-criminals have begun to recognize that enterprise ransomware – what we call “big-game hunting” – offers tremendous financial advantage over the more traditional e-crime tactics of wire fraud and account takeover. (We touch on this trend in the “2019 CrowdStrike Global Threat Report.”)

This realization is, in part, due to the evolving cat-and-mouse game between the adversary and security practitioner; as new countermeasures are deployed to mitigate wire fraud or account takeover the cost/benefit calculus changes. Another factor is that the competitive landscape for e-criminals conducting these types of attacks has become more crowded. In general, adversaries across the entire spectrum of threat actors prefer to take the path of least resistance, rather than work harder and work smarter.

In short, margins for threat actors conducting wire fraud and account takeover have become tighter. In need of a new way to increase revenue, they are pivoting.

The first indication of the shift to ransomware can be traced back to summer 2017, when INDRIK SPIDER, the adversary CrowdStrike associates with Dridex development, began to deploy BitPaymer in enterprisewide ransomware attacks directed against the healthcare sector. (CrowdStrike Intelligence uses the naming scheme SPIDER to describe e-crime actors.) Approximately one year later, GRIM SPIDER emerged deploying the Ryuk ransomware, a derivative of the Hermes ransomware, against a variety of verticals, including financial, government, healthcare, hospitality, legal, and retail.

In March of this year, we reported on a change of tactics by PINCHY SPIDER, the actor behind the GandCrab ransomware that emerged in early 2018 with a partnership program offering a split of the profits to actors who utilized its ransomware to conduct extortion. Also this year, LockerGoga emerged as another enterprise ransomware that was employed against manufacturing and industrial companies, demanding high-dollar ransom amounts.  

Big-game hunting attacks typically begin with deployment of banking Trojans or through a compromise of an external-facing system. Adversaries seeking to deploy ransomware across the enterprise move laterally, escalate privileges, and deploy their payloads. CrowdStrike’s 1-10-60 rule is one organizations should strive to achieve: It means aiming to detect an intrusion in under a minute, performing a full investigation in under 10 minutes, and eradicating the adversary from the environment in under an hour.  

The writing is on the wall for e-criminals: There is big money in big-game hunting, and it is disrupting businesses across the globe. Paying the ransom doesn’t necessarily resolve the problem either. It is more important than ever that organizations and agencies have the right people, processes, technology, and intelligence to stay ahead of these threats.



Adam Meyers has over a decade of experience within the information security industry. He has authored numerous papers that have appeared at peer reviewed industry venues and has received awards for his dedication to the field. At CrowdStrike, Adam serves as the VP of …

Article source: https://www.darkreading.com/risk/the-big-e-crime-pivot/a/d-id/1334605?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Weekly review – the hot 25 stories of last week

Get yourself up to date with everything we’ve written last week – it’s weekly roundup time.

Monday 29 April 2019

Tuesday 30 April 2019

Wednesday 1 May 2019

Thursday 2 May 2019

Friday 3 May 2019

Sunday 5 May 2019

Would you like to keep up with all the stories we write? Why not sign up for our daily newsletter to make sure you don’t miss anything. You can easily unsubscribe if you decide you no longer want it.

Latest video

It was World Password Day last week, so we made a short video to remind you what NOT to do…



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/DmKSgq-0wpY/

Blockchain project settles cross-border payment

Singapore’s central bank sent a payment to Canada using blockchain technology last week, in a clear signal that the technology has value – as long as you’re realistic about it.

The Monetary Authority of Singapore (MAS) sent 105 Singapore dollars (SGD) to the Bank of Canada (BoC) in a proof-of-concept project that inches them closer to solving one of banking’s biggest headaches: cross-border payments and settlements.

In a November 2018 report on cross-border interbank payments and settlements, the two organizations and the Bank of England detailed the challenges of settling transactions between banks in different countries. Banks must navigate an array of hurdles including anti-money-laundering and know-your-customer regulations.

If a bank has no presence in the recipient country, it must also rely on another intermediary bank to process the payment on its behalf, in what’s known as the correspondent banking model. All the parties will have their own legacy systems that make it difficult to process the transaction uniformly. It is an expensive process that can take several days, and parties never quite know when the money will arrive.

The biggest problem is counterparty risk – when a bank sends money via an intermediary to buy something, it can’t be certain that the intermediary will deliver the funds, or that the other bank in the transaction will hold up its end of the bargain.

Reducing counterparty risk

BoC and MAS wanted to use the blockchain to settle payments while reducing counterparty risk. Each organization already had its own distributed ledger for processing the clearing and settlement of payments and securities domestically. In 2016, BoC created Project Jasper, while MAS created Project Ubin. This latest project brought the two distributed ledger technologies together so they could collaborate on transactions.

The project still needs an intermediary that has a presence in both the sending and receiving countries, because the intermediary is the only party that carries both the sending and receiving banks’ currencies and can process payments in both countries. The difference is that no funds need change hands between this intermediary and the sending and receiving banks before the entire transaction is complete, which reduces the risk.

Instead, the whole multi-step exchange relies on ‘atomicity’: either every transaction in the chain succeeds or none of them does. If one step fails, the whole exchange rolls back and each party gets its assets back, as if nothing had happened.

BoC and MAS achieved atomicity using Hashed Time Locked Contracts (HTLCs). If Alice wanted to buy something from Bob for $1,000, it would work like this:

  1. Bob generates a random number (the secret) and hashes it. He sends Alice the hash only, never the secret itself.
  2. Alice locks the $1,000 in a contract keyed to that hash. To claim the payment, Bob must reveal the data that produces the hash.
  3. Bob reveals the secret, the contract checks that it hashes to the lock, and the payment is released to him.

If this doesn’t happen before the time lock expires, the contract returns the $1,000 to Alice and the exchange is undone.

Because this is all happening on the blockchain, the banks encode the HTLC in a smart contract (a computer program that runs on all participants’ computers on the blockchain). The smart contract checks that all conditions are met before unlocking the payment.

The BoC/MAS exchange goes like this:

  1. The Canadian bank uses a secret (a random number) to generate a hash. It sends the hash to the Singapore bank.
  2. The Singapore bank deposits the cash it wants to send to the Canadian bank in an escrow account on the blockchain. It then sends the hash to the intermediary bank’s Singapore branch.
  3. After checking the smart contract to ensure that the funds are in the escrow account on the blockchain, the intermediary bank sends the hash to its Canadian branch. The intermediary bank’s Canadian branch deposits the funds in another escrow account on the blockchain. Then it sends the HTLC to the Canadian bank.
  4. The Canadian bank verifies that the locked amount is correct and then uses the original secret to unlock the funds from the escrow account. It also sends the secret to the intermediary bank’s Canadian branch.
  5. The intermediary branch in Canada shares the secret with its Singapore branch.
  6. The intermediary’s Singapore branch then uses it to unlock the funds in the escrow account there.
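The Alice/Bob contract and the six-step BoC/MAS exchange above are the same mechanism applied once and then chained across two ledgers. The Python below is an added simulation of both, written for this page; it is not code from the BoC/MAS report, Project Jasper, Project Ubin or Naked Security. It assumes SHA-256 as the hash (the article names no function), an integer block height as the clock, a CAD amount of 104 for the second leg (the article gives only the SGD figure), and made-up participant names. It also applies one rule the article does not spell out but which every HTLC chain needs: the escrow closest to the receiver must expire before the one behind it, so the intermediary always has time to collect on the first leg after the secret is revealed on the second.

```python
import hashlib
import secrets
from dataclasses import dataclass

SGD_AMOUNT = 105   # the amount the article reports MAS sent
CAD_AMOUNT = 104   # assumed CAD leg; the article gives no converted figure


def hash_lock_for(preimage: bytes) -> bytes:
    """The hash a receiver publishes. SHA-256 is assumed; the article names no function."""
    return hashlib.sha256(preimage).digest()


@dataclass
class HTLC:
    """Funds held in escrow by a smart contract: the recipient may claim them by
    revealing the preimage of hash_lock no later than `expiry`; after expiry only
    the sender may reclaim them. Time is a simulated block height (an integer)."""
    ledger: str
    sender: str
    recipient: str
    amount: int
    hash_lock: bytes
    expiry: int
    state: str = "locked"   # locked -> claimed | refunded

    def claim(self, preimage: bytes, now: int) -> bool:
        """Release to the recipient only if still locked, in time, and the preimage matches."""
        if self.state != "locked" or now > self.expiry:
            return False
        if hash_lock_for(preimage) != self.hash_lock:
            return False
        self.state = "claimed"
        return True

    def refund(self, now: int) -> bool:
        """Return to the sender only once the lock has expired unclaimed."""
        if self.state != "locked" or now <= self.expiry:
            return False
        self.state = "refunded"
        return True


def run_exchange(canadian_bank_reveals: bool, now: int = 0) -> tuple:
    """Walk the six steps across the Ubin (SGD) and Jasper (CAD) ledgers and
    return (state of the SGD escrow, state of the CAD escrow)."""
    # Step 1: the Canadian bank, the ultimate receiver, picks the secret and
    # shares only its hash with the Singapore bank.
    secret = secrets.token_bytes(32)
    lock = hash_lock_for(secret)

    # Step 2: the Singapore bank escrows SGD on Ubin for the intermediary's
    # Singapore branch. This first hop carries the LONGER time lock.
    sgd_escrow = HTLC("Ubin", "Singapore bank", "Intermediary-SG",
                      SGD_AMOUNT, lock, expiry=now + 20)

    # Step 3: the intermediary confirms the SGD is locked under the same hash,
    # then its Canadian branch escrows CAD on Jasper for the Canadian bank with
    # a SHORTER lock, so it can still claim the SGD after it learns the secret.
    if not (sgd_escrow.state == "locked" and sgd_escrow.hash_lock == lock):
        raise RuntimeError("intermediary refuses: SGD leg not escrowed under this hash")
    cad_escrow = HTLC("Jasper", "Intermediary-CA", "Canadian bank",
                      CAD_AMOUNT, lock, expiry=now + 10)

    if canadian_bank_reveals:
        # Step 4: the Canadian bank checks the locked amount and unlocks the CAD
        # with the secret; doing so is what discloses the secret to the intermediary.
        if cad_escrow.amount != CAD_AMOUNT:
            raise RuntimeError("Canadian bank refuses: wrong locked amount")
        cad_escrow.claim(secret, now + 5)
        # Steps 5-6: the intermediary forwards the secret to its Singapore branch,
        # which uses it to unlock the SGD escrow.
        sgd_escrow.claim(secret, now + 6)
    else:
        # Failure path: the Canadian bank never reveals the secret. Each lock
        # expires and each sender is refunded, so no party is left half-paid.
        cad_escrow.refund(now + 11)   # Jasper lock expired at now + 10
        sgd_escrow.refund(now + 21)   # Ubin lock expired at now + 20

    return sgd_escrow.state, cad_escrow.state


if __name__ == "__main__":
    print("happy path:", run_exchange(canadian_bank_reveals=True))    # ('claimed', 'claimed')
    print("timed out: ", run_exchange(canadian_bank_reveals=False))   # ('refunded', 'refunded')
```

The two checks in `HTLC.claim` are the whole security argument: a wrong preimage or a late claim is rejected, and once a contract has moved out of `locked` it can neither be claimed nor refunded again. Atomicity comes from the shared hash, not from any trust in the intermediary: the only way the intermediary can collect the SGD is by presenting the secret the Canadian bank had to reveal to collect the CAD.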

A payment of 105 Singapore dollars between two parties is a good start, but as the two central banks note in their report on the project, it still needs work if it is to scale. It would need something like gateway nodes that act as service nodes for their network participants, or a central connector between networks.

It’s all very exciting, but the Ripple cryptocurrency-based cross-border payment network has been doing more or less the same thing for years now. However, operating their own payment network rather than using a third-party payment service would presumably give central banks autonomy.

The whole thing also shows that the blockchain isn’t a white elephant. The technology slipped into what’s known as the trough of disillusionment on Gartner’s hype cycle last August. This trough is part of a natural transition as people realize that a single technology won’t solve all of humanity’s problems.

From here, blockchain faces a slow, steady climb back into favour as people realize that it has some value for certain use cases, as long as you view it sensibly.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/PCgqlv768IE/