STE WILLIAMS

Dark web marketplace Wall Street Market busted by international police

An international bust has led to the shuttering of two dark web marketplaces for drugs, weapons, hacked data, hacking tools and other illegal goods: the Wall Street Market (WSM) and the Valhalla Market (better known by its Finnish name, Silkkitie).

Europol and German police announced the “double blow” to dark web marketplaces on Friday, saying that German authorities have arrested three suspects and seized over €550,000 in cash, along with cryptocurrencies Bitcoin and Monero in “6-digit amounts,” several vehicles, computers and data storage, and at least one firearm.

An investigation by the Attorney General in Los Angeles also led to the arrest of two suspects who are alleged to be among the markets’ biggest drug sellers.

On Friday, Finnish Customs said that they’d seized the Silkkitie web server earlier this year and seized a “significant” amount of Bitcoin. They said that after shutting down Silkkitie, some of the Finnish drug dealers moved to other illegal sites on the Tor network, including WSM.

German investigators had their eye on the three suspects since March – a 31-year-old from Bad Vilbel, a 29-year-old from the district of Esslingen and one 22-year-old from Kleve, all three of whom are German nationals.

The stench of exit scam

WSM had been stinking of exit scam for a while. The admins switched the platform into maintenance mode on 23 April, then began transferring customers’ funds to themselves. Customers and buyers responded by howling about the “Sorry guys we are currently redesigning WSM” message, which the admins posted on Friday, 26 April, and which said that the “maintenance” would last a week.

Here’s one of the less offensive comments on the WSM market listing at DeepDotWeb, a site devoted to covering dark web markets. It was posted on 26 April:

Administrators are trying to steal all the money flee this .onion right now and pls DEEPDOT ban this from “topmarkets”

Rogue admin attempts blackmail, then doxxes IP address

Police moved in, seizing the marketplace’s servers on Thursday, 2 May. But first, chaos and desperation had apparently set in, as one of the site’s moderators – Med3l1n – started blackmailing WSM vendors and buyers, demanding 0.05 Bitcoin (~$280) in payment. Otherwise, Med3l1n threatened, they’d tell authorities information about vendors and buyers who’d slipped up and shared their details in unencrypted support requests.

A few days after that, Med3l1n went rogue and leaked login credentials and the IP address (located in the Netherlands) for the WSM backend on Dread, a Reddit-like community for dark web users.

Beyond exposing the physical location of WSM’s server, this enabled anyone to log in to the marketplace’s administrative section and gain the data necessary to strip anonymity from the market’s vendors, buyers, orders and more.

Six days later, on 30 April, WSM’s site started showing an error. Police took it down on 2 May. It’s not known how much the rogue admin’s disclosure helped the investigation, but German police had apparently already been watching the suspects as far back as March.

This was a big one

Europol called Silkkitie one of the oldest and internationally best-known dark web marketplaces. It’s been running on the Tor anonymity system since 2013, Europol says.

A press conference in Wiesbaden on Friday included representatives of the US attorney’s office, the FBI, and Europol. According to DW, the president of Germany’s Federal Criminal Police (BKA), Holger Münch, described the case as “extraordinary,” involving security services from the US and Netherlands, as well as Europol and Germany’s ZIT internet crime agency.

It had to be that complex and had to be an international effort, he said, given that it’s initially impossible to ascertain where such platforms are run from. One of the clues was the languages used on the market: the common language was English, but German was also an option. By piecing together various clues like that one, the international team eventually traced the server infrastructure to not just Germany and the Netherlands, but also to Romania.

During the press conference, Ryan White, the US federal prosecutor who heads cybercrime prosecutions in Los Angeles, announced the arrest of “two major drug traffickers” in Los Angeles who had used Wall Street Market.

This investigation will continue to bear fruit, they said, given that it’s spawned secondary investigations now ongoing in Germany. White’s response to a reporter:

It should be no surprise that we are very interested in pursuing additional actions based on this case, so stay tuned.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/RUUMpKPhQXk/

Firefox add-ons with obfuscated code will be banned by Mozilla

In order to protect Firefox users from malicious add-ons, Mozilla has banned extensions that contain obfuscated code.

Caitlin Neiman, Add-ons Community Manager at Mozilla, said in a blog post on Thursday that the new policy will go into effect on 10 June.

Here’s the gist of that new policy:

We will no longer accept extensions that contain obfuscated code. We will continue to allow minified, concatenated, or otherwise machine-generated code as long as the source code is included.

If your extension is using obfuscated code, it is essential to submit a new version by June 10th that removes it to avoid having it rejected or blocked.

And here’s a link to the add-on policy in full.

Blocking, also called “blocklisting,” add-ons that contain obfuscated code means disabling them in the browser after the user installed them, Neiman explained.

Extensions that violate Mozilla’s policies will face the wrath of a newly proactive Mozilla, Neiman said:

We will be casting a wider net, and will err on the side of user security when determining whether or not to block.

Neiman said that Mozilla will also keep on blocking extensions that intentionally violate its policies or that have critical security vulnerabilities, or that compromise user privacy or skirt user consent or control. Other unexpected “surprises” that Mozilla doesn’t want to see (without a clearly worded opt-in and clearly stated name of what add-on is asking for what) include extensions that change default settings, such as the new tab page, homepage or search engine; extensions that make unexpected changes to the browser or web content; or ones with features or functionality not related to the add-on’s core function(s).

Let’s keep that browser predictable

After all, surprises are fun when they pop out of birthday cakes, but not coming from an extension, Mozilla says:

Surprises … are not welcome when user security, privacy and control are at stake. It is extremely important to be as transparent as possible when submitting an add-on. Users should be able to easily discern what the functionality of your add-on is and not be presented with unexpected user experiences after installing it.

Mozilla’s got some history behind this new no-obfuscation policy.

In August 2018, it axed 23 add-ons, following a report that a security add-on was up to funny business. Mozilla had highlighted that add-on in a blog post promoting a collection of security-focused extensions to the browser. But when curious techies picked apart the program to find out exactly what it was doing, they discovered that it was assigning each user an ID and sending information labelled ‘old-URL’ and ‘new-URL’ to a consistent IP address.

On further examination, Mozilla engineer Rob Wu found 22 other browser extensions in the Firefox portfolio that were also up to no good: one group that was sending browsing information to a remote server that could potentially launch a remote code execution attack on the client, and a second group that didn’t collect URL information but were still able to launch a remote code execution attack on the client.

That code was heavily obfuscated, Wu said at the time.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/GNsbuBEkAq0/

NSA foreign spying, biotech snooping, Hamas hackers bombed, airline cams, and much more from infosec land

Roundup Welcome back, Brits, from your three-day Bank Holiday week. Allow us to catch you up on recent infosec comings and goings.

‘Hamas hackers’ bombed: Israeli Defence Forces claim they destroyed a building in the Gaza Strip on Saturday said to be used by Hamas hackers. The Palestinian militants were targeted in the air strike in response to cyber-attacks against Israel, the IDF said in a tweet: “We thwarted an attempted Hamas cyber offensive against Israeli targets. Following our successful cyber defensive operation, we targeted a building where the Hamas cyber operatives work. HamasCyberHQ.exe has been removed.”

A tentative ceasefire is now underway. It’s thought to be the first publicly known kinetic response by a military to an ongoing digital offensive. We note that rogue Brit hacker Junaid Hussain was killed by a US drone strike in 2015, though that was probably because he was an ISIS recruiter in Syria at the time.

Internet of Things: The UK government announced a public consultation on internet-of-things security as it mulls regulations forcing manufacturers to proactively protect devices from attack. “We recognise the urgent need to move the expectation away from consumers securing their own devices and instead ensure that strong cyber security is built into these products by design,” the civil servants thundered. Do let them know your thoughts, enlightened readers.

Office 365: Take a moment to secure your company Office 365 accounts. Barracuda claims: “A recent analysis of account-takeover attacks targeted at Barracuda customers found that 29 percent of organizations had their Office 365 accounts compromised by hackers in March 2019.”

NSA transparency: Over in the US, the Office of the Director of National Intelligence’s annual transparency report [PDF] into Uncle Sam’s surveillance programs had mixed news on the privacy front.

On the one hand, the number of issued National Security Letters, used to investigate corporate data under a permanent gagging order, dropped in 2018 to 10,235, nearly half of the total five years ago. But on the other hand, the number of foreign individuals under communication surveillance rose 28 per cent to 164,770 and the number of Americans under similar watch rose from 7,512 in 2017 to 9,637 last year.

Jenkins plugins: If you’re using third-party plugins in your Jenkins installation, be aware NCC Group’s Viktor Gazdag has found and reported security flaws in at least one hundred of them, and not all of them have been fixed. Now would be a good time to look over Gazdag’s findings, and ensure you’re not running vulnerable code.

Bitcoin scammers: A UK Channel Islands man from Jersey was scammed out of £1.2m ($1.5m) in Bitcoin after crooks convinced him to invest the sum in an online investment scheme. After being promised 15x returns, local media reports, the man then lost the lot and called the police, although he’s unlikely to see the money again.

Extradition: Ukrainian Oleksii Petrovich Ivanov, 31, was extradited from the Netherlands to the US this month to face one charge of conspiracy to commit wire fraud, four charges of wire fraud, and one of computer fraud, over an alleged malvertising campaign. Millions of netizens were exposed to web adverts designed to infect their systems with malware, prosecutors claim.

Marcus Hutchins sentencing: It looks as though the Marcus Hutchins saga is coming to an end. After pleading guilty to two charges of creating and distributing malware earlier this month, his sentencing hearing has been set for July 26, nearly two years to the day after he was first arrested. There have been calls for a pardon, or community service rather than a custodial sentence, but that’s up to the judge.

Ladders leak: An executive recruitment agency was left red-faced after accidentally exposing the personal information of more than 13 million people on its books. The New York-based Ladders agency left the data in an unsecured Amazon Elasticsearch database and it was found by GDI Foundation member Sanyam Jain. The data included names, job and salary histories, security clearances and work authorizations, and addresses, and while it doesn’t appear to have been accessed by hackers, it’s still highly unprofessional. The database has since been hidden from public.

Laboratory IP theft: A financial filing by American biotech biz Charles River Lab this week reports that “a highly sophisticated, well-resourced intruder,” got onto its corporate servers and stole sensitive client information. The lab doesn’t say exactly what was stolen beyond estimating one per cent of its files, suggesting a highly targeted attack.

Google wiping data: Google takes a lot of flack, sometimes deservedly so, for slurping too much info on us all. Now it’s offering a tool to cut back on the tracking of location history and online activities. In a blog post it explains that netizens can now set up their Google accounts to auto-delete this data after three to 18 months. The new controls will be out in a few days or so.

China’s Muslim spying: The level of surveillance undergone by Muslim inhabitants of China has been uncovered and revealed by Human Rights Watch. The non-profit reverse engineered a government app used by Chinese police to monitor and detain ethnic Uyghurs and other Turkic Muslims. Meanwhile, a Chinese smart city’s face-recognizing surveillance system was caught leaking info all over the internet.

Hardcoded passwords: Gas stations, or petrol stations, or servo, depending on where you live, were found running insecure firmware on their fuel pumps – from hardcoded passwords to stack-based buffer overflows. Patches are available; affected equipment is mostly in the US.

US airlines cover cameras: United and Delta airlines in the US have reportedly said that they will cover up passenger-facing cameras in their seats, with American Airlines planning to follow suit. The cameras, located in the premium and business class seats, were never used and just included with the in-flight entertainment hardware, the airlines insisted, but they made high-paying passengers nervous so they’ll now be covered up. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/05/07/security_roundup/

‘Software delivered to Boeing’ now blamed for 737 MAX warning fiasco

As the 737 MAX scandal rolls on, “software delivered to Boeing” has been blamed by the company for the malfunctioning of a safety display.

In a statement issued over the weekend, the American airliner manufacturer admitted that its software was not properly displaying fleet-standard warning captions to pilots. This admission comes after sustained media reporting over cockpit angle-of-attack (AOA) displays and warnings, one of which was sold by Boeing to airlines as an optional extra for their aircraft.

Warning captions (wording that flashes up on the pilot’s display screen) on the 737 MAX included one, AOA Disagree, which alerted the pilots if the 737 MAX’s two AOA sensors were delivering different readings from each other. If the two go out of sync, the logic goes, one must therefore be faulty.

Worse, Boeing engineers knew about the problem in 2017 – months before the fatal Lion Air and Ethiopian Airways crashes. The company only revealed this to US Federal Aviation Authority regulators after Lion Air flight JT610 crashed in October 2018, claiming in this week’s statement that “the issue did not adversely impact airplane safety or operation”.

“Senior company leadership was not involved in the review and first became aware of this issue in the aftermath of the Lion Air accident,” added Boeing.

The AOA sensors feed the controversial MCAS trim system, another software feature that did not work properly. Improper MCAS activations seemingly caused by faulty AOA readings are suspected to have contributed to two fatal Boeing 737 MAX crashes within the last year, costing hundreds of lives.

Boeing said the 737 MAX’s “display system software did not correctly meet the AOA Disagree alert requirements”, adding that “software delivered to Boeing linked the AOA Disagree alert to the AOA indicator, which is an optional feature on the MAX” and earlier versions of the 737.

“Accordingly,” continued Boeing, “the software activated the AOA Disagree alert only if an airline opted for the AOA indicator.”

This was not what should have happened. Even if an airline didn’t pay extra for the AOA indicator display gauge (pictured here on a schematic for earlier 737 versions than the MAX), if the sensors went out of sync, a warning should have been shown to the pilots.

AOA gauges have been offered as a feature on Boeing 737s since the mid-1990s 737-600 model, known in marketing terms as the first of the 737 Next Generation (NG). The NG series, comprising the 737-600, -700 and -800 models, preceded the controversial MAX series.

Boeing is now issuing a display system software update to correct this fault, it said. This is on top of a promised software update to MCAS to stop it from attempting to push the 737 MAX’s nose towards the ground. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/05/07/boeing_blames_software_737_max_aoa_warning_captions/

Russian Nation-State Group Employs Custom Backdoor for Microsoft Exchange Server

Turla hacking team abuses a legitimate feature of the Exchange server in order to hide out and access all of the target organization’s messages.

A well-known Russian nation-state hacking group has been infiltrating the Microsoft Exchange email servers of its targeted victims since at least 2014 via a custom backdoor. 

Researchers at ESET say the so-called Turla group, aka Snake, has been hacking into victims’ Microsoft Exchange servers and planting its sophisticated LightNeuron backdoor malware for cyber espionage purposes. Turla accesses the email systems by abusing Exchange Server’s legitimate Transport Agent feature, which lets other software from Microsoft as well as third parties to operate with Exchange, including spam-filtering tools. The feature lets these other applications process email messages coming and going from Exchange.

The LightNeuron backdoor for Exchange specifically allows Turla attackers to read and modify email messages, create and send their own messages, and block messages to users at the victim organization, ESET said in new research it revealed today. Turla previously had been seen targeting Outlook email clients, an attack method ESET detailed last August.

Matthieu Faou, a malware researcher with ESET, says he believes this is the first case of malware specifically targeting Exchange servers. “It’s really similar to the Outlook backdoor, but it has access to all emails of the [victim] organization. It’s focused on the main email server,” he says.

And by employing Exchange’s Transport Agent, the attackers can blend into the email environment. “This feature is something generally used by security products, such as anti-spam, to integrate into Microsoft Exchange,” Faou says.

Turla’s LightNeuron backdoor also operates a rare command-and-control method that uses email JPEG and PDF attachments to transport the commands – hidden within the attachments using steganography. “The attacker sends an email with the JPEG and PDF and the content is decoded and decrypted by LightNeuron on the main Exchange server,” Faou explains.

ESET found three victims of the LightNeuron attacks, a ministry of foreign affairs in Eastern Europe, a diplomatic organization in the Middle East, and an unidentified organization in Brazil. The Brazilian victim was discovered via a sample uploaded to VirusTotal, according to ESET’s report published today on the newly found Turla operation.

“The victims we found were the regular usual targets” of Turla, diplomatic entities, Faou says.

A PowerShell script used to install LightNeuron, msinp.ps1, and a remote administration tool called IntelliAdmin were also discovered on victim machines, according to ESET.

Security researchers at Kaspersky Lab have seen similar Exchange Server attacks and steganography-masked C2 activity by Turla, according to Kurt Baumgartner, a security researcher with Kaspersky. “They are active,” he says, noting that Kaspersky Lab has previously written about the latest twist in Turla attacks in private reports to clients. “Their technical capabilities are impressive and they are really well-resourced … They are a top-tier APT,” he notes.

No Patch

And like other so-called “living-off-the-land”-style attacks that abuse legitimate tools and software in a victim organization, there’s no software patch to prevent a LightNeuron backdoor attack. ESET’s Faou says there are some measures Microsoft could add, such as requiring a valid digital signature on a Transport Agent to establish its legitimacy. But once an attacker has stolen the Exchange server’s admin privileges, there’s not much that additional layers of security for Exchange can do, he says.

“It’s not really a vulnerability. They are using legitimate functionality” of Exchange, he says.

Microsoft was not available for comment at the time of this posting.

If an organization gets hit with Turla’s LightNeuron, recovery is complicated. “Simply removing the two malicious files will break Microsoft Exchange, preventing everybody in the organization from sending and receiving emails. Before actually removing the files, the malicious Transport Agent should be disabled,” ESET warned in a report it published on the attacks today.

The problem, Faou says, is that Transport Agent is registered in the configuration of the server, so even if LightNeuron gets removed, Exchange will try to load it. “If it’s unable to load the Transport Agent, it will totally break the main server so you cannot send or receive emails anymore,” he says. “You need to administer Transport Agent properly before removing the files,” he says. ESET details the proper removal process in a whitepaper it published today.

Turla attackers first must steal credentials to the Exchange Server to install LightNeuron. So enabling multifactor authentication among user accounts can help thwart the attack. In addition, ESET recommends monitoring the main Exchange Server, including installing endpoint detection and response (EDR) tools or other security monitoring.

The bottom line is many organizations typically don’t monitor when a new Transport Agent gets installed on the Exchange Server: “That’s the main problem. It’s a feature that’s not very well-known,” Faou says of Transport Agent.
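The two operational points above, that a registered Transport Agent must be disabled and unregistered before its files are touched, and that few organizations notice when a new agent is registered, can both be covered from the Exchange Management Shell. The script below is an added example written for this page; it is not ESET’s removal procedure or any Microsoft tooling. It uses the real Exchange cmdlets Get-TransportAgent, Disable-TransportAgent and Uninstall-TransportAgent; the function names, the default trusted install root, the trusted-signer list and the quarantine directory are assumptions to adjust for your environment.

```powershell
# Added example: inventory the Transport Agents registered on this Exchange server and
# flag any whose assembly lives outside the trusted install tree or is not validly signed.
# Run in the Exchange Management Shell on the Mailbox or Edge Transport server.

# Assumption: Exchange setup populates ExchangeInstallPath; fall back to the default V15 path.
$ExchangeRoot = $env:ExchangeInstallPath
if (-not $ExchangeRoot) { $ExchangeRoot = 'C:\Program Files\Microsoft\Exchange Server\V15\' }

function Get-SuspiciousTransportAgent {
    param(
        # Directories under which legitimate agent assemblies are expected to live.
        [string[]]$TrustedRoots = @($ExchangeRoot),
        # Assumption: extend with the certificate subject of your anti-spam/AV vendor.
        [string[]]$TrustedSigners = @('CN=Microsoft Corporation')
    )
    foreach ($agent in Get-TransportAgent) {
        $path = $agent.AssemblyPath
        $inTrustedRoot = $false
        foreach ($root in $TrustedRoots) {
            if ($path -like "$root*") { $inTrustedRoot = $true }
        }

        # A registered agent whose DLL is missing is itself a red flag: Exchange will
        # fail to load it and mail flow breaks (the failure mode ESET warns about).
        $sig = $null
        if (Test-Path -LiteralPath $path) { $sig = Get-AuthenticodeSignature -FilePath $path }
        $signer = '<unsigned or missing>'
        if ($sig -and $sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        $sigOk = ($sig -and $sig.Status -eq 'Valid')
        $signerTrusted = $false
        foreach ($s in $TrustedSigners) { if ($signer -like "$s*") { $signerTrusted = $true } }

        [pscustomobject]@{
            Identity     = $agent.Identity
            Enabled      = $agent.Enabled
            Priority     = $agent.Priority
            AssemblyPath = $path
            SignatureOK  = $sigOk
            Signer       = $signer
            Suspicious   = (-not $inTrustedRoot) -or (-not $sigOk) -or (-not $signerTrusted)
        }
    }
}

# Removal in the order ESET describes: unregister the agent first, restart transport so the
# DLL is no longer locked, and only then move the binary out of the way. Moving rather than
# deleting preserves the sample for forensics. Assumption: quarantine path is site-specific.
function Remove-TransportAgentSafely {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [string]$Quarantine = (Join-Path $env:SystemDrive 'Quarantine')
    )
    $agent = Get-TransportAgent -Identity $Identity
    if (-not $agent) { throw "No transport agent named '$Identity' is registered" }
    $dll = $agent.AssemblyPath

    Disable-TransportAgent   -Identity $Identity -Confirm:$false
    Uninstall-TransportAgent -Identity $Identity -Confirm:$false
    Restart-Service MSExchangeTransport

    New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
    if (Test-Path -LiteralPath $dll) { Move-Item -LiteralPath $dll -Destination $Quarantine }
    Write-Output "Unregistered '$Identity'; assembly quarantined under $Quarantine"
}

# Usage: list what is registered, then act only on agents a human has confirmed are rogue.
Get-SuspiciousTransportAgent | Format-Table Identity, Enabled, Suspicious, Signer, AssemblyPath -AutoSize
# Remove-TransportAgentSafely -Identity '<confirmed rogue agent name>'
```

Scheduling Get-SuspiciousTransportAgent and diffing its output against a stored baseline turns the “nobody notices a new Transport Agent” problem into a routine alert; any agent that appears between runs, or whose assembly path or signer changes, warrants a look. A signature check alone is not proof of legitimacy, since an attacker with admin rights could register a signed but unrelated binary, so the path and the baseline comparison matter as much as the signer.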

Meanwhile, ESET said code snippets of the Windows version of LightNeuron indicate that there’s also a Linux variant of the backdoor that was created by Turla.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/application-security/russian-nation-state-group-employs-custom-backdoor-for-microsoft-exchange-server/d/d-id/1334628?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Feds nab top exec on allegations he hacked a competitor, stole info… about school lunches?!

After a year-long investigation, a top California exec has been arrested by the FBI for allegedly hacking into a competitor’s website and stealing their customer data in an effort to ruin their business.

There is an unusual twist, however: this isn’t the high-stakes world of big tech or high finance, but American school lunches.

Chief financial officer of Choicelunch, Keith Wesley Cosbey, 40, was collared last month over claims that he illegally grabbed details from competitor The LunchMaster on what precisely youngsters across the San Francisco Bay Area like to eat and are allergic to.

He has been charged with unlawful computer access and fraud, and identity theft. If found guilty, Cosbey faces up to three years behind bars.

According to the criminal complaint against him, filed in San Mateo County, Cosbey stole data on hundreds of students, and then sent it anonymously to the local government department that oversees the school lunch program in an apparent effort to undermine his competitor.

The approach backfired, though, when the California Department of Education contacted The LunchMaster about the data leak, and the company searched its access logs, it is claimed. It apparently tracked the intrusion down to an IP address associated with Danville, California – where Choicelunch is headquartered.

The LunchMaster then contacted the FBI, the San Francisco Chronicle reported today, which carried out an investigation before nabbing Cosbey last month. He is currently out on $125,000 bail, and is due to appear in court on May 22. The news of his arrest emerged after The LunchMaster was given permission to notify the families of the students whose data has been accessed.

Amazingly, this is not the only time that the two companies have been at loggerheads. Back in 2013, Choicelunch sued The LunchMaster for copyright infringement and unfair competition, claiming the biz copied its website design and software.

Food for thought

The complaint in that case [PDF] alleged Choicelunch’s online ordering form, where customers are able to select specific days from a calendar view and then click on available food options, was ripped off by The LunchMaster in a website redesign based entirely on their approach.

Choicelunch then sent a DMCA copyright takedown notice to The LunchMaster’s hosting company – Amazon Web Services – and, amazingly, Amazon pulled the site, prompting The LunchMaster to set up a replacement website, which Choicelunch then also tried to bring down. Amazon then informed Choicelunch it would enforce a permanent injunction against The LunchMaster if Choicelunch filed a federal complaint. And so Choicelunch did.

Fortunately for website owners, the case landed in front of tech-savvy Judge William Alsup, who made it plain he wasn’t happy about people using copyright laws on web designs to tear down someone’s online operation.

Judge Alsup refused [PDF] an injunction to take down The LunchMaster’s replacement website (now hosted by Digital Ocean) and ordered Choicelunch to “withdraw any and all DMCA notices directed at defendant Nob Hill Catering” and ordered that it be “further prohibited from issuing further DMCA notices directed at defendant’s website.” The two sides settled before it went to trial.

Of course the question you are likely asking is: how on Earth has the market for school lunches devolved into lawsuits, website takedowns, and hacking allegations?

And the answer is, of course, money. And procurement contracts worth millions of dollars. School districts across the Bay Area sign school lunch contracts for a school year, and the market is quite flexible: there is a chance to grab a new contract every year, sparking fierce competition.

Often parents are able to log in to the school lunch provider’s site and select the meal they want for their child – which is great for schools that don’t have to deal with the logistics of hundreds of daily meals, but also means that parents are very aware and vocal about any problems.

Contractual issues

As just one example, a contract won by The LunchMaster over Choicelunch for Del Mar Union School District back in 2015 was ended after just two months and re-awarded to Choicelunch because The LunchMaster was having trouble filling orders in time.

Each meal is worth roughly $5 and there are hundreds of students at dozens of schools in each district, so the contracts are enormous and scale is everything. With all contracts potentially up for grabs every year, what you would imagine is a cosy world of food delivery to kids in schools has become a cutthroat business.

Enough, it is alleged, for one executive to hack the website of another in an effort to undermine them.

We have asked both Choicelunch and The LunchMaster for more details on the case and will update this article if they get back. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/05/06/school_lunch_data/

Security Top Concern as Mobile Providers Think 5G

The deployment of 5G networks will bring new use cases and revenue opportunities, mobile providers say, but security will be essential.

Mobile service providers think the future of 5G networks will drive revenue opportunities and new use cases driven by the Internet of Things (IoT) — however, security must be improved for 5G to fulfill its potential.

Sixty-seven percent of mobile providers will deploy their first commercial 5G networks within 18 months, another 21% within the next two years. Most (94%) expect increases in network traffic growth, connected devices, and mission-critical IoT use cases to drive security and reliability concerns. A majority (79%) say 5G is a factor in current security investments.

The insights come from “Securing the Future of a Smart World,” a new report based on a survey conducted by the Business Performance Innovation (BPI) Network and commissioned by A10 Networks. As a whole, mobile providers recognize new applications (such as self-driving cars, smart cities, and remote patient observation) will heighten the need for safe and secure network connections.

“When we look at what happened when 4G networks came in, there was a lot of disruption to the industry,” says Paul Nicholson, director of product marketing for A10, who anticipates the rise of 5G networks will cause greater disruption than 4G networks did in the past. “Security issues normally come when there’s a disruption in the technology,” he explains.

Researchers found the top drivers for 5G include smart cities (60%), industrial automation and smart manufacturing (48%), high-speed connectivity (39%), fixed wireless (37%), and connected vehicles (35%). As 5G continues to grow, so too will use cases and devices relying on it, he adds. A connected car, for example, has to be reliable in a split second — there’s little room for error.

While mobile providers think 5G networks will drive opportunity, it will also increase risk. 5G will bring more traffic and connected devices, many of which will be mission-critical. Network security is very important (72%) or important (26%) to most respondents asked about 5G.

Sixty-three percent view advanced distributed denial-of-service (DDoS) protection as the most important security tool built into 5G. Nearly 80% have or will upgrade to Gi/SGi firewalls; 73% have or will upgrade to a GTP firewall. Progress is slow going: Only 11% have upgraded their Gi firewalls and 13% have upgraded GTP firewalls, resulting from the complexity of control and management planes in 5G.

“Service providers are keenly aware of the DDoS attack problem,” says Nicholson. More data will be transferred at a greater volume as 5G networks become larger and more essential to individuals and businesses, making providers concerned about the opportunities for attacks, he explains.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial … View Full Bio

Article source: https://www.darkreading.com/mobile/security-top-concern-as-mobile-providers-think-5g/d/d-id/1334620?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Microsoft Debuts ElectionGuard to Secure Voting Processes

The new software development kit – free and open source – will be available to election officials and technology suppliers this summer.

Microsoft today debuted ElectionGuard, a free, open source software development kit (SDK) aiming to protect political voting processes as the spotlight on election security grows harsher.

CEO Satya Nadella announced ElectionGuard during his keynote at the Build developer conference, this week in Seattle. The SDK, built in partnership with security company Galois, is designed to make the election process more secure by providing verification throughout elections and letting third parties securely validate results, among other capabilities.

ElectionGuard isn’t a voting machine, and it’s not intended to replace paper ballots or support Internet voting. It’s built to secure current systems that rely on modern voting technology and serve as a platform for new systems to protect against tampering. Microsoft’s goal here is to give officials a means to handle and organize votes while letting individuals verify their votes. People can verify their votes were correctly recorded and that recorded votes were properly counted.

Verification happens in two ways: Each voter gets a tracker with a code that can be used to follow an encrypted version of his or her vote throughout the election. Voters also can see their selections on a Web portal provided by authorities; however, once a vote is cast, neither the tracker nor portal data can be used to reveal the vote. After the election, these codes can be used to confirm votes were not changed and were included in the total count.

The tool includes an open specification, or “road map,” as Microsoft puts it, which lets voters and candidates run verifiers to confirm the recorded votes have been accurately counted. It relies on additively homomorphic encryption, which lets arithmetic be performed on encrypted data without decrypting it. Individually encrypted votes can therefore be combined into a single encrypted vote count, and only that aggregate is decrypted to produce the full tally, so no individual vote is ever revealed. Someone who runs an open election verifier can confirm that the encrypted votes were aggregated correctly and that the encrypted tabulation was decrypted correctly to get the final count.

[Hear Microsoft’s Shawn Anderson, executive security adviser, present Crash Course: Principles of Endpoint Defense, at Interop 2019 next month]

“This process allows anyone to verify the correct counting of votes by inspecting the public election record, while keeping voting records secure,” writes Tom Burt, corporate vice president of customer security and trust, in a blog post on the news. “The use of homomorphic encryption to enable verification is separate from and in addition to the process of paper ballots counted as an official election tally.”
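The two preceding paragraphs describe the core mechanism: votes encrypted under an additively homomorphic scheme, a tally formed by combining ciphertexts, and a public record that lets anyone check both the aggregation and the decryption. The block below is an added illustration of that mechanism, written for this page; it is not ElectionGuard’s code. It uses exponential ElGamal (the selection sits in the exponent, so multiplying ciphertexts adds votes) and a Chaum-Pedersen proof so that the trustee can prove the decryption used the same secret key behind the published public key without revealing it. The tiny group parameters `P`, `Q` and `G` are an assumption chosen so the example runs instantly; a real deployment uses a multi-thousand-bit safe prime, distributes the secret key across several trustees and adds per-ballot proofs that each selection is really 0 or 1.

```python
"""Exponential-ElGamal homomorphic tally with a publicly verifiable decryption.

Added illustration, not ElectionGuard's code. P, Q and G below are an
assumption: a toy safe-prime group chosen so the example runs instantly.
"""
import hashlib
import secrets

P = 2039   # safe prime, p = 2q + 1
Q = 1019   # prime order of the subgroup all values live in
G = 4      # 4 = 2^2 is a quadratic residue, so it generates the order-q subgroup


def keygen():
    """Trustee key pair: secret exponent x, public key y = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def encrypt_vote(y, vote):
    """Encode the selection in the exponent (g^vote) so that multiplying two
    ciphertexts adds the underlying votes. Each selection is 0 or 1."""
    if vote not in (0, 1):
        raise ValueError("a ballot selection must be 0 or 1")
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), (pow(y, r, P) * pow(G, vote, P)) % P


def aggregate(ciphertexts):
    """Homomorphic tally: componentwise product of every published ciphertext.
    Needs no key, so any observer can recompute it from the election record."""
    a, b = 1, 1
    for ai, bi in ciphertexts:
        a, b = (a * ai) % P, (b * bi) % P
    return a, b


def _challenge(*values):
    """Fiat-Shamir challenge: hash of the proof transcript, reduced mod q."""
    digest = hashlib.sha256("|".join(map(str, values)).encode()).digest()
    return int.from_bytes(digest, "big") % Q


def decrypt_tally(x, y, tally_ct, max_votes):
    """Trustee side: recover the count and publish d = a^x together with a
    Chaum-Pedersen proof that log_g(y) == log_a(d), i.e. that the same secret
    behind the public key was used, without revealing x."""
    a, b = tally_ct
    d = pow(a, x, P)
    m = (b * pow(d, -1, P)) % P          # m = g^(sum of votes)
    # The tally is small, so a brute-force discrete log recovers it.
    count = next(k for k in range(max_votes + 1) if pow(G, k, P) == m)
    w = secrets.randbelow(Q - 1) + 1
    commit_g, commit_a = pow(G, w, P), pow(a, w, P)
    c = _challenge(y, a, d, commit_g, commit_a)
    s = (w + c * x) % Q
    return count, d, (commit_g, commit_a, s)


def verify_tally(y, ciphertexts, tally_ct, claimed_count, d, proof):
    """Observer side: every input here comes from the public election record."""
    a, b = tally_ct
    if aggregate(ciphertexts) != (a, b):
        return False                      # published aggregate is not the product
    commit_g, commit_a, s = proof
    c = _challenge(y, a, d, commit_g, commit_a)
    if pow(G, s, P) != (commit_g * pow(y, c, P)) % P:
        return False                      # proof does not bind to the public key
    if pow(a, s, P) != (commit_a * pow(d, c, P)) % P:
        return False                      # d was not computed with that key
    # With d proven correct, b / d is g^count for exactly one small count.
    return pow(G, claimed_count, P) == (b * pow(d, -1, P)) % P


def run_election(votes):
    """Full round trip: returns (count, verified) for a list of 0/1 votes."""
    x, y = keygen()
    ballots = [encrypt_vote(y, v) for v in votes]
    tally_ct = aggregate(ballots)
    count, d, proof = decrypt_tally(x, y, tally_ct, len(votes))
    return count, verify_tally(y, ballots, tally_ct, count, d, proof)


if __name__ == "__main__":
    print(run_election([1, 0, 1, 1, 0, 1, 0]))   # (4, True)
```

The verifier never sees `x` and never sees an individual vote: it checks that the published aggregate really is the product of the published ballots, that the decryption value `d` is tied to the public key by the proof, and that the claimed count matches `b / d`. A trustee who tries to publish a different count has to produce a `d` for which the proof still verifies, which requires the secret key and yields the true count anyway.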

If an election needs to be audited, ElectionGuard lets officials compare randomly selected ballot records with the corresponding paper ballots to confirm they match. Because paper can be checked against the digital record, fewer ballots need to be examined to reach a given level of confidence in the result, Burt explains.

ElectionGuard will be available this summer to election officials and technology suppliers so they can incorporate it into voting systems. Microsoft also has teamed up with election tech suppliers to explore integration of ElectionGuard into voting systems. It reports it has existing partnerships with suppliers responsible for more than half of the voting machines in the US.

This tool is part of Microsoft’s Defending Democracy Program, through which it works with governments, nongovernment organizations, academics, and businesses to protect election campaigns, develop technology to protect processes, and defend against disinformation.

Microsoft isn’t the only tech company strengthening its focus on election security. Late last summer, jurisdictions across the US registered for free website and user-account protection services offered by vendors including Google and Microsoft. Back in 2017, Google and sister company Jigsaw teamed up to offer digital protection – password alerts and multifactor authentication – to election candidates and their campaigns.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial … View Full Bio

Article source: https://www.darkreading.com/endpoint/microsoft-debuts-electionguard-to-secure-voting-processes/d/d-id/1334623?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

‘Matrix’-Themed Ransomware Variant Spreads

MegaCortex uses a compromised domain controller in its attack.

A newly spotted and active ransomware variant called MegaCortex drops a ransom note that reads as if it came from Laurence Fishburne’s character Morpheus in The Matrix. Interestingly, the note doesn’t state a ransom fee; instead it offers a “consultation on how to improve your companies [sic] cyber security” and promises that taking the attackers up on it will “guarantee” they won’t attack again.

MegaCortex last week was spotted by Sophos hitting a large number of its enterprise customers across the US, Europe, and Canada — with 47 attacks occurring within 48 hours at one point.

Andrew Brandt, principal researcher at Sophos, says the victims reported a compromised domain controller as the originator of the attacks, and that the attackers used stolen admin credentials to run a PowerShell script from that compromised controller.

While Sophos is still investigating the new ransomware and its infection process, Brandt wrote in a blog post that MegaCortex seems to mainly be found among organizations with existing Emotet and Qbot infections. “If you are seeing alerts about Emotet or Qbot infections, those should take a high priority. Both of those bots can be used to distribute other malware, and it’s possible that’s how the MegaCortex infections got their start,” he wrote.

Jessica Bair, senior manager of advanced threat solutions at Cisco Systems, says that in some ways MegaCortex is similar to other ransomware variants, with a couple of key exceptions. “It’s unique in that it uses stolen credentials and the compromised domain controller it uses to run the batch scripts,” Bair says.

Read Sophos’ post here

[See Jessica Bair, senior manager of advanced threat solutions at Cisco Systems, present Tracking Ransomware: Using Behavior to Find New Threats, at the Security Pro Summit at Interop on May 21.]


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise … View Full Bio

Article source: https://www.darkreading.com/endpoint/matrix-themed-ransomware-variant-spreads/d/d-id/1334619?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Password Reuse, Misconfiguration Blamed for Repository Compromises

Armed with stolen credentials from another breach or from a misconfigured file, attackers delete developers’ repositories on GitHub, Bitbucket, and GitLab, leaving behind ransom notes.

Atlassian’s Bitbucket, GitHub, and GitLab notified hundreds of developers over the weekend that their accounts on those repository services were breached and their code deleted by attackers using credentials harvested from another site or misconfigured files.

An estimated 1,000 or more developers’ accounts across the three services were affected. In each case, the attackers deleted the victim’s code repository and left behind a ransom note demanding a tenth of a bitcoin — about $570 — to restore the data.

Atlassian, which declined to say how many of the users of its Bitbucket service were affected, notified developers whose accounts were impacted and blamed password reuse for the attackers’ ability to compromise the service.

“During this attack, a third party accessed your repository by using the correct username and password for one of the users with permission to access your repository,” the company stated in a notification to affected users. “We believe that these credentials may have been leaked through another service, as other git hosting services are experiencing a similar attack.”

The attack highlights the dangers of mishandling passwords. Reportedly, 392 GitHub users were impacted by the attack, although only 320 users’ repositories are currently showing signs of the ransom note. Bitbucket appears to have blocked search results for affected users, while GitLab does not have facilities for searching through repositories.

Reusing one password across services means a breach of any one of them exposes the rest. In addition, developers often unwittingly leave passwords in files that are published to public repositories. None of the services hosting the affected repositories found signs that their own systems were compromised. Instead, attackers logged in from an unrecognized Internet address using valid credentials and then deleted the victim’s code.

“GitHub has been thoroughly investigating these reports, together with the security teams of other affected companies, and has found no evidence GitHub.com or its authentication systems have been compromised,” the company said. “At this time, it appears that account credentials of some of our users have been compromised as a result of unknown third-party exposures. We are working with the affected users to secure and restore their accounts.”

GitLab started investigating the issue on Sunday, after one developer reported that their code had been deleted. The organization concluded that the breach may have occurred when developers mistakenly published passwords stored in another repository.

“We have identified affected user accounts, and all of those users have been notified,” a GitLab spokesperson said. “As a result of our investigation, we have strong evidence that the compromised accounts have account passwords being stored in plaintext on a deployment of a related repository.”

Atlassian also urged users to not leave passwords in files that may be replicated into public repositories.
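GitLab’s finding that the compromised accounts had passwords stored in plaintext in a related deployment repository, and Atlassian’s warning above about files that get replicated into public repositories, both come down to the same control: catch credentials before they are committed. The block below is an added example written for this page, not code from GitLab, Atlassian or GitHub. It is a small pre-commit style scanner over a set of constructed sample files (the file names and contents are invented for the illustration; the AWS key is Amazon’s documented example value, not a real key). It flags three shapes that account for most of these leaks: an assignment whose key name says “password”, “secret”, “token” or “api key”; a `scheme://user:password@host` URL of the kind that ends up in git remotes and database DSNs; and a fixed-format provider key. Values that defer to the environment or a template are left alone, because that is the correct pattern. The regexes are a starting point and an assumption about what a team treats as a secret, not an exhaustive list.

```python
"""Pre-commit style check for plaintext credentials in files about to be pushed.

Added example, not code from GitHub, GitLab or Atlassian. SAMPLE_FILES is
constructed for this illustration; the patterns are a starting point.
"""
import re

# Constructed sample files standing in for the config and deployment files the
# advisories warn about. Only the first two contain real leaks.
SAMPLE_FILES = {
    "config/database.yml": (
        "production:\n"
        "  adapter: postgresql\n"
        "  username: deploy\n"
        "  password: Tr0ub4dor&3\n"
    ),
    "deploy/env.sh": (
        "export GIT_REMOTE=https://deploy:s3cretPa55@gitlab.example.com/acme/app.git\n"
        "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "export LOG_LEVEL=info\n"
    ),
    "README.md": "Set DB_PASSWORD in your environment; never commit it.\n",
    "config/settings.py": 'DB_PASSWORD = os.environ["DB_PASSWORD"]\n',
    "docker-compose.yml": (
        "services:\n"
        "  db:\n"
        "    environment:\n"
        "      MYSQL_ROOT_PASSWORD: ${MYSQL_ROOT_PASSWORD}\n"
    ),
}

# key = value / key: value where the key name says "credential".
_ASSIGNMENT = re.compile(
    r"^\s*(?:export\s+)?"
    r"(?P<key>[\w.-]*(?:password|passwd|pwd|secret|token|api[_-]?key)[\w.-]*)"
    r"\s*[:=]\s*[\"']?(?P<value>[^\"'\s#]+)",
    re.IGNORECASE,
)
# scheme://user:password@host, the form that leaks into git remotes and DSNs.
_URL_CREDENTIAL = re.compile(
    r"[a-z][a-z0-9+.-]*://[^/\s:@]+:(?P<value>[^@\s]+)@", re.IGNORECASE
)
# Fixed-format provider keys; the AWS access key ID is the best-known shape.
_AWS_ACCESS_KEY = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# Values that defer to the environment or a template are the right way to do it.
_PLACEHOLDER = re.compile(r"^(?:os\.environ|\$\{?|\{\{|<|%\()", re.IGNORECASE)


def _mask(value):
    """Show enough to locate the secret in the diff, never the secret itself."""
    return value[:2] + "***" if len(value) > 2 else "***"


def scan_text(path, text):
    """Return (path, line_number, kind, masked_value) for each suspected secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = _ASSIGNMENT.match(line)
        if m and not _PLACEHOLDER.match(m.group("value")):
            findings.append((path, lineno, "assignment:" + m.group("key"),
                             _mask(m.group("value"))))
        for m in _URL_CREDENTIAL.finditer(line):
            findings.append((path, lineno, "url-credential", _mask(m.group("value"))))
        for m in _AWS_ACCESS_KEY.finditer(line):
            findings.append((path, lineno, "aws-access-key-id", _mask(m.group(0))))
    return findings


def scan_files(files):
    """files maps path -> contents; in a hook, build it from the staged paths
    listed by `git diff --cached --name-only`."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def should_block_commit(files):
    """Hook decision: refuse the commit if anything was found."""
    return bool(scan_files(files))


if __name__ == "__main__":
    for path, lineno, kind, masked in scan_files(SAMPLE_FILES):
        print(f"{path}:{lineno}: {kind} -> {masked}")
```

Run against the sample set it reports the YAML password, the credential embedded in the git remote URL and the AWS key ID, and stays silent on the README, the `os.environ` lookup and the `${VAR}` reference. The masked output matters: a hook that prints the secret it found just moves the leak into CI logs.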

The repositories of affected users were deleted by the attackers and replaced with a ransom demand, reading: “To recover your lost code and avoid leaking it: Send us 0.1 Bitcoin (BTC) to our Bitcoin address [deleted] and contact us by Email at [email protected] with your Git login and a Proof of Payment. If you are unsure if we have your data, contact us and we will send you a proof. Your code is downloaded and backed up on our servers. If we dont receive your payment in the next 10 Days, we will make your code public or use them otherwise.”

Companies underscored that two easily implemented security measures — a password vault and two-factor authentication — could have prevented the attack by limiting the use of stolen credentials.

“We strongly encourage the use of password management tools to store passwords in a more secure manner and enabling two-factor authentication wherever possible, both of which would have prevented this issue,” GitLab’s spokesperson said.

Security professionals urged developers to use more care in managing their repositories, especially for projects that produce the open source components used as the foundation of many development projects. Two-factor authentication should be required for anyone who is committing to a broadly used software project, said Craig Young, computer security researcher in the vulnerability and exposure research team at security firm Tripwire, in a statement sent to Dark Reading.

“This is especially important for accounts which can make commits into source code repositories,” he said. “Although this attack was very noisy, someone else could also stealthily put ransomware in various software libraries, which are in turn used by other projects. Considering open source is used at least in part by the vast majority of popular software packages, GitHub becomes a very critical point of failure for modern supply chain security.”

For the most part, compromised accounts could easily be restored by using git commands to push the latest local copy of the repository from the affected developer’s system back to the service, GitLab stated in an advisory.

“We believe that no data has been lost, unless the owner/maintainer of the repository did not have a local copy and the GitLab copy was the only one,” the company stated. “In some cases, repository files were changed. After updating account credentials, we recommend making use of git commands to restore your repository to its previous state.”


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline … View Full Bio

Article source: https://www.darkreading.com/attacks-breaches/password-reuse-misconfiguration-blamed-for-repository-compromises/d/d-id/1334624?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple