STE WILLIAMS

As drones fill the skies, cybercriminals won’t be far behind

For the longest time, drones looked like a good-news tech story that would transform aerial photography, disaster relief and parcel delivery.

The world is still waiting to receive packages from the air (although UPS claims it’s started deliveries this week), which might be just as well because experts are having second thoughts.

Among those investigating the implications of a world filled with “very small and fast flying objects” are the Israeli-Japanese researchers behind a new study, Security and Privacy in the Age of Drones.

In hindsight, it’s amazing people didn’t see the problems coming as these devices got smaller, cheaper and able to operate many kilometres from the person controlling them.

The potential for terror-by-joystick malevolence and mischief is obvious, as London’s Gatwick Airport found out to its cost in December 2018 when it was forced to close its main runway.

But subtler problems might be worth looking at, the researchers argue, such as aerial spying and surveillance, of which there have already been several high-profile examples:

Exploiting these facts, drones have increasingly become a threat to individuals’ privacy as evidenced by their use to detect a cheating spouse, film random people and celebrities, and take intimate pictures of neighbors.

People tend to ignore the potential for intrusion when it’s celebrities who are being pestered, forgetting that micro-drones are now small and inexpensive enough that anyone could be victimised on a whim.

Regulation and cyberattacks

A fundamental problem has been regulation, which has been caught between the need to allow drones to fly where needed to be useful while restricting their use over airports, prisons, military facilities, and critical infrastructure.

This has turned out to be a challenge. Detecting them can be difficult – not all radar systems can detect small drones or distinguish them from other objects such as birds – while stopping them when they are detected can be almost impossible.

The long-term solution sounds clunky but unavoidable – a system of identification and authentication to separate legitimate drones from rogues:

One interesting method that can be used for this purpose as an out-of-band solution is installing a microcontroller on a group of white-listed drones.

Another approach would be to assign each drone with a unique identifier – although how to do that in a way that couldn’t be copied, disabled or spoofed remains an open question.

Perhaps the biggest issue hanging over all of this is how easy it might be for hackers to take control of legitimate drones through frequency jamming, GPS interference, or by exploiting a software or design flaw.

This hasn’t happened yet, but it’s probably just a matter of time. The researchers’ partial solution to this is interesting: instead of trying to stop it happening at all, focus on detecting and responding to it when it does.

For example, a drone that departs from its intended flight path could activate a protocol that instructs it to return to its base immediately by stepping through the manoeuvring commands that led it to where the event was detected.
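The detect-and-respond idea above, worked through as an added example (not code from the article or from the paper it reports on): a flight monitor logs every manoeuvring command the drone executes, raises an anomaly when a command departs from the flight plan or when the reported position disagrees with what the command log implies (as it would under GPS interference), and then returns to base by inverting the log in reverse order, without trusting the position source. The command vocabulary, the unit-grid movement model and the tolerance are assumptions made for illustration.

```python
"""Detect-and-respond flight monitor for a drone that leaves its planned path.

Added example, not code from the article or the cited paper. Command names,
the unit-grid 3-D movement model and the deviation tolerance are assumptions.
"""
from dataclasses import dataclass, field

# Each command moves the drone one cell along an axis; INVERSE undoes it.
MOVES = {
    "north": (0, 1, 0), "south": (0, -1, 0),
    "east": (1, 0, 0), "west": (-1, 0, 0),
    "up": (0, 0, 1), "down": (0, 0, -1),
}
INVERSE = {"north": "south", "south": "north", "east": "west",
           "west": "east", "up": "down", "down": "up"}


def dead_reckon(commands, origin=(0, 0, 0)):
    """Position the drone should occupy after executing `commands` from `origin`."""
    x, y, z = origin
    for c in commands:
        dx, dy, dz = MOVES[c]
        x, y, z = x + dx, y + dy, z + dz
    return (x, y, z)


def distance(a, b):
    """Manhattan distance between two grid positions."""
    return sum(abs(p - q) for p, q in zip(a, b))


@dataclass
class FlightMonitor:
    plan: list                      # intended command sequence, in order
    base: tuple = (0, 0, 0)         # take-off position
    tolerance: int = 2              # cells of sensor/log disagreement tolerated
    log: list = field(default_factory=list)   # commands actually executed
    anomaly: str = ""

    def execute(self, command, reported_position):
        """Record an executed command and check it against plan and sensors.

        Returns None while the flight looks normal, or the return-to-base
        command list as soon as a deviation is detected.
        """
        if self.anomaly:
            raise RuntimeError("anomaly already raised; return-to-base in progress")
        self.log.append(command)
        step = len(self.log) - 1
        expected = dead_reckon(self.log, self.base)
        if step >= len(self.plan) or self.plan[step] != command:
            # A command the plan never contained: possible hijacked control.
            self.anomaly = f"command {command!r} at step {step} departs from the flight plan"
        elif distance(expected, reported_position) > self.tolerance:
            # Sensors disagree with the command log: possible GPS interference.
            self.anomaly = (f"reported {reported_position} but command log implies "
                            f"{expected}; possible GPS interference")
        return self.return_to_base() if self.anomaly else None

    def return_to_base(self):
        """Inverse of every logged command, most recent first.

        Built only from the command log, so it does not depend on the
        position source that may have just been tampered with.
        """
        return [INVERSE[c] for c in reversed(self.log)]


if __name__ == "__main__":
    # Constructed scenario: the reported position jumps far from the dead-reckoned one.
    monitor = FlightMonitor(plan=["up", "north", "north", "east", "east", "down"])
    for cmd, pos in [("up", (0, 0, 1)), ("north", (0, 1, 1)),
                     ("north", (0, 2, 1)), ("east", (1, 2, 1)), ("east", (5, 4, 1))]:
        result = monitor.execute(cmd, pos)
        if result:
            print(monitor.anomaly)
            print("return to base via:", result)
```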

Seen as novelties when they first appeared at the CES Show in 2010, putting these toys back in the box after a decade of mostly optimistic hype isn’t going to be easy. As so often happens, it looks as if the technologists who invented them will now have to busy themselves scrambling to secure their creation.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/HfpGNg6mDUQ/

UK Watchdog Criticizes Huawei for Lax Software Security, Development

Calling the company’s software development practices chaotic and unsustainable, a UK government oversight group calls on the company to make measurable progress toward more secure and sustainable code.

The group responsible for overseeing Huawei’s technical compliance with software and security standards in the UK roundly criticized the company for “serious and systematic defects in software engineering and cyber security competence” in a report released Thursday.

The annual report summarized the findings of the Huawei Cyber Security Evaluation Centre (HCSEC) Oversight Board, a panel of experts from the UK’s National Cyber Security Center (NCSC) tasked with evaluating the efforts of Huawei to adhere to technical and cybersecurity standards. The group’s fifth report found that the company continues to fail to adhere to basic secure coding practices, uses unsafe functions and libraries, suppresses warnings from security tools, and has an unmanageable build process.

“Given the scale of the issues, significant and sustained evidence of improvement across multiple versions and multiple products will be necessary to begin to build confidence in Huawei’s software engineering and cyber security quality and development processes,” the report stated. “A single ‘good’ build will provide no confidence in the long-term security and sustainability of the product in the real world.”

The criticism comes as some Western governments are pushing back against Huawei’s growing role in telecommunications networking. The US in particular has opposed Huawei’s expansion in cellular infrastructure and the worldwide rollout of 5G technology, going so far as to pass a law banning the technology in the US and to threaten to curtail intelligence sharing with some nations. Huawei fired back, filing suit against the US government in US courts.

Yet the issues identified by the UK’s HCSEC Oversight Board are more fundamental than political. Technology companies, especially those responsible for critical infrastructure, need to have better development practices in place, says Lane Thames, senior security researcher at Tripwire.

“Security evaluations of their hardware and software before production deployment should be required,” he says. “The organization who runs the infrastructure should implement strong foundation controls, such as change management, file integrity monitoring, secure configuration management, and vulnerability management, to ensure that systems comply with security policies once they are in production.”

Huawei has repeatedly committed to improving its software development and secure coding standards, but has so far failed to implement better practices, the HCSEC Oversight Board stated in the report. 

The Oversight Board’s analysis of the company’s use of the open source OpenSSL codebase, for example, found that it used 70 full copies of four different versions, 304 partial copies of 14 versions, and fragments of 10 other versions. Later versions of the company’s code had reduced the number, but the board members said it contained “code that is vulnerable to 10 publicly disclosed OpenSSL vulnerabilities, some dating back to 2006.” 

Another analysis of safe memory-handling functions found that 11% of direct byte-copying functions, 22% of string-copying functions, and 9% of string-printing functions used unsafe variants.

“Despite Huawei mandating application of its secure coding standards across R&D, extensive use of commercial static analysis tools and Huawei’s insistence that risky code has been refactored, there has been little improvement in the object software engineering and cyber security quality of the code delivered for assessment by HCSEC and onward to the UK operators,” the board members stated in the report.

Huawei did not respond to a request for comment sent via e-mail, but the company has committed to investing $2 billion over the next five years in its software engineering process. The Oversight Board lauded the commitment, but questioned why so little progress is visible.

“This proposed investment, while welcome, is currently no more than a proposed initial budget for, as yet, unspecified activities,” the board members stated in the report.

The problem is not just with Huawei, however. Other companies — from Microsoft to Cisco — often have critical vulnerabilities in their software but have generally embarked on secure programming initiatives to train developers in secure coding practices. 

“The problem here is that, one, developing secure software is hard, and, two, we are failing to integrate security fundamentals into our education system for STEM-based students,” Tripwire’s Thames said. “Vendors who develop Internet-connected hardware and software should ensure that they are implementing secure coding practices.”

Cybersecurity and geopolitical concerns have had an increasing impact on how companies do business. Two-thirds of security professionals have had to change where and with whom they do business because of cybersecurity concerns, according to a survey conducted by security firm Tripwire at the RSA Conference last month. 

“While some of these responses are not surprising, it’s likely that we’re underestimating the impact that growing nation-state cyberattacks have on business choices,” said Tim Erlin, vice president of product management and strategy at Tripwire, in a post. “We may not be far off from a time when locating a business in a nation that provides strong defenses is viewed as a competitive advantage.”

Calling on Huawei to provide demonstrable evidence that its software development practices have changed, the HCSEC Oversight Board stated that “strongly worded commitments from Huawei in the past have not brought about any discernible improvements.”


Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline …

Article source: https://www.darkreading.com/risk/uk-watchdog-criticizes-huawei-for-lax-software-security-development/d/d-id/1334287?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

20 Years of STRIDE: Looking Back, Looking Forward

The invention of STRIDE was the key inflection point in the development of threat modeling from art to engineering practice.

Today, let me contrast two 20-year-old papers on threat modeling. My first paper on this topic, “Breaking Up Is Hard to Do,” written with Bruce Schneier, analyzed smart-card security.  We talked about categories of threats, threat actors, assets — all the usual stuff for a paper of that era. We took the stance that “we experts have thought hard about these problems, and would like to share our results.”

Around the same time, on April 1, 1999, Loren Kohnfelder and Praerit Garg published a paper in Microsoft’s internal “Interface” journal called “The Threats to our Products.” It was revolutionary, despite not being publicly available for over a decade. What made the Kohnfelder and Garg paper revolutionary is that it was the first to structure the process of how to find threats.  It organized attacks into a model (STRIDE), and that model was intended to help people find problems, as noted:

The S.T.R.I.D.E. security threat model should be used by all MS products to identify various types of threats the product is susceptible to during the design phase. Identifying the threats is the first step in a proactive security analysis process.

STRIDE was not the first suggestion for a systematic approach. In his 1994 book, Fundamentals of Computer Security Technology, Ed Amoroso outlined a way to create threat trees, “starting with a general, abstract description of the complete set of threats that exists for a given system, and then introducing detail in an iterative manner, refining the description carefully and gradually.”

The invention of STRIDE is the key inflection point in the development of threat modeling from art to engineering practice. By moving us from folk wisdom to structure, STRIDE unleashed a flood of work towards making threat modeling accessible to all engineers.

At Microsoft, the frames included:

  • Frank Swiderski and Window Snyder’s Asset/Entry approach
  • J.D. Meier’s Patterns and Practices
  • Shawn Hernan and Tomasz Ostwald’s STRIDE per element, and
  • Adam Shostack’s (my) breakdown of approaches by their focus on asset, attacker or software, and four-question framework (There were certainly others; these are illustrative.)

Asset/Entry is a model derived from the physical world. For example, imagine a burglar stealing your stereo. The stereo is your asset, and the windows, doors, and chimney are the entry points. You track from one to the other and consider controls, such as locks or alarms, that stop or detect an attacker. 

Patterns and Practices is a framework that Microsoft has used for talking about development and operations for quite a long time; I believe it predates threat modeling. Patterns and Practices is more descriptive: This is what people do. They draw diagrams like these. They find that spoofing threats tend to associate with account creation patterns…

STRIDE per Element noted that certain threats happen less for types of elements: data flows aren’t spoofed (endpoints are); data stores are not subject to elevation of privilege.
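STRIDE per Element as a small program, added here as an illustration rather than code from the article or from Microsoft: each element kind of a data-flow diagram gets only the STRIDE categories that apply to it, encoding the two rules the paragraph states (data flows are not spoofed, their endpoints are; data stores are not subject to elevation of privilege). The full per-kind applicability table and the sample diagram (a browser, a web service, an account store and two flows) are assumptions made for the example.

```python
"""STRIDE-per-element over a small data-flow diagram.

Added example, not code from the article or from Microsoft. The applicability
table below is the conventional per-element STRIDE table, assumed here; the
sample diagram and element names are constructed for illustration.
"""
from dataclasses import dataclass
from enum import Enum


class Kind(Enum):
    EXTERNAL = "external entity"
    PROCESS = "process"
    DATA_STORE = "data store"
    DATA_FLOW = "data flow"


STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# Which STRIDE letters apply to which element kind. Processes get all six;
# data flows are never spoofed (their endpoints are); data stores are not
# subject to elevation of privilege; external entities are spoofed or repudiate.
APPLICABLE = {
    Kind.EXTERNAL: "SR",
    Kind.PROCESS: "STRIDE",
    Kind.DATA_STORE: "TRID",
    Kind.DATA_FLOW: "TID",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: Kind
    endpoints: tuple = ()   # for a data flow: (source name, destination name)


@dataclass(frozen=True)
class Threat:
    element: str
    category: str


def _index(elements):
    """Name -> Element map, validating that every flow's endpoints exist."""
    by_name = {e.name: e for e in elements}
    for e in elements:
        if e.kind is Kind.DATA_FLOW:
            if len(e.endpoints) != 2:
                raise ValueError(f"{e.name}: a data flow needs exactly two endpoints")
            for end in e.endpoints:
                if end not in by_name:
                    raise ValueError(f"{e.name}: unknown endpoint {end!r}")
    return by_name


def enumerate_threats(elements):
    """One Threat per (element, applicable STRIDE category), in table order."""
    _index(elements)
    return [Threat(e.name, STRIDE[letter])
            for e in elements for letter in APPLICABLE[e.kind]]


def spoofing_for_flow(elements, flow_name):
    """Where the spoofing concern for a data flow actually lives: its endpoints
    whose kind admits spoofing (a data store endpoint, for instance, does not)."""
    by_name = _index(elements)
    flow = by_name[flow_name]
    if flow.kind is not Kind.DATA_FLOW:
        raise ValueError(f"{flow_name} is not a data flow")
    return [end for end in flow.endpoints if "S" in APPLICABLE[by_name[end].kind]]


def threats_by_element(elements):
    """Element name -> list of applicable STRIDE category names."""
    out = {}
    for t in enumerate_threats(elements):
        out.setdefault(t.element, []).append(t.category)
    return out


def build_sample_dfd():
    """Constructed sample: a browser talks to a web service that reads an account store."""
    return [
        Element("browser", Kind.EXTERNAL),
        Element("web service", Kind.PROCESS),
        Element("account db", Kind.DATA_STORE),
        Element("login request", Kind.DATA_FLOW, ("browser", "web service")),
        Element("account lookup", Kind.DATA_FLOW, ("web service", "account db")),
    ]


if __name__ == "__main__":
    dfd = build_sample_dfd()
    for name, cats in threats_by_element(dfd).items():
        print(f"{name:15s} {', '.join(cats)}")
    print("spoofing for 'account lookup' is assessed at:", spoofing_for_flow(dfd, "account lookup"))
```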

Beyond Microsoft, over the past two decades, there has been a Cambrian explosion of tools.  Some are built on STRIDE, others not, but they all owe a debt to it.

That explosion, and my attempts to make sense of it, led to an understanding that different approaches often centered on either assets, attackers or the systems being built. Even the asset- and attacker-centered approaches had a way of scoping “what are we working on?” All had ways of addressing “what can go wrong?” These are the first two questions in my four-question frame; the others are “what are we going to do about it?” and “did we do a good job?”

The debt we owe to STRIDE is the idea that a model can give us a broadly applicable structure. That structure can go beyond just a single issue, such as “known plaintext” to multiple attacks. Now, if I’m using the known plaintext as an example, many readers will know that there’s chosen plaintext, adaptive chosen plaintext, and more variants. But those attacks are centered on cryptosystems and do us little good outside it. I’ve used STRIDE on everything from operating systems to a single addition to a web service. It’s broad in a way that its predecessors were not. 

The debt we owe STRIDE is also a debt that we owe Microsoft, for ongoing investments in tools, techniques, and software, and freely sharing much of that. 

Using STRIDE gives me the ability to understand the firehose of new attack variants and see them as small variants on other work. (For that, I use STRIDE and “memory corruption,” which is enough for most attacks.)

We should celebrate having a model that started in the era of desktop computing and has survived into the age of mobile, cloud, and web, and shows few signs of becoming obsolete.


Adam is a consultant, entrepreneur, technologist, author and game designer. He’s a member of the BlackHat Review Board and helped create the CVE and many other things. He currently helps organizations improve their security via Shostack Associates, and advises startups …

Article source: https://www.darkreading.com/20-years-of-stride-looking-back-looking-forward/a/d-id/1334275?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Gimme, gimme, gimme a SANS after midnight: Brush up on your cybersecurity skills in Sweden this May

Promo With cyber-attacks on the rise and constantly taking new forms, organisations rely more than ever on skilled IT security staff who can detect and deal with vulnerabilities in their systems.

If you are a cybersecurity professional, you can deepen your knowledge and catch up with the latest security developments at the SANS Institute training event taking place in Stockholm, Sweden, from 13-18 May.

Five intensive courses will sharpen the skills you need to defend your organisation against data breaches and prevent them happening in the future. SANS courses are written and taught by the best in the industry, who bring their real-world experience into the classroom and share it with the students.

They also offer the chance to prepare for GIAC Certifications, and SANS pledges that you will be ready to apply your skills on returning to work.

The courses on offer are:

Network penetration testing and ethical hacking

Covering tools and techniques, this course gives you a grounding in conducting penetration testing projects end to end.

With more than 30 challenging hands-on labs, it reveals dozens of methods for targeting systems to gain access and measure business risk.

Start with planning, scoping and recon, then delve into scanning, target exploitation, password attacks and web app manipulation. You will study a target’s infrastructure by mining blogs, search engines and social networking sites.

Automating information security with Python

Python is a simple, user-friendly language designed to make it easy to automate security tasks. Whether you are a beginner or have been coding for years, the course will enable you to create programs that lighten your workload.

Windows forensic analysis

Whether you know it or not, Windows is recording a vast amount of data about you and your users. The course helps you make sense of that data by focusing on in-depth knowledge of Microsoft Windows.

Learn how to recover and analyse forensic data, track user activity on your network, and organise your findings for incident response, internal investigations and litigation.

Cyber threat intelligence

The course aims to enable practitioners from across the security spectrum to develop analysis skills, synthesise complex scenarios, create intelligence through threat modelling, and understand threat intelligence.

You will learn the various sources of adversary data and how to exploit it, how to validate information received externally, and how to use formats such as YARA and STIX.

ICS/SCADA security essentials

A foundational course for security professionals and control system engineers charged with defending national critical infrastructure.

Topics covered include controlling attack surfaces, network defence architectures, responding to incidents in an industrial environment, and governance models and resources.


Full details on the course and how to register can be found right here

Sponsored:
Becoming a Pragmatic Security Leader

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/03/29/cybersecurity_sans_stockholm_2019/

Someone’s spreading an MBR-trashing copy of the Christchurch killer’s ‘manifesto’ – and we’re OK with this, maybe?

Hacktivists are spreading booby-trapped copies of the New Zealand mass shooter’s Islamophobic rantings, in what is being described as an online “vigilante” operation.

Security house Blue Hexagon claims it discovered a version of the killer’s manifesto doing the rounds online containing Windows malware that, when executed with the necessary privileges, reboots the system and leaves the user staring at an anti-racist message. The idea being to punish those who seek out the document, it appears.

The software nasty pulls this off by overwriting the boot drive’s master boot record (MBR), a data structure needed to start up the operating system after power on or a reboot, to just display the text, and then restarts the machine for good measure.

While the manifesto – a meme-laden soup of troll-tastic nihilistic nonsense – has been outlawed in New Zealand for inciting murder and terrorism, the file continues to circulate in underground forums. Links to the MediaFire-hosted doctored rant, we’re told, were first shared on Twitter, and 8chan – the LinkedIn-for-pedos forum site frequented by the Christchurch gunman whose name is not worth the bytes repeating here.

According to Blue Hexagon, the MBR-altering malware itself isn’t embedded directly inside the poisoned manifesto, being sent around as a .docx, but rather it is downloaded and executed by an obfuscated Visual Basic script within the document that triggers when opened and run.

“The weaponized version of the document resembles content from the original manifesto but does have several distinguishing features,” Blue Hexagon’s Irfan Asrar explained this week.


“The metadata from the original manifesto states the author as the name of the alleged suspect who has been arrested in connection with the terror attack, whereas the author info in the weaponized trojan says it was created by the author ‘Maori’ (a name for the indigenous people of New Zealand). The biggest difference in the weaponized version is the presence of the obfuscated VBA script code that attempts to download a second stage payload.”

The script in the document fetches a second file called haka.exe – the Haka being a traditional dance of the Maori, the indigenous people of New Zealand – and here is where the real damage is done. The executable scribbles over the MBR on the host, and then forces a reboot.

As the machine restarts, the user is presented with a black screen and the message in red text: “This is not us!” That’s a phrase shared by anti-racists, in an attempt to unite and heal, after attacks by white nationalists.

“Other than being disruptive, there is no motivation; such as a monetary one to be found in this attack,” Asrar concluded. Consult your operating system’s recovery and repair tools to rebuild the MBR if for some reason you’re hit with this malware. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/03/28/new_zealand_manifesto_malware/

Leaky Martin will be livin’ la vida lockdown: Ex-NSA bod cops to taking home ‘up to 50TB’ of hush-hush dossiers

Ex-NSA contractor Harold Martin has admitted he took home piles of top-secret US government reports and other materials, contrary to security rules and basic common sense.

The 54-year-old, of Baltimore, Maryland, who had worked for Uncle Sam for more than 22 years within a number of NSA departments, agreed in a federal district court on Thursday to plead guilty to a single charge of willful retention of defense information. He had earlier denied the allegation, and has pleaded not guilty to nine other identical counts, which are almost certain to be dropped as part of this week’s plea deal.

Martin is said to be facing up to nine years in the cooler, and will be sentenced later this year.


When he was indicted [PDF] back in 2017, prosecutors said Martin had spent the better part of two decades harvesting and hoarding digital and printed copies of hush-hush NSA and other government materials at home. Uncle Sam’s lawyers estimated Martin had snatched 50TB of secret information.

US government officials feared the files, once outside secured buildings and in Martin’s home, could or would fall into the hands of foreign spies and agents.

In his roles as a contractor, and previously while serving in the US Navy between 1988 and 1992, Martin had access to secret and top-secret documents. It is alleged that, beginning in 1996, he began to squirrel away copies of the dossiers in violation of America’s national security laws.

“Martin was never authorized to retain these documents at his residence or in his vehicle,” the indictment claimed. “Martin knew that he was not authorized to remove National Defense Information and classified documents from secure locations, was not authorized to retain them at his residence, and was not authorized to retain them in his vehicle.”

It is suspected that some of the documents ended up in the hands of the hacker group dubbed the Shadow Brokers, who later released NSA exploit code and other materials to the general public. Those cyber-weapons ended up being reused by miscreants in destructive malware, most notably the WannaCry ransomware, that was lobbed at civilian networks.

It is not yet known exactly how the secret data got from Martin’s stash to Shadow Brokers, if that were the case, though Kaspersky Lab had reported receiving an offer of exfiltrated NSA docs from someone they believed to be Martin. When he was arrested in 2016, the bloke was working for Booz Allen Hamilton, the same contractor that employed Edward Snowden when he absconded with a cache of NSA slides.

Martin’s lawyers, meanwhile, have argued that Martin’s actions were the result of mental illness that caused him to become a hoarder, and that the contractor never meant to put classified documents in the hands, or at least in reach, of America’s enemies.

Should Martin get the expected nine-year term, he would supersede former NSA worker Nghia Pho for the longest sentence handed down to someone letting slip classified American intelligence. Another ex-NSA employee, Reality Winner, was given five years and three months behind bars for leaking a classified report on Russian election meddling. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/03/29/nsa_harold_martin_guilty_plea/

New Android Trojan Targets 100+ Banking Apps

‘Gustuff’ also designed to steal from cryptocurrency wallets, payment services, e-commerce apps.

A Russian-speaking malware writer has developed a dangerous new Android Trojan that features a Swiss army knife-like set of capabilities targeting banking apps, cryptocurrency wallets, online payment services, and e-commerce sites.

Security vendor Group-IB, which discovered the threat, Thursday described it as spreading via text messages and targeting customers of more than 100 banks globally including several US-based ones such as Bank of America, Wells Fargo, and Capital One.

In an advisory Thursday, the Russia-based Group-IB described the malware, dubbed “Gustuff,” as also capable of targeting users of 32 cryptocurrency apps, numerous ecommerce sites, and payment services such as Western Union, BitPay, and PayPal.  

“Gustuff is a new generation of malware complete with fully automated features designed to steal both fiat and crypto currency from user accounts en masse,” the security vendor warned.

Rustam Mirkasymov, head of dynamic analysis of the malware department at Group-IB, says Gustuff infects Android smartphones via SMS messages containing a link to a malicious Android Package Kit (APK) file. The APK file format is what Android uses to distribute and install mobile apps on user devices.

Clicking on the link in this case downloads Gustuff on the user’s device. “The content of SMS can vary, but in general, it prompts users to click on the link to start downloading the malicious app,” Mirkasymov says.

Typically, Android prevents users from installing applications downloaded from unknown sources. “However, many people disable this security option, so the malicious application asks the user to grant a number of permissions, including the use of Accessibility Services,” he says. Once on a system, the malware is designed to spread further using the contacts list on the infected device.

Android’s accessibility services feature is designed to allow users with disabilities to more easily use Android apps and services. Attackers have previously shown how the feature can be manipulated to enable malware downloads and other malicious activities that bypass security controls on the system. However, so far at least, such misuse has been relatively rare, Mirkasymov says.

Exploiting Android Accessibility Services

According to Group-IB, Gustuff makes use of the Android Accessibility Service to interact with online banking apps, cryptowallets, applications for payment services, e-commerce sites, and other apps of interest to the attackers. Gustuff gives attackers a way to use the Accessibility Service to enter or change the values of text fields in banking apps and carry out other illicit transactions.

The malware is also designed to push out fake notifications that appear to come from legitimate banking and other targeted apps that an Android user might have installed on their device.

When a user clicks on the fake notification, the malware downloads a Web page that appears to belong to the banking or other app that sent the notification. For example, if the fake notification purported to be from the user’s mobile bank app, the malware serves up a Web page that appears to be the bank’s account login page.

In other instances, when a user clicks on the fake notification, the associated legitimate app opens and Gustuff then uses Android’s Accessibility Service to automatically manipulate payment and other fields for illicit transactions, Group-IB said.

“Accessibility Service allows Gustuff to focus on the object, click on the object, and change the object text,” Mirkasymov says. The privileges associated with the accessibility service “allow the Trojan to access and interact with push notifications as well as SMS.”

Significantly, Gustuff uses an automatic transfer system (ATS) function in conjunction with the Accessibility Service for auto-filling fields in legitimate mobile banking and other apps.

“Gustuff is not the first Trojan to successfully bypass security measures against interactions with other apps’ windows using Android Accessibility Service,” Mirkasymov noted. “The major difference is that the ATS function is implemented with the help of Accessibility Service, which both speeds and scales up thefts.”

Gustuff is another cautionary tale about the risks of downloading Android apps from outside the Google Play app store. Unsanctioned and insecure third-party app sites continue to be by far the biggest source of Android malware.

Also important is the need for users to pay attention when granting extra permissions to applications, Mirkasymov says. “It is important to always install software updates, pay attention to downloaded files’ extensions, and of course avoid suspicious SMS links.”

Group-IB said its researchers first observed Gustuff on hacker forums in April 2018. A Russian-speaking cybercriminal appears to have developed the malware but it is exclusively for use outside the country.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/mobile/new-android-trojan-targets-100+-banking-apps/d/d-id/1334284?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Microsoft Takes Down 99 Hacker-Controlled Websites

A judge granted Microsoft the injunction allowing them to disrupt a network of sites operated by an Iranian-linked group of hackers.

Microsoft said it has taken down 99 websites belonging to an Iranian state-linked hacking group it calls “Phosphorus,” aka APT35, Charming Kitten, and Ajax Security Team.

According to court documents unsealed this week, Microsoft received a court order allowing them to take control of websites the hacking group had used to execute phishing attacks with fake Microsoft security warnings.

In a blog post on the takedown, Microsoft’s Tom Burt, corporate vice president, Customer Security & Trust, wrote that the company had worked with other companies, including Yahoo and a number of domain registrars, to build the case that was taken before the judge to obtain the injunction.

Microsoft had been tracking Phosphorus since 2013 and had seen the group launch attacks around the world, though its more recent activity seemed to target businesses, government agencies, and “those involved in advocacy and reporting on issues related to the Middle East.”

Last December, researchers at Certfa spotted the Iranian hacking group attempting to break into the email accounts of US Treasury officials, Arab atomic scientists, Iranian civil society figures, Washington, DC think-tank employees, and defenders, detractors and enforcers of the US-Iran nuclear deal.

Phil Reitinger, president and CEO of the Global Cyber Alliance, says Microsoft’s use of legal power to disrupt the group is a best-case scenario. “Using what amounts to civil judicial remedies where you can get the evidence to back it up strikes me as a best practice for disrupting a group that’s harming you. Can mistakes be made? Sure, but for the sophisticated players that can support this, it is the most certain and defensible way to proceed,” he says.

Monique Becenti, channel and product specialist at SiteLock, says Phosphorus’ operation presents a cautionary tale for other businesses. “This is the second time Microsoft has had a run-in with nation-state cybercriminals and it goes to show that even one of the biggest and most sophisticated technology companies in the world can’t prevent these types of attacks,” she says.

That opinion was echoed by Terence Jackson, CISO at Thycotic. “Bad actors often know websites are often the weakest link and have infiltrated this time and time again.”

Microsoft, meanwhile, has dealt with this type of site impersonation in the past. In his blog post, Burt wrote, “We have used this approach 15 times to take control of 91 fake websites associated with Strontium.”

Ultimately, Reitinger hopes that other organizations will see this action as effective and use it as a model, rather than relying on other, extra-legal tactics.

“I think it’s worth highlighting the difference between this and the kind of activity referred to as ‘hack-back.’ I’m not in favor of hack back because it’s people taking the law into their own hands,” he says. “Using civil remedies – such as a temporary restraining order to take control of malicious sites – is a powerful tool that can be used to prevent or mitigate cyberattacks.”


Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and … View Full Bio

Article source: https://www.darkreading.com/attacks-breaches/microsoft-takes-down-99-hacker-controlled-websites/d/d-id/1334286?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Is your e-commerce site being used to test stolen card data?

An unspecified weakness in some versions of the Magento e-commerce platform is reportedly being misused by carding criminals to surreptitiously test the validity of stolen, leaked or skimmed credit and debit cards.

That’s according to news site ZDNet, which said it had seen an advisory from Magento which, frustratingly, doesn’t appear to have been made public yet – or mentioned in Magento’s sizeable list of security fixes released on 26 March. If you’re running Magento, I suggest you head over to the patch list and update anyway, as there are some fairly serious bugs in there.

A problem for criminals purchasing stolen credit card details from dark web dumping grounds is that they don’t know which ones are old or deactivated and which are still open to fraud.

Chances are, most won’t work but anything that helps them quickly sift the gold from the mud without drawing attention to themselves is incredibly useful.

The technique they’ve hit upon is to submit large numbers of zero-dollar ($0) transactions through Magento sites integrated with PayPal’s Payflow Pro card payment system.

PayPal can be integrated into eCommerce sites in several ways, one of which – Payflow Pro – offers the advantage that the customer is never distracted by having to leave the merchant’s website.

As PayPal explains:

PayPal is only running on the back end to process the payment. The customer never goes to the PayPal website and they only receive an order receipt from you, not one from PayPal.

A legitimate feature abused by fraudsters

This ability to channel queries through e-commerce sites without having to authenticate via PayPal might be what is attractive to criminals – from PayPal’s perspective, transactions will appear to come from the merchant.

If that’s what’s going on, this is simply a technique to obscure lots of otherwise suspicious transaction requests behind a legitimate front.

In theory, neither the merchant nor PayPal should lose money directly. It’s a way to cheekily check card validity so that fraud can be committed elsewhere.

On that basis, the hazard for merchants running Magento is that PayPal may eventually notice the strange transactions and suspend their accounts.

Why PayPal and not another platform? Sending zero-dollar transactions is a legitimate feature that merchants can use to verify cardholder data without charging anything. Some platforms charge a small fee for this facility, so if PayPal doesn’t, nothing shows up on the merchant’s bill and presumably any abuse of the system is easier to miss.

What to do?

Vulnerable versions are 2.1.x and 2.2.x, including both cloud and self-hosted. It’s not clear whether version 2.3 is affected but, writes ZDNet…

…the Magento team has not seen any evidence of abuse against these types of sites, as of yet.

Is there any way to detect whether a site has been affected? Until the issue is more clearly explained, it’s impossible to say with certainty – although it’s possible that large numbers of unusual transactions might generate unexpected PHP error messages that would show up in Magento logs.
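One thing a merchant can do without waiting for the advisory is look at its own payment-gateway request log for the pattern the article describes: a burst of $0 authorisations from one client against many different cards in a short time. A legitimate saved-card verification is one $0 auth per card per customer; a carder validating a dump is dozens of cards from one place in minutes. The script below is an added example, not code from Naked Security, Magento or PayPal. The CSV layout (timestamp, client IP, amount, card token, gateway result) is a constructed, generic export and not any real Magento or Payflow log format, so the field names will need adapting to whatever your integration actually records.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample input (not a real Magento or Payflow log): a normal
# checkout, one legitimate $0 card verification, then a burst of
# zero-dollar authorisations from a single client IP cycling through cards.
SAMPLE_CSV = """\
timestamp,client_ip,amount,card_token,result
2019-03-28T10:00:01Z,203.0.113.7,49.99,tok_a1,approved
2019-03-28T10:02:30Z,203.0.113.8,0.00,tok_a2,approved
2019-03-28T10:05:00Z,198.51.100.9,0.00,tok_b1,declined
2019-03-28T10:05:02Z,198.51.100.9,0.00,tok_b2,declined
2019-03-28T10:05:03Z,198.51.100.9,0.00,tok_b3,approved
2019-03-28T10:05:05Z,198.51.100.9,0.00,tok_b4,declined
2019-03-28T10:05:06Z,198.51.100.9,0.00,tok_b5,declined
2019-03-28T10:05:08Z,198.51.100.9,0.00,tok_b6,approved
2019-03-28T10:40:00Z,198.51.100.9,0.00,tok_b7,approved
"""


def parse_rows(text):
    """Parse the (hypothetical) CSV export into dicts, sorted by time."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        rows.append({
            "ts": ts.replace(tzinfo=timezone.utc),
            "ip": rec["client_ip"],
            "amount": float(rec["amount"]),
            "card": rec["card_token"],
            "result": rec["result"],
        })
    rows.sort(key=lambda r: r["ts"])
    return rows


def find_card_testing(rows, window=timedelta(minutes=10),
                      min_zero_auths=5, min_distinct_cards=4):
    """Return {client_ip: summary} for IPs whose zero-dollar auths within any
    sliding `window` reach both thresholds.

    Keying on *distinct cards* rather than raw volume is what separates a
    carder validating a dump from a shopper retrying one card.
    """
    recent = defaultdict(deque)  # ip -> (ts, card, result) of $0 auths in window
    flagged = {}
    for r in rows:
        if r["amount"] != 0.0:
            continue  # real purchases are out of scope for this check
        q = recent[r["ip"]]
        q.append((r["ts"], r["card"], r["result"]))
        while q and r["ts"] - q[0][0] > window:
            q.popleft()  # slide the window forward
        cards = {card for _, card, _ in q}
        if len(q) >= min_zero_auths and len(cards) >= min_distinct_cards:
            declined = sum(1 for _, _, res in q if res != "approved")
            prev = flagged.get(r["ip"])
            if prev is None or len(q) > prev["zero_auths"]:
                flagged[r["ip"]] = {
                    "zero_auths": len(q),
                    "distinct_cards": len(cards),
                    "declined": declined,
                    "first": q[0][0].isoformat(),
                    "last": r["ts"].isoformat(),
                }
    return flagged


if __name__ == "__main__":
    for ip, s in find_card_testing(parse_rows(SAMPLE_CSV)).items():
        print(f"{ip}: {s['zero_auths']} $0 auths on {s['distinct_cards']} cards "
              f"({s['declined']} declined) between {s['first']} and {s['last']}")
```

The thresholds are deliberately conservative; tune them against a week of your own traffic first, since a site that verifies cards at account creation will have a higher legitimate baseline of $0 auths than one that only authorises at checkout. A high decline ratio inside a flagged burst is a second tell, because most cards in a leaked dump are already dead.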

There was a time when securing an e-commerce site using a third-party security tool would have been viewed as cautious. Given the rising number of attacks on e-commerce sites in the last year, perhaps it’s time to reassess this way of thinking.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/60q0BLjnLqA/

“Twitter 2007 multicolor” hoax – debunk it, don’t spread it!

We’ve written about internet hoaxes many times before on Naked Security.

Sometimes, hoaxes – made-up nonsense about software, bugs or hackers – get spread widely because they sound exciting and scary.

Even when a hoax sounds bizarre and unlikely, it may get picked up and repeated as an earnest truth by millions of people, all of whom really ought to know better.

A few years ago, for example, we had Talking Angela, where a rumour took off that an unexplained reflection depicted in an app’s image was actually a paedophile that could take pictures of your children via your phone’s camera.

More recently, we had the odious hoax known as the Momo Challenge, where parents around the world needlessly terrified their own children by warning them that the image of a chicken-headed woman was circulating online, and bad things would happen to them if they accidentally saw it.

Of course, all the endlessly repeated gossip and hearsay surrounding this Momo picture resulted in the image itself – which was scary but not actively dangerous in any cybersecurity sense – being widely circulated, so that every panicky parent would know what it looked like just in case…

…while every panicked child would probably see it too, causing an uncontrolled spiral of fear.

Not all hoaxes are fear-mongering ones, however.

There are also pranks, like the Rickroll, where you send someone a link that you say is one thing but when they click it, they see a video of Rick Astley singing Never Gonna Give You Up.

The rickroll has cult status, and it’s well-known enough that most people who get caught out don’t get offended, but take it as a bit of harmless fun.

Indeed, the rickroll, if not overused (warning: it gets old quickly), could even be said to help people learn the lesson of not blindly clicking through “just because”, all without actually putting them in harm’s way.

But some pranks are neither harmless nor really funny once you think them through.

The “Twitter 2007 multicolor” hoax

This week’s “Twitter 2007 multicolor” hoax is a small but useful example.

Tweets have been circulating saying that you can trigger a cool new Twitter feature – colored tweets in a sort-of rainbow theme – simply by changing your birthday to 2007:

change ur birthday on twitter to 2007 and ur twitter changes completely different colors, it’s crazy, @ me when u do it.

Apparently if you change your Birthday on Twitter to 2007, each tweet starts getting a different color wtf…

Many people routinely give fake birthdays to cloud services, of course, with good reason.

A lot of organisations continue to treat birthdays as some kind of touchstone for customer identification, on the dangerously mistaken assumption that your birthday is meant to be a secret and is therefore a reliable way to establish someone’s identity over the phone or the internet.

A birthday is a useful way of cross-checking someone’s identity. That’s why surgical hospitals ask your name and birthday and what you’re in for on the way to the operating theatre. It doesn’t prove your identity, but it’s not supposed to – it’s just a simple precaution that helps to spot cases of mistaken identity. The hospital isn’t trying to stop you pulling off a fraud and tricking your way into getting someone else’s operation. It’s trying to make sure it doesn’t make a dreadful blunder and send you in for the wrong procedure.

So it might seem harmless to fiddle with your birthday and see what happens.

After all, many apps and services have so-called easter eggs, hidden features that only pop up when some unusual user input or configuration setting is used.

Easter eggs have a bit of a cult following with programmers and technical users – Microsoft Excel famously included hidden games until the company’s Trustworthy Computing initiative rightfully banned the practice as being a likely source of risky bugs from improperly tested code.

In this case, the “Twitter 2007 multicolor” hoax is actually a cruel way to get you locked out of your Twitter account.

Anyone spreading the hoax either hasn’t thought it through before repeating it, or has thought it through and figures it would be funny to cause trouble for other people.

Think about it!

Think about it – anyone born in 2007 is currently at most 12 years old, and therefore couldn’t possibly be 13, which is Twitter’s minimum age.

As Twitter Support itself urges:

Age is a bit of a poisoned chalice for Twitter and other social networks: it’s easy to lie about your age, so the “are you 13” check is kind of useless, because no one under 13 is going to say so…

…but if someone does say they are under 13, the service operator isn’t allowed to assume they’re joking and ignore them.

What to do?

If you go out of your way to insist to Twitter that you are too young to use its service, don’t be surprised if you get locked out of your account.

So, here’s what to do:

  • Don’t tell Twitter you’re 12 if you aren’t.
  • Don’t tell anyone else to tell Twitter they’re 12 if they aren’t.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/a1LIYmz0KNo/