
Windows Defender ATP is dead. Long live Microsoft Defender ATP

Microsoft nudged the Windows brand further out of the limelight today by thwacking its anti-malware package with the rebranding stick. Behold, Microsoft Defender ATP.

The change is necessary, as Microsoft is unleashing its endpoint protection platform onto the hitherto virgin territory of macOS.

Windows Defender first put in an appearance in Windows XP as an anti-malware component, evolving over the years until being renamed Windows Defender Antivirus as the software dug itself deeper into the Windows 10 operating system.

The Advanced Threat Protection (ATP) incarnation extended the functionality for Microsoft 365 customers, adding in detection and exploration over devices and identities, as well as automation to clean up the messes inflicted by miscreants where possible.

In February the gang added “Microsoft Threat Experts” into the mix, to speed up the response to threats.

According to Microsoft 365 head honcho, Brad Anderson, around 27 per cent of Windows 7 users actually use the thing. The figure rises to 55 per cent of all commercial PCs on Windows 10, either because, as Anderson said, “It’s built in. It’s a great experience. It’s always up to date. It’s always compatible” or maybe just because it is hard to avoid it, and IT admins like an easy life.

To be fair, in my experience, Windows Defender is far less of a resource hog than the products of certain other vendors, although customers have plenty of choice. A report by Statista put AVAST as the number one Windows anti-malware application vendor followed by Malwarebytes. The latter also enjoys quite a bit of love in the Apple community, according to one enterprise specialist we spoke to.

As part of Microsoft’s ongoing effort to move beyond Windows with the likes of Microsoft 365, it is extending this protection to other operating systems, starting with macOS. After all, once you’re paying for Office, what’s a little extra anti-malware between friends?

The newly renamed Microsoft Defender ATP is available for macOS now in a limited preview.

Threat and Vulnerability Management

The Defender ATP team has also pushed out to preview additional technology to deal with known vulnerabilities and misconfigurations that can be exploited by miscreants. Dubbed ‘Threat and Vulnerability Management’, the tech is geared up to scan the endpoints of an organisation and flag up weaknesses.

Anderson told us that technology was agentless (Defender having been built into the operating system for a while now). “It’s constantly monitoring the configuration and the settings of the device and when it sees that there is anything that is a known threat or a known vulnerability that is exposed, it automatically brings that to the attention of IT and IT can take automated action on that to clean it.”

Players of the Redmond drinking game will be delighted to spot the acronym “AI” in the announcement of the technology as an aid to identify nefarious activity. Admins should, however, be aware that in order to do the magic, Microsoft does need to suck telemetry from devices into its cloud.

According to Anderson, “It is just diagnostic data that allows us to make sure that we’re giving the direction to IT to take action.”

While Microsoft has published the definition for the data it is collecting, Anderson stated the obvious, “When you sign up to use this threat and vulnerability management, that does get commensurate with a level of that telemetry. And so it ties into a level of telemetry that you have to enable on Windows that is published.”

In other words, if you want to use Microsoft’s new smarts, you’re going to have to hand over some data.

Wary perhaps of the notoriously litigious world of anti-virus, Microsoft stated that the new toys would be “in addition to the existing partner integrations already available.”

Handy, because only this week anti-virus vendor McAfee was trumpeting its own integration in Microsoft Teams.

The Teams app will, of course, be a standard part of Office 365 ProPlus as default by the end of March. ®

Sponsored:
Becoming a Pragmatic Security Leader

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/03/21/microsoft_defender_atp/

Carolina coward fesses up: I was a tech support scambag, and I made millions out of defrauding the elderly

A man has pleaded guilty in America to a single felony count for his role in a $3m tech support scam operation.

Bishap Mittal, 24, of Charlotte, North Carolina, copped to one count of conspiracy to access a protected computer in a federal district court in the west of the US state. A sentencing date has yet to be set.

Earlier this month, Mittal was charged regarding his role in the running of Capstone Technologies, a US-based company that, through a call center in New Delhi, India, ran a highly lucrative tech support scam. According to prosecutors’ filings [PDF], Mittal and an unnamed co-conspirator ran the business side of the operation, including handling bank accounts and setting up aliases for the organization.

The scam itself involved the use of pop-up messages on webpages or in adware to scare victims into calling a support number.

“Pop-up ads were a central part of the conspiracy’s tech support scam,” Department of Justice lawyers stated on Wednesday.

“The fake pop-ups would suddenly appear on victims’ computers freezing their screens, prompting victims to contact Capstone Technologies at a number shown on the pop-up ad.”


The support calls would route to the phone bank in India, where operators wise to the scheme would connect remotely to a mark’s computer and, having pretended to run a security scan on the machine, lie about the presence of a malware infection, then press the stranger into purchasing bogus tech support and system security protection.

While a seemingly bog-standard scummy support scam, the operation netted its owners seven figures in ill-gotten gains.

The DoJ noted that many of the victims were elderly people, who would be pressured into spending anywhere from $200 to $2,400 at a time on crap they didn’t need. The operation was depressingly effective for the pair, and it is estimated that, by the time it was busted, Capstone Technologies had managed to trouser around $3m when it ran from 2014 to 2018.

Mittal himself provided little resistance to the charges, agreeing last week to plead guilty to the charge of conspiracy to access a protected computer just two days after prosecutors made their initial filing in the case.

The DoJ did not say when it would be trying Mittal’s unnamed co-conspirator in the case. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/03/21/tech_support_scambag/

Renegade Android apps can siphon off your web logins, browser history. So make sure Chrome or OS is patched, friends

Smartphones and other gadgets running Android 4.4 or later contain a bug that can be exploited by rogue apps to steal website login tokens and spy on owners’ browsing histories.

Those stolen authentication tokens can be used by a malicious application, such as a dodgy quiz app or game, to log into sites as the gizmo’s owner to siphon off their information or meddle with their online accounts.

This is according to Sergey Toshin of security house Positive Technologies, who took credit for the discovery and reporting of the flaw, CVE-2019-5765, which lies within Google Chrome on Android. With patches out since February, Positive today went public with details of the security blunder.

The bug was introduced into Android starting from version 4.4, aka KitKat, which was released in 2013. If you are running Chrome on Android version 72.0.3626.81 or later on Android 7.0 or higher, you are patched and safe from this vulnerability. This update should have been automatically applied by now – check for Chrome updates if you’re behind. If you’re running an earlier flavor of Android, you can try to update the operating system’s WebView component via Google Play services.

The security flaw is within the Chromium browser engine, which powers Chrome on Android, and WebView, which apps can use to render web content. From Android 7.0 onward, Chrome implements WebView using its Chromium engine, while pre-7.0 WebView is a separate component, which is why there are two separate patch routes depending on which flavor of the OS you’re using. Android 7 or higher? Update Chrome. Pre-7? Update WebView. This process may have been automatic and already happened, so don’t panic.

“Since Android 7.0, WebView has been implemented via Google Chrome and, therefore, updating the browser is enough to fix the bug,” a spokesperson for Positive told us this week. “On earlier Android versions, WebView must be updated via Google Play. Users who do not have Google Play Services on their smartphones should wait for a WebView update from the device manufacturer.”


As mentioned, applications can call upon WebView to display webpages within their user interfaces. We’re told that, unfortunately, on vulnerable devices, a malicious app can abuse “an exposed debugging endpoint” via the component to access browser data, including authentication tokens, and browser history. A program that was legit and benign could be sold to an unscrupulous developer, who could push out an update that exploits this flaw on unpatched devices, for instance.

“The WebView component is used in most Android mobile apps, which makes such attacks extremely dangerous,” said Leigh-Anne Galloway, Positive’s Cyber Security Resilience Lead. “The most obvious attack scenario involves little-known third-party applications. After an update containing a malicious payload, such applications could read information from WebView.”

The Samsung Internet Browser, Yandex Browser, and other browsers that use a vulnerable version of Chromium are also at risk. According to Positive, a miscreant could even abuse WebView via a dodgy instant app, which runs without installing any code, to begin collecting user data in a log file and potentially exfiltrate it.

“An attacker could specify the path to the file where the log should be written and even overwrite existing files, but he could not completely control the format of the recorded file, only some parts of the text,” Toshin explained to The Register.

“This is because, for example, any third-party applications can open any links in Chrome, without requiring any rights, therefore, the malicious application could activate the profiler, open an arbitrary link, some of the data would have been recorded in an arbitrary file, and then the profiler can be deactivated.”

Positive reiterated that while the most recent versions of Android will get a fix by updating to the latest version of Chrome, those running anything older than Android 7.0 will need to patch WebView separately, either via Google Play or through an over-the-air update from the device manufacturer. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/03/20/google_android_browser_vulnerability/

TLS 1.3: A Good News/Bad News Scenario

Stronger encryption standards are improving the privacy of data in motion, but enterprises will need to adapt their security architectures to maintain visibility into network traffic.

A growing number of blog posts and news stories are being written about the impact of the relatively new TLS 1.3 transport encryption standard, and for good reason. While TLS 1.3 enables much better end-to-end privacy, it can break existing security controls in enterprise networks that rely on the ability to decrypt traffic in order to perform deep-packet inspection to look for malware and evidence of malicious activity. Well-known examples of those security controls include next-generation firewalls, intrusion prevention systems, sandboxes, network forensics, and network-based security analytics products.

These security controls rely on access to a static, private key in order to decrypt traffic for inspection. The use of such keys is replaced in TLS 1.3 by the requirement to use the Diffie-Hellman Ephemeral perfect forward secrecy key exchange. That exchange occurs for each session or conversation that is established between endpoints and servers. In addition, the certificate itself is encrypted, which denies those tools access to valuable metadata for additional analysis.

The ephemeral key exchange is not new to TLS. TLS 1.2 also included it as an option. In TLS 1.3, it is required. Because TLS 1.3 restricts the ability of existing security controls and network performance troubleshooting tools to peer into packets, which they need in order to work properly, you’d think that enterprise enablement of the new TLS 1.3 standard would be relatively slow and cautious — akin to the adoption rate after IPv6 was finalized. In fact, the opposite is true. New research, TLS 1.3 Adoption in the Enterprise: Growing Encryption Use Extends to New Standard, published recently by Enterprise Management Associates (EMA), shows that enterprises are rapidly adopting the new specification, which was actually 10 years in the making.
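As an added example, not part of the EMA article or of any vendor’s inspection product, the Python below parses the TLS ClientHello and ServerHello and reports what a passive network monitor can still learn once a session negotiates TLS 1.3. It shows two things the paragraphs above describe: the real version is carried in the supported_versions extension (the ServerHello’s legacy_version field still says 0x0303), and only TLS 1.2 static-RSA cipher suites were ever decryptable with a server’s private key, so under TLS 1.3 a tap is left with the SNI and the cipher suite. The handshake bytes are constructed in the block (zeroed randoms, no session ID), not captured; the cipher-suite numbers are the IANA registry values.

```python
import struct

# Protocol constants from RFC 5246 (TLS 1.2) and RFC 8446 (TLS 1.3)
TLS12, TLS13 = 0x0303, 0x0304
EXT_SERVER_NAME, EXT_SUPPORTED_VERSIONS = 0, 43
HS_CLIENT_HELLO, HS_SERVER_HELLO = 1, 2
# TLS 1.2 suites with static RSA key exchange (IANA registry values): the only suites a
# passive tap holding the server's private key could decrypt. TLS 1.3 has none of these.
RSA_KEX_SUITES = {0x002F, 0x0035, 0x003C, 0x003D, 0x009C, 0x009D}


def _u16(buf, off):
    return struct.unpack_from("!H", buf, off)[0]


def _extensions(exts):
    body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in exts)
    return struct.pack("!H", len(body)) + body


def _record(hs_type, body):
    # Handshake header (type + 24-bit length) wrapped in a TLS record of content type 22
    handshake = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, TLS12, len(handshake)) + handshake


def build_client_hello(sni, versions, suites):
    """Constructed sample ClientHello: SNI plus a supported_versions list (not a real capture)."""
    sni_ext = struct.pack("!HBH", len(sni) + 3, 0, len(sni)) + sni
    ver_ext = bytes([2 * len(versions)]) + b"".join(struct.pack("!H", v) for v in versions)
    body = (struct.pack("!H", TLS12) + bytes(32) + b"\x00"            # legacy_version, random, empty session id
            + struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
            + b"\x01\x00"                                              # one compression method: null
            + _extensions([(EXT_SERVER_NAME, sni_ext), (EXT_SUPPORTED_VERSIONS, ver_ext)]))
    return _record(HS_CLIENT_HELLO, body)


def build_server_hello(selected_version, suite):
    """Constructed sample ServerHello; for 1.3 legacy_version stays 0x0303 and the real version is an extension."""
    if selected_version >= TLS13:
        legacy, exts = TLS12, [(EXT_SUPPORTED_VERSIONS, struct.pack("!H", selected_version))]
    else:
        legacy, exts = selected_version, []
    body = (struct.pack("!H", legacy) + bytes(32) + b"\x00"
            + struct.pack("!H", suite) + b"\x00" + _extensions(exts))
    return _record(HS_SERVER_HELLO, body)


def parse_hello(record):
    """Extract the fields a passive monitor can read from a ClientHello or ServerHello record."""
    hs_type = record[5]
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    info = {"type": hs_type, "legacy_version": _u16(body, 0)}
    off = 2 + 32                                   # skip legacy_version and random
    off += 1 + body[off]                           # skip legacy_session_id
    if hs_type == HS_CLIENT_HELLO:
        cs_len = _u16(body, off); off += 2
        info["cipher_suites"] = [_u16(body, i) for i in range(off, off + cs_len, 2)]; off += cs_len
        off += 1 + body[off]                       # skip compression methods
    else:
        info["cipher_suite"] = _u16(body, off); off += 3   # suite + compression method
    exts = {}
    if off + 2 <= len(body):
        end = off + 2 + _u16(body, off); off += 2
        while off < end:
            t, l = _u16(body, off), _u16(body, off + 2); off += 4
            exts[t] = body[off:off + l]; off += l
    if EXT_SERVER_NAME in exts:
        d = exts[EXT_SERVER_NAME]
        info["sni"] = d[5:5 + _u16(d, 3)].decode("ascii")
    if EXT_SUPPORTED_VERSIONS in exts:
        d = exts[EXT_SUPPORTED_VERSIONS]
        if hs_type == HS_CLIENT_HELLO:
            info["supported_versions"] = [_u16(d, i) for i in range(1, 1 + d[0], 2)]
        else:
            info["selected_version"] = _u16(d, 0)
    return info


def passive_visibility(client_record, server_record):
    """What an inline/passive inspection point still sees for this session, and whether it can decrypt."""
    ch, sh = parse_hello(client_record), parse_hello(server_record)
    version = sh.get("selected_version", sh["legacy_version"])   # 1.3 signals itself only via the extension
    return {
        "sni": ch.get("sni"),
        "negotiated_version": version,
        "cipher_suite": sh["cipher_suite"],
        "certificate_visible": version < TLS13,               # 1.3 sends Certificate under handshake keys
        "static_rsa_decrypt_possible": version < TLS13 and sh["cipher_suite"] in RSA_KEX_SUITES,
    }


if __name__ == "__main__":
    hello = build_client_hello(b"example.com", [TLS13, TLS12], [0x1301, 0xC02F, 0x002F])
    for sh in (build_server_hello(TLS13, 0x1301), build_server_hello(TLS12, 0x002F)):
        print(passive_visibility(hello, sh))
```

Two practical consequences fall out of the parser: a monitoring tool that keys on the ServerHello version field alone will log every TLS 1.3 session as 1.2, and once `static_rsa_decrypt_possible` is false for every session (as it is under 1.3, and already was for ECDHE suites in 1.2), visibility has to come from a TLS-terminating proxy or from the endpoints themselves rather than from a copy of the server key on a passive tap.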

In a survey conducted in late 2018, of 249 IT and IT security respondents in organizations primarily serving North America, 40% say they were already working to enable TLS 1.3 for internal network traffic, and 32% were already enabling it for inbound connections. Another 34% are planning to enable TLS 1.3 for internal traffic in the following six months, while 41% plan to enable it for inbound connections in that time frame. 

Security and Operational Issues
Despite the bullish adoption rate, respondents voice concerns about security and performance monitoring implications of the new standard. Only about 8% of respondents say they had no concerns over implementing TLS 1.3 from a security and operations perspective. Another 22% say they had “significant” concerns about both security and operations, and 40% report “some” concerns about security.

Why the disconnect? There are a few possible explanations:

  • Privacy concerns in North America may have caught up with European attitudes and values, especially as new regulations like the European General Data Protection Regulation and the new California Consumer Protection Act of 2018 go into effect. Both of those policies impact any organization that handles personal information of Europeans and Californians. Awareness overall about online privacy (or the lack thereof) has no doubt increased dramatically with the revelation of the Facebook/Cambridge Analytica scandal.
  • Enterprise IT shops may also feel pressured to respond to the quick uptake of the standard by major web server and browser vendors. Even before the finishing touches were put on the standard, Apple, Google, Microsoft, and Mozilla had already implemented TLS 1.3 in their web products.
  • Many enterprise IT security practitioners are painfully aware that their networks are already compromised, and it could be that they see encryption as a means to ensure that critical data is kept safe. In fact, of all the benefits that might motivate organizations to adopt the new TLS 1.3 standard, the top-ranked reason was improved data security, with 73% of respondents ranking security as the most important benefit, trailed closely by improved privacy for end-to-end security.

Multiple studies in the past have shown a steady increase in the use of encryption across the Internet as well as within enterprise networks. The EMA study validates those earlier findings. For example, 31% of respondents indicate that their organization’s use of encryption rose between 26% to 50% over the last 18 months. That trend will continue. Unfortunately, bad actors are also increasing their use of encryption to hide their tracks as they get past existing security controls and move laterally within enterprise networks in search of valuable data to exfiltrate. 

Clearly, the need for visibility into network traffic is not going to go away, even though stronger encryption standards are improving the privacy of data in motion. Enterprises will find that they have to adapt their security architectures to work with the new standard in order to maintain that visibility. How they will accomplish that remains to be seen.  

Related Content:

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Paula brings over 30 years of experience covering the IT security and networking technology markets. She has been an IT security analyst for 10 years, currently as a research director at Enterprise Management Associates. Prior to joining EMA she served as a research director …

Article source: https://www.darkreading.com/endpoint/tls-13-a-good-news-bad-news-scenario/a/d-id/1334180?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

‘Critical’ Denial-of-Service Bug Patched in Facebook Fizz

Researchers report a now-patched DoS vulnerability in Facebook Fizz, its open source implementation of the TLS protocol.

A critical denial-of-service (DoS) vulnerability was found in Facebook Fizz, the social media giant’s open source implementation of the Transport Layer Security (TLS) protocol, Semmle reports.

If you’re not familiar, Fizz enables secure communication with Web services and is used on most of Facebook’s internal and external infrastructure. Facebook made the source code open source last August; since then, it was likely used by other organizations and projects. The bug was discovered by Kevin Backhouse of Semmle’s research team and reported Feb. 20.

Semmle says the vulnerability is “relatively easy to trigger” for unauthenticated remote attackers. It’s considered a DoS bug because it causes an infinite loop in Fizz and renders the service unavailable for other users. By exploiting this, an attacker could take down any infrastructure that relies on Fizz but couldn’t gain unauthorized access to user data.

Facebook issued a patch (CVE-2019-3560) on Feb. 25, and its Web services are no longer vulnerable. Web applications dependent on Fizz are urged to upgrade their Fizz libraries. Semmle was awarded a $10,000 bug bounty for the discovery, which is out of the ordinary for DoS.

“While denial-of-service issues are typically not considered as part of our bug bounty program, this submission discussed scenarios which could have had significant risk,” Facebook said in an email to Semmle. The security firm will donate the bounty to Techtonica (which doubles the donation to $20,000) and match the original $10,000 bounty with a donation to Community Servings.


Article source: https://www.darkreading.com/application-security/critical-denial-of-service-bug-patched-in-facebook-fizz/d/d-id/1334202?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Less Than 3% of Recycled Computing Devices Properly Wiped

Researchers find that companies that refurbish or accept old equipment as donations don’t necessarily clean them of data as promised.

Here’s some eye-popping data about the computing devices that wind up at businesses that refurbish computers or accept donated devices: out of 85 devices tested by researchers at Rapid7, only two were wiped properly – and three were encrypted.

Tod Beardsley, director of research at Rapid7, says the study was the brainchild of Josh Frantz, a senior security consultant at Rapid7, who made the project a labor of love on nights and weekends.

Frantz tested desktops, laptops, removable media, hard drives, and cell phones from 31 businesses around his home in Wisconsin. He spent about $600 on the equipment. At the end of the six-month project, he found that many of the refurbishing and donation businesses don’t actually wipe data from those devices as promised.

“One of the big problems with the devices that wind up at these places is that it’s often hard to distinguish between work and personal devices today because so many people mix their personal and work lives,” Beardsley says. “From an IT perspective, it’s really important for corporate IT departments to set a policy that when the company refreshes devices that they all get wiped before the employee receives the new device. And for personal devices like a smartphone, it’s much easier today to wipe a phone and return it to the factory settings.”

In a blog posted by Rapid7 earlier this week, Frantz reported some of his findings. Data found on the exposed devices included the following:

  • 41 Social Security numbers
  • 19 credit card numbers
  • Two passport numbers
  • 147,000 emails
  • 214,000 images/photos

Frank Dickson, a research vice president at IDC, says it’s actually surprising that Rapid7 found any computers that were properly wiped. He says companies should be careful about everything from old ATM machines (not all ATMs are properly managed by banks), printers, fax machines, computers, and smartphones.

“With printers, for example, the company may have it on a lease so they have to be sure to wipe the data on those printers before it goes back to the leasing company,” Dickson says. “While it’s not clear how large a threat vector this is, the opportunity is there. This is one of easiest security issues to solve. You just have to remove the threat.

“If you don’t have time to wipe the device, use a hammer.”
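The Rapid7 study turned on whether a refurbisher’s promise to wipe a device had actually been kept. The Python below is an added example, not Rapid7’s tooling, of the check a receiving IT department can run on a drive image or block device before trusting such a promise: it looks for partition and filesystem signatures that survive a skipped or partial wipe, then measures how much of the device is non-zero to separate a zero-fill from a pattern overwrite or an encrypted volume. The three images it scans are constructed in the block; the signature offsets assume 512-byte sectors.

```python
import io

# On-disk signatures a completed wipe must destroy: (label, absolute byte offset, bytes).
# Offsets assume 512-byte sectors; the values are from the MBR/GPT/NTFS/FAT32/ext formats.
SIGNATURES = [
    ("MBR boot signature", 510, b"\x55\xAA"),
    ("GPT header", 512, b"EFI PART"),
    ("NTFS boot sector", 3, b"NTFS    "),
    ("FAT32 boot sector", 82, b"FAT32   "),
    ("ext2/3/4 superblock magic", 1024 + 56, b"\x53\xEF"),   # s_magic 0xEF53, little-endian
]
HEADER_BYTES = 4096          # enough to cover every offset in SIGNATURES
CHUNK = 1 << 20              # stream the rest in 1 MiB pieces so large devices fit in memory

NOT_WIPED = "not wiped"
ZERO_FILLED = "zero-filled"
OVERWRITTEN_OR_ENCRYPTED = "overwritten or encrypted"


def assess_wipe(stream, zero_threshold=0.001):
    """Scan a readable image/device stream and classify it.

    Returns the signatures still present, the fraction of non-zero bytes, and a verdict:
    NOT_WIPED if filesystem/partition structures remain, ZERO_FILLED if essentially all
    bytes are zero, otherwise OVERWRITTEN_OR_ENCRYPTED (random/pattern fill or a volume
    that was encrypted rather than erased; confirm against the wipe log in that case).
    """
    header = stream.read(HEADER_BYTES)
    found = [label for label, off, sig in SIGNATURES if header[off:off + len(sig)] == sig]
    total = nonzero = 0
    chunk = header
    while chunk:
        total += len(chunk)
        nonzero += len(chunk) - chunk.count(0)   # bytes.count(0) counts zero bytes
        chunk = stream.read(CHUNK)
    fraction = nonzero / total if total else 0.0
    if found:
        verdict = NOT_WIPED
    elif fraction <= zero_threshold:
        verdict = ZERO_FILLED
    else:
        verdict = OVERWRITTEN_OR_ENCRYPTED
    return {"signatures": found, "nonzero_fraction": fraction, "verdict": verdict}


def sample_images():
    """Constructed 64 KiB images (not real captures): an intact NTFS volume, a zero-filled
    disk, and a disk overwritten with a repeating 0x00..0xFF pattern."""
    ntfs = bytearray(64 * 1024)
    ntfs[3:11] = b"NTFS    "
    ntfs[510:512] = b"\x55\xAA"
    ntfs[8192:8192 + 27] = b"Q4 payroll - CONFIDENTIAL.x"     # leftover user data
    zeros = bytes(64 * 1024)
    pattern = bytes(range(256)) * 256
    return {"ntfs": bytes(ntfs), "zeros": zeros, "pattern": pattern}


def assess_all():
    """Run the check over the constructed images; returns {name: verdict}."""
    return {name: assess_wipe(io.BytesIO(img))["verdict"] for name, img in sample_images().items()}


if __name__ == "__main__":
    for name, img in sample_images().items():
        print(name, assess_wipe(io.BytesIO(img)))
```

On a real drive the stream is simply `open("/dev/sdX", "rb")` (read-only, and run as a user with permission to read the raw device); a spot check of this kind takes minutes and is the difference between a donation receipt and the 41 Social Security numbers the study recovered.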

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md.

Article source: https://www.darkreading.com/vulnerabilities---threats/less-than-3--of-recycled-computing-devices-properly-wiped/d/d-id/1334208?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

The Insider Threat: It’s More Common Than You Think

A new study shows why security teams must look holistically across cybersecurity, compliance, technology, and human resources to truly address the business effects of workforce risk.

Many companies take an “it will never happen here” mindset to insider threats because they believe they hire the best, most honest and trusted employees. That may be true in the beginning, after a bulletproof background screening done years ago. But later on, stress factors sometimes intrude in an individual’s life such as a difficult divorce, a DUI, or some other type of arrest, bankruptcy, or lien.

Most of the time, these stressors are external and out of sight of the employer. In some cases, they lead employees to disrupt events internally, which puts organizations at risk, even if executives know nothing about the individual circumstances.

There are many recent examples of workforce problems that have negatively affected large corporations financially and in terms of their reputations:

  • A former Goodwill employee stole $93,000 from the charity by faking payroll records.
  • A rogue Tesla employee broke into the company’s manufacturing operating system and sent highly sensitive data outside of the firm.
  • Uber’s 60-person crisis team is dealing with 1,200 severe incidents reported to the company weekly, including verbal threats, physical and sexual assault, rape, theft, and serious traffic accidents.

The good news is that many security executives have begun to recognize the fallout from insider workforce risks. According to a recent Endera survey of 200 security executives, on average, companies with 1,000 employees or more experience at least three workforce-related incidents a week — that’s 156 per year — which includes fraud, cybersecurity risks, workplace violence, and device theft or loss. Several key trends from this report also highlight the need for security executives to dig deeper and be more proactive.

A proactive workplace safety culture: The Endera report revealed that 88% of respondents agree that companies can proactively head off problems through effective policy enforcement and employee assistance programs to retain talent and ensure a motivated and safe workforce environment. Conversely, in the wake of a workforce-related security incident, almost 40% of respondents reported that employees lost confidence in the organization’s ability to keep them safe.

Supply chain risks: A full 87% of security executives surveyed said independent contractors/freelancers are most likely to be the cause of workforce-related security incidents such as fraud and device theft at their company, and 64% reported that supply chain/third-party vendors were the most likely cause of these risks. The report went on to find that 71% of those contractors have face-to-face interactions with customers, including those who rely on the extension of the enterprise to provide daily services such as child care, transportation, healthcare, and more.

A broader, more holistic view of threats: A full 86% of respondents reported device theft or loss among their top three risks, followed by fraud (80%) and cybersecurity threats (74%). Three in 10 (31%) respondents cited cybersecurity incidents, including IP theft and data loss as the costliest internal or external security threat being experienced by their organization over the last 12 months. While cyber threats are clearly important, security executives need to consider physical workforce risks as well.

Negative business effects of workforce risks: The vast majority — 98% — of security executives reported that their organization has experienced negative business effects as a result of workforce-related incidents. For example, the survey found that:

  • 63% of respondents stated they experienced financial loss and loss of sensitive data.
  • 60% shared that customers’ trust in the organization decreased and that the organization’s reputation suffered.
  • 59% reported declining workforces’ confidence in the organization’s ability to keep them safe and that employees left the organization as a result of these incidences.

Pre- and post-employment screening: While three-quarters of all organizations surveyed conduct pre-employment screens 44% of the time, companies said they are not aware of potential workforce or personnel issues prior to an incident. Just under half (48%) of respondents said these employee screening checks are continued on a regular basis. Of those using internal data from data loss prevention tools, user activity monitoring, communications monitoring, or keystroke software to evaluate risk in their workforce, four in 10 respondents reported that the information isn’t always available quickly enough, and 34% reported that the range of information isn’t up to date and doesn’t always cover all of the data, such as ongoing scanning of public criminal or civil records, ongoing sanctions, or license requirements needed to actively mitigate the risk. The majority of respondents reported that employee screenings, such as background checks or ongoing evaluation, happens on a less-frequent basis, with only 11% reporting that it happens monthly and only 2% of respondents reporting that their organization updates external background checks on an individual on a daily basis.

The ability to proactively evaluate, diagnose, and mitigate workforce risk by knowing and understanding all risk factors is critical. Security teams must move from a reactive to a proactive workforce risk management approach and look holistically across the entire enterprise including cybersecurity, compliance, technology, and human resources to truly address the business impacts of workforce risk.


Raj Ananthanpillai is the chairman and CEO of Endera. Previously, he was the CEO of InfoZen, a high-end cloud and DevOps IT services company which was successfully sold in 2017. Prior to this, he served as the chief strategy officer of ePlus, Inc. (NASDAQ: PLUS), a business …

Article source: https://www.darkreading.com/vulnerabilities---threats/the-insider-threat-its-more-common-than-you-think--/a/d-id/1334186?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Google Photos Bug Let Criminals Query Friends, Location

The vulnerability, now patched, let attackers query where, when, and with whom victims’ photos were taken.

A now-patched vulnerability in the Web version of Google Photos could let cybercriminals learn the details of a user’s photo history, Imperva reports.

Through browser-based timing attacks, hackers could analyze image data to learn when a person visited a particular place. It’s not a common threat, and it’s most effective in a targeted scenario, but it was possible for someone to use a malicious website to access photo data.

Google Photos knows a lot about the people who use it. The service automatically tags each image using metadata (date, location coordinates), and its artificial intelligence engine can detect objects and events that would indicate a wedding, waterfall, sunset, or range of other locations, explains Imperva researcher Ron Masas. Facial recognition tags people also present in the photos.

Coupled with Google Photos’ powerful search engine, this detailed information could share a lot about when, where, and with whom a person has been. All of this data can be used in search queries to unearth certain photos – for example: “Photos of me and Ashley from Paris 2018.”

Masas decided to investigate Google Photos for side-channel attacks when he learned the extent of its search capabilities. He found the service’s search endpoint is vulnerable to an attack called Cross-Site Search, or XS-Search. In a proof of concept, he used the HTML link tag to create multiple cross-origin requests to the Photos search endpoint. Using JavaScript, he measured the time it took for the onload event to trigger. This is the baseline time, or the time it took to query Google Photos’ server and receive zero photo results as a response.

With this baseline time, Masas queried “photos of me from Iceland” and compared the two times. If this search took longer, he could infer the user had visited Iceland based on the data. If he added a date, he could know whether photos were taken in a specific time frame. For every place queried, a time longer than the baseline time indicates the user took photos there.

Here’s how this vulnerability works: an attacker would first have to send the target a malicious link while that person is logged into Google Photos, by embedding malicious JavaScript inside a Web advertisement or sending a direct message via email or an online messaging service. The malicious JavaScript then creates requests to the Google Photos search endpoint and extracts answers from their timing.

“The vulnerability is basically allowing different sites to search for you,” Masas explains. As the malicious page is open, an attacker could repeatedly query Google Photos in the background. “By using the advanced search feature, I can ask a lot of questions about you,” he adds.

However, once the victim closes the malicious page, the searches stop. “The moment you close the site, I no longer can do that,” Masas says. “But I can trick you into opening another site in the future and can continue from there. It does require you to open a website each time.”

In his opinion, this isn’t a very complex attack but it does have the most value if a hacker is specifically targeting one individual. For example, someone could have used this to determine the location of a high-profile person or know who they have been spending time with. This type of attack “is very hard to detect if you’re not looking for it actively,” Masas adds. Could a similar vulnerability exist in other online services and applications? “Definitely,” he notes. Many developers aren’t aware of this problem, and it’s important large and small sites learn of it.
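One server-side check that closes this class of hole, added here as an example and not code from Google or from Masas’s research: a Fetch Metadata resource-isolation policy that refuses cross-site loads of an authenticated search endpoint, so the link-tag trick described above never reaches the search backend and every refusal is logged. The `Sec-Fetch-*` names are the browser’s real request headers; the `X-Requested-With` fallback for old browsers and the logging hook are assumptions made for this example.

```javascript
// Added example (not Google's or the researcher's code): Fetch Metadata
// resource isolation for an authenticated search endpoint. A cross-site
// <link> tag arrives as Sec-Fetch-Site: cross-site, Sec-Fetch-Mode: no-cors,
// Sec-Fetch-Dest: style, and is refused before any search runs, so there
// is no result-dependent timing to measure.

const SEC_FETCH_SITE_OK = new Set(['same-origin', 'same-site', 'none']);

// Generic policy: returns { allow, reason } so refusals can be logged/counted.
function resourceIsolationPolicy(headers, method) {
  const site = headers['sec-fetch-site'];
  const mode = headers['sec-fetch-mode'];
  const dest = headers['sec-fetch-dest'];

  // Browsers without Fetch Metadata send no Sec-Fetch-* headers. Assumed
  // fallback: accept only requests carrying a header that a cross-site
  // <link>/<img> load cannot add.
  if (site === undefined) {
    return headers['x-requested-with'] === 'XMLHttpRequest'
      ? { allow: true, reason: 'legacy-xhr' }
      : { allow: false, reason: 'no-fetch-metadata' };
  }
  if (SEC_FETCH_SITE_OK.has(site)) {
    return { allow: true, reason: `site=${site}` };
  }
  // Cross-site: a top-level GET navigation (the user clicked a link) is
  // harmless for ordinary pages, but not when the target is framed/embedded.
  if (mode === 'navigate' && method === 'GET' &&
      !['iframe', 'frame', 'object', 'embed'].includes(dest)) {
    return { allow: true, reason: 'cross-site-navigation' };
  }
  // Everything else is a cross-site subresource load: <link> gives
  // mode=no-cors dest=style, <img> gives dest=image, fetch() gives mode=cors.
  return { allow: false, reason: `cross-site ${mode || '?'} ${dest || '?'}` };
}

// A JSON search endpoint is never a legitimate cross-site navigation target,
// so it refuses cross-site requests outright; the log line is the detection
// hook that makes repeated probing visible.
function allowSearchRequest(headers, method, log = () => {}) {
  const verdict = resourceIsolationPolicy(headers, method);
  if (verdict.allow && headers['sec-fetch-site'] === 'cross-site') {
    verdict.allow = false;
    verdict.reason = 'api-endpoint-cross-site-navigation';
  }
  if (!verdict.allow) log(`refused search request: ${verdict.reason}`);
  return verdict.allow;
}
```

Pair this with `SameSite=Lax` session cookies: then even a browser without Fetch Metadata sends no credentials on the cross-site subresource load, and the endpoint answers as an anonymous user with a result-independent response.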

This isn’t the first time Masas has exposed an attack of this nature. Earlier this month, Facebook patched a flaw he had discovered in the Web version of Facebook Messenger, which could have let attackers view the people with whom someone had been chatting. Similarly, a victim would have to be tricked into opening a bad link; he’d also have to click somewhere on the page. When a new tab opened, the attacker could use the previous page to load the messenger chat endpoint and view which specific person or bots the target had been talking to.

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/application-security/google-photos-bug-let-criminals-query-friends-location/d/d-id/1334209?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

BEC Scammer Pleads Guilty

A business email compromise (BEC) operation resulted in $100 million in losses to a multinational technology company and a social media firm, according to the US Attorney’s Office.

A Lithuanian man extradited to the US in 2017 has pled guilty to a business email compromise (BEC) scam that netted him more than $100 million.

Evaldas Rimasauskas, 50, operated the BEC scam from 2014 to 2015, fooling a multinational technology firm and global social media company to wire funds into accounts he controlled. The US Attorney’s Office did not disclose the names of the victim companies.

Rimasauskas, who now faces a maximum sentence of 30 years in prison for wire fraud, created a company in Latvia with the same name as an Asia-based computer hardware manufacturer, according to the USAO. He sent phishing emails to employees and associates of the victim firms, directing them to purchase products and services from the phony company, and money was wired to accounts he controlled.

“As admitted today, he devised a blatant scheme to fleece US companies out of $100 million, and then siphoned those funds to bank accounts around the globe. Rimasauskas thought he could hide behind a computer screen halfway across the world while he conducted his fraudulent scheme, but as he has learned, the arms of American justice are long, and he now faces significant time in a US prison,” Manhattan U.S. Attorney Geoffrey S. Berman said in a statement.

Rimasauskas will be sentenced on July 24, 2019.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/attacks-breaches/bec-scammer-pleads-guilty/d/d-id/1334210?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Researchers Seek Out Ways to Search IPv6 Space

Security researchers regularly search IPv4 address space looking for servers with ports exposing vulnerable software. With the massive number of IPv6 addresses, however, they have lost that ability. Can tricks and workarounds save the day?

In April 2014, Google announced that one of its researchers had found a critical vulnerability in the widely deployed OpenSSL software used to encrypt connections to Web servers and other Internet hosts.

To assess the risk from the vulnerability, security professionals and academic researchers began scanning the 4.3 billion addresses on the Internet, looking for unpatched servers vulnerable to the now-infamous Heartbleed flaw. Researchers were not the only ones searching the entire Internet. Within a few days, attacks came from more than 700 different sources, according to a 2014 paper published by a team of researchers from various universities.

The ability to gain similar intelligence in the future may disappear, however. About a quarter of Internet users currently connect to Google over IPv6, up from 5% four years ago, according to data collected by the search giant. As service providers adopt the next-generation Internet protocol, IPv6 will become more common, and researchers worry that their ability to exhaustively search the network will fail.

“As the number of IPv6 users continues to increase, we are beginning to see some of the security implications present in many of the default configurations being deployed around the world,” says Earl Carter, manager of security research at Cisco. “This has contributed to many of the threats that are being encountered by organizations on a daily basis,” he says.

Time for a little math.

The IPv6 Internet has 2^128 addresses, or 3.4 times 10^38 — an astronomical number. (For comparison, astronomers estimate that there are 2 times 10^23 stars in the universe, which means there are a million billion times more IPv6 addresses than stars.) If it took a single second to scan the entire IPv4 address space, it would take 25 billion billion centuries to scan all of the IPv6 address space.

In a March 18 blog post, two members of the Cisco Talos research group highlighted the issue.

“Enumerating all active hosts by scanning all of this address space is practically, and theoretically, infeasible,” wrote Martin Zeiser and Aleksandar Nikolich. “With the greater adoption of IPv6, this threatens to hide an ever-larger number of hosts in future internet surveys. This is especially critical as a growing number of unsecured internet-of-things devices come online.”

Yet researchers should not be counted out quite yet. While an exhaustive search of the IPv6 Internet is not possible, researchers have been searching for workarounds that could allow them to find active systems in the dark recesses of the IPv6 Internet.

“It comes down to tricks,” said Tod Beardsley, research director at vulnerability-management firm Rapid7. “IPv6 is a ginormous space. … Your server cannot be found unless you are advertising its address.”

Rapid7 regularly scans the entire IPv4 Internet for 70 different protocols under its Project Sonar service, which feeds the company’s other security and threat-intelligence products. In 2018, the company found that the United States had the most exposed systems, including 6.1 million exposed databases and 1.2 million exposed SMB servers.

The company has not yet developed a way to provide a similar service under IPv6, Beardsley said.

In their blog post, the two Cisco Talos researchers described one way that servers could be located in the dark matter of the IPv6 space. Universal Plug and Play (UPnP), a protocol designed to allow automated network discovery on local networks, is often exposed to the Internet and can be used to fool devices into revealing their IPv6 addresses.

By sending out a UPnP notify packet to every IPv4 address, the research duo found about 12,000 devices that advertised their IPv6 addresses. Most of the devices were consumer devices, such as security cameras, smart TVs, and, in some cases, Windows machines set up as BitTorrent peers.

“Even though our resulting dataset is small, it represents a unique subset of active IPv6 devices which were so far unexplored,” the researchers stated. “Users should ensure that their devices don’t have unintentional IPv6 connectivity or if it’s intentional, that it’s adequately firewalled.”

Others have also found some ways around the enormous, and sparsely populated, IPv6 address space. The scanning service Shodan, which offers a searchable database of exposed Internet services, exploited the behaviour of a widely used pool of servers that others rely on to synchronize their clocks, according to a description published by the SANS ISC Internet Forum. A server that wants to update its time to the global norm contacts its default Network Time Protocol (NTP) servers and requests the latest time. To do so, it has to provide its own address, so servers using an IPv6 address essentially announce themselves to whoever operates the NTP server, says Johannes Ullrich, dean of research for the SANS Technology Institute.

“Shodan came up with this ingenious idea of having systems connect to them,” he says. “And, of course, there is nothing that you can do at that point, and they will scan you based on that. That is one of the more efficient ways to find IPv6 hosts.”

The question for companies is whether being scanned is good or bad. While it could give altruistic researchers the ability to find unknown problems and notify the company, attackers more often use scanning to find servers vulnerable to a specific attack.

“As a first step, you probably should ‘fix’ your NTP infrastructure,” Ullrich stated in the blog post. “Systems in your network should only synchronize with internal NTP servers, and only these authorized NTP servers should communicate with the outside.”

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline …

Article source: https://www.darkreading.com/researchers-seek-out-ways-to-search-ipv6-space/d/d-id/1334213?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple