STE WILLIAMS

What do sexy selfies, search warrants, tax files have in common? They’ve all been found on resold USB sticks

About two-thirds of USB memory sticks bought secondhand in the US and UK have recoverable and sometimes sensitive data, and in one-fifth of the devices studied, the past owner could be identified.

These results come this week from a study conducted by the University of Hertfordshire in the UK and commissioned by Comparitech, a consumer product comparison website.

The researchers purchased 200 USB drives, 100 in the US and 100 in the UK between January and May 2018, from eBay, secondhand shops and conventional auctions. In the US, at least, most sellers demonstrated awareness of the need to erase data – only a single drive showed no sign of an erasure attempt. In the UK, 19 showed no sign of attempted cleansing.

Troublingly, the material recovered was often fairly sensitive. There were nude images of a middle-aged man, along with contact details. There were legal documents like a search warrant and risk assessments. There were financial papers dating back years, along with personal data. There were also tax forms, wage slips and the like.

From the data found, 20 former device owners in the US and 22 in the UK could be identified. The researchers, however, did not make an effort to contact those individuals to alert them to their poor data hygiene.

Sixty-four people in the US and 47 in the UK tried to delete their data, but didn’t actually manage it. Eight USB sticks in the US and 16 in the UK had been reformatted, but the data could be recovered “with minimal effort.”

About the same percentage of people managed to wipe their data successfully, presumably with a data erasing tool – 18 in the US and 16 in the UK.

There were also several drives that could not be read at all – six in the US and one in the UK – as well as one USB stick in the UK that could not be read because it was encrypted with BitLocker.

It’s not that people don’t know data should be deleted before a drive changes hands. Rather, they don’t know how to do it in a way that makes the data unrecoverable. Dragging files to the trash and choosing “Empty Trash”, or running a quick format, only rewrites filesystem metadata: the directory entry or the allocation table goes, but the blocks holding the file’s contents stay exactly where they were until something else happens to overwrite them, and any file-carving tool will find them.

As anyone with even modest knowledge of IT security will tell you, reliable deletion takes more effort than that, which is why US standards body NIST devotes a document of more than 60 pages to the subject (SP 800-88, Guidelines for Media Sanitization). Two caveats apply to USB sticks in particular. Because flash controllers remap and wear-level blocks, an overwrite issued from the host cannot be guaranteed to reach every physical cell, so physical destruction is the only sure option for a drive you are throwing away. And encrypting a drive before first use, as the one BitLocker-protected stick in the study illustrates, turns disposal into the much simpler problem of never handing over the key.
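To make the difference concrete, here is an added example (not code from the study or the article) that models a stick as a byte array with a tiny directory table in front of a data region. The layout, the function names and the sample file contents are constructed for the example and are not any real filesystem, but the three behaviours it shows are how real media behave: deleting touches only the directory entry, a quick format resets only the directory region, and only a wipe touches every byte.

```python
"""Delete vs. quick format vs. overwrite on a toy drive image.
Added example: the layout below is an assumption made for this page,
not a real filesystem."""
import os
import re

IMAGE_SIZE = 4096
TABLE_SIZE = 256          # directory region: 8 fixed-width entries
ENTRY_SIZE = 32           # name (16) | offset (4) | length (4) | spare (8)
DATA_START = TABLE_SIZE


def new_image() -> bytearray:
    return bytearray(IMAGE_SIZE)


def list_files(img: bytearray) -> dict:
    """Read the directory table: name -> (offset, length)."""
    files = {}
    for slot in range(TABLE_SIZE // ENTRY_SIZE):
        e = slot * ENTRY_SIZE
        if img[e] == 0:                      # empty slot
            continue
        name = bytes(img[e:e + 16]).rstrip(b"\0").decode()
        off = int.from_bytes(img[e + 16:e + 20], "big")
        length = int.from_bytes(img[e + 20:e + 24], "big")
        files[name] = (off, length)
    return files


def write_file(img: bytearray, name: str, payload: bytes) -> int:
    """Append payload after the last live file and record it in the table."""
    used_end = DATA_START
    for off, length in list_files(img).values():
        used_end = max(used_end, off + length)
    if used_end + len(payload) > IMAGE_SIZE:
        raise RuntimeError("image full")
    for slot in range(TABLE_SIZE // ENTRY_SIZE):
        e = slot * ENTRY_SIZE
        if img[e] == 0:
            img[e:e + 16] = name.encode().ljust(16, b"\0")
            img[e + 16:e + 20] = used_end.to_bytes(4, "big")
            img[e + 20:e + 24] = len(payload).to_bytes(4, "big")
            img[used_end:used_end + len(payload)] = payload
            return used_end
    raise RuntimeError("directory full")


def delete_file(img: bytearray, name: str) -> None:
    """'Empty Trash': clear the directory entry; the data bytes are untouched."""
    for slot in range(TABLE_SIZE // ENTRY_SIZE):
        e = slot * ENTRY_SIZE
        if bytes(img[e:e + 16]).rstrip(b"\0") == name.encode():
            img[e:e + ENTRY_SIZE] = bytes(ENTRY_SIZE)


def quick_format(img: bytearray) -> None:
    """'Quick format': reinitialise the directory region only."""
    img[0:TABLE_SIZE] = bytes(TABLE_SIZE)


def secure_wipe(img: bytearray) -> None:
    """Overwrite every byte with random data, then zeros. Sufficient where the
    host addresses physical blocks directly; on flash with wear-levelling,
    blocks the controller has remapped may escape this."""
    img[:] = os.urandom(len(img))
    img[:] = bytes(len(img))


def carve_strings(img: bytearray, min_len: int = 8) -> list:
    """What a recovery tool does: ignore the directory and scan the raw bytes
    for runs of printable text."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode() for m in re.finditer(pattern, bytes(img))]


def demo() -> dict:
    """Run the three scenarios on constructed sample data and report what a
    carving tool would still see after each."""
    img = new_image()
    write_file(img, "wages.txt", b"wage slip: employee 4711, net pay 1234.56")   # constructed
    write_file(img, "warrant.txt", b"SEARCH WARRANT: premises at 12 Example Rd")  # constructed
    out = {}
    delete_file(img, "wages.txt")
    out["after_delete"] = carve_strings(img)
    quick_format(img)
    out["after_quick_format"] = (list_files(img), carve_strings(img))
    secure_wipe(img)
    out["after_wipe"] = carve_strings(img)
    return out


if __name__ == "__main__":
    for stage, found in demo().items():
        print(stage, found)
```

After the delete, the wage slip is still carvable; after the quick format the directory is empty but both documents are still carvable; only after the wipe does carving return nothing.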

USB stick study graph

“This study would indicate that while in the US, some effort had been made to remove the data from the USB memory sticks in 99 per cent of the cases, in the UK this figure was only 81 per cent,” the study says. “This would indicate a higher level of awareness in the US to the potential issues.”

Despite this, people in the US were no more likely to delete data successfully than those disposing of drives in the UK.

Computer makers could help matters by relabelling the “Empty Trash” menu to something more accurate like “Sweep Files Under the Rug” but computer users ultimately have to look after their own interests.

In an email to The Register, Paul Bischoff, editor of Comparitech, advised not cutting corners when erasing data. “If you’re throwing it out, destroy it with a hammer or drill first,” he said. “If you’re selling it, use secure erasure software or a full, low-level format – not a ‘quick’ format – to completely remove remnant data.” ®

Sponsored:
Becoming a Pragmatic Security Leader

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/03/14/usb_recoverable_data/

Open-source 64-ish-bit serial number gen snafu sparks TLS security cert revoke runaround

A bunfight over a controversial UAE mobile security company led to the discovery that millions of TLS security certificates have been improperly issued – thanks to a dodgy default configuration in popular certificate authority (CA) management software.

During a discussion on the mozilla.dev.security.policy group about Darkmatter’s application to become a fully fledged cert-issuing CA, netizens discovered that the company’s supposedly 64-bit serial numbers in its certificates were in fact one bit short, the top bit being always zero to indicate a positive integer. After engineers at other organizations read the thread, they realised their own certificates were similarly affected.

Some 2,000,000-plus security certificates, issued by Google, GoDaddy, and others, may need to be replaced, as a result.

UAE-based Darkmatter is in the spotlight due to a January report by newswire Reuters alleging its involvement in state-backed hacking efforts, which it has denied. The report subsequently drew the attention of Firefox browser-maker Mozilla and prompted the Moz dev chatter.

Security researcher Adam Caudill summarised the problem in a blog post earlier this month: “During an analysis of certificates issued by DarkMatter, it was found that they all had a length of exactly 64 bits – not more, not less.”


As he explained, RFC 5280, which among other things governs the format of X.509 public key certificates, requires a certificate’s serial number to be a positive integer, never zero or negative, and no longer than 20 octets. The 64-bit minimum comes not from the RFC but from the CA/Browser Forum’s Baseline Requirements, which demand at least 64 bits of CSPRNG output in every serial.

That explains why Darkmatter’s certificate serial numbers have their top bits clear. ASN.1 DER encodes an INTEGER in two’s complement, so an eight-byte value whose most significant bit is set would decode as negative unless a ninth, zero byte is prepended. Software that wants to keep serials at exactly eight bytes therefore forces the top bit to zero, which leaves only 63 bits that the random generator actually controls.

Caudill speculated that Darkmatter may have used a particular open-source certificate-issuing package, EJBCA, whose default is to draw 64 bits from a random-number generator and clear the top bit to enforce the positive-integer rule. That halves the number of possible serial numbers, which are the identifiers used to track issued certs and revoke them.

A cert’s serial number must be unique among all certificates issued by its CA, and under the Baseline Requirements it must also be unpredictable: the 64-bit entropy floor was adopted so that an attacker cannot know a certificate’s serial in advance and precompute a hash collision against the CA’s signature, which is exactly what the 2008 MD5 rogue-CA demonstration relied on. One bit fewer doubles the odds of both a collision and a correct guess, and a standard written as a hard floor does not care how small those odds still are.

It’s not the end of the world. Traffic encrypted using the certs will not suddenly fall open to eavesdropping, for instance. It’s mainly an embarrassing oversight in the strict, by-the-book world of cryptography.

There is nothing to stop CAs using longer serial numbers; it’s just that the default in this particular toolkit is misleading.
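The arithmetic behind the story, as an added example that is not EJBCA’s code and not anyone’s production generator: a DER INTEGER encoder that shows why a set top bit costs a ninth byte, a model of a generator that clears the top bit of a 64-bit draw, a model of one that draws more bits than the floor, and a checker against the two rules cited above. The function names are this example’s own.

```python
"""Serial-number entropy: why clearing the top bit of a 64-bit draw leaves
63 random bits, and what a compliant generator looks like. Added example;
the generator models are assumptions, not any CA software's code."""
import secrets


def der_integer(value: int) -> bytes:
    """Encode a non-negative int as a DER INTEGER (tag 0x02, short-form length).
    DER integers are two's complement: if the first content byte has its top
    bit set the value reads as negative, so a 0x00 byte must be prepended."""
    if value < 0:
        raise ValueError("certificate serial numbers must be positive")
    content = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if content[0] & 0x80:
        content = b"\x00" + content
    if len(content) >= 128:
        raise ValueError("long-form length not needed for serials")
    return bytes([0x02, len(content)]) + content


def decode_der_integer(der: bytes) -> int:
    """Decode a short-form DER INTEGER, honouring the sign bit."""
    if der[0] != 0x02:
        raise ValueError("not an INTEGER")
    length = der[1]
    return int.from_bytes(der[2:2 + length], "big", signed=True)


def serial_top_bit_cleared(rng=secrets.randbits) -> int:
    """Model of the problematic default: draw 64 bits, force bit 63 to zero so
    the value fits in eight positive bytes. Only 63 bits are random."""
    return rng(64) & ~(1 << 63)


def serial_compliant(rng=secrets.randbits, nbytes: int = 16) -> int:
    """Draw 16 bytes, clear the top bit, reject zero: 127 random bits remain,
    above the 64-bit floor, and the 16 content octets stay under RFC 5280's
    20-octet ceiling."""
    width = nbytes * 8
    while True:
        s = rng(width) & ~(1 << (width - 1))
        if s > 0:
            return s


def varying_bits(gen, width: int, samples: int = 2000) -> int:
    """Empirical entropy probe: count bit positions that take both values
    across many draws. A bit pinned at zero contributes nothing."""
    mask = (1 << width) - 1
    ones = zeros = 0
    for _ in range(samples):
        v = gen()
        ones |= v
        zeros |= ~v & mask
    return bin(ones & zeros).count("1")


def check_serial(serial: int, random_bits: int) -> list:
    """Problems under RFC 5280 s4.1.2.2 and Baseline Requirements s7.1."""
    problems = []
    if serial <= 0:
        problems.append("serial must be a positive integer (RFC 5280)")
    elif len(der_integer(serial)) - 2 > 20:
        problems.append("serial longer than 20 octets (RFC 5280)")
    if random_bits < 64:
        problems.append(f"only {random_bits} bits of CSPRNG output, BR 7.1 needs 64")
    return problems


if __name__ == "__main__":
    print(der_integer(1 << 63).hex())               # tag 02, length 09, leading 00
    print(varying_bits(serial_top_bit_cleared, 64))  # 63
    print(varying_bits(serial_compliant, 128))      # 127
    print(check_serial(serial_top_bit_cleared(), 63))
    print(check_serial(serial_compliant(), 127))
```

The point of `varying_bits` is that the defect is invisible from any single serial: each one is eight bytes long and positive, so only a population of them shows that bit 63 never moves.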

D’OH-fault settings

A recent response on the mozilla.dev.security.policy (MDSP) list by SSL.com’s Fotis Loukos, its director of R&amp;D, as reproduced by Mozilla CA program manager Wayne Thayer here, suggested that EJBCA’s default settings may have been responsible for lulling CAs into a false sense of security. Ouch.

“EJBCA’s method of generating serial numbers has led to a discrepancy between expected and actual behavior and output, such that any CA using EJBCA with the default settings will encounter this issue,” he posted, noting that this would put those CAs in breach of section 7.1 of the CA/Browser Forum Baseline Requirements (PDF, 65 pages), which since 30 September 2016 has required certificate serial numbers to be non-sequential, greater than zero, and to contain at least 64 bits of output from a cryptographically secure pseudo-random number generator (CSPRNG).

Other responses from Apple, Google and others shed light on the practical impact.

Apple admitted it had issued a total of 878,000 non-compliant TLS certificates, of which 558,000 were still in use five days ago, as well as 2,000 S/MIME certs. In a timeline appended to its report yesterday, it said that in April 2017 it had “mistakenly suppressed alerts detecting serial numbers suspected to be insufficient in length,” before starting to revoke the affected certificates last week.

Google Trust Services, the adtech monolith’s certificates arm, did not spell out precisely how many non-compliant certificates it had issued but did say that it comprised all certificates that its Google Internet Authority G3 trust chain issued between 30 September 2016 and 28 February this year.

GoDaddy was similarly affected from 2016 onward, according to its response, having issued a total of 285,936 non-compliant certificates, of which 12,152 are still live. It scaled this down from its original estimate of 1.8 million non-compliant certificates, adding: “We are looking to scope and roadmap upgrading our certificate serial number to a minimum of 128-bit, or the max possible.”

The controversy over Darkmatter continues. While the serial number security issue is largely theoretical – 63 bits leaves plenty of space to fend off collision attacks, even if it’s not compliant with the spec – CAs will continue to have a minor headache as they identify, revoke, and reissue affected certs. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/03/13/tls_cert_revoke_ejbca_config/

Just Android things: 150m phones, gadgets installed ‘adware-ridden’ mobe simulator games

Android adware found its way into as many as 150 million devices – after it was stashed inside a large number of those bizarre viral mundane job simulation games, we’re told.

The so-called Simbad malware was built into mobile gaming titles such as Real Tractor Farming Simulator, Heavy Mountain Bus Simulator 2018, and Snow Heavy Excavator Simulator, according to infosec research biz Check Point today.

Each of those named apps had more than five million installs at the time the research was carried out, with Snow Heavy Excavator Simulator having been downloaded more than 10 million times. In total the malware was found in 210 seemingly legitimate apps, which have now been pulled from the Google Play store.

Although researchers believed that the titles were legitimate, they said they thought the devs were “scammed” into using a “malicious SDK, unaware of its content, leading to the fact that this campaign was not targeting a specific country or developed by the same developer.”

Once installed, the malicious Simbad SDK phones home and starts embedding itself on the user device to prevent removal, and would start fetching and displaying ads to generate revenue. Anti-removal techniques it uses include “removing the icon from the launcher,” displaying background ads during normal phone usage, and forcing the device’s browser to open a given URL.


“SimBad has capabilities that can be divided into three groups – Show Ads, Phishing, and Exposure to other applications,” said Check Point in its summary of the research. “With the capability to open a given URL in a browser, the actor behind SimBad can generate phishing pages for multiple platforms and open them in a browser, thus performing spear-phishing attacks on the user.”

The malware’s command and control server runs an off-the-shelf install of Parse Server, an open source version of the Parse Backend mobile app infrastructure software.

With capabilities that include opening attacker-chosen URLs in the browser, which could be used to present a user with a fake login page, Check Point noted that SimBad “already has the infrastructure to evolve into a much larger threat.”

So now people have to go through the list of applications and remove them to get rid of the malware, so get busy all you players of Beard mustache hairstyle changer Editor (over one million downloads amazingly).

Google should also take another look at its malware scanning systems. While the Chocolate Factory claims that its AI-powered code checkers booted out 700,000 malicious apps in 2017, it’s clear the ad giant is still asleep at the switch. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/03/13/checkpoint_adware_downloads/

Thought you were done patching this week? Not if you’re using an Intel-powered PC or server

Hot on the heels of this month’s security updates from Microsoft, Adobe, and SAP, Intel has kicked out a batch of its own bug patches.

Chipzilla’s March patch dump is highlighted by fixes for 19 CVE-listed vulnerabilities in its graphics drivers for Windows. If you use Windows and have those drivers (and if you’re running an Intel CPU with integrated GPU, you almost certainly do) you will want to patch sooner than later.

All of the flaws require local access to exploit, so users will only be in danger if a miscreant is already running code on your machine, at which point you would already be in a pretty bad spot. Some also require the compromised or rogue user account to be an administrator, further reducing the potential harm inflicted through these bugs – because if you’re a malicious user or malware with admin rights, you can already go fill your boots.

Among the flaws Intel rates most serious are CVE-2018-12214 and CVE-2018-12216, both in the kernel-mode driver, though both require the attacker to already hold privileged access.

The 12214 bug is a memory corruption error, while the 12216 flaw is due to insufficient input validation. If exploited, both would potentially allow code execution at the operating system kernel level. A third vulnerability, CVE-2018-12220, could also allow code execution, but is considered a low security risk as it is much more difficult to exploit.


Also of note is CVE-2018-12223, a virtual machine escape flaw stemming from bad access controls in the User Mode Driver. A successful exploit of that bug would allow the user of a VM to get access to the host machine on their local server.

Denial of service errors accounted for six of the bugs: CVE-2018-12211, CVE-2018-12212, CVE-2018-12213, CVE-2018-12215, CVE-2018-18090, CVE-2018-18091. As the description would suggest, those flaws potentially allow for a crash if exploited, and are classified as either low or medium exploit risks.

The remainder of the patched vulnerabilities are information disclosure issues. For the most part they would let a local attacker view device configuration details or read memory contents, and Intel rates them as low to medium severity; the need for local access is what keeps the risk down.

Users and admins will be able to patch all of the bugs by updating to the latest available versions of Intel Graphics Driver for their processors, here.

But wait, there’s more

Finally, there are a bunch of other security fixes out this week for more Chipzilla products.

Most notable is a load of updates to address vulnerabilities in Intel’s CSME, Server Platform Services, Trusted Execution Engine, and Active Management Technology firmware and software. These holes can, for instance, be exploited by anyone with physical access to a vulnerable box to execute code at the motherboard firmware level or thereabouts, increase their privileges, read data, and cause other mischief.

Some of the bugs require a compromised or rogue user to be logged in with admin rights to exploit, and some require no authentication at all beyond physical access.

These vulnerabilities are rather nasty because they lie within the hidden motherboard firmware that IT pros use to manage office PCs, workstations, and servers remotely. The technology ships across a range of Intel processors, from Core desktop chips to Xeon data-center parts, so whether you’re a home user or an office worker, your system may be affected.

Don’t start panicking, please, because, as we said, someone either needs to, in some cases, physically get hold of your machine to attack it, or they need to have admin rights on the box anyway.

This vulnerable technology runs beneath the operating system and any antivirus packages, and thus compromising these components can potentially compromise the entire box without anyone noticing, allowing the intruder to silently spy on victims, siphon off documents, and tamper with data. We’ve written about this sort of threat a lot, for example, here.

Here’s a run down of these latest system firmware-level patches:

  • CVE-2018-12188: Intel Converged Security and Management Engine (CSME) or Trusted Execution Engine (TXE): An unauthenticated user can potentially modify data via physical access.
  • CVE-2018-12189: Content Protection subsystem of CSME or TXE: Privileged user can potentially modify data via local access.
  • CVE-2018-12190: CSME or TXE: A privileged user can potentially execute arbitrary code via local access.
  • CVE-2018-12191: CSME or TXE: An unauthenticated user can potentially execute arbitrary code via physical access.
  • CVE-2018-12192: CSME or Server Platform Services: An unauthenticated user can potentially bypass MEBx authentication via physical access.
  • CVE-2018-12199: CSME or TXE: A privileged user can potentially execute arbitrary code via physical access.
  • CVE-2018-12198: Server Platform Services: A privileged user can potentially cause a denial of service via local access.
  • CVE-2018-12208: HECI subsystem in CSME, TXE, or Server Platform Services: An unauthenticated user can potentially execute arbitrary code via physical access.
  • CVE-2018-12200: Capability Licensing Service: An unprivileged user can potentially escalate privileges via local access.
  • CVE-2018-12187: Active Management Technology (AMT): An unauthenticated user can potentially cause a denial of service via network access.
  • CVE-2018-12196: AMT in CSME: A privileged user can potentially execute arbitrary code via local access.
  • CVE-2018-12185: AMT in CSME: An unauthenticated user can potentially execute arbitrary code via physical access.

Check the above advisories for affected version numbers, then fetch and apply these updates from your computer’s manufacturer as required. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/03/14/intel_march_patches/

GPS Spoof Hits Geneva Motor Show

Incident leaves GPS units showing a location in England and a date 17 years in the future.

At least seven manufacturers at the annual Geneva Motor Show, which began last week in Switzerland, have been hit by an attack that left their cars thinking they were somewhere far, far away.

According to Jalopnik, which covers the automotive industry, Audi, Peugeot, Renault, Rolls-Royce, Volkswagen, Daimler-Benz, and BMW reported to show security that their cars’ GPS units were displaying a location in Buckingham, England. Oh, and that the year was 2036.

While the address is the home office of RaceLogic, a company that makes GPS simulation equipment, a company spokesman said RaceLogic has nothing to do with the issue and that unmodified equipment couldn’t cause spoofed information over the wide area affected by the attack.

So far, no one has claimed responsibility for the attack, and it is unknown whether it was intentional or accidental. Whichever the case, it seems further proof that GPS signals can be spoofed by any number of actors — something that is raising concerns for many in transportation industries.


Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/iot/gps-spoof-hits-geneva-motor-show/d/d-id/1334147?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Autism, Cybercrime, and Security’s Skill Struggle

People on the autism spectrum often possess traits that could help them succeed in cybersecurity – providing they don’t fall into cybercrime first.

Many cybercriminals aren’t diagnosed with autism until they enter the criminal justice system – and the same traits that lead them toward digital crime could potentially help them fight it.

Rebecca Ledingham, vice president of cybersecurity at Mastercard, spotted the trend earlier in her career as a cyber agent for the UK’s National Crime Agency. “They weren’t the kinds of offenders I was used to dealing with in drugs and sex crimes,” she said in an interview with Dark Reading. Their social behavior, she said, was different from what she’d seen in other areas of crime.

Often, she continued, cybercriminals are first diagnosed as being on the autism spectrum during the criminal justice process. Later in her career, as a cyber agent for INTERPOL’s Global Complex for Innovation (IGCI), she realized the issue was broader. Ledingham’s work with global agencies revealed that, outside of cybercrime, no other offense came with a foundational condition. “There’s no other organic set of offenders that may be predisposed to cybercrime due to the nuances of their disorder,” she said.

Autism presents itself at the age of two or three, and more than 17 million people worldwide are diagnosed, said Ledingham in an RSA Conference talk. Their curiosity and eagerness to solve problems, among other traits, can lead them into dangerous areas, especially online.

Traits on the autism spectrum that lead folks into cybercrime could work just as well in a security operations center – but it’s essential to understand the nuances of these behaviors because no two people with autism have the same set of characteristics. As Lysa Myers, ESET security researcher, put it: “If you’ve met one autistic person, you’ve met one autistic person.”

So which traits lend themselves to careers in tech and, specifically, cybersecurity?

“Oftentimes people with autism are very good with math and science,” said Ledingham in her talk. IT is logical and syntax-guided; there is usually one way of doing things. Many people with autism are pattern-thinkers, she added. “If you look at a piece of code and it’s missing a semicolon, you would notice because the pattern doesn’t fit,” she said.

Many people with autism are “hyperlexic,” an autism-related term for those who are intensely interested in letters and numbers and who possess an advanced reading ability. For them, it would be simple to switch between English and coding, as they could easily understand both.

A photographic memory is another trait seen in people with autism, Myers said. It’s another quality that could, for example, help them think of a network architecture and visualize security holes.

“People with autism are very focused on problem solving,” Ledingham said. “You have a real difficult problem … they will focus on it until it’s solved.” They’re detail-oriented, rule-oriented, and they have the tenacity to stick with complex issues other people may abandon.

So Why Turn to Cybercrime?
“Our scientific and digital world has been built on the output of the autistic mind,” Ledingham said. Still, there are a number of complicating factors that make it more likely that people with autism will fall into cybercrime rather than start a security career.

For starters, many struggle with social anxiety. They avoid eye contact and/or suffer from depression, social isolation, and a high need for control. Most people Ledingham worked with tried to get the academic credentials to legitimize themselves but failed to succeed in college – an atmosphere characterized by social interactions and a lack of routine or control.

“For some people, college can be really overwhelming,” Myers said. “They can have poor grades and not make it through.” As a result, they lack the degree needed for most security jobs.

But on the Internet, they could be who they want to be. People who are bullied in real life can have a plethora of friends online, she added. When she talks to cybercriminals who have later been diagnosed, she has found gaming is the common thread that lures them into crime. These days, the gateway is Fortnite: Kids as young as 14 are part of a hacking program built around the game.

“The police are not interested when your Fortnite account or World of Warcraft account gets hacked,” she said. “But if kids are cutting their teeth on it, there’s no legal consequences.”

We have to think of crime profiling differently in cybersecurity, Ledingham said. People with autism often understand right and wrong, but they often don’t understand actions and consequences.

What Businesses Should Know
Organizations could benefit by welcoming employees with autism, but many don’t know how. People with autism often don’t reflect personality in interviews and struggle with behavioral-based questions. You can’t ask them to imagine how they might act in a certain scenario, for example. Questions should be specific, literal, and direct. Deadlines should be made clear.

“The more you spell things out, the easier it is,” Myers said. During the hiring process, be specific about each step and expected date of each one. When onboarding new employees, outline what is expected within the first three months and continue to work with them to set goals, schedule deliverable dates, and notify them of any changes. “Be clear about what steps you’re going to have, what’s expected of them, and what’s expected of you,” she explained.

It helps to approach the hiring process in a project-oriented way, Ledingham said. Give them a project and evaluate their performance, then hire them based on the output of that project. She pointed to Microsoft as an example of a company with a program designed for workers with autism.

“They now have one of the most comprehensive hiring programs where autism is concerned,” she noted.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/threat-intelligence/autism-cybercrime-and-securitys-skill-struggle/d/d-id/1334149?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Three in Five Politicians’ Websites Don’t Use HTTPS

Comparitech assessed the websites of more than 7,500 politicians in 37 countries and found 60.8% did not use valid SSL certificates.

Security and politics have become so intertwined since the 2016 presidential election that research group Comparitech decided it was time to look into the security of politicians’ websites.

What they found is alarming: Three in five politicians’ websites lack basic HTTPS security, according to their new study.

HTTPS — the secure version of the Hyper Text Transfer Protocol — provides a way to assure site visitors that they are communicating with the correct party, says Paul Bischoff, the tech journalist, privacy advocate, and VPN expert, who posted a blog about the study for Comparitech.

“It’s really easy for fraudsters to set up a phishing site and collect money,” Bischoff says. “There needs to be a push for the politicians to lead by example and make their sites more secure.”

In conducting the research, the Comparitech team went old-school, Bischoff says, combing websites one-by-one to see whether the URLs contained HTTPS. The researchers only searched for the websites of politicians, not political parties or government agencies.

In all, Comparitech assessed the websites of more than 7,500 politicians in 37 countries. It found 60.8% did not use valid SSL certificates, meaning visitors’ connections to those sites are not private or secure — not great when they collect forms and donations and ask people to sign up for e-newsletters, Bischoff says.

There were some surprises in the study, too. Among them: Tech-savvy countries such as South Korea and India did not fare well. In South Korea, 92.3% of politicians’ websites were insecure, while in India the number was 83.9%. While the United States fared well, with only 26.2% of websites insecure, that’s “a pretty high number given how security-conscious people are in the United States,” Bischoff says.

Avivah Litan, a vice president and distinguished analyst at Gartner, warns that politicians should not take security lightly.

“People could be sending sensitive information to their representatives that should be protected,” she says. “Deploying SSL certificates is an easy way to support the website, so it’s really not excusable. We are in a major cyberwar, and the politicians are so not aware of security issues. Many don’t take the time to learn.”


Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md.

Article source: https://www.darkreading.com/three-in-five-politicians-websites-dont-use-https/d/d-id/1334151?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

New Malware Shows Marketing Polish

A new strain of point-of-sale malware skims credit card numbers and comes via a highly polished marketing campaign.

Malware is constantly evolving and, according to a new blog post from Cisco Talos, so is malware marketing. The point-of-sale (PoS) malware being sold, called GlitchPOS, isn’t particularly advanced, but its packaging and marketing are — and those advanced techniques promise new troubles for security professionals working in retail and hospitality fields.

In the blog post, researchers detail how they found the malware on a crimeware forum and rapidly discovered that it comes complete with video instructions on its use and a modular format that makes putting it in the field quite easy.

How easy is it to deploy? “I would say it’s about the sophistication of installing a video game,” says Craig Williams, director of outreach at Cisco Talos. As a consequence, “My concern is that you’re going to see younger and younger cybercriminals with kits like these. It’s just getting easier and easier,” he explains.

The growing sophistication of GlitchPOS is similar to that found in the marketing and support of Cayosin, malware with a sophisticated sales infrastructure that was discovered by researchers at Perch in February. In that case, Perch senior threat researcher Paul Scott pointed out that the malware’s author “… has got 127 posts, he’s got 1,382 followers and he’s following 306 accounts.” The Cayosin author offered individual support through direct messages as well as video and photo support showing how to create attacks on his network.

GlitchPOS’s author, identified as edbitss by researchers at Cisco Talos and Check Point, claims authorship of the DiamondFox L!NK botnet in 2015/2016 and 2017, according to the Cisco Talos blog post. Williams says that while DiamondFox L!NK was sophisticated, “The author has polished this” and improved both the malware and its marketing.

Although the malware is being marketed globally, Williams says that the victims are likely to be concentrated in the US because credit cards are still being issued with magnetic stripes and some stores have delayed moving their PoS equipment to chip readers. “The cards still have mag stripes, so if they’re still swiping, they’re vulnerable,” Williams says.


Curtis Franklin Jr. is Senior Editor at Dark Reading.

Article source: https://www.darkreading.com/iot/new-malware-shows-marketing-polish/d/d-id/1334150?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Chrome will soon block drive-by-download malvertising

Google is tooling up in the war against malvertisers. Developers of its Chrome browser are introducing a feature that they hope will choke off one of the most malicious forms of malware infection: drive-by advertising downloads.

Automatic downloads from advertising frames are a common drive-by download vector. In these attacks, a malicious party rents space from an online advertising network, which pays for banner slots on participating websites. The network serves its clients’ ads through those slots, usually chosen on the basis of information compiled about the visitor, which is how websites can creepily show you ads for things you searched for elsewhere.

In this case, things get creepier still. The attacker’s ad triggers a download of a malicious file, typically a script or an executable, without the visitor doing anything; the payload then exploits a browser vulnerability or relies on the victim opening it, and infects the computer.

The feature that Chrome will add is, in reality, more of a removal: Google plans to stop ad frames from initiating downloads unless the user has interacted with the page.

The update comes from Yao Xiao, a developer on the Chromium open-source browser project that feeds Chrome. It isn’t his first attack on drive-by downloads. In January he proposed a similar change targeting the same behaviour in sandboxed iframes – an HTML element that effectively opens a window from the host webpage into another webpage – after attackers took to using iframes to spray malicious content across websites and infect visitors’ browsers. That change is due to take effect in Chrome 74, which ships in April.

The advertising frame implementation will commence at a later date, but is already on the list of forthcoming developments for Chrome. The listing says:

Download doesn’t make much sense with ads. It happens very rarely in practice and is also difficult to reproduce, which implies that a very small amount of ads are doing automatic downloads. Blocking download in ad frames without user gesture will make the web less abusive and more secure.

The block won’t apply to all downloads from advertising frames. Those with user gestures, such as when users actually click on something to download it, will still be allowed. From the accompanying paper:

The only kinds of downloads that can occur without a user gesture are navigations and simulated clicks on download links. Therefore, our intervention will block such downloads if they occur without a user gesture.
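The two gesture-less vectors that note names, a navigation to a downloadable file and a script-synthesised click on a download link, can be checked for before a creative is handed to an ad network. What follows is an added example, not Chromium’s code or any part of the intervention: a static pre-flight that scans an ad creative’s HTML and JavaScript for those two patterns. The file-extension list, the sink patterns and the two sample creatives are constructed for this example.

```python
"""Added example, not Chromium's code: a static pre-flight for ad creatives
that flags the two gesture-less download vectors the intervention names,
(1) navigations to a downloadable resource and (2) script-simulated clicks
on a download link. Heuristic; extension list and sink patterns are assumed."""
import re

# File types commonly delivered by drive-by downloads (assumed list).
DOWNLOAD_EXT = re.compile(
    r"\.(exe|msi|scr|bat|cmd|hta|jar|js|jse|vbs|zip|dmg|apk)([?#].*)?$", re.I)

# Script sinks that navigate the frame, or open a window, to a literal URL.
NAV_SINK = re.compile(
    r"""(?:\blocation(?:\.href)?\s*=(?!=)"""
    r"""|\blocation\.(?:assign|replace)\s*\("""
    r"""|\bwindow\.open\s*\()\s*["']([^"']+)["']""")

# <meta http-equiv="refresh" content="0;url=..."> is a navigation as well.
META_REFRESH = re.compile(
    r"""<meta\b[^>]*http-equiv\s*=\s*["']?refresh["']?[^>]*url\s*=\s*([^"'\s;>]+)""", re.I)

# An anchor carrying the download attribute, and its href ...
DOWNLOAD_ANCHOR = re.compile(r"<a\b[^>]*\bdownload\b[^>]*>", re.I)
HREF = re.compile(r"""\bhref\s*=\s*["']([^"']+)["']""", re.I)
# ... combined with a script-synthesised click: el.click() or a dispatched MouseEvent.
SYNTH_CLICK = re.compile(
    r"""\.click\s*\(\s*\)|dispatchEvent\s*\(\s*new\s+MouseEvent\s*\(\s*["']click["']""")


def find_gestureless_downloads(creative):
    """Return (kind, url) findings for download triggers that need no user gesture."""
    findings = []
    for pattern in (NAV_SINK, META_REFRESH):
        for url in pattern.findall(creative):
            if DOWNLOAD_EXT.search(url):
                findings.append(("navigation", url))
    anchor = DOWNLOAD_ANCHOR.search(creative)
    if anchor and SYNTH_CLICK.search(creative):
        href = HREF.search(anchor.group(0))
        findings.append(("synthetic-click", href.group(1) if href else None))
    return findings


# Constructed sample creatives (not real ads).
MALICIOUS_CREATIVE = """
<a id="dl" href="https://cdn.example/flashupdate.exe" download>update</a>
<script>
  document.getElementById('dl').click();
  setTimeout(function () { location.href = "https://cdn.example/setup.msi"; }, 500);
</script>"""

BENIGN_CREATIVE = """
<img src="https://cdn.example/banner.png" alt="Sale">
<a href="https://cdn.example/brochure.pdf" download>Get the brochure</a>
<script>
  document.querySelector('img').addEventListener('click', function () {
    location.href = "https://shop.example/landing";
  });
</script>"""

if __name__ == "__main__":
    for name, creative in (("malicious", MALICIOUS_CREATIVE), ("benign", BENIGN_CREATIVE)):
        print(name, find_gestureless_downloads(creative))
```

This is a heuristic, not a substitute for the browser intervention: a `.click()` that sits inside a genuine click handler is gesture-backed and would still be reported for review, and obfuscated or dynamically built scripts defeat pattern matching. Only the browser sees the real user-activation state at the moment the download starts.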

Expect every version of Chrome built on Google’s Blink rendering engine to get this. That excludes Chrome for iOS, which uses Apple’s WebKit because Apple does not permit alternative engines on the platform. Google forked Blink from WebKit in 2013.

Malvertising has been a problem for years, with sites ranging from Forbes through to the Daily Mail being hit. Entire networks of fake ad agencies have helped stoke the pipeline for malicious ads. It’s a particularly damaging form of cybercrime because it undermines support for popular sites that people should be able to trust. It also drives the use of ad blockers, which in turn damages advertising-driven content models and impacts publisher profits.

The move is part of a broader campaign that Google is waging against advertisers that don’t play by the rules. Having tried to warn users about advertising redirects in November 2017, it took another swipe at rogue advertisers in November 2018, implementing a warning system for ads that behaved suspiciously or misled users.

Adverts aren’t going away, so anything that browser developers can do to make ads safer for millions of web users has to be a good thing.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/5uTxD1MATXM/

Open-source key gen snafu sparks 63-bit TLS cert revoke runaround

A bunfight over a controversial UAE mobile security company led to the discovery that millions of TLS security certificates had been improperly issued – thanks to a dodgy default configuration in popular open-source certificate authority (CA) software, governing how certificate serial numbers are generated.

During a discussion on the mozilla.dev.security.policy group about Darkmatter’s application to become a fully fledged cert-issuing CA, netizens discovered that the company’s supposedly 64-bit certificate serial numbers were in fact one bit short, the top bit being always zero to indicate a positive integer. After other companies read the thread, they realised their own certificates were similarly affected.


The UAE firm is in the spotlight due to a January report by newswire Reuters alleging its involvement in state-backed hacking efforts, which it has denied. The report subsequently drew the attention of Firefox browser-maker Mozilla and prompted the Moz dev chatter.

Security researcher Adam Caudill summarised the problem in a blog post earlier this month: “During an analysis of certificates issued by DarkMatter, it was found that they all had a length of exactly 64 bits – not more, not less.”

As he explained, RFC 5280, which among other things governs the format of public key certificates, requires a certificate serial number to be a “positive integer” of no more than 20 octets; the CA/Browser Forum’s Baseline Requirements add that it must contain at least 64 bits of output from a cryptographically secure random-number generator. A negative value is never allowed. However, in Caudill’s words: “Requiring a positive integer means that the high [order] bit can’t be set – if it is set, it can’t be used directly as a certificate serial number.”

The serial number is DER-encoded as a two’s-complement integer, so the high-order bit of its first octet is the sign bit and must be zero for a positive value. A generator that takes exactly 64 random bits and simply clears the top one to guarantee a positive result therefore leaves only 63 bits of randomness. The encoding does not force that loss: a 64-bit value with the top bit set is still a valid positive integer if a leading zero octet is prepended, at the cost of the serial being nine octets long.

Caudill speculated that Darkmatter may have used a particular open-source CA software package, EJBCA, whose default is to build serial numbers from 64 bits of random-number-generator output with the top bit cleared. That halves the number of possible serial numbers, leaving 63 bits of entropy. Nothing stops CAs using longer serial numbers; it’s just that the default is misleading.

D’OH-fault settings

A recent MDSP mailing-list response by SSL.com’s Fotis Loukos, its director of R&D, reproduced by Mozilla CA program manager Wayne Thayer here, suggested that EJBCA’s default settings may have been responsible for lulling CAs into a false sense of security. Ouch.

“EJBCA’s method of generating serial numbers has led to a discrepancy between expected and actual behavior and output, such that any CA using EJBCA with the default settings will encounter this issue,” he posted, noting that this would put those CAs in breach of section 7.1 of the CA/Browser Forum’s Baseline Requirements, the CA rulebook (PDF, 65 pages), which states that certificate serial numbers must contain at least 64 bits of output from a cryptographically secure pseudo-random number generator (CSPRNG).
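As an added example, not EJBCA’s or any CA’s code, the following Python puts the trap described above beside the fix and the audit: a generator that clears the top bit of 64 random bits (63 bits of entropy, the EJBCA default behaviour as described), a generator that keeps every bit and lets the DER encoder handle the sign with a zero pad octet (the Baseline Requirements’ 64-bit floor, or the 128 bits GoDaddy says it is moving to), and the check that exposed the problem in the first place, never seeing a top bit set across a CA’s serials. The 20-octet ceiling is RFC 5280’s; the function names and constants are this example’s own.

```python
"""Added example, not EJBCA's or any CA's code: 64-bit serial numbers with
the top bit cleared (63 bits of entropy) beside serials that keep all 64
bits and rely on DER's sign padding, plus the audit that exposes the
former. Function and constant names are this example's own."""
import secrets

RFC5280_MAX_SERIAL_OCTETS = 20  # RFC 5280 s4.1.2.2: serialNumber is at most 20 octets
BR_MIN_RANDOM_BITS = 64         # CA/B Forum Baseline Requirements s7.1


def serial_top_bit_cleared(nbits=64):
    """The flawed pattern: draw nbits, then force the sign positive by clearing
    the most significant bit. With nbits=64 only 63 random bits survive."""
    return secrets.randbits(nbits) & ~(1 << (nbits - 1))


def serial_keep_all_bits(nbits=64):
    """Compliant pattern: keep every random bit. der_integer() adds a 0x00 pad
    octet when the top bit is set, so the value stays positive with no loss
    of entropy. nbits=128 gives the wider serials GoDaddy said it is moving to."""
    if nbits < BR_MIN_RANDOM_BITS:
        raise ValueError("Baseline Requirements need at least 64 random bits")
    return secrets.randbits(nbits)


def der_integer(value):
    """DER-encode a non-negative INTEGER (tag 0x02, short-form length).
    DER INTEGERs are two's complement: if the first content octet would have
    its top bit set, a 0x00 octet is prepended to keep the value positive."""
    if value < 0:
        raise ValueError("certificate serial numbers must be positive")
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    if len(body) > RFC5280_MAX_SERIAL_OCTETS:
        raise ValueError("serialNumber longer than 20 octets")
    return bytes([0x02, len(body)]) + body


def der_integer_decode(der):
    """Inverse of der_integer() for short-form lengths; returns a Python int."""
    if len(der) < 3 or der[0] != 0x02 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER INTEGER")
    return int.from_bytes(der[2:], "big", signed=True)


def looks_top_bit_cleared(der_serials, width=64):
    """Audit in the spirit of Caudill's analysis: if every serial fits in
    `width` bits and none has bit width-1 set, the generator is almost
    certainly clearing that bit (the chance of seeing that by accident with
    n genuinely random width-bit serials is 2**-n)."""
    values = [der_integer_decode(s) for s in der_serials]
    if not values or not all(0 <= v < (1 << width) for v in values):
        return False  # empty, or wider serials: not this defect
    return all(v < (1 << (width - 1)) for v in values)


if __name__ == "__main__":
    flawed = [der_integer(serial_top_bit_cleared()) for _ in range(100)]
    good = [der_integer(serial_keep_all_bits()) for _ in range(100)]
    print("flawed generator flagged:", looks_top_bit_cleared(flawed))  # True
    print("good generator flagged:  ", looks_top_bit_cleared(good))    # False
    print("max DER length, flawed:", max(map(len, flawed)), "good:", max(map(len, good)))
```

The tell is visible in the encoded length: a generator that keeps all 64 bits produces a nine-octet INTEGER about half the time, while the flawed one never exceeds eight, which is exactly the “exactly 64 bits – not more, not less” observation that started the thread.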

Other responses from Apple, Google and others shed light on the practical impact.

Apple admitted it had issued a total of 878,000 non-compliant TLS certificates, of which 558,000 were still in use five days ago, as well as 2,000 S/MIME certs. In a timeline appended to its report yesterday, it said that in April 2017 it had “mistakenly suppressed alerts detecting serial numbers suspected to be insufficient in length,” before starting to revoke the affected certificates last week.

Google Trust Services, the adtech monolith’s certificates arm, did not spell out precisely how many non-compliant certificates it had issued but did say that it comprised all certificates that its Google Internet Authority G3 trust chain issued between 30 September 2016 and 28 February this year.

GoDaddy was similarly affected from 2016 onward, according to its response, having issued a total of 285,936 non-compliant certificates, of which 12,152 are still live. It scaled this down from its original estimate of 1.8 million non-compliant certificates, adding: “We are looking to scope and roadmap upgrading our certificate serial number to a minimum of 128-bit, or the max possible.”

The controversy over Darkmatter continues. The underlying security issue is largely theoretical – the random serial exists to keep the signed contents of a certificate unpredictable to an attacker attempting a hash-collision attack on the signature, and one missing bit barely changes that, even though it falls short of the spec – but CAs will have a minor headache as they identify, revoke and reissue affected certs.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/03/13/63_bit_tls_cert_revoke_ejbca_config/