STE WILLIAMS

Organizations Taking Less Time to Detect Breaches

But when organizations learn of a breach from an outside party, attackers have typically already been on their networks for more than six months, new 2018 data shows.

Update: This story was updated on 03/05 with comments from FireEye.

Internal security teams at enterprise organizations are generally getting better at detecting compromises, but it’s still taking them well over a month to discover them.

A FireEye analysis of global breach data from 2018 shows that half of all organizations last year took 50.5 days or longer to detect an intrusion after it first began. That was one week faster than the median of 57.5 days it took them in 2017.

However, when organizations first learned of an intrusion from law enforcement or another source, it was typically only after the attackers had already been on their networks for 184 days, or more than six months. That number was almost unchanged from the 186 days recorded in 2017. The FireEye report shows that a higher proportion of organizations in the Americas discovered breaches internally compared with counterparts in Europe, the Middle East, and the Asia Pacific region.

Thirty-one percent of the compromises that FireEye’s Mandiant group investigated in 2018 had dwell times of 30 days or less, meaning the breaches were detected within a month of the initial intrusion. That is a modest increase from the 28% of organizations that detected intrusions within a month in 2017.

One reason why more companies were able to detect compromises in less than one month last year was simply because there were more incidents involving ransomware and cryptomining tools. Such attacks are generally easier to spot than other types of attacks, according to the FireEye Mandiant report.

“While there was a modest decrease in dwell time, the dwell times by engagement varied in large measure,” the FireEye report noted. “We saw an uptick in financially motivated compromises such as ransomware and business email compromise, which tend to have both immediate impact and immediate detection by the targeted organization,” the vendor said.

Another reason was that more firms are improving data visibility through better tooling and technologies.

Reducing dwell times can help organizations become more effective at containing incidents, says Charles Carmakal, vice president and CTO at FireEye.

“The time to contain an incident can vary based on several variables,” he says. This can include the size of the organization, scope of the compromise, length of time the threat actor is in the environment, and number of compromised systems.

“If a compromise is identified within hours, it may only take hours to contain the incident,” he says. “However, if a threat actor has been in an environment for months, it could take two to four weeks — or months — to contain the incident.”

Significantly, FireEye’s data also shows that threat groups frequently go back and attack organizations they have previously targeted. Nearly two-thirds (64%) of organizations that were victims of a targeted attack last year experienced at least one other attack by the same or a similar threat group. That is a noticeable increase from the 56% that experienced a similar fate in 2017, and it shows that companies that have already been breached are much more likely to be breached again, the FireEye report said.

Many organizations that had previously been compromised are retargeted because they continue to have data of value to the attackers, Carmakal says. “For example, threat actors that successfully stole intellectual property associated with defense systems in 2014 may be tasked to steal updated versions of the data in 2019. As companies continue to innovate, governments will task groups to obtain that data,” he says.

Advanced persistent threat groups from Russia, China, North Korea, and Iran continued to pose major challenges for organizations in the US and elsewhere last year. FireEye’s report highlights several of them, including APT40, also tracked as TEMP.Periscope, a newly identified China-government-sponsored espionage group targeting organizations of interest to the country’s naval modernization effort. APT40’s targets last year included maritime companies, defense, chemicals and aviation firms, as well as government, R&D, and technology companies.

Governments worldwide generally have not changed their rules of engagement in response to the growing threat posed by state-sponsored cyberthreat actors. But several of them last year publicly attributed attacks to specific APT groups and handed down indictments against their members. Examples in the US cited in the FireEye report include the March 2018 indictment of Iranian nationals accused of hacking on behalf of Iran’s Islamic Revolutionary Guard Corps, the August indictment of Ukrainian members of the FIN7 group, and the indictment and subsequent extradition of a Russian hacker in September.

“Public attribution by governments and indictments by the US Department of Justice have helped curb activity from some threat actors and increase their cost of offensive operations,” Carmakal notes. In one instance, FireEye observed a noticeable decline in activity by a threat actor following their indictment, he says. In other instances, groups that have been indicted have shifted tactics, tools, and procedures, he says.

“While we don’t expect public attribution and indictments to stop threat actors completely, we believe it can reduce and delay some activity,” Carmakal says.


Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/organizations-taking-less-time-to-detect-breaches/d/d-id/1334049?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Artificial Intelligence: The Terminator of Malware

Is it possible that the combination of AI, facial recognition, and the coalescence of global mass-hack data could lead us toward a Skynet-like future?

For many of us, The Terminator series introduced us to the potential dangers of artificial intelligence (AI). As Skynet’s advanced AI became self-aware, it concluded that humanity was a threat to its existence and sprang into self-preservation mode, ultimately triggering a nuclear holocaust and deploying an army of Terminators to battle the resistance.

While this was purely fictional back in 1984, 35 years later AI-powered threats are the new reality, which raises the question: are we headed for a Skynet-like future in which AI takes over the world? Perhaps we’re not quite there yet, but the ingredients are all there, and it could be a recipe for disaster.

As our understanding of AI progresses, AI-driven attacks will get more sophisticated. Maturing open source machine learning tools like Google’s TensorFlow and others will be used in malicious code, powering even more damaging botnets, viruses, worms, trojans, targeted phishing expeditions, and so on. Of particular concern is the combination of machine learning, automated facial recognition, and the huge amounts of data in recent dumps. This puts billions of people at greater risk of being compromised than ever before.

One recent data dump is now raising alarm flags because it has the potential to affect billions of people. Known as Collections #1–5, it contained well over 2 billion usernames and passwords, which were dumped onto the Dark Web. With data the foundation of AI, hackers can now carry out machine learning-based operations that combine automated facial recognition with the information in Collections #1–5 to traverse social media networks and other sites, running automated spearphishing campaigns and a variety of other villainous exploits.

An AI populated with billions of email password pairs has a huge head start on leveraging evasive and powerful attack tools such as DeepLocker and Social Mapper. Consider the kill chain of shared credentials between corporate and personal emails. That’s a very soft target for the Terminator of malware. Even if only 1% of the passwords in the “Collections” are still accurate and shared across accounts, that is well over 20 million vulnerable victims. From statistical analysis, we know the rate is far higher than that.
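As an added illustration, not part of the original column, here is how a defender turns the shared-credential concern above into a concrete check: at password-set time, test whether the candidate password appears in a leaked corpus, and separately list which leaked passwords were used under more than one email domain (the work/personal reuse that makes a corporate mailbox a soft target). The lookup shape follows the k-anonymity range query used by Have I Been Pwned’s Pwned Passwords API (only the first five hex characters of the SHA-1 are sent; the client matches suffixes locally), but the "server" here is a local function over a constructed corpus, so nothing leaves the machine. Every email, password and count below is invented for the example.

```python
"""Credential-reuse exposure check (added example, constructed data only)."""
import hashlib
from collections import defaultdict

# Constructed stand-in for a leaked corpus: (email, plaintext password).
LEAKED_CORPUS = [
    ("alice@example.com", "Summer2018!"),
    ("alice.w@personalmail.test", "Summer2018!"),   # same password, personal account
    ("bob@personalmail.test", "hunter2"),
    ("carol@example.com", "correct horse battery staple"),
]

# Constructed candidates: passwords users are trying to set at change time.
# The check belongs here, before the value is hashed for storage.
CANDIDATES = {
    "alice@example.com": "Summer2018!",    # reused between work and personal
    "bob@example.com": "hunter2",          # matches a personal-account leak
    "dave@example.com": "9f!Qz#vL2m@wX",   # not in the corpus
}

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# ---- lookup side: index the corpus by 5-character SHA-1 prefix ----
def build_range_index(corpus):
    """prefix -> {suffix: number of leaked records with that password hash}"""
    index = defaultdict(lambda: defaultdict(int))
    for _email, password in corpus:
        digest = sha1_hex(password)
        index[digest[:5]][digest[5:]] += 1
    return index

RANGE_INDEX = build_range_index(LEAKED_CORPUS)

def range_lookup(prefix: str) -> dict:
    """Stand-in for the range endpoint: every suffix under one 5-char prefix."""
    if len(prefix) != 5:
        raise ValueError("range queries take exactly 5 hex characters")
    return dict(RANGE_INDEX.get(prefix.upper(), {}))

# ---- client side: only the prefix is ever disclosed ----
def leak_count(password: str) -> int:
    digest = sha1_hex(password)
    return range_lookup(digest[:5]).get(digest[5:], 0)

def exposed_accounts(candidates: dict) -> dict:
    """{email: leak-record count} for each candidate password seen in the corpus."""
    hits = {}
    for email, password in candidates.items():
        n = leak_count(password)
        if n:
            hits[email] = n
    return hits

def cross_domain_reuse(corpus) -> dict:
    """Passwords in the corpus used under more than one email domain."""
    domains = defaultdict(set)
    for email, password in corpus:
        domains[password].add(email.rsplit("@", 1)[-1].lower())
    return {pw: sorted(d) for pw, d in domains.items() if len(d) > 1}

if __name__ == "__main__":
    print("exposed:", exposed_accounts(CANDIDATES))
    print("reused across domains:", cross_domain_reuse(LEAKED_CORPUS))
```

A real deployment would point `range_lookup` at the public range API (or an internal mirror of the corpus) and reject or force-rotate any candidate with a nonzero count; the prefix split is what lets that query be made without handing the full hash to a third party.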

So, how bad could it get? Realistically, a mass collective hive of botnets with knowledge of credentials, email, facial recognition, and social networks could craft AI phishing lures that make email unusable. Theoretically, with Collections #1–5 at its disposal, Skynet could now take over the world.

Which leads us to the need for a Resistance. Fortunately, Skynet does not exist… at least, not that we know of. But it will take a lot more than John Connor to win the AI war with cybercriminals. It will take a global coalition of brilliant minds and organizations from the private and public sectors fighting fire with fire, deploying AI-based security solutions that can keep pace, outmaneuver, and outthink these AI-powered attacks. The US Department of Defense echoed this sentiment in a recently unveiled summary of its official artificial intelligence strategy:

We cannot succeed alone; this undertaking requires the skill and commitment of those in government, close collaboration with academia and non-traditional centers of innovation in the commercial sector, and strong cohesion among international allies and partners. We must learn from others to help us achieve the fullest understanding of the potential of AI, and we must lead in responsibly developing and using these powerful technologies, in accordance with the law and our values.

Perhaps the late Stephen Hawking said it best: “Unless we learn how to prepare for, and avoid, the potential risks, AI could be the worst event in the history of our civilization.”

Or as the Terminator might say: “Hasta la vista, baby.”


Chris Rouland is Co-Founder and Chief Executive Officer of Phosphorus Cybersecurity, Inc. A 25-year veteran of the information security industry, Chris is a renowned leader in cybersecurity innovation and disruption. In his career, Chris has founded and led several …

Article source: https://www.darkreading.com/threat-intelligence/artificial-intelligence-the-terminator-of-malware/a/d-id/1333976?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

6 Questions to Ask While Buying a Connected Car

Here are six questions to keep in mind when you walk into the showroom to buy a networked car.

Image Source: Adobe Stock: kinwun


Car manufacturers are quickly moving toward a time when autos will be mostly, if not fully, autonomous. Meanwhile, new cars are packed with Bluetooth, cellular gateways, and Wi-Fi connectivity, each of which adds attack surface and the potential for security vulnerabilities.

In putting together this story, we talked to several experts who follow developments regarding the connected car, and just about all of them say there’s still a lot in flux.

“There’s not a salesperson in a showroom anywhere who could answer even basic security questions,” says Steve Hoffenberg, director of Internet of Things (IoT) and embedded technology at VDC Research. “But that doesn’t mean consumers shouldn’t be asking questions about security.”

“People need to ask the car companies where they stand on security,” says Kayne McGladrey, director of security and IT at Pensar Development and an IEEE member, who cites companies such as Apple and Google, which have made strong public statements on these matters.

When asked if the car companies have followed suit, McGladrey says, “Not really.”

So, what are consumers to do? Security pros may know more about what to ask for, but there are thousands, even millions, of consumers who simply don’t know where to start. Read these six tips to get an idea of what you should be thinking about when you step into that showroom and the salespeople start selling you on a connected car.

 

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md.

Article source: https://www.darkreading.com/6-questions-to-ask-while-buying-a-connected-car/d/d-id/1334039?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Axonius’ ‘Unsexy’ Tool Wins RSAC Innovation Sandbox

Judges award top honor to new company solving an old, unsolved problem: asset discovery and management.

RSA CONFERENCE 2019 – San Francisco – Axonius, a company solving the “unsexy” topic of asset discovery and management, was awarded top honors at the RSAC Innovation Sandbox Contest here Monday, beating out solutions for edgier problems including firmware vulnerabilities and API attacks.

Axonius narrowly beat out second-place honoree Duality, an end-to-end homomorphic encryption solution that enables collaborative data analysis in low-trust situations. 

The Innovation Sandbox recognizes emerging security companies with creative, marketable solutions to big challenges. The 10 finalists chosen this year also covered identity management, cloud security ops automation, API security, and more.

“We fought long and hard to get to the top 10 this year,” said Niloofar Howe, tech investor, entrepreneur, and one of the Sandbox judges. “It really was hard, but I think it is an incredible group.”

After all finalists made three-minute pitches and endured interrogation by a panel of judges, Axonius rose to the top (despite the fact that its CMO, Nathan Burke, had to fill in for its CEO, Dean Sysman, whose flight to San Francisco was delayed).

Companies were judged on the problem they were trying to solve, the originality and soundness of their intellectual property, their go-to-market strategy, their team, the impact the solution was likely to have, and how well the product had already been validated by the market. The judges were Howe; Patrick Heim, operating partner and CISO of ClearSky; Richard Seiersen, CISO, author, and adviser; Asheem Chandna, partner at Greylock Partners; and Shlomo Kramer, CEO of Cato Networks and founder of multiple security firms.  

The judges praised runner-up Duality for the way it enabled collaborative data analytics projects in cases where widescale trust among the parties was impossible to achieve. Speaking from his own experience as a CISO in both financial services and healthcare, Seiersen said that “in both cases, to be able to have privacy-protected analysis is really the holy grail.” Pharmaceutical companies, hospitals, and insurance companies, for example, might be able to gain insights from one another’s data, but it could not be shared without addressing privacy concerns.

Judges praised Axonius for solving a fundamental, widespread, long-standing problem that for some reason has not been solved.

“I’ve lived the pain of never having a straight answer around assets,” said Heim, who has been CISO at companies with more than 200,000 users. “We never know how many servers there are, virtual machines, endpoint devices. …

“Before we worry about solving problems – you know, ninjas chasing us with APTs and zero-days, basically – there are some basic things you need to solve first,” Heim said. “Axonius really resonated very, very strongly with me because finally I can put a checkbox into one of these problems that’s been around for 20, 30 years, and basically say, ‘This has potential for solving it, and it leverages my existing security infrastructure investments by pooling it all together, versus having to deploy more agents.’”

In an interview with Dark Reading, Axonius’ Burke said, “The last thing we want to say is, ‘You have yet another dashboard, another solution you’ve got to manage.'” Therefore, Axonius integrates with other security products, so the asset management information it gathers could be used by another company’s orchestration product, for example. 

If Axonius can “kill one of these really old problems,” it frees up companies’ security resources for other responsibilities, Burke said. “You could really use people better and not spend your time on boring stuff,” he said, and thanked the judges “for taking an unsexy thing and making it a winner.”

The other eight Innovation Sandbox finalists were:

• Wirewheel: A cloud-based data privacy and protection platform that can “translate your technical stack into something your privacy program can use.” Wirewheel is trying to tackle the data privacy problem at scale by partnering with infrastructure-as-a-service providers like AWS.

• ShiftLeft: A continuous application security platform that both finds vulnerabilities so you can fix them and protects the application against the vulnerabilities you decide not to fix. It uses a combination of static code analysis (code property graphs) and application instrumentation.

• Salt Security: Discovers API vulnerabilities and attacks. Salt uses an AI-based behavioral protection model that learns how an organization’s APIs work and can therefore – without much customer configuration – determine what’s normal, what’s abnormal, and what’s malicious.

• Eclypsium: Firmware security company that detects firmware vulnerabilities and compromises (as well as hardware flaws like Meltdown and Spectre) and protects devices from tampering throughout the OEM supply chain.

• {disruptOps}: Automates security operations for the cloud. Helps cloud users set and reach security benchmarks quickly (like finding and deactivating stale identity access keys).

• CloudKnox: Manages identity privileges across hybrid cloud and multiplatform cloud environments. Uses a “privilege creep index” and a “Just Enough Privileges controller” to ensure that identities have only the privileges they need, when they need them. Head of product Balaji Parimi told judges that CloudKnox might replace whatever product an organization is currently using to mitigate insider threats. 

• Capsule8: Provides security for production Linux systems without taking a toll on operations. API-first, fully extensible, operating outside the Linux kernel, Capsule8 stops attacks like kernel exploits and container escapes in real time, without the performance impacts.   

• Arkose Labs: Low-friction fraud and abuse prevention tool, backed by PayPal, that helps prevent attacks like account takeover and carding.

 

 

 


Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad …

Article source: https://www.darkreading.com/axonius-unsexy-tool-wins-rsac-innovation-sandbox-/d/d-id/1334055?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Lazarus Research Highlights Threat from North Korea

A widespread attack campaign against companies and government agencies has been linked to the North Korean Lazarus Group, underscoring that the country’s hackers are becoming more brazen.

RSA CONFERENCE 2019 — San Francisco — Evidence from a command-and-control server has linked a massive campaign against sensitive industries and government agencies to the Lazarus Group, a North Korean state-sponsored operator, cybersecurity firm McAfee announced at the RSA Conference this week.

After gaining access to code and data from the C&C server, McAfee researchers analyzed the evidence and concluded that the campaign, which they dubbed Operation Sharpshooter, started a year earlier than previously thought and targeted a larger group of organizations. In a previous analysis, published in December 2018, McAfee researchers had hesitated to connect the campaign to the activities of the Lazarus Group.

“Operation Sharpshooter’s numerous technical links to the Lazarus Group seem too obvious to immediately draw the conclusion that they are responsible for the attacks, and instead indicate a potential for false flags,” the company’s researchers stated at the time. “Our research focuses on how this actor operates, the global impact, and how to detect the attack. We shall leave attribution to the broader security community.”

With the additional evidence from the server used by the attackers to manage their network of compromised systems, McAfee’s researchers found that the Sharpshooter campaign used the same software implants and malicious code as the Lazarus Group.

The report highlighted the increasing sophistication as well as the ubiquity of cyber-operations from North Korea, which uses attacks to steal funds, collect intelligence, and punish rivals. North Korean groups are among the most brazen state-sponsored attackers, said Tom Kellermann, chief cybersecurity officer with Carbon Black.

“They finally have an A-team, thanks to the tech transfer from Russia,” Kellermann said.

An interesting piece of the puzzle is that early attacks focused on networks in Namibia, leading McAfee researchers to conclude that the Sharpshooter group may have used the African nation as a testing ground for its software implants and attack code.

Financial Services, Government Bear Brunt of Attacks
Getting access to the command-and-control server gave McAfee researchers the evidence needed to connect Operation Sharpshooter to the Lazarus Group, Christiaan Beek, McAfee senior principal engineer and lead scientist, said in a statement.

“Access to the adversary’s command-and-control server code is a rare opportunity,” Beek said. “These systems provide insights into the inner workings of cyberattack infrastructure, are typically seized by law enforcement, and only rarely made available to private sector researchers.”

The most recent attacks mainly focused on financial services, government agencies, and critical infrastructure, McAfee stated. The attackers primarily targeted Germany, Turkey, the United Kingdom and the United States. Earlier attacks had also focused on telecommunications companies and had included Israel as one of the primary targets.

In a survey of financial services CISOs, Carbon Black found that two-thirds of respondents had faced more cyberattacks in the last 12 months than the same period the prior year. While social engineering attacks remain the most common — with 79% of firms encountering highly targeted phishing attacks — 32% of firms detected attacks coming from third parties, such as suppliers and partners.

In addition, destructive attacks against financial institutions — a hallmark of many North Korean operations — have become more common, with a quarter of all attacks having a component that destroys or encrypts data.

“You see this transition now from bank heists to hostage situations,” Kellermann said. “These attacks are not being leveraged at the beginning of the attack, but at the end … They want to be punitive on their way out, because they know they are being reacted to.”

Needed: Subtler Incident Response
Much of this is a reaction to incident responders trying to stop attackers and clean up compromised servers and workstations, Kellermann said. About a third of the institutions surveyed experienced some form of counter-incident-response reaction from attackers, either destroying data or using a sleep cycle to wake up secondary command-and-control channels.

“We are being too loud in how we conduct incident response, and we are being a bit too cocky by immediately terminating command and control,” he said. “This really highlights our need to become better at how we conduct the ultimate investigation.”

Attackers are also using sophisticated techniques such as steganography — hiding data in images or other file types — as either a secondary command-and-control channel or as a way of delivering additional malware payloads to the targeted server. 

“Embedding multiple content types within a single file … has been a common technique seen in many malware droppers for some time,” Carbon Black stated in its report. “This technique is used to evade detection on the network wire and on the endpoint, as well as hide content on disk in familiar file types such as images.”
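An added example, not McAfee’s or Carbon Black’s code, of the triage check an analyst would run for the pattern just described: parse a PNG or JPEG far enough to find where the image really ends, report any bytes appended after that point, and look for foreign file signatures inside the file. The sample images and the appended payloads are constructed inline; the signature list and the PE stub bytes are illustrative, not exhaustive, and a bare two-byte `MZ` is deliberately left out because it matches compressed pixel data by chance far too often.

```python
"""Polyglot / appended-payload check for image files (added example)."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI, JPEG_EOI = b"\xff\xd8", b"\xff\xd9"

# Signatures that have no business inside a plain image (illustrative list).
FOREIGN_MAGIC = {
    b"MZ\x90\x00": "PE executable (common DOS stub)",
    b"PK\x03\x04": "ZIP archive",
    b"\x7fELF": "ELF executable",
    b"#!/": "script shebang",
}

def png_end_offset(data: bytes):
    """Walk PNG chunks; return the offset just past IEND, or None if malformed."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 8 + length + 4          # header + data + CRC
        if chunk_end > len(data):
            return None
        if ctype == b"IEND":
            return chunk_end
        pos = chunk_end
    return None

def jpeg_end_offset(data: bytes):
    """Walk JPEG segments up to SOS, then return the offset just past EOI.
    EXIF thumbnails carry their own EOI but live in APP1 before SOS, so the
    segment walk skips them instead of mistaking one for the end of file.
    Inside scan data every 0xFF is stuffed (FF00) or a restart marker, so
    the first FFD9 after SOS is the real EOI."""
    if not data.startswith(JPEG_SOI):
        return None
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xDA:                          # SOS
            eoi = data.find(JPEG_EOI, pos + 2)
            return None if eoi < 0 else eoi + 2
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seg_len
    return None

def analyze_image(data: bytes) -> dict:
    """Return format, trailing byte count, foreign signatures and a verdict."""
    end, fmt = png_end_offset(data), "png"
    if end is None:
        end, fmt = jpeg_end_offset(data), "jpeg"
    if end is None:
        return {"format": None, "trailing_bytes": 0, "embedded": [],
                "suspicious": True, "note": "not a parseable PNG/JPEG"}
    embedded = [name for magic, name in FOREIGN_MAGIC.items() if magic in data]
    trailing = len(data) - end
    return {"format": fmt, "trailing_bytes": trailing, "embedded": embedded,
            "suspicious": bool(trailing or embedded)}

# ---- constructed samples ----
def _png_chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

def tiny_png() -> bytes:
    """A valid 1x1 8-bit grayscale PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")             # filter byte + one pixel
    return (PNG_SIG + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b""))

def tiny_jpeg() -> bytes:
    """Structurally valid JPEG skeleton: SOI, APP0, SOS (two bytes of scan data), EOI."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00" + b"\x12\x34"
    return JPEG_SOI + app0 + sos + JPEG_EOI

APPENDED_PE = b"MZ\x90\x00" + b"\x00" * 12 + b"stage2"   # constructed stand-in payload

if __name__ == "__main__":
    print(analyze_image(tiny_png()))
    print(analyze_image(tiny_png() + APPENDED_PE))
    print(analyze_image(tiny_jpeg() + b"PK\x03\x04" + b"\x00" * 10))
```

Trailing bytes after IEND/EOI are the cheap, high-signal indicator; image viewers ignore them, so a dropper can carry a full second-stage there without breaking the picture. A signature scan alone is weaker (payloads are often encrypted), so treat `trailing_bytes > 0` as the trigger for deeper analysis rather than waiting for a known magic to match.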


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline …

Article source: https://www.darkreading.com/threat-intelligence/lazarus-research-highlights-threat-from-north-korea/d/d-id/1334063?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Care and Feeding of Your SIEM

Six simple steps to mitigate the grunt work and keep your organization safe.

Security information and event management (SIEM) systems and intrusion detection and prevention systems (IDS/IPS) are our frontline defenses in an increasingly hostile world. As effective as they can be, if they aren’t properly configured and maintained, they become essentially useless.

Part of the problem is that this work isn’t sexy or easy — it’s basically digital sanitation. But it’s extremely important. Imagine what would happen if your company’s garbage suddenly stopped being collected. While SIEM/IDS/IPS maintenance isn’t quite as stinky, it’s very similar. Networks change. Threat landscapes change. Most IDS rule sets don’t change (other than getting bigger). Software or services stop being used. And unfortunately, somebody needs to paw through your SIEM’s entrails to find these things.

There are a few ways to mitigate the grunt work to make the task more manageable for your security engineers.

1. Roll Out Slowly
If you are just rolling out your SIEM/IDS/IPS system, avoid turning on everything at once — this is a major mistake. Turn on subnets or VLANs one by one, tuning as you go. A SIEM throwing out 100 alerts a day is a sure way to burn out your security analysts quickly, and all but guarantees that overly liberal whitelists will become commonplace.

2. Good Documentation
Make sure every rule set added is documented (and reviewed by someone) when it is added. And make sure the documentation is complete. The “magic whitelist” is routinely encountered when doing audits. Such an incomplete entry usually happens at 4:59 p.m. on a Friday afternoon filled with false positives. Unfortunately, Monday rolls around and the whitelist isn’t updated, and months later a similar alert is triggered. Make sure your documentation is precise and helpful. Don’t allow any ambiguity. If something is a false positive, explain why.

3. Fine Tune (Preferably the First Time)
Don’t rush through the configuring of your baseline — no matter how long it takes. Tuning out the legitimate false positives while taking the time to thoroughly investigate each alert is important. The more granular you can get your rule sets, the better. If you can pinpoint false positives from specific machines in a subnet, exclude the machines and not the subnet.

Remember that you are doing this not only to find stale or overly liberal policies but also to improve performance. Your SIEM/IDS has to evaluate every rule against the events it sees, so the more rules you have, the slower it will be. Look for ways to consolidate rules wherever possible, and toss the chaff.

4. Frequent Auditing
Make auditing a regular exercise. Instead of leaving the entire task to be done once a year, make the process a monthly or bimonthly process. Tie changes into a change control process wherever possible. If changes are made on the fly, make sure they are still entered into the change registry as an emergency modification. I can’t stress enough how important building and maintaining a robust change control framework is; not only will it help drive security, your entire IT infrastructure will benefit.

Wherever possible, use this audit phase to help build or validate your configuration management database/asset tracking process. When you encounter a system, you should be able to identify what OS, applications, and data are on the box, who the point of contact is, and ideally who the data custodian is. This drives not only security and business continuity processes but also improves efficiencies for the IT group.

5. Validate Log Flows
Make sure you routinely validate that log traffic from every device is still arriving. Often a source that goes down for a significant period gets silenced in the SIEM, only for nobody to turn it back on when the outage is resolved. I’ve seen a company go well over a year before realizing that no alerts were triggering in its SIEM from an entire branch location.

6. Check Your Capacity
When establishing or reviewing your SIEM, be sure that your storage capacity is appropriate for your logs. A lot of solutions base their pricing on consumption — a cap on events per second, for example. Sometimes, companies decide to limit what they are logging in an event to keep pricing to a minimum. This can be a crucial mistake. Many — probably most — penetrations of networks initially occur on individual user machines rather than on critical systems. If you are monitoring only critical or major systems to save money, you might very well be missing all the initial warning signals of the initial intrusion. Your first indication might end up being when you see your database being sent across the wire.

Proper capacity doesn’t just apply to the size of the SIEM’s hard drives. It is critical to ensure that you have adequate staffing for deploying and maintaining a SIEM. Don’t underestimate the manpower required when you budget for operations.
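As an added example, not from the author or Mosaic451, here is a small Python model of three of the checks above on constructed data: suppression (whitelist) entries must carry a reason, an owner, and an expiry before they are honored (step 2); an entry that covers a whole subnet instead of a single host is flagged (step 3); and every expected log source is tested for silence (step 5). The silence check runs on raw ingest, before suppressions are applied, so a quiet source can never be hidden by its own whitelist entry. Hostnames, IPs, rule IDs, and times are invented for the demonstration.

```python
"""SIEM hygiene checks: documented suppressions, host-level scope, silent sources."""
from datetime import datetime, timedelta
import ipaddress

NOW = datetime(2019, 3, 5, 12, 0, 0)           # constructed reference time
EXPECTED_SOURCES = {"fw-hq", "fw-branch-denver", "dc01", "web01"}

# Constructed alerts: (timestamp, log source, offending host, rule id)
EVENTS = [
    (NOW - timedelta(minutes=5), "fw-hq", "10.1.1.10", "IDS-2001"),
    (NOW - timedelta(minutes=7), "fw-hq", "10.1.1.20", "IDS-2001"),
    (NOW - timedelta(hours=2), "dc01", "10.1.1.5", "AUTH-FAIL-BURST"),
    (NOW - timedelta(days=40), "fw-branch-denver", "10.7.0.8", "IDS-2001"),
    # web01 is expected but has never sent anything
]

SUPPRESSIONS = [
    {"rule": "IDS-2001", "scope": "10.1.1.10/32", "owner": "secops",
     "reason": "authorized vulnerability scanner, weekly scan window",
     "added": "2019-02-01", "expires": "2019-08-01"},
    # the 4:59 p.m. Friday entry: whole subnet, no reason, no owner, no expiry
    {"rule": "IDS-2001", "scope": "10.1.1.0/24", "owner": "", "reason": "",
     "added": "2019-01-18", "expires": ""},
    # a complete entry that has since expired
    {"rule": "AUTH-FAIL-BURST", "scope": "10.1.1.5/32", "owner": "it-ops",
     "reason": "service account rotation, expected lockouts",
     "added": "2018-12-01", "expires": "2019-01-01"},
]

REQUIRED = ("rule", "scope", "owner", "reason", "added", "expires")

def validate_suppressions(supps, now=NOW):
    """Return (index, problem) pairs; only entries with no problems are honored."""
    problems = []
    for i, s in enumerate(supps):
        for key in REQUIRED:
            if not s.get(key):
                problems.append((i, f"missing:{key}"))
        try:
            if ipaddress.ip_network(s.get("scope", ""), strict=False).num_addresses > 1:
                problems.append((i, "scope-not-single-host"))
        except ValueError:
            problems.append((i, "scope-unparseable"))
        if s.get("expires") and datetime.strptime(s["expires"], "%Y-%m-%d") <= now:
            problems.append((i, "expired"))
    return problems

def active_suppressions(supps, now=NOW):
    bad = {i for i, _ in validate_suppressions(supps, now)}
    return [s for i, s in enumerate(supps) if i not in bad]

def apply_suppressions(events, supps, now=NOW):
    """Drop events covered by an active suppression; everything else still alerts."""
    active = [(s["rule"], ipaddress.ip_network(s["scope"], strict=False))
              for s in active_suppressions(supps, now)]
    kept = []
    for ts, source, host, rule in events:
        addr = ipaddress.ip_address(host)
        if not any(rule == r and addr in net for r, net in active):
            kept.append((ts, source, host, rule))
    return kept

def silent_sources(events, expected, now=NOW, max_silence=timedelta(days=1)):
    """Map each overdue expected source to its silence (None = never seen).
    Runs over raw ingest, not the post-suppression stream."""
    last_seen = {}
    for ts, source, _host, _rule in events:
        last_seen[source] = max(ts, last_seen.get(source, ts))
    overdue = {}
    for source in sorted(expected):
        if source not in last_seen:
            overdue[source] = None
        elif now - last_seen[source] > max_silence:
            overdue[source] = now - last_seen[source]
    return overdue

if __name__ == "__main__":
    for i, p in validate_suppressions(SUPPRESSIONS):
        print(f"suppression #{i}: {p}")
    print(f"{len(apply_suppressions(EVENTS, SUPPRESSIONS))} of {len(EVENTS)} events still alert")
    for src, gap in silent_sources(EVENTS, EXPECTED_SOURCES).items():
        print(f"{src}: {'never reported' if gap is None else f'silent for {gap.days} days'}")
```

The policy choice worth noting is that an incomplete or expired suppression is reported and ignored rather than silently applied: the Friday-afternoon /24 entry therefore keeps generating alerts until someone documents it properly and narrows it to the host that actually produces the false positive.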

A properly configured and maintained SIEM/IDS can help save your bacon. But as you’ve seen here, they aren’t devices you can simply deploy and forget about. They can be a big financial and logistical burden, but if you follow the tips discussed above, they can also be your company’s best friend.


Shane MacDougall is Senior Security Engineer at Mosaic451, a managed cybersecurity service provider (MSSP) and consultancy with specific expertise in building, operating, and defending some of the most highly secure networks in North America.

Article source: https://www.darkreading.com/threat-intelligence/care-and-feeding-of-your-siem-/a/d-id/1334002?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Cybercriminals Target Young Gamers

Deceptive and inappropriate tactics are prevalent in free gaming apps, according to a new report to be released at the RSA Conference.

RSA CONFERENCE 2019 – San Francisco – Children under the age of 12 who play video games have become a prime target for cybercriminals, who are taking advantage of the kids’ naivete and susceptibility to influence, according to a new report by Rubica.

Rubica CEO Frances Dewing, who will discuss the report at an RSA session Wednesday afternoon, says parents should look out for free gaming apps, which almost always contain advertisements and in-app purchase or upgrade options.

“An adult consumer expects to be advertised to when using an otherwise free service,” Dewing says. “Using advertising or in-app purchasing as a revenue method is a socially accepted practice. However, the problem with free apps targeting children is that studies have proven that children are often unaware that what they are watching or interacting with is an advertisement.”

The major app stores do not contain safety ratings that factor in advertising practices or guidelines for parents, guardians, or educators, Dewing adds.

“More concerning in a game or app made for young children is the prevalence of deceptive and inappropriate tactics,” Dewing explains. “It’s not uncommon for kids’ apps to contain aggressive prompts to download other apps that may be age-inappropriate or unlock gates for cybercriminals to access everything from emails to banking apps.”

Dewing says there have been numerous cases in which wealthy individuals have lost hundreds of thousands of dollars in hacking cases involving children and video games, though such cases typically do not make the news.

Michael Bruemmer, vice president of consumer protection at Experian, says preying on young children playing video games has become a perfect storm around three trends: the lack of awareness of the children; the exploding world of downloads and apps kids have access to without proper adult supervision; and the unblemished identities of the children.

Threat actors steal the identities of young children to pose as adults and set up fraudulent credit cards and bank accounts.

“There was a case I heard of in which a woman who worked from home had her children download games onto her work computer, only to find out that a bad threat actor had injected keylogging software that stole user name and password information,” Bruemmer says. “When the woman planned to make a wire transfer of $28,000, the bad threat actor posed as one of the kids in an email and had the exchange diverted. Fortunately, two-factor authentication software used by the broker intercepted the wire exchange and the fraudulent wire transfer was stopped.”

As part of the Rubica study, the company evaluated the top 20 free kids apps on the iTunes and Google Play app stores. A recent Experian report also discusses cyberthreats to the online gaming industry.


Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md. View Full Bio

Article source: https://www.darkreading.com/threat-intelligence/cybercriminals-target-young-gamers--/d/d-id/1334066?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Trust, or Lack of It, Is a Key Theme on RSAC Keynote Stage

Neither machines nor humans might be entirely trustworthy, but the cooperation of the two might be the answer to issues of misinformation, deep fake videos, and other issues of trust, say security leaders.

RSA CONFERENCE – SAN FRANCISCO – The need for trust — in machines, in systems, and in one another — was a central theme here today, when leaders took to the keynote stage to officially kick off the RSA Conference (RSAC), a meeting of tens of thousands of cybersecurity professionals.

Some of the themes discussed were the inherent trustworthiness of both humans and machines. How do artificial intelligence, the Internet of Things, misinformation campaigns, and the coming “biodigital era” erode trust? And what solutions can the security industry — as people and technologists — create to address that issue?

The crowd was first warmed by the voices of the Oakland Interfaith Gospel Choir and acclaimed actress Dame Helen Mirren, who gave the opening address.

She dubbed the RSA delegates “a steadfast constellation of guiding stars that never waver,” and continued: “You see, you, you, you are a hero … but you see perhaps you do not have to be such very solitary heroes. So, seize this moment to become better and stronger together.”

“Thank you, thank you from me to you,” she said. “Thank you for all you do, all you sacrifice, all you bravely represent.”

RSA president Rohit Ghai and cybersecurity strategist-entrepreneur Niloofar Razi Howe followed by presenting both an image of the future that was first a harrowing tale of trust broken, and then a happy tale of trust restored.  

“The key to the biodigital era is trust,” said Ghai.

“But are we trustworthy?” countered Howe.

They presented the possibility that fear of exploitation and misinformation could cause regulators to take draconian actions (“walls went up, and trust dried up”), but that it was possible for risk and trust to coexist. Just as the human body manages to survive despite being home to more bacterial cells than human cells, other systems can manage risk, they said.

Ghai described technology with a “‘Spidey sense’-like human intuition” in which “every piece of technology is instrumented to sense risk and adjust its functionality based on risk.”

They also discussed the concept of “trustworthy twins” — that humans and machines working together are more trustworthy than either is individually. While humans fail to remember passwords, artificial intelligence lacks empathy and is subject to the biases of the data it’s given. A combination of humans asking questions and machines hunting for answers would be a more trustworthy duo.

Howe and Ghai also spoke of a “chain of trust” or “reputation bank account” that would keep a running record of organizations’ positive and negative actions (such as times they misled the public or times they successfully repelled a cyberattack or were honest about a breach).

McAfee CTO Steve Grobman and chief data scientist Dr. Celeste Fralick further discussed trust as it relates to artificial intelligence models. They commented that the technology is both bereft of a moral compass and can be tricked. They presented examples of how the technology can be used maliciously in applications like deep fake videos and how, by poisoning machine learning classifiers, it could be tricked into identifying a photo of a penguin as a photo of a frying pan.

“We must embrace artificial intelligence, but remember its limitations,” said Grobman. “It’s just math.”

Liz Centoni, Cisco’s senior vice president and general manager of IoT, spoke about another kind of trust during her presentation on industrial IoT security: the lack of trust between operational technology (OT) and IT teams.

“The OT world cares about safety, not data loss,” said Centoni. “They want their systems to be up and running even when there’s an outage. … They’re measured on different things.”

OT teams know they have an asset visibility issue, she said — it’s not uncommon for industrial environments to be unable to see 40% to 50% of what’s in their environment — but some of those assets have been in place for many years and don’t speak protocols like 802.1X. Any efforts to improve visibility are driven by the need to improve operations, not to stop cyberattacks.

“Lean in and learn about the OT environment,” she said.


Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad … View Full Bio

Article source: https://www.darkreading.com/vulnerabilities---threats/trust-or-lack-of-it-is-a-key-theme-on-rsac-keynote-stage/d/d-id/1334065?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Word Bug Allows Attackers to Sneak Exploits Past Anti-Malware Defenses

Problem lies in the manner in which Word handles integer overflow errors in OLE file format, Mimecast says.

The manner in which Microsoft Word handles integer overflow errors in the Object Linking and Embedding (OLE) file format has given attackers a way to sneak weaponized Word documents past enterprise sandboxes and other anti-malware controls.

Security vendor Mimecast, which discovered the issue, says its researchers have observed attackers taking advantage of the OLE error in recent months to hide exploits for an old bug in the Equation Editor component of Office that was disclosed and patched in 2017.

In one instance, an attacker dropped a new variant of a remote access backdoor called JACKSBOT on a vulnerable system by “chaining” or combining the Equation Editor exploit with the OLE file format error. 

“Our detection engines spotted an attacker group, which seems to originate from Serbia, using specially-crafted Microsoft Word documents to take advantage of how Microsoft Word handles Integer Overflow errors in the OLE file format,” Mimecast said in a report Tuesday. By using the OLE bug, the attacker was able to sneak the Equation Editor exploit past anti-malware defenses on the system, the vendor said.

The Equation Editor bug (CVE-2017-11882) was first disclosed in November 2017 and gives attackers a way to gain complete remote administration control of vulnerable systems. Microsoft issued a security patch for the bug the same year. But attackers have continued to exploit the Equation Editor issue on unpatched systems since then.

Meni Farjon, chief scientist for advanced threat detection at Mimecast, says that the integer overflow issue it discovered in the OLE file format can be used to hide exploits for any Microsoft Word vulnerability, not just the Equation Editor bug.

“The benefit isn’t specifically for the Equation Editor exploit. [It] can be used to carry any payload into an OLE file,” Farjon notes. “Consider this as a vehicle which can cloak the payload. The overflow alone can’t do anything harmful, so it has to be chained into a payload.”

Farjon describes the integer overflow issue as resulting from a miscalculation on raw inputs from file parsing. “Microsoft Word, when parsing OLE structured files, is trying to locate the file sectors on which the data is being stored,” he says. A part of that process involves making a calculation for a sector ID, he says. “Attackers were able to provide very big sector ID numbers, which caused the application to behave unexpectedly when the resulting number was larger than a 32-bit integer.” In such instances, Word can be tricked into loading malicious objects into memory without following the correct guidelines, he said.

The behavior that Mimecast was able to uncover is undocumented, which shows that this is unintended behavior. “This acts as a bypass or an abuse technique for attackers,” Farjon noted. “They are using this unintended behavior to bypass security solutions, even Microsoft’s own solutions, to hide malicious code and exploits.” The vulnerability does not have a CVE.
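The sector-lookup arithmetic Farjon describes can be illustrated with the publicly documented compound file layout (MS-CFB) that OLE documents use: a sector's byte offset is (sector ID + 1) shifted left by the header's sector-shift field. The C below is an added example written for this page, not Word's parser and not Mimecast's proof-of-concept; it shows the unchecked 32-bit computation wrapping so that an absurdly large sector ID aliases a small, plausible-looking offset, beside a checked version that rejects reserved IDs, computes in 64 bits, and bounds the result to the file size. The header it parses is constructed inline, and the sector ID 0x00800000 is an arbitrary attacker-chosen value, not one taken from the samples Mimecast observed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Illustrative parser, not Word's code. MS-CFB facts relied on: 8-byte magic
 * at offset 0, little-endian uint16 sector shift at offset 30 (9 = 512-byte
 * sectors, 12 = 4096-byte), sector N starts at byte (N + 1) << shift, and
 * sector IDs above 0xFFFFFFFA are reserved markers (DIFSECT, FATSECT,
 * ENDOFCHAIN, FREESECT), never the address of a data sector. */
#define CFB_HEADER_SIZE 512u
#define CFB_MAXREGSECT  0xFFFFFFFAu

static const uint8_t CFB_MAGIC[8] = {0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1};

/* The bug pattern: (sid + 1) << shift evaluated in 32 bits. For a large sid
 * the high bits are shifted out and the result lands on a real offset. */
uint32_t sector_offset_unchecked(uint32_t sid, uint16_t sector_shift)
{
    uint32_t n = sid + 1u;                  /* 0xFFFFFFFF + 1 wraps to 0 */
    return (uint32_t)(n << sector_shift);   /* overflow discarded silently */
}

/* Hardened version: reject reserved IDs, compute in 64 bits, and require
 * the whole sector to lie inside the file. Returns 0 on success, a
 * negative code on rejection; *out receives the byte offset. */
int sector_offset_checked(uint32_t sid, uint16_t sector_shift,
                          uint64_t file_size, uint64_t *out)
{
    if (sid > CFB_MAXREGSECT)
        return -1;                          /* reserved marker, not data */
    if (sector_shift != 9 && sector_shift != 12)
        return -2;                          /* only 512/4096-byte sectors exist */
    uint64_t sector_size = (uint64_t)1 << sector_shift;
    uint64_t off = ((uint64_t)sid + 1u) << sector_shift;
    if (off > file_size || file_size - off < sector_size)
        return -3;                          /* sector would run past EOF */
    *out = off;
    return 0;
}

/* Read the sector shift from a header buffer after validating the magic. */
int cfb_read_sector_shift(const uint8_t *hdr, size_t len, uint16_t *shift)
{
    if (len < CFB_HEADER_SIZE)
        return -1;
    if (memcmp(hdr, CFB_MAGIC, sizeof CFB_MAGIC) != 0)
        return -2;
    *shift = (uint16_t)(hdr[30] | (hdr[31] << 8));
    return 0;
}

int main(void)
{
    /* Constructed header: valid magic, 512-byte sectors, all else zero. */
    uint8_t hdr[CFB_HEADER_SIZE] = {0};
    memcpy(hdr, CFB_MAGIC, sizeof CFB_MAGIC);
    hdr[30] = 9;

    uint16_t shift;
    if (cfb_read_sector_shift(hdr, sizeof hdr, &shift) != 0)
        return 1;

    uint32_t evil_sid = 0x00800000u;        /* hypothetical attacker value */
    uint64_t file_size = 4096;              /* header plus seven 512-byte sectors */
    uint64_t off = 0;
    int rc;

    printf("unchecked: sid 0x%08x -> offset %u (wrapped into the file)\n",
           evil_sid, sector_offset_unchecked(evil_sid, shift));
    rc = sector_offset_checked(evil_sid, shift, file_size, &off);
    printf("checked:   sid 0x%08x -> rc %d (rejected)\n", evil_sid, rc);
    rc = sector_offset_checked(3, shift, file_size, &off);
    printf("checked:   sid 3 -> rc %d, offset %llu\n", rc, (unsigned long long)off);
    return 0;
}
```

With 512-byte sectors, sector ID 0x00800000 yields a true offset of 0x100000200, which no 32-bit file position can hold; the unchecked arithmetic truncates it to 512, the first data sector after the header, which is exactly the kind of "unexpected" load Farjon describes. The checked version is the form a parser should take: bound the ID, widen the arithmetic, and validate against the file length before dereferencing.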

Mimecast has reported the OLE file format issue to Microsoft along with working proof-of-concept code. Microsoft has acknowledged that the behavior is unintended but does not have immediate plans to release a security patch for it, Mimecast said in its report. That’s because the overflow alone does not cause memory corruption or code execution, the vendor said.

Microsoft did not immediately respond to a Dark Reading request for comment.

Farjon says that up to now, Mimecast researchers have observed only limited targeted attacks using this bug. “No specific conditions need to exist in order for this to be exploited,” he says. Patching for the Equation Editor bug can protect organizations against exploits targeting that specific vulnerability, but not against the integer overflow issue itself, he says. “This is a vehicle to cloak an attack — this can be used with any Microsoft Office exploit and chained together to achieve high stealth capabilities.” 


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year … View Full Bio

Article source: https://www.darkreading.com/attacks-breaches/word-bug-allows-attackers-to-sneak-exploits-past-anti-malware-defenses/d/d-id/1334070?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Update now! Critical Adobe ColdFusion flaw now being exploited

Adobe has issued an urgent out-of-band patch for a critical flaw in the ColdFusion web development platform it says is being exploited in the wild.

The company’s APSB19-14 bulletin is light on detail but describes the issue as a “file upload restriction bypass” affecting ColdFusion 2018 update 2 and earlier, 2016 update 9 and earlier, and 11 update 17 and earlier:

This attack requires the ability to upload executable code to a web-accessible directory, and then execute that code via an HTTP request.  Restricting requests to directories where uploaded files are stored will mitigate this attack.

Who’s affected?

According to a blog by one of those credited by Adobe for reporting the issue, Charlie Arehart, updating should be a particular concern to ColdFusion servers that allow file uploads to a web-accessible folder, have any code that does the same in ColdFusion Markup Language (CFML), and have not disallowed files with server-executable extensions.

Wrote Arehart:

I also know what was done specifically to perpetrate the attack, and the very negative consequences of what happened once the server of a client of mine was attacked. You don’t want this to happen to you.

Cybercriminals have a history of developing exploits for the platform, aware perhaps that not all admins get around to patching it as quickly as they should.

A salient example was last September’s update fixing critical flaws, APSB18-33 (CVE-2018-15061) which an APT group reportedly targeted with an exploit made possible by weak patching.

In 2014, another vulnerability was exploited to hack websites belonging to car company Citroen.

What to do

The flaw is identified as CVE-2019-7816. The fix is to update to ColdFusion 2018 update 3, 2016 Update 10, or 11 Update 18 through the product’s server update admin feature.

Adobe recently updated ColdFusion on 12 February and will do so again on 12 March as part of the Patch Tuesday schedule.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/QXwadGARchA/