STE WILLIAMS

A kernel-level bug in an endpoint security tool for MacOS remains unpatched after IBM was unable to deliver a patch within the vulnerability researchers’ 120-day disclosure deadline.

IBM Trusteer Rapport is endpoint security software that protects confidential data like access credentials. Researchers from Trustwave SpiderLabs discovered a signedness bug in the handling of user-supplied buffers on a driver used by Trusteer Rapport on MacOS. The bug can lead to a memory corruption vulnerability in the Apple MacOS kernel and, subsequently, arbitrary code execution in the kernel. 

Trustwave SpiderLabs researchers first reported the bug to IBM Aug. 15 and have been working with the IBM Security Vulnerability Management Team since then, researchers wrote Thursday. When IBM was unable to provide a patch within Trustwave’s normal 90-day disclosure policy, the researchers granted IBM an additional 30 days. (IBM representatives could not be reached to verify this timeline as of this posting.) When that deadline again passed without a fix, Trustwave opted to publicly disclose the bug.

The good news is that the vulnerability can only be exploited locally. However, there are several exploits in which attackers could obtain arbitrary code executations within the context of the kernel, researchers said. Security teams should take measures to ensure only authorized users can obtain local access to affected machines.

Read more details here. 

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/endpoint/unpatched-kernel-level-vuln-in-ibm-security-tool-for-apple-macos-revealed/d/d-id/1333547?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

(Image: Moritz320)

Peter Drucker, aka the founder of modern management, is credited with writing, “If you can’t measure it, you can’t improve it.” Over time, that has been broadened to, “If you can’t measure it, you can’t manage it,” a statement that is taken as holy writ for most modern executives.

Indeed, business in the 21st century is all about metrics. Cybersecurity has plenty, measuring everything from port probes to login attempts. It’s expected that cybersecurity managers will have a good handle on all of these metrics and know what they’re saying about their organizations. But in today’s business organization, these security metrics aren’t enough.

In order to protect the business, security has to speak the language of business. The last decade has seen a growing, if sometimes grudging, acknowledgment of this by security professionals. The question for many security pros is, “Which business metrics should I know?”

Each organization may have its own unique key performance indicators (KPIs) to take into consideration. But certain metrics matter regardless of the particular business. To cover all of them is the subject of an MBA, but we’ve put together a list that includes some basics, some that might escape first notice, and some that have a particular interest from a security perspective.

In each case, these are metrics that cybersecurity pros should understand and pay attention to. Do you use them in your security practice? What other metrics do you think should be on this list? Let us know in the comments.  

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and … View Full Bio

Article source: https://www.darkreading.com/network-and-perimeter-security/7-business-metrics-security-pros-need-to-know/d/d-id/1333549?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Two members of China’s APT10 hacking group have been indicted by the US Department of Justice on charges unsealed this morning. Zhu Hua (aka Afwar, CVNX, Alayos, and Godkiller) and Zhang Shilong (aka Baobeilong, Zhang Jianguo, and Atreexp) were charged with conspiracy to commit computer intrusions, conspiracy to commit wire fraud, and aggravated identity theft.

The pair “acted in association with the Chinese Ministry of State Security’s Tianjin State Security Bureau,” said the DOJ in a statement. During a campaign lasting at least six years, the two targeted managed service provicers and individual companies, with victims including at least 45 companies in a dozen US states as well as a number of government agencies.

“It is galling that American companies and government agencies spent years of research and countless dollars to develop their intellectual property, while the defendants simply stole it and got it for free. As a nation, we cannot, and will not, allow such brazen thievery to go unchecked,” said US Attorney Geoffrey Berman during the press conference announcing the indictments. 

“The indictment alleges that the defendants were part of a group that hacked computers in at least a dozen countries and gave China’s intelligence service access to sensitive business information,” said Deputy Attorney General Rosenstein, speaking at the same news conference.  “This is outright cheating and theft, and it gives China an unfair advantage at the expense of law-abiding businesses and countries that follow the international rules in return for the privilege of participating in the global economic system.”

In addition to the theft of commercial intellectual property, the indictment alleges that the two “compromised more than 40 computers in order to steal sensitive data belonging to the Navy, including the names, Social Security numbers, dates of birth, salary information, personal phone numbers, and email addresses of more than 100,000 Navy personnel.”

In a statement provided to Dark Reading, CrowdStrike co-founder and CTO Dmitri Alperovitch said, “It is unprecedented and encouraging to see the US government, joined by so many international allies, taking a decisive stance against Chinese state-sponsored economic espionage. Today’s announcement of indictments against Ministry of State Security (MSS), whom we deem now to be the most active Chinese cyber threat actor, is another step in a campaign that has been waged to indicate to China that its blatant theft of IP is unacceptable and will not be tolerated.”

Read more details here and here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/network-and-perimeter-security/us-indicts-2-apt10-members-for-years-long-hacking-campaign/d/d-id/1333535?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

The US government has indicted two Chinese hackers for their roles in a state-sponsored cyber esponiage campaign that included attacks on managed service providers (MSPs) and, subsequently, the MSPs’ clients. Security experts wonder, however, what impact the indictments will really make.

In an indictment unsealed in Manhattan federal court, the Justice Department described Zhu Hua and Zhang Shilong as members of APT10, a cyber espionage group working for the Chinese Ministry of State Security’s Tianjin State Security Bureau. 

Security researchers have long identified China as one of the biggest sources of hacking activity targeted against US companies, critical infrastructure, and government. APT10 has been previously linked to attacks on construction companies, aerospace firms, telecoms, and government organizations for years. In 2017, the group was found to be targeting MSPs, in an attack campaign dubbed Operation Cloud Hopper.

“APT10 has been tracked by FireEye for years and is one of the most prolific cyber espionage groups,” said Ben Read, senior manager of cyber espionage analysis at FireEye, in a statement. “Their move towards compromising managed service providers (MSPs) showcases the danger of supply chain compromises and reflects their continuously evolving tactics.” 

Through their involvement with APT10, Zhu and Zhang are alleged to have broken into computers and networks belonging to numerous MSPs around the world in order to then gain access to systems belonging to the MSPs’ clients. Over the course of the MSP theft campaign, which began in 2014, Zhu and Zhang allegedly gained access to and stole data from computers belonging to organizations in various sectors, including banking, finance, manufacturing, consumer electronics, medical equipment, biotech, and automotive.

Long-Standing Issue
In announcing the charges, US officials accused the Chinese government of actively supporting the hacking activities to further its own long-term economic and security goals.

“It is galling that American companies and government agencies spent years of research and countless dollars to develop their intellectual property, while the defendants simply stole it and got it for free,” said Geoffrey Berman, US Attorney for the Southern District of New York. “As a nation, we cannot, and will not, allow such brazen thievery to go unchecked.”

FBI director Christopher Wray described China’s cyber campaigns and the alleged motives behind them as hurting American businesses, jobs, and consumers. “No country should be able to flout the rule of law – so we’re going to keep calling out this behavior for what it is: illegal, unethical, and unfair,” he said.

The allegations are not new but are almost certain to put further pressure on the already strained relationship between the US and China. The Washington Post last week, in fact, had described the then forthcoming indictments as part of an intensifying US campaign to confront China over the economic espionage activities.

Planned actions include sanctions against individuals responsible for the activities and declassification of information related to the breaches.

How far such measures will go to deter China remains an open question. Though China famously signed an agreement with the US in 2015 promising not to engage in cyber activities for economic espionage, there’s no evidence that hacking activity out of the country has even abated, far less stopped.

Dave Weinstein, vice president of threat research at Claroty, sees the latest actions as yet another example of the effort law enforcement is putting into investigating and holding accountable those responsible for such attacks. “At the same time, we’ve seen this play out before, dating back to 2014 when several [People’s Liberation Army] officers were indicted on hacking charges,” Weinstein says. “It’s not clear to me that the legal process is the best way of stopping what has been China’s persistent behavior for over a decade.”  

Indictments like these highlight the challenge the private industry faces in defending against well-funded, state-sponsored actors with little concern about reprisals, says Pravin Kothari, CEO of CipherCloud. “The US government needs to defend our Internet infrastructure to protect commerce and communications,” he says.

It needs to be done within the rule of the law and by making all evidence available for public view, too. “In the meantime, we also need to engage in constructive discussions with the Chinese government to try to reach an end to this activity,” Kothari says.

The Charges
The victim organizations of the MSP campaign were scattered across 12 countries, including the US, UK, Germany, France, Switzerland, Sweden, and India.

Separately, Zhu, a penetration tester, and Zhang, a malware developer, also broke into computers and networks belonging to 45 technology companies and US government agencies in 12 states. The technology theft campaign began in 2006 and resulted in Zhu and Zhang stealing hundreds of gigabytes of sensitive data. Among the victims were seven organizations in the aviation and space sectors, three communications companies, three manufacturers of advanced electronic components, NASA, and the Jet Propulsion Laboratory.

The APT10 intrusions include one that compromised more than 40 computers belonging to the Navy and resulted in the theft of personally identifiable information belonging to some 100,000 Navy personnel.

Related Content:

• Cloud, China, Generic Malware Top Security Concerns for 2019
• Report: China’s Intelligence Apparatus Linked to Previously Unconnected Threat Groups
• Evidence in Starwood/Marriott Breach May Point to China
• 8 Threats That Could Sink Your Company

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year … View Full Bio

Article source: https://www.darkreading.com/threat-intelligence/apt10-indictments-show-expansion-of-msp-targeting-cloud-hopper-campaign/d/d-id/1333539?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Fo cybercriminals, the Internet of Things (IoT) is becoming a bigger draw, ransomware is still a profitable tool, and there are ways around even major legal actions. Those are some of the conclusions in the “McAfee Labs Threats Report: December 2018,” released this week.

A number of findings in the report show certain trends continuing long-term patterns. New examples of IoT malware grew 72% in the third quarter, part of a total malware increase of 203% in past four quarters. And while many analysts have seen the growth of cryptominers slow in recent months, cryptomining malware increased by 71%, a figure based largely on the continuing growth in the number of IoT devices themselves.

“Platforms based on Linux are predominantly being hit,” the McAfee research team told Dark Reading in an email interview, as they explained the rise in IoT malware. “Whereas previously these were dominated by DDoS-related botnets – the introduction of cryptojacking has led to the increase.”

While these numbers are impressive, the most important developments in the malware landscape may be occurring behind the scenes. “Several individual sellers have moved away from large markets and have opened their own specific marketplaces,” the McAfee researchers said. Other marketplaces, such as Dream Market, Wall Street Market, and Olympus Market, have become popular replacements for the lost markets (though Olympus Market suddenly disappeared, taking money and trusted relationships with it).

In a continuing response to the legal takedown of major Dark Web markets like Hansa and AlphaBay, and the disappearance of Olympus Market, some criminals have created their own “dark commerce” sites where they do business with their customers, the researchers said. These smaller sites make it more difficult for law enforcement to gain access and conduct surveillance on criminal activity.

Another trend that makes life more challenging for law enforcement is a growing tendency by some criminals to forgo a Web-based market altogether and use communications networks such as Telegram to conduct their business.

The communication is critically important for the criminals due to the continuing growth of criminal affiliate networks, seen in the evolution and increase of affiliate-architected malware such as the GandCrab ransomware package. The affiliate model is also seen in the operation of “RDP shops” that sell remote desktop access to compromised servers so that criminals can install and run their illicit software. “RDP continues to be an Achilles heel for many organizations, judging by the amount of targeted ransomware attacks, such as SamSam, BitPaymer, and GandCrab, that leverage RDP as an entry method,” the report states.

Malware’s evolution makes McAfee’s suggestion that security also continue to evolve an obvious step. “We have to consider the speed in which criminal operators are adapting techniques and leveraging new approaches to achieve their objectives,” the research team told Dark Reading. “For example, the introduction of new exploit kits and the continual development of GandCrab suggests that security teams need to remain vigilant on the evolution of such new threats.”

Related Content:

• 2018 In the Rearview Mirror
• The Economics Fueling IoT (In)security
• 4 Lessons Die Hard Teaches About Combating Cyber Villains
• ‘Highly Active’ Seedworm Group Hits IT Services, Governments

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and … View Full Bio

Article source: https://www.darkreading.com/threat-intelligence/criminals-move-markets-to-remain-in-the-shadows/d/d-id/1333542?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

First prize (a $25 Amazon gift card) to Joe Stanganelli, managing director, Blackwood King LC, Boston, Mass., with second prize honors (a $10 Amazon gift card) to gerald626 for:

“Strangely enough, it meets audit compliance.”

Congratulations to all the winners and submitters who kept our panels of judges — John Klossner and the Dark Reading editorial team: Tim Wilson, Kelly Jackson Higgins, Sara Peters, Kelly Sheriden, Curtis Franklin, Jim Donahue, Gayle Kesten, and yours truly — smiling for days.

If you haven’t had a chance to read all the entries, be sure to check them out today.

Related Content:

• Risky Business: Dark Reading Caption Contest Winners
• Make a Wish: Dark Reading Caption Contest Winners
• Threat Landscape: Dark Reading Caption Contest Winners

Marilyn has been covering technology for business, government, and consumer audiences for over 20 years. Prior to joining UBM, Marilyn worked for nine years as editorial director at TechTarget Inc., where she launched six Websites for IT managers and administrators supporting … View Full Bio

Article source: https://www.darkreading.com/i-spy-dark-reading-caption-contest-winners/a/d-id/1333536?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Your worst fears about home assistants came true for one Amazon customer whose Alexa recordings were accidentally sent to a complete stranger. Amazon failed to disclose the mistake, but don’t worry: The recipient learned enough about the Alexa owner to reach out.

It started when a German Amazon customer requested his Amazon-owned data, which he has a right to do under the General Data Protection Regulation (GDPR). After several weeks, the company sent a downloadable 100-Mb zip file. Some of its contents reflected the customer’s Amazon searches. However, hundreds were .wav files and one contained transcripts of voice commands recorded by Alexa. The person had never owned an Alexa, so he reported the issue to Amazon, which did not respond but killed the link to the data.

However, the customer had already saved the files, so he reached out to German magazine c’t because he worried Amazon hadn’t shared the mistake with the data’s rightful owner. By listening to the files, the publication was able to learn the person’s name, habits, jobs, musical taste, and more intimate details that “got our hair standing on end,” the report states. First and last names helped determine his close friends; Facebook and Twitter data filled in more of the details.

C’t learned enough about the victim to contact him and inform him of the mistake. Amazon did not share the error with him, he said, but the company later contacted both the victim and accidental recipient. It claims a staff member made “a one-time error,” Gizmodo reports.

Read more details here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/iot/amazon-slip-up-shows-how-much-alexa-really-knows/d/d-id/1333545?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple