STE WILLIAMS

According to a recent Pew survey, two-thirds of Americans do not believe current laws are doing enough to protect their privacy, and six out of 10 respondents would like greater autonomy over their personal data. In an even more surprising turn of events, leadership at several leading tech companies — among them Apple CEO Tim Cook — are now encouraging smarter government regulation and data privacy laws. These shifts indicate a growing awareness and concern within the United States around data privacy and data protection.

In 2019, I predict constituents across the US will seek even greater data protection legislation from their representatives. In the aftermath of the recent Marriott data breach, for example, several members of Congress demanded cybersecurity legislation focusing on consumer protection and privacy, among them, Senator Mark Warner (D-Va.) who  asked for “laws that require data minimization, ensuring companies do not keep sensitive data that they no longer need …. and data security laws that ensure companies account for security costs rather than making their consumers shoulder the burden and harms resulting from these lapses.”

Battle Royale: Authoritarian vs. Democratic
While the US has been, for the most part, sitting on the sidelines over the past few years, we’ve seen a steady march toward greater data localization laws that foreshadow a global battle over data security and privacy. On the one hand are authoritarian regimes that are implementing data localization policies to enable greater government access to both personally identifiable information and intellectual property. This digital authoritarianism includes Internet controls and restrictions, integrating disinformation, and limiting individual data access through various forms of censorship. One the other are the democratic nations that are using legislation such as  the European Union’s General Data Protection Regulation (GDPR), which favor the rights of the individual over government access to the data of private citizens.

Russia, for instance, recently announced greater oversight and harsher fines to existing data laws, which include requiring government access to encryption keys and storing Russian users’ personal data in Russia. But Russia is not alone. According to Freedom House’s Freedom of the Net, this form of digital authoritarianism is the most dominant trend, coinciding with eight consecutive years of rising global Internet censorship.

Conversely, GDPR and now the California Consumer Privacy Act (CCPA) represent the emergence of more democratic models that focus on individual data protection and provide a counterweight to digital authoritarianism. Given these global trends — coupled with constituent pressure — the US will find it increasingly difficult to maintain its current patchwork of industry and state-specific approaches to cybersecurity and data protection. Expect to see the US step off the bench and put some skin in the game.

2019: The Year of Security UX?
While the United States will inevitably see additional forms of data protection legislation introduced in 2019, given the stagnation of current cybersecurity legislation in Congress and the nonstop mega-breaches, the public likely will not be satisfied to sit back and wait and see if legislation gets passed. In the last few weeks of 2018, the recent Marriott mega-breach, the National Republican Congressional Committee email hack, and the Facebook email dump have served as constant reminders about the magnitude of this problem. Given the confluence of corporate breaches, proliferation of attackers, and the global diffusion of surveillance and censorship, individuals want to take back control and gain agency in their own data protection.

The security industry notoriously lacks usability and often blames the user as the weakest link and source of all security problems. But in 2019, users will revolt against this and demand greater, more intuitive individual control over their data. The movement toward usable security will also drive security professionals to work closely with social scientists and user experience experts to ensure that incentive structures and human-computer interaction match those for the broader population of product users and consumers. Usable security will become the new buzzword and signal a rejection of the argument that there must be a trade-off between convenience and security and privacy. The public will demand both convenience and data protection, and there will finally be some progress toward true democratization of security for the masses.

Related Content:

• 2019 Attacker Playbook
• 6 Ways to Strengthen Your GDPR Compliance Efforts
• How to Find a Privacy Job That You’ll Love ( Why)

Dr. Andrea Little Limbago is the chief social scientist at Virtru, a data privacy and encryption software company, where she specializes in the intersection of technology, cybersecurity, and policy. She previously taught in academia before joining the Department of Defense, … View Full Bio

Article source: https://www.darkreading.com/perimeter/privacy-futures-fed-up-consumers-take-their-data-back/a/d-id/1333499?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

An ongoing targeted attack campaign against financial institutions demonstrates how older and well-trodden hacking methods still remain effective. 

Since August, a group of attackers have used Java-based remote access Trojans, phishing emails, and zip-compressed files – and hosted their malware on popular cloud services – to target employees at banks and other financial institutions, according to a report released this week by Menlo Security.

The attackers write their initial infectors in Java and Visual Basic, and customize versions of popular malware frameworks to steal account information, the company says.

“A lot of these attacks are stealing credit card information, they also steal accounts and steal money directly from the accounts,” says Vinay Pidathala, director of research at Menlo Security, a Web security firm. “They can inject code directly into the pages to infect account holders, and they can put a keylogger, along with taking screenshots.”

That these older tactics work should not be a surprise. Attackers still use these techniques because they work. In 2017, for example, 93% of breaches had a phishing e-mail component, according to the 2018 Verizon Data Breach Investigations Report (DBIR). While only 4% of recipients clicked the malicious link in a phishing e-mail on average, only a single person needs to let in the attacker.

Menlo Security found in its research that 4,600 phishing sites use legitimate hosting services. In the latest campaign, the attackers used storage.googleapis.com to host their malicious payload.

“Attackers are increasingly using popular domains to host their attacks,” Pidathala says. “It’s an easy way around being blocked by security software, because these sites are on a known good list.”

Rise of the jRATs 

Another common technique is using Adobe Flash or Oracle’s Java as an initial infector. While personal computers have tried to move away from these ubiquitous runtime agents, for malware writers the write-once-run-anywhere technology allows a single file can run on Mac systems as well as Windows. 

The capability has resulted in consistent efforts to infect systems using malware written in those languages. More than a year ago, security firms warned that Java-based remote access trojans, or jRATs, were targeting business users using attachments that appeared to be communications from the Internal Revenue Service (IRS) or a purchase order, according to an April 2017 analysis by security firm Zscaler. 

“The jRAT payload is capable of receiving commands from a CC server, downloading and executing arbitrary payloads on the victim’s machine,” writes Zscaler security researcher Sameer Pail. “It also has the ability to spy on the victim by silently activating the camera and taking pictures.”

Java-based RATs allow attackers to initiate an attack and download specific executables, depending on the operating system encountered. As Macs become an increasing part of the corporate world, such flexibility is key, experts say.

“More and more enterprises are using Macs, and with one JAR file you can design an attack that can infect both platforms,” says Menlo Security’s Pidathala. “Java is still installed on a significant number of computers around the world.”

Old But Modified RATs

The attackers also used well-known remote access Trojans: Houdini and qRAT. Both are modular, so attackers are able to customize their payloads and add capabilities through a modular architecture. 

Menlo Security’s Pidathala argues that such RATs are more useful than automated botnets because attackers can easily tailor their attack to attempt to bypass the victim’s defenses.  

“It is a RAT, so it is very flexible because it is modular—it can do lateral movement, or it can do reconnaissance, just by updating its modules,” he says. “Going forward, the concept of botnets, meaning malware that has automated functionality to steal specific things, will die down in favor of more malware that can be customized to the attackers’ needs.”

Related Content:

• The Browser Is the New Endpoint
• The 5 Challenges of Detecting Fileless Malware Attacks
• New Threats, Old Threats: Everywhere a Threat
• Another Cyberattack Spotted Targeting Mideast Critical Infrastructure Organizations

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline … View Full Bio

Article source: https://www.darkreading.com/perimeter/attack-campaign-targets-financial-firms-via-old-but-reliable-tricks/d/d-id/1333528?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

NASA is investigating a data breach that exposed personally identifiable information (PII) — including Social Security numbers — belonging to current and former employees who joined the agency after July 2006.

The breach is the latest of numerous major and minor security incidents at NASA in recent years and is sure to heighten scrutiny of its cybersecurity practices.

In an internal memo to employees Dec. 18 (posted here), NASA’s head of human relations, Bob Gibbs, said the space agency’s cybersecurity staff discovered the breach when investigating a potential compromise of several servers in late October. An initial analysis of the incident showed that one of the impacted servers contained PII on NASA employees that the attackers may have stolen.

“Upon discovery of the incidents, NASA cybersecurity personnel took immediate action to secure the servers and the data contained within,” Gibbs’ memo stated without further elaboration.

NASA and other federal cybersecurity partners are doing a forensic analysis of the impacted systems to understand the full scope of the breach and to identify employees whose data might have been stolen, the statement noted. The process will take time but is a top priority at NASA, with senior leadership is actively involved in understanding the breach and developing a response.

“NASA does not believe that any agency missions were jeopardized by the intrusions,” a spokeswoman said in a separate emailed statement to Dark Reading. “The agency is continuing its efforts to secure all servers and is reviewing its processes and procedures to ensure the latest security practices are followed throughout the agency.” NASA did not respond to a question about why the agency waited so long to disclose the breach.

The server intrusions appear to be the latest manifestation of what NASA’s Office of Inspector General (OIG) has previously described as long-standing security issues at the agency.

In a November 2017 assessment of NASA’s top management and performance challenges, inspector general Paul Martin identified IT governance and information security as one key issue. According to the OIG, NASA reported more than 3,000 computer security incidents involving malware or unauthorized access to agency computers in the two years preceding the report.

“These incidents included individuals testing their skills to break into NASA systems, well-organized criminal enterprises hacking for profit, and intrusions that may have been sponsored by foreign intelligence services seeking to further their countries’ objectives,” the report noted. In one instance, a contract employee was indicted for illegally accessing and attempting to sabotage NASA systems.

To address these issues, NASA has implemented a series of initiatives, including expanded network penetration testing, more incident response assessments, broader deployment of intrusion detection systems, and increased Web application security scanning. Despite such measure, problems persist, the OIG said. Among them: inadequate IT acquisition and governance practices, gaps in the agency’s incident detection and handling capabilities, inadequate monitoring tools and Web application security controls.

Also troubling, according to the OIG, were NASA policies that did not distinguish OT systems from IT.

As of November 2017, the agency managed more than 500 information systems for everything from controlling spacecraft and processing scientific data to enabling NASA personnel to collaborate with peers around the world. NASA also manages some 1,200 publically accessible Web applications — or about 50% of all non-military federal websites that are publicly accessible.

Not a Houston Problem Alone
NASA, by far, is not the only federal agency with cybersecurity challenges. Though civilian US federal agencies spent an estimated $5.7 billion on cybersecurity last year, many serious deficiencies persist across the spectrum, said the White House Office of Management and Budget (OMB) in a report in May. Among them were gaps in network visibility that prevented agencies from fully knowing what was going on in their networks, lack of standardized processes and capabilities, and limited situational awareness. One example: In 38% of federal cybersecurity incidents, investigators were not able to identify an attack vector.

Michael Magrath, director of global regulations and standards at OneSpan, says breaches like the one at NASA are not surprising given how big of a target federal agencies are for cybercriminals because of the PII they collect and store. “That large human resources target plus the potential damage that can be inflicted from a national security standpoint means that federal agencies will always [face] cyberthreats,” he says.

The OMB is expected to soon release final policy to address federal agencies’ implementation of Identity, Credential, and Access Management (ICAM) policy, he says. The policy will update previous requirements for multifactor authentication, digital signatures, encryption acquisition, and other areas of security. “It remains to be seen what is included in the updated requirements,” Magrath says. “Hopefully it addresses the growing number of successful cyberattacks on federal agencies.”

Somewhat ironically, the latest breach is unlikely to make a huge difference for the victims because a lot of their PII was likely already compromised in the 2015 intrusion at the US Office of Personnel Management (OPM). In that incident, PII belonging to as many as 21.5 million current and former federal employees and others was compromised.

“Given the depth of the OPM breach, it is likely that most of the information has already been made available,” says Keenan Skelly, vice president of global Partnerships at Circadence.

Related Content:

• Congress Passes Bill to Create New Federal Cybersecurity Agency
• White House Cybersecurity Strategy at a Crossroads
• A Shift from Cybersecurity to Cyber Resilience: 6 Steps
• 2018 State of Cyber Workforce

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year … View Full Bio

Article source: https://www.darkreading.com/attacks-breaches/nasa-investigating-breach-that-exposed-pii-on-employees-ex-workers/d/d-id/1333529?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Nine Russian GRU officers were sanctioned today by the US Department of Treasury for their alleged hacking and document theft of US election systems during the 2016 presidential race, as well as for hacking the World Anti-Doping Agency database. The officers also were indicted on July 13 by the US. They are:

• Aleksey Aleksandrovich Potemkin (Potemkin), who ran the computer infrastructure used by the hackers for releasing stolen documents online.
• Anatoliy Sergeyevich Kovalev (Kovalev), who in July 2016 hacked a state board of elections website and pilfered voter information, as well as hacked a US firm that provided voter registration verification software for the 2016 election. 
• Viktor Borisovich Netyksho (Netyksho), a GRU unit commander.
• Boris Alekseyevich Antonov (Antonov), who managed the actors targeting the US election.
• Ivan Sergeyevich Yermakov (Yermakov), who hacked email accounts and servers related to the US election, as well as the World Anti-Doping Database in 2016.
• Aleksey Viktorovich Lukashev (Lukashev), who sent spear-phishing emails to US election campaign officials.
• Nikolay Yuryevich Kozachek (Kozachek), who wrote the malware used by the GRU used to hack into networks during the election.
• Artem Andreyevich Malyshev (Malyshev), who monitored the GRU malware and helped hack WADA’s database.
• Aleksandr Vladimirovich Osadchuk (Osadchuk), a GRU commanding officer. 

Read the full sanctions report here, which includes other Russian officials sanctioned for the WADA hack, the online election-influence campaign, and the March 2018 nerve agent attack on Sergei Skripal and his daughter.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/perimeter/us-names-sanctions-russian-gru-officials-for-2016-election-hacks-/d/d-id/1333530?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Attackers with access to your server holds your company in their hands – and it’s not hard for them to abuse their power and brick the server from anywhere, researchers report.

Most people view firmware attacks, and other attacks that cause permanent damage, as physical in nature. Analysts at Eclypsium sought to demonstrate how it’s possible to remotely brick a server and disrupt infrastructure by exploiting vulnerabilities in the baseboard management controller (BMC) and system firmware. The result would spell enterprise disaster.

The idea of bricking systems is not new, says John Loucaides, vice president of engineering at Eclypsium. While the concept has been around for a while, and security experts have discovered the vulnerabilities that could lead to this level of compromise, few have shown it. Eclypsium’s goal in documentation published today is to help improve understanding of the remote attack vector, which can be performed at scale with enormous potential damage.

“It’s a fairly significant impact,” Loucaides points out. Recovery for most malware involves wiping affected systems and restoring good data. Recovery for this type of attack would require opening each affected server and physically connecting to deliver new firmware. It’s a slow, technical process that’s beyond the abilities of most IT staff and current enterprise systems, Loucaides explains. “This is an area that normal security technologies are missing,” he says.

It doesn’t take a sophisticated actor to pull this off, he notes. Many people will think of this as a nation state-level attack, he continues, but open source toolkits exist on the Internet that can give attackers the access they need to render a target system inoperable. Eclypsium’s demonstration marks the first time it’s using this specific method and technique, and it emphasizes the low barrier to entry for launching a successful attack of this nature.

Similar threats have been seen in the wild, Loucaides explains. Attackers have replaced server components with corrupted firmware, for example, or firmware that doesn’t work. Eclypsium’s method, which leverages past BMC research, bricks a server by remotely exploiting a BMC. If you’re not familiar, the BMC is an independent computer within the server. It’s used to remotely configure the system without relying on the host operating system or applications.

How It Plays Out
Step one is getting a foot in the door. “The first thing we’re doing is assuming you have some sort of compromise,” Loucaides explains. Perhaps the system got infected with malware; perhaps credentials were lost and picked up by the wrong person.

In Eclypsium’s demonstration, researchers then used normal update tools to pass a malicious firmware image to the BMC. No special authentication or credentials are required to do this, and the firmware update contains additional code which, once triggered, erases the UEFI system firmware and essential components of the BMC firmware itself, analysts say in a blog.

Why target the BMC? You could target any part of the server and get a similar result, says Loucaides, but the BMC “is the most understandable and the most obvious.” In a ransomware attack or other major-impact scenario, the BMC is used to recover the system.

Step three is when the BMC boots to the attacker supplied image. Because the BMC handles system management and recovery, it can install components into any part of the system. Researchers could use the malicious capability they installed in the BMC to corrupt system firmware; by corrupting the BMC, they leave no path for a system operator to recover it.

There is an arbitrary amount of time between stages three and four, in which the code executes, Loucaides explains. Attackers could launch malicious code as soon as they gain access via credential compromise, or they could install a component in the BMC and leave it there for as long as they like. “It doesn’t all have to happen at the same time,” he adds. The final payload could be triggered by a timer or external command and control.

The window between stages three and four depends on the attacker’s goals. If they’re going for maximum damage and disruption, Loucaides says, he would likely want to take his time and infect as many components as possible before bringing it all down at once. In step five, the BMC reboots the server, which is now unusable.

What You Can Do
Existing security defenses don’t focus on firmware or hardware, says Loucaides, but there are ways to stop this type of attack. It starts with preventing initial compromise, which goes back to basic cyber hygiene: protecting credentials, for example, and using multifactor authentication.

“You can’t do everything perfectly,” he admits. “Something is going to go wrong. The trick is to be assessing the integrity of different components in your system.”

Updates get plenty of attention at the application and operating system level, he continues, but not many people pay attention to firmware updates. Security teams should be running scans and monitoring infrastructure for anomalies, and interrupting the process before it’s complete.

Related Content:

• 6 CISO Resolutions for 2019
• Attack Campaign Targets Financial Firms Via Old But Reliable Tricks
• When Cryptocurrency Falls, What Happens to Cryptominers?
• Cryptographic Erasure: Moving Beyond Hard Drive Destruction

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial … View Full Bio

Article source: https://www.darkreading.com/application-security/how-to-remotely-brick-a-server/d/d-id/1333531?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple