
‘CARTA’: A New Tool in the Breach Prevention Toolbox

Gartner’s continuous adaptive risk and trust assessment for averting a data breach addresses the shortcomings of static security programs.

A hacker who recently stole U.S. military secrets about combat drones and tried to sell them on the black market apparently obtained the data by searching the Internet for misconfigured Netgear routers and exploiting a known, 2-year-old vulnerability: routers still running with their default login credentials. Clearly, even the military struggles to protect itself from threats and attacks.

The root of this data breach is an old way of thinking about security, one that relies on static risk and vulnerability management. These principles and practices, locked into a binary view of the world, are losing effectiveness against a dynamically changing threat landscape. Unlike the old world of black and white, good and bad, grayness is the new reality in security.

To deal with this gray zone, organizations need a new approach, one that continuously monitors, assesses, adapts, and responds to risk as needed in real time.

Research firm Gartner has defined this new approach as Continuous Adaptive Risk and Trust Assessment (CARTA). The firm predicts that by 2020, 25% of new digital business initiatives will adopt a strategic CARTA approach, up from fewer than 5% in 2017.

In a nutshell, Gartner sees CARTA as a way for organizations to manage the risks that come with the digital world by deploying security that moves at the speed of digital business.

How to Implement CARTA
Under CARTA, all systems and devices are considered potentially compromised and their behaviors are continuously assessed for risk and trust. Here are the five key components for deploying a CARTA-inspired security model:

Asset Discovery
The first step in implementing a CARTA-based security program involves gathering and maintaining a comprehensive and up-to-date asset inventory. Without this data, it is virtually impossible to assess risks and apply appropriate defenses. Asset management should be automated so an organization can efficiently keep track of devices — their type, model, location, functions, and configurations — and of software, notably versions, patches, problems, and a history of vulnerabilities.

Without such information, an organization cannot perform basic proactive security measures such as monitoring network activity, taking snapshots of current configurations, and preventing attacks. Asset information can also be used to restore devices and software if an attack occurs.

Trust Relationships
Strong asset management is only as strong as the process for managing trust relationships between devices, software, and the people who use them. Accordingly, organizations need to understand, monitor, and manage how devices, software, and people interact, hour by hour, every day.

As trust and risk increase and decrease dynamically based on context and behavior, models of trust and risk should be built that observe patterns over time. If the risk score of a specific device or user climbs high enough to outweigh its trust score (for example, a user who tries to download a massive amount of sensitive data to an unmanaged device), an organization has two choices: reduce the risk (restrict or block the activity) or increase the trust (for instance, require stronger authentication before allowing it).
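The decision loop described above, as an added illustration (not code from Gartner or from the article's author): each request gets a risk score and a trust score, the two are compared, and the size of the gap decides whether to allow, demand more trust (step-up authentication) or reduce risk (block). The signal names, weights, thresholds and the per-user download baseline are assumptions chosen to show the mechanics, not a published model.

```python
"""Adaptive access decision for a CARTA-style policy point.

Added illustration, not code from Gartner or the article's author. The signals,
weights, thresholds and the 'step_up' action are assumptions chosen to show the
mechanics: risk and trust are both scored per request, compared, and the gap
decides whether to allow, demand more trust (step-up authentication) or reduce
risk (block). A per-user baseline is updated over time so 'massive' is judged
against that user's own history rather than a fixed limit."""
from dataclasses import dataclass


@dataclass
class UserBaseline:
    """Exponentially weighted average of data downloaded per session (MB)."""
    avg_download_mb: float = 50.0
    alpha: float = 0.2  # weight given to the newest observation

    def update(self, download_mb: float) -> None:
        self.avg_download_mb = (1 - self.alpha) * self.avg_download_mb + self.alpha * download_mb


def risk_score(ctx: dict, baseline: UserBaseline) -> int:
    """0..100: how far this request deviates from safe, expected behaviour."""
    score = 0
    if not ctx.get("managed_device", False):
        score += 30
    if ctx.get("data_classification") == "sensitive":
        score += 25
    ratio = ctx.get("download_mb", 0.0) / max(baseline.avg_download_mb, 1.0)
    if ratio > 10:
        score += 40          # an order of magnitude above this user's own norm
    elif ratio > 3:
        score += 20
    if ctx.get("new_geo", False):
        score += 15
    return min(score, 100)


def trust_score(ctx: dict) -> int:
    """0..100: how strongly the session has proven who and what it is."""
    score = 0
    mfa = ctx.get("mfa")
    if mfa == "phishing_resistant":
        score += 50
    elif mfa == "otp":
        score += 30
    else:
        score += 10          # password only
    if ctx.get("managed_device", False):
        score += 30
    return min(score, 100)


def decide(ctx: dict, baseline: UserBaseline, step_up_margin: int = 30) -> dict:
    """Compare risk with trust and pick the cheapest action that closes the gap."""
    risk, trust = risk_score(ctx, baseline), trust_score(ctx)
    if risk <= trust:
        action = "allow"
    elif risk - trust <= step_up_margin:
        action = "step_up"   # raise trust: re-authenticate with a stronger factor
    else:
        action = "block"     # reduce risk: refuse the transfer outright
    if action == "allow":
        baseline.update(ctx.get("download_mb", 0.0))  # learn only from allowed activity
    return {"risk": risk, "trust": trust, "action": action}


if __name__ == "__main__":
    alice = UserBaseline()   # constructed user with a 50 MB/session history
    # The article's scenario: bulk download of sensitive data to an unmanaged device.
    print(decide({"managed_device": False, "data_classification": "sensitive",
                  "download_mb": 900, "mfa": "otp"}, alice))
    # Same user, same data, but a managed laptop and a hardware key: allowed.
    print(decide({"managed_device": True, "data_classification": "sensitive",
                  "download_mb": 120, "mfa": "phishing_resistant"}, alice))
```

The baseline is only updated from activity that was allowed, so a blocked bulk transfer cannot teach the model that bulk transfers are normal for that user.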

Vulnerability Assessment
This consists of continuous assessment and prioritization of vulnerabilities for remediation. Because thousands of vulnerabilities are disclosed each year, addressing all of them is not achievable. A more effective approach is to focus on the most serious, imminent, and executable threats. For example, remote code execution (RCE) vulnerabilities are among the most toxic to an organization and should receive high priority, especially when evidence from threat intelligence feeds indicates that a particular RCE vulnerability has been weaponized and is being actively exploited in the wild.
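The Asset Discovery and Vulnerability Assessment components above fit together as inventory data feeding a prioritization rule. The following is an added example, not the article's or RiskSense's code: the hosts, software names, vulnerability identifiers (`EX-…`) and the "exploited in the wild" set are all constructed, and the weights are assumptions. What it shows is that the same vulnerability ranks differently on different assets, and that a weaponized RCE on an internet-facing host outranks a non-exploitable bug on a more critical but internal one.

```python
"""Asset inventory feeding continuous vulnerability prioritisation.

Added example; not the article's or RiskSense's code. The inventory records,
software names, vulnerability identifiers ('EX-…') and the 'exploited in the
wild' intel set are constructed for illustration, and the weights are
assumptions. The same vulnerability gets a different priority on different
assets; a weaponised RCE on an internet-facing system outranks a higher-
criticality asset's non-exploitable bug."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    software: str
    version: str
    internet_facing: bool
    criticality: int            # 1 (disposable) .. 5 (crown jewel)


@dataclass(frozen=True)
class Vuln:
    vid: str
    software: str
    fixed_in: str               # first version that is NOT affected
    cvss: float
    rce: bool


def version_tuple(v: str) -> tuple:
    """'2.3.10' -> (2, 3, 10): compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def affected(asset: Asset, vuln: Vuln) -> bool:
    return (asset.software == vuln.software
            and version_tuple(asset.version) < version_tuple(vuln.fixed_in))


def priority(asset: Asset, vuln: Vuln, exploited_in_wild: set) -> float:
    """Base severity, then boosts for what makes it imminent and executable here."""
    score = vuln.cvss
    if vuln.rce:
        score += 3.0
    if vuln.vid in exploited_in_wild:
        score += 4.0            # weaponised and seen in attacks: jump the queue
    if asset.internet_facing:
        score += 2.0
    score += asset.criticality
    return round(score, 1)


def prioritise(inventory, vulns, exploited_in_wild):
    """Return (priority, host, vuln id) triples, highest first."""
    findings = [(priority(a, v, exploited_in_wild), a.host, v.vid)
                for a in inventory for v in vulns if affected(a, v)]
    return sorted(findings, reverse=True)


# Constructed inventory, findings and intel feed.
INVENTORY = [
    Asset("web1", "appserver", "2.3.1", internet_facing=True, criticality=4),
    Asset("hr-db", "dbengine", "9.1", internet_facing=False, criticality=5),
    Asset("kiosk", "appserver", "2.4.0", internet_facing=False, criticality=1),
]
VULNS = [
    Vuln("EX-1", "appserver", fixed_in="2.3.6", cvss=9.8, rce=True),
    Vuln("EX-2", "dbengine", fixed_in="9.3", cvss=7.5, rce=False),
    Vuln("EX-3", "appserver", fixed_in="2.4.3", cvss=5.3, rce=False),
]
EXPLOITED = {"EX-1"}            # constructed stand-in for a threat-intel feed

if __name__ == "__main__":
    for row in prioritise(INVENTORY, VULNS, EXPLOITED):
        print(row)
```

Without the version field in the inventory, `affected()` cannot be answered at all, which is the practical reason the article insists on automated asset management before anything else.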

Metrics
As always, the devil is in the details. This has become increasingly important because cybersecurity is now also a concern of the C-suite and boards of directors. Being able to report security metrics in business terms is now a requirement in larger organizations. These metrics are also critical to senior management when they make the case for additional investment in security resources; shoring up cyber defenses requires fact-based evidence of threats, gaps, and risks that a nontechnical audience can understand.

Adaptability
This is the core component of any CARTA-based security program. In response to changing security conditions, organizations need to reassess their risk levels at least monthly, and certainly no less often than quarterly. A best practice is to be proactive and adaptive, applying a risk-based security strategy that adapts to the changing population of devices and applications. In addition, because the network changes far more rapidly than the policies and procedures of standard compliance frameworks, a risk-based approach should be layered on top of frameworks that may change only once a year.

Digital transformation, which is being driven by cloud, mobile, and Internet of Things technologies, is making static approaches to enterprise security irrelevant. Defending a constantly expanding attack surface, which often lacks a perimeter, requires a dynamic and continuous approach to vulnerability and risk assessment, prioritization, and remediation.

CARTA provides a useful road map for implementing a security program that is capable of responding to the volume and velocity of threats and their polymorphic nature.


Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Christopher Acton is vice president of security services and customer success for RiskSense, a provider of vulnerability prioritization and management software. He is a security researcher and expert in web application, infrastructure and system security.

Article source: https://www.darkreading.com/risk/carta-a-new-tool-in-the-breach-prevention-toolbox/a/d-id/1333244?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Irony meters explode as WordPress GDPR tool hacked, cell network hack shenanigans, crypto-backdoors, etc…

Roundup This week we had broken promises in China, broken keys in Steam, and broken... er, everything in Apache Struts.

Here’s some other stuff kicking off in infosec beside everything else we’ve reported since this time last Saturday.

FaceTime looks ugly after bug reports

A Google researcher punched a trio of holes in Apple’s FaceTime, and apparently broke a few Cupertino pocketslabs in the process.

Natalie Silvanovich took time out from pwning Tamagotchis to uncover three different bugs in Apple’s video chat platform that would allow an attacker to do things like decrypt traffic, cause an application to crash, or even send the device into a kernel panic.

Fortunately, any well-maintained iPhone will be protected. The flaws have all been addressed in the latest iOS update from Apple, but not before Silvanovich was able to have some fun with the Cupertino code monkeys. This from fellow Google bug hunter Tavis Ormandy:

Iranian users menaced by government malware

The Iranian government may be using shady mobile apps to spy on users within the country who plan to organize protests.

Researchers with Cisco Talos report that a number of knock-off apps claiming to be Telegram or Instagram clients are circulating within the country. Classified as “greyware”, the apps aren’t outright malicious, just extremely stalkery, collecting device and user information then sending that data to servers within Iran.

“Talos hasn’t found a solid connection between the several attacks we’ve observed, but all of them target Iran and their nationals and the Telegram app. Although this post focuses on Iran, mobile users across the globe still need to be aware that these techniques could be used by any threat actor in any country, state-sponsored or not,” the researchers note.

“This is especially prevalent in countries like Iran and Russia, where apps like Telegram are banned, and developers create clones that appear on official and unofficial app stores to replicate Telegram’s services.”

Spain and Russia agree to hacking ceasefire

It’s not exactly the Camp David Accords, but earlier this week Russia and Spain struck a deal under which the two countries agree to stop spreading damaging disinformation campaigns against one another.

The deal was negotiated by foreign ministers Josep Borrell and Sergei Lavrov, and will see the two nations take action to crack down on damaging misinformation attacks and work to address anything that could cause problems between their respective governments.

Amazing what happens when you actually address a problem instead of writing it off as a “witch hunt.”

Infosec brains claim Edge exploit

A duo of researchers say they have uncovered a flaw in Edge that can be exploited to break out of the browser’s sandbox. A report describes the eggheads’ claims and includes a video demonstrating exploitation of the flaw, although no details or working proof-of-concept code have been released yet. It’s maybe something to keep an eye on next Patch Tuesday.

NYC DA has some dumb thoughts on encryption

Just when we thought America was past the whole “encryption backdoors for police” thing, the Manhattan District Attorney had to go and sound off.

Cy Vance is apparently arguing, again, that in order to protect us all from terror, drugs, pedos, etc, etc, etc, phonemakers should build every handset with a workaround that completely negates its encryption, on demand for the Feds. As before, the argument [PDF] is that police should have a quick and easy way to decrypt data on, and flowing in and out of, criminals’ phones in order to gather intel in a timely fashion. From the afore-linked report:

The companies that manufacture our cellphones and related devices control access to information that is vital to the lives of millions of Americans, and they do so without the regulation and oversight that is common across other industries where there is a need to protect public safety and guard against abuse.

Such oversight remains sorely needed, and our Office stands willing to assist Congress and all relevant stakeholders in the effort to find a more rational balance among the interests of device makers, consumers and law enforcement in the regulation of smartphone encryption.

Still not addressed: how to protect those encryption backdoors from falling into the wrong hands, when the cops can’t even keep track of their own firearms.

Bug-buster busted for offering ‘doxx as a service’

A security researcher could find himself in hot water after being outed as the alleged operator of a doxxing-for-hire operation.

Noted internet sleuth Brian Krebs claimed that a hacker calling himself “Phobia” was on a number of popular hacker forums offering to provide detailed personal information on US mobile phone customers in exchange for Bitcoins.

It is alleged Phobia found and reported vulnerabilities in carriers’ networks – flaws that could be exploited to look up subscribers’ personal information from their cell numbers – and yet also offered to exploit said flaws on the down-low for cash. If you gave him $25 in BTC and a number, he’d be able to get you someone’s info, it is claimed.

Fortunately, Krebs says Phobia told him he wasn’t getting much, if any, business from the posts, so hopefully little harm was actually done. Krebs also suggests Phobia is looking for a job, in case anyone out there is hiring.

Dumbass cuffed for making bomb threat while trying to recover Bitcoin

Sure, we all did some dumb things when we were teenagers, but at least we didn’t go as far as one young man from the Jalaun district in India.

The unnamed 18 year-old apparently had some Bitcoin swindled from him by a scammer and wanted to enlist the FBI’s help to get the pilfered cryptocoins back.

When the feds refused to help the young man out with his request, the kid made the perfectly rational decision to lash out by making 50 separate threats to blow up Miami International Airport. His plan sort of worked, in that it finally got the attention of the FBI, but rather than send a team of agents to track down the young man’s funbux, they instead arrested him.

No word on what, if any, charges will be filed against the brainless teen.

Uncle Sam begins dumping foreign malware on VirusTotal

The US Cyber Command has started uploading declassified malware samples to VirusTotal, the repository of digital nasties, and has set up a Twitter account to announce future uploads.

Based on the first uploads, the malware samples aren’t entirely new, although one or two files differ from previously seen versions. Various security software vendors say they already protect against these particular pieces of code. The uploads will still be of serious interest to virus researchers, who will want to see what’s catching the US government’s eye.

As you’d expect, the bulk of the new code appears to come from Russia. Given that groups associated with the Russian government are suspected of being behind the Shadow Brokers and Vault 7 releases of US hacking tools, you could say it’s payback time.

GDPR tool proves less than safe for WordPress fans

The European Union’s General Data Protection Regulation (GDPR) was supposed to make data more secure, but in the WordPress world the opposite has proven to be true.

For once, given WordPress’ reputation for lax security, it isn’t the content platform’s fault. Instead the problem comes from a third-party plugin called WP GDPR Compliance, which is supposed to indicate if a website is breaking the EU rules.

The plugin is used by around 100,000 WordPress installations, and has multiple critical vulnerabilities. Users of the plugin will need to update to version 1.4.3 as soon as possible. Hackers have, we’re told, exploited these holes to hijack sites.

And finally… a bootloader note

Memory-corruption vulnerabilities (CVE-2018-18440, CVE-2018-18439) were found in the U-Boot bootloader, used in embedded devices, that could be exploited to bypass verified boot. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/11/10/security_roundup_101118/

I found a security hole in Steam that gave me every game’s license keys and all I got was this… oh nice: $20,000

A bloke has told how he discovered a bug in Valve’s Steam marketplace that could have been exploited by thieves to steal game license keys and play pirated titles.

Researcher Artem Moskowsky told The Register earlier this week that he stumbled across the vulnerability – which earned him a $20,000 bug bounty for reporting it – by accident while looking over the Steam partner portal. That’s the site developers use to manage the games they make available for download from Steam.

A professional bug-hunter and pentester, Moskowsky said he has been doing security research since he was in school, and for the past several years, he has made a career out of finding and reporting flaws.

In this case, while looking through the Steam developer site, he noticed it was fairly easy to change parameters in an API request, and get activation keys for a selected game in return. Those keys, also known as CD keys, can be used to activate and play games downloaded from Steam. The API is provided so developers and their partners can obtain license keys for their titles to pass onto gamers.

“This bug was discovered randomly during the exploration of the functionality of a web application,” Moskowsky explained. “It could have been used by any attacker who had access to the portal.”

Essentially, anyone who had an account on the developer portal would be able to access the game activation keys for any other game Steam hosted, and sell or distribute them for pirates to use to play games from Steam. Fetching from the /partnercdkeys/assignkeys/ API with a zero key count returned a huge bunch of activation keys.

“To exploit the vulnerability, it was necessary to make only one request,” Moskowsky told El Reg. “I managed to bypass the verification of ownership of the game by changing only one parameter. After that, I could enter any ID into another parameter and get any set of keys.”
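The bug as Moskowsky describes it is a missing object-level authorization check plus a count parameter that is not validated. The following added example (not Valve's code; partner names, app ids, keys and parameter names are constructed) puts a handler with those two defects next to a hardened one, so the difference between trusting a request parameter and checking server-side ownership is concrete.

```python
"""Missing object-level authorisation in a key-issuing API.

Added example, modelled on the flaw described above; it is not Valve's code
and the partner names, app ids, keys and parameter names are constructed.
The vulnerable handler trusts the app identifier in the request and treats a
key count of 0 as 'no limit'; the hardened one binds the app to the caller's
account and bounds the count before touching the key pool."""


class Forbidden(Exception):
    pass


class BadRequest(Exception):
    pass


# Constructed portal state: which partner account owns which app, and the
# unassigned activation keys held for each app.
OWNERSHIP = {"partner-A": {"app-100"}, "partner-B": {"app-200"}}
KEY_POOL = {
    "app-100": ["A1-KEY", "A2-KEY", "A3-KEY"],
    "app-200": ["B1-KEY", "B2-KEY"],
}


def assign_keys_vulnerable(session_partner: str, app_id: str, key_count: int) -> list:
    # Bug 1: app_id comes straight from the request; nobody checks that
    #        session_partner owns it (an insecure direct object reference).
    # Bug 2: key_count == 0 falls through to 'return everything'.
    keys = KEY_POOL.get(app_id, [])
    return list(keys[:key_count]) if key_count > 0 else list(keys)


def assign_keys_hardened(session_partner: str, app_id: str, key_count: int,
                         max_batch: int = 1000) -> list:
    # Authorisation first, decided from server-side state, never request data.
    if app_id not in OWNERSHIP.get(session_partner, set()):
        raise Forbidden(f"{session_partner} is not an owner of {app_id}")
    # Then validate the quantity: a positive integer, capped per request.
    if not isinstance(key_count, int) or not 1 <= key_count <= max_batch:
        raise BadRequest(f"key_count must be an integer in 1..{max_batch}")
    keys = KEY_POOL.get(app_id, [])
    return list(keys[:key_count])


def rejects(fn, exc_type, *args) -> bool:
    """True if fn(*args) raises exc_type; used to show the hardened behaviour."""
    try:
        fn(*args)
    except exc_type:
        return True
    return False


if __name__ == "__main__":
    # partner-B pulls every key for partner-A's app with a single request
    print(assign_keys_vulnerable("partner-B", "app-100", 0))
    print("hardened refuses foreign app:", rejects(assign_keys_hardened, Forbidden, "partner-B", "app-100", 1))
    print("hardened refuses count 0:", rejects(assign_keys_hardened, BadRequest, "partner-A", "app-100", 0))
```

The ownership check has to come before any work on the key pool, and the cap on `key_count` limits what a single authorized but compromised partner account can drain per request.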


How severe was the flaw? Moskowsky says that, in one case, he entered a random string into the request, to pick a title at random, and in return got 36,000 activation keys for Portal 2, a game that still retails for $9.99 in the Steam store.

Fortunately for Valve, Moskowsky opted to privately come forward with the flaw via HackerOne. The programming blunder has since been fixed.

As the HackerOne entry for the vulnerability shows, Moskowsky first submitted the report on the flaw in early August. Three days later, Valve handed out the $15,000 bounty as well as a $5,000 bonus for the find, though Valve only allowed the report to go public on October 31.

The researcher told us this is a pretty good turnaround, and Valve in particular is very good with handling researcher requests and paying out bug bounties.

Impressively, this $20,000 bounty isn’t even the biggest payout Moskowsky has received from the games service. Back in July he was given a cool $25,000 for weeding out a SQL Injection bug in the same developer portal. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/11/09/valve_steam_key_vulnerability/

Tasty news bytes from networking land: Route security, Cisco cert death, ETSI and more

Roundup Cisco admins, you thought your week was over, right? Sorry: if you have kit that runs Adaptive Security Appliance software or the Firepower Extensible Operating System, there’s one more item on the task list: updating your certificate.

Switchzilla’s field notice explained that Cisco’s root CA for tools.cisco.com was rolled over to a QuoVadis Root CA 2 cert on October 5, and that could affect “Smart Licensing and Smart Call Home functionality for all versions” of ASA or FXOS.

That causes a “Communication message send response error”, and because the platforms can’t register with the Cisco servers, “smart licenses might fail entitlement and reflect an Out of Compliance status”.

You can either upgrade, or import the new cert from the CLI.

And there’s one more wrinkle to be aware of: the QuoVadis cert isn’t FIPS-compliant. If you need FIPS compliance, there’s a different certificate to import, the HydrantID SSL ICA G2 intermediate certificate, also available from the CLI.

Better route security comes to APNIC

The Asia-Pacific Network Information Centre, APNIC, this week announced extra routing security.

Its members can now run Resource Public Key Infrastructure (RPKI) operations in MyAPNIC, including generating an AS0 Route Origin Authorisation.

As we explained in September, RPKI means a network can positively identify its authority to make route announcements, and America’s National Institute of Standards and Technology recommended its adoption.
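What a Route Origin Authorisation actually buys you, and why an AS0 ROA is worth generating, is easiest to see in the validation step itself. The following is an added example, not APNIC's or MyAPNIC's code: it implements the RFC 6811 validity states (valid, invalid, not-found) over a constructed set of ROAs that use documentation prefixes and private ASNs. Because no real BGP speaker originates from AS 0, a prefix covered only by an AS0 ROA can never validate, so any announcement of it is invalid.

```python
"""Route Origin Validation against RPKI ROAs, including an AS0 ROA.

Added example; not APNIC's or MyAPNIC's code. Implements the RFC 6811
validity states (valid / invalid / not-found) over a constructed set of ROAs
using documentation prefixes (TEST-NET ranges) and private ASNs. The AS0 ROA
for 192.0.2.0/24 shows why the feature above matters: no real BGP speaker
originates from AS 0, so a prefix covered only by an AS0 ROA can never
validate, and every announcement of it is 'invalid'."""
import ipaddress

# Constructed ROAs: (prefix, maxLength, origin ASN)
ROAS = [
    {"prefix": "203.0.113.0/24", "max_length": 24, "asn": 64500},
    {"prefix": "198.51.100.0/22", "max_length": 24, "asn": 64501},
    {"prefix": "192.0.2.0/24", "max_length": 24, "asn": 0},   # AS0: nobody may originate this
]


def covers(roa: dict, route) -> bool:
    """A ROA covers a route when the route's prefix lies inside the ROA prefix."""
    roa_net = ipaddress.ip_network(roa["prefix"])
    return route.version == roa_net.version and route.subnet_of(roa_net)


def validate_route(prefix: str, origin_as: int, roas=ROAS) -> str:
    if origin_as == 0:
        return "invalid"              # RFC 7607: AS 0 must never appear as an origin
    route = ipaddress.ip_network(prefix)
    covering = [r for r in roas if covers(r, route)]
    if not covering:
        return "not-found"            # RPKI says nothing about this address space
    for roa in covering:
        # An AS0 ROA never equals a real origin, so an AS0-only prefix stays invalid.
        if roa["asn"] == origin_as and route.prefixlen <= roa["max_length"]:
            return "valid"
    return "invalid"                  # covered, but by a ROA that does not match


if __name__ == "__main__":
    for p, asn in [("203.0.113.0/24", 64500), ("203.0.113.0/25", 64500),
                   ("203.0.113.0/24", 64666), ("192.0.2.0/24", 64500),
                   ("10.0.0.0/8", 64500)]:
        print(f"{p} from AS{asn}: {validate_route(p, asn)}")
```

Note the maxLength rule: a ROA for 203.0.113.0/24 with maxLength 24 does not authorise a more specific /25 even from the right ASN, which is what stops a hijacker from winning on prefix length while spoofing the legitimate origin.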

ETSI publishes TLS 1.3 “middlebox” workaround

The European Telecommunications Standards Institute, ETSI, this week published what it called a “Middlebox Security Profile specification”, Enterprise TLS (eTLS).

Hang on, I hear you ask: isn’t the Internet Engineering Task Force responsible for TLS standards?

Yes, and that was part of the problem. Welcomed for improving user security, TLS 1.3 is unloved by attackers, spooks, and those who want to proxy the security protocol at the enterprise edge.

IETF standards bods have considered the matter of TLS 1.3 proxies, but so far nobody’s hummed up sufficient support to get an RFC published – and that’s where ETSI comes in. It pitches eTLS as an enabling technology that allows net admins to carry out operations like “compliance, troubleshooting, detection of attacks (such as malware activity, data exfiltration, DDoS incidents), and more, on encrypted networks”.

eTLS only allows decryption where “both parties in a connection … are under the control of the same entity”, in which case it implements its own key exchange mechanism so TLS 1.3 packets can be decrypted.

When that happens, users can see that their communications are being examined by checking the certificate (which everybody knows how to do, right?).
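The "own key exchange mechanism" is the whole trick: eTLS keeps the TLS 1.3 wire format but has the server reuse a static Diffie-Hellman key whose private half is shared with the middlebox, whereas TLS 1.3 proper uses a fresh key for every connection. The following added illustration (not ETSI's text or code) models only that key-agreement step with a toy finite-field group; no key derivation or record protection is included, and the group parameters are constructed, not a standard DH group.

```python
"""Why a static server DH key lets a middlebox read TLS traffic.

Added illustration, not ETSI's specification text or code. eTLS keeps the
TLS 1.3 wire format but has the server reuse a static Diffie-Hellman key whose
private half is shared with the enterprise middlebox; TLS 1.3 proper uses a
fresh key per connection. The group below (p = 2**255 - 19, g = 2) is a
constructed toy, not a vetted DH group, and no KDF or record protection is
modelled: only the key-agreement step that decides who can derive the secret."""
import secrets

P = 2**255 - 19   # prime, but NOT a standard DH group; illustration only
G = 2


def keypair(priv: int = None):
    priv = priv if priv is not None else secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def shared_secret(priv: int, peer_pub: int) -> int:
    return pow(peer_pub, priv, P)


def ephemeral_handshake() -> dict:
    """TLS 1.3 style: both sides use fresh keys, so the secret depends on nothing
    that outlives the connection. Returns what the wire shows plus the secret."""
    c_priv, c_pub = keypair()
    s_priv, s_pub = keypair()
    return {"client_pub": c_pub, "server_pub": s_pub,
            "secret": shared_secret(c_priv, s_pub)}


def static_server_handshake(server_static_priv: int) -> dict:
    """eTLS style: the server's share is its long-lived static key; only the
    client side is ephemeral."""
    c_priv, c_pub = keypair()
    _, s_pub = keypair(server_static_priv)
    return {"client_pub": c_pub, "server_pub": s_pub,
            "secret": shared_secret(c_priv, s_pub)}


def middlebox_recover(server_static_priv: int, wire: dict) -> int:
    """A passive middlebox holding the static private key needs only the client's
    public share, which is visible on the wire, to rebuild the session secret."""
    return pow(wire["client_pub"], server_static_priv, P)


if __name__ == "__main__":
    static_priv, _ = keypair()
    w = static_server_handshake(static_priv)
    print("eTLS: middlebox derives secret:", middlebox_recover(static_priv, w) == w["secret"])
    w = ephemeral_handshake()
    print("TLS 1.3: middlebox derives secret:", middlebox_recover(static_priv, w) == w["secret"])
```

The same property that gives the enterprise visibility gives it to anyone else who obtains the static key, and it holds retroactively for every recorded session, which is the forward-secrecy loss that made TLS 1.3 drop static key exchange in the first place.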

As we’ve reported more than once, middleboxes aren’t just invasive, they’re frequently insecure.

But at least there’s a standard for them now …

Packetpushers has reported that startup MPLS private network Mode has cut a deal with SD-WAN vendor Versa, allowing customers to set up connections to Mode services from within Versa’s portal.

BIND, OpenSSH replace WordPress and Drupal in ZDI bounty-list

The Zero Day Initiative has tweaked its Targeted Incentive Program, replacing Drupal and WordPress with OpenSSH and BIND as “high value” targets.

A successful OpenSSH code execution chain will earn you a cool $200,000, which ZDI said reflects “how much we rely on OpenSSH”.

BIND, the world’s most common DNS server, is also down for $200k, as is Windows SMB, for versions newer than 1.0.

IETF docs get sloshed

A four-party collaboration has come up with an Internet-Draft answering a conundrum you might not know existed: what’s a good way to render long lines in Internet standards documents?

Recall that the Internet standards process is ancient, and as a result, it has inherited a 72-character line length from “green-screen” terminals.

A few years ago, the IETF adopted XML as the canonical standard for storing documents like drafts and RFCs, but humans still need to read plain text.

Code fragments pose a problem (as does the ubiquitous ASCII art of Internet documents), because they need to be stored and rendered as they are, if possible.

“Handling Long Lines in Artwork in Internet-Drafts and RFCs” suggests a simple approach: use a backslash (“\”, also referred to as a “slosh”) to indicate that a line has been folded.

As Kent Watsen (Juniper), Qin Wu (Huawei), Adrian Farrel (Old Dog Consulting) and Benoit Claise (Cisco) wrote: “The approach produces consistent results regardless of the content and uses a per-artwork header. The strategy is both self-documenting and enables automated reconstitution of the original artwork.” ®
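The fold-and-reconstitute cycle the authors describe, as an added example (not the draft authors' code): a header line marks the artwork as folded, any line longer than the limit is cut so that the first part ends in a backslash, and unfolding joins a backslash-terminated line with the next one after dropping that line's leading whitespace. The header string is taken from RFC 8792, which this draft later became; the strategy is the single-backslash one, implemented in simplified form, and the sample artwork is constructed.

```python
"""Folding and unfolding long artwork lines with a trailing backslash.

Added example, not the draft authors' code. It implements the single-backslash
strategy in simplified form: a header announces the folding, every line longer
than the limit is cut so that the first part ends in '\\', and unfolding joins a
'\\'-terminated line with the next line after stripping that line's leading
whitespace (so the folder must not leave a continuation starting with a
space). The header wording is that of RFC 8792, which this draft became; it is
used here only as a marker string."""

HEADER = "========== NOTE: '\\' line wrapping per RFC 8792 ==========="


def fold(text: str, width: int = 69) -> str:
    lines = text.split("\n")
    if any(line.endswith("\\") for line in lines):
        raise ValueError("a line already ends in '\\'; folding would be ambiguous")
    out = [HEADER, ""]
    for line in lines:
        while len(line) > width:
            cut = width - 1                    # leave room for the trailing '\'
            while cut > 1 and line[cut] == " ":
                cut -= 1                       # continuation must not start with a space
            out.append(line[:cut] + "\\")
            line = line[cut:]
        out.append(line)
    return "\n".join(out)


def unfold(text: str) -> str:
    lines = text.split("\n")
    if lines[:2] != [HEADER, ""]:
        return text                            # not folded; return unchanged
    out, acc, continuing = [], "", False
    for line in lines[2:]:
        if continuing:
            line = line.lstrip(" ")
        if line.endswith("\\"):
            acc += line[:-1]
            continuing = True
        else:
            out.append(acc + line)
            acc, continuing = "", False
    if continuing:
        raise ValueError("artwork ends with a dangling fold")
    return "\n".join(out)


# Constructed artwork: one 129-character line with a space just before the fold point.
ARTWORK = "short line\noption = " + "x" * 59 + " " + "y" * 60 + "\nlast line"

if __name__ == "__main__":
    folded = fold(ARTWORK)
    print(folded)
    print("round trip ok:", unfold(folded) == ARTWORK)
```

The refusal to fold input that already contains backslash-terminated lines is what makes the header "self-documenting": a reader (or a tool) can tell from the header alone that every trailing backslash in the block is a fold, never content.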

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/11/09/network_roundup_november_9/

Google’s secret to a healthy phone? Remote-controlling your apps

Google has claimed to have cut Android malware by half.

Figures out of Mountain View this week suggest that the prevalence of PHAs (potentially harmful applications) found on Android 9 Pie devices is half the rate seen in its predecessor. Overall, this has fallen from 0.66 per cent in Lollipop to 0.06 per cent in Pie.

The number is derived from malware detected by Google Play Protect scans, which cover applications distributed through its Play Store, through other app stores, and by sideloading. The figures appear in Google’s first Android Ecosystem Security Transparency Report.

On average, reckoned Google, only 0.09 per cent of devices that used Google’s own Play Store had a piece of malware on board in 2017. That translates to 1.8 million phones.


Google attributes the decline in malware to remote control. Since 2017, when the Play Protect scan finds a PHA, it disables it by default: shoot first, ask the user questions (“re-enable or delete?”) later.

Google made Play Protect scanning one of the selling points of its Android One programme, which brings order and uniformity to low-end and mid-range ‘Droids. Phone makers lose the ability to customise their phones, but buyers get two years of scanning.

(One is not to be confused with Go, which is the low-footprint “Poundland edition” of Android.)

Google said it published the report to increase transparency. But given the regulatory scrutiny of Android, the dominant mobile platform, it also needs to tell a happy story about its governance of the ecosystem – and more specifically, on why it takes a 30 per cent cut of revenues. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/11/09/google_play_protect_report/

Vulnerabilities in Our Infrastructure: 5 Ways to Mitigate the Risk

By teaming up to address key technical and organizational issues, information and operational security teams can improve the resiliency and safety of their infrastructure systems.

Excluding the financial services industry, there were 649 breaches reported on and analyzed for the 2018 Verizon Data Breach Investigations Report (DBIR) in industries that are considered part of infrastructure verticals. These include utilities, transportation, healthcare, and others that employ operational technology (OT) systems in addition to traditional IT for their main operations.

In total, that represents 29.2% of reported breaches (not incidents). So, what exactly does that mean?

It means that just because an incident hasn’t happened in your infrastructure environment, that doesn’t mean it won’t happen or that you can postpone or underfund your cybersecurity efforts. No, I don’t believe we are facing a “Cyber Pearl Harbor.” But I do believe organizations operating both IT and, particularly, OT systems need to put a more conscious effort into securing these systems not only from a security perspective but in terms of quality, safety, and reliability.

Although OT industries face a similar set of problems as traditional IT, the overall application of security programs and technologies is quite different in OT, and there is even more differentiation based on the characteristics of each vertical. That being said, there are best practices in key areas, both technical and organizational, that can help mitigate the risk to infrastructure environments, regardless of the vertical. Here are five.

Risk 1: Your Environment
An organization is at a serious disadvantage if it doesn’t take the time to inventory its systems and assess the security posture for a given environment. It is nearly impossible to secure an environment if you are unaware of what is in it, how everything is connected, what data it uses (or generates), and how it affects your bottom line.

Best Practice: One of the best pieces of advice for organizations with a large installed base or many infrastructure environments is to pick one important or representative environment, work through it thoroughly, and then cascade the lessons learned to the rest of your environments.

Risk 2: Patch Management
One of the prevailing issues in OT networks is the lack of technical solutions and organizational practices for patching. This is particularly relevant if the application sits on a commercial OS, as most do. In my experience, the average number of remote code execution vulnerabilities on the host operating system alone in OT environments is around 55! Consequently, developing and maintaining a strong patch management strategy is one of the most effective activities an organization can undertake. It’s also a daunting undertaking.

Best Practice: To get started, interact with your system vendors. If your representative isn’t familiar with the company’s patching solutions, press deeper into the organization. Most major automation manufacturers are working toward solution sets compliant with standards such as IEC 62443, and customer pressure can convince niche vendors to address this problem as well.

Risk 3: Network Segmentation
Many OT systems are deployed in a flat network topology, or without any segmentation between systems that should not be able to interact. There are two common reasons for this: a misunderstanding about which systems actually need to communicate with one another, and the accretion of systems from multiple vendors or integrators over time.

Best Practice: After assessing the network topology and data flows, develop network segmentation policies, which parallel the “zones and conduits” language that industry standards such as IEC 62443 use to describe access control. The goal of these policies is to limit the damage potential of breaches or issues related to anomalous network traffic. Bottom line: only required traffic should pass between systems, and restrictions on the communication paths between zones must be enforced.
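A zones-and-conduits policy is only as good as the check that observed traffic actually obeys it. The following added example (not the author's code and not IEC 62443 reference material) expresses zones as address ranges and conduits as the only permitted (source zone, destination zone, protocol, port) paths, then runs constructed flow-log lines through it; anything that crosses a zone boundary outside a conduit is reported as a violation, which is the input you need both to write the firewall rules and to find the flows the topology assessment missed.

```python
"""Checking observed flows against a zones-and-conduits policy.

Added example, not the author's or any IEC 62443 reference code. Zones are
address ranges, conduits are the only permitted (source zone, destination
zone, protocol, port) paths between them, and everything else crossing a zone
boundary is a violation worth a rule or an investigation. The zone ranges,
conduits, log format and flow-log lines are all constructed."""
import ipaddress

ZONES = {
    "enterprise": ["10.10.0.0/16"],
    "dmz": ["10.20.0.0/24"],
    "supervisory": ["192.168.10.0/24"],   # HMIs, engineering workstations, historian
    "control": ["192.168.20.0/24"],       # PLCs, RTUs
}

# Allowed conduits: (src_zone, dst_zone, proto, dst_port). Anything else that
# crosses a zone boundary is denied by policy.
CONDUITS = {
    ("supervisory", "control", "tcp", 502),    # Modbus/TCP from HMIs to PLCs
    ("enterprise", "dmz", "tcp", 443),         # users reach the DMZ web tier
    ("dmz", "supervisory", "tcp", 8443),       # historian replication via the DMZ
}


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for zone, nets in ZONES.items():
        if any(addr in ipaddress.ip_network(net) for net in nets):
            return zone
    return "unknown"


def parse_flow(line: str):
    """Constructed flow-log format: '<ts> <src>:<sport> -> <dst>:<dport> <proto>'."""
    ts, src, arrow, dst, proto = line.split()
    if arrow != "->":
        raise ValueError(f"unparseable flow line: {line!r}")
    sip, _ = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return ts, sip, dip, proto.lower(), int(dport)


def check(line: str) -> str:
    ts, sip, dip, proto, dport = parse_flow(line)
    src_zone, dst_zone = zone_of(sip), zone_of(dip)
    if src_zone == dst_zone:
        return "intra-zone"                    # the segmentation policy is silent here
    if (src_zone, dst_zone, proto, dport) in CONDUITS:
        return "allowed"
    return f"violation {src_zone}->{dst_zone} {proto}/{dport}"


def violations(lines) -> list:
    return [line for line in lines if check(line).startswith("violation")]


# Constructed flow records.
SAMPLE_FLOWS = [
    "2018-11-10T10:00:01 192.168.10.5:51000 -> 192.168.20.7:502 tcp",
    "2018-11-10T10:00:02 10.10.4.20:52000 -> 192.168.20.7:502 tcp",
    "2018-11-10T10:00:03 192.168.20.7:49000 -> 10.10.4.20:445 tcp",
    "2018-11-10T10:00:04 10.10.4.20:53000 -> 10.20.0.5:443 tcp",
    "2018-11-10T10:00:05 192.168.20.7:49001 -> 192.168.20.8:502 tcp",
]

if __name__ == "__main__":
    for line in SAMPLE_FLOWS:
        print(f"{check(line):40} | {line}")
```

Run against real flow records before enforcement, the violation list doubles as the evidence for the "which systems need to talk" conversation the section above says is usually missing; a PLC reaching into the enterprise LAN on 445, as in the third sample line, is exactly the path a flat network lets an attacker use in reverse.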

Risk 4: Your Supply Chain
In many OT environments, vendors maintain an aspect of control over the technical implementation of the solutions they provide through support contracts and changes that must be validated and certified to ensure the safe operation of a given system.

Best Practice: Your organization should include security requirements for the procurement of new systems, as well as for ongoing maintenance, within its vendor management program. Industry standards such as IEC 62443 can provide guidance in this effort.

Risk 5: IT vs. Process Control Teams
Over the past few years, at both the leadership and execution levels, IT security teams have become involved in OT network security efforts. In several cases, differences in priorities and in the understanding of the technology have led to organizational stalemates and differing opinions on how to address security in operational environments.

Best Practice: Organizations need to bring these groups together with a common goal in order to foster a culture of cooperation between the two groups to address cyber threats. Training for both OT and IT security personnel should be part of that effort, including the development of a common understanding of objectives and solutions that work for your organization.


Michael Fabian is a principal consultant within the Synopsys Software Integrity Group. His primary area of specialization involves adapting and bringing systems-level security objectives, processes, and technical solutions into a variety of non-traditional cyber systems in …

Article source: https://www.darkreading.com/vulnerabilities---threats/vulnerabilities-in-our-infrastructure-5-ways-to-mitigate-the-risk/a/d-id/1333211?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Guilty Plea Made in Massive International Cell Phone Fraud Case

A former West Palm Beach resident is the fifth defendant to plead guilty in a case involving thousands of victims.

Penalties in a global cell phone fraud scheme continue to mount as a fifth defendant has pleaded guilty in connection to the case. Braulio De la Cruz Vasquez, a 54-year-old former resident of West Palm Beach, Fla., entered pleas in the Southern District of Florida.

De la Cruz pleaded guilty to one count of wire fraud, one count of aggravated identity theft, and one count of conspiracy to commit wire fraud, access device fraud, the use, production or possession of modified telecommunications instruments and the use or possession of hardware or software configured to obtain telecommunications services.

According to the US Department of Justice, the scheme involved stealing access to existing cell phone accounts, then fraudulently opening new accounts based on the information. In his admission of guilt, De la Cruz said that thousands of international calls would be routed via the internet to his residence, where phones programmed with the fraudulent accounts would be used to place the calls to countries such as Cuba, Jamaica, and the Dominican Republic, while the charges were billed to the original customers’ accounts.

De la Cruz received amounts in the tens of thousands of dollars from VoIP companies for routing the calls. Sentencing is scheduled for Jan. 18, 2019; others in the case have already received sentences of 36 to 75 months for their roles in the scheme.

For more, read here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/mobile/guilty-plea-made-in-massive-international-cell-phone-fraud-case/d/d-id/1333237?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

What You Should Know About Grayware (and What to Do About It)

Grayware is a tricky security problem, but there are steps you can take to defend your organization when you recognize the risk.

Everyone has seen them: applications that come on many new systems offering services with unfamiliar names, or apps that have familiar names but are offered on sites that aren’t from their publishers. They’re grayware – or “potentially unwanted applications” – and they’re an ongoing issue for computer security.

Grayware’s nature makes it difficult for organizations to keep it away from their systems. “It’s not a technical problem, it’s a classification problem. There is a thin line between being malicious or not, and the operators play with the line, which limits what researchers and law enforcement can do,” said Vitor Ventura, senior security researcher at Cisco Talos, in an email interview.

Some IT professionals might be tempted to ignore grayware while they focus on more obvious malware and other threats. But there are legitimate reasons not to.

“Oh, it’s horrible,” says Chet Wisniewski, principal research scientist at Sophos. “Not only are you getting something that’s annoying to the user, it’s often more than doubling the attack surface of your computer because of the additional amount of Internet-facing code that’s often poor quality.” That’s in addition to the privacy and productivity implications of code that tracks activity and pops up unwanted ads, he says.

IT and security teams need to consider a number of factors about grayware, both in terms of what it is and how to deal with it. Without many automation options to help, response is up to a well-informed staff.


Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/vulnerabilities---threats/what-you-should-know-about-grayware-(and-what-to-do-about-it)/d/d-id/1333216?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Dropbox Teams with Israeli Security Firm Coronet

The partnership is expected to improve threat detection for Dropbox while growing Coronet’s user base.

Dropbox has partnered with Israeli security firm Coronet in an agreement expected to ramp up security for the file-sharing platform while increasing Coronet’s user base.

Coronet’s data breach protection platform will be incorporated into Dropbox as part of the collaboration. The cloud security integration will build on Dropbox’s security with data loss prevention, malware mitigation, suspicious behavior detection, and data breach protection.

Small to midsize businesses are Coronet’s target market, Reuters notes, because they struggle to afford and manage enterprise-level security resources.

Coronet expects the partnership will help add to the 1 million users, devices, and software-as-a-service applications using its platform. Dropbox Business is used among more than 300,000 teams. This integration will be available to Dropbox Business customers by the end of 2018, they report.

Read more details here.


Article source: https://www.darkreading.com/risk/dropbox-teams-with-israeli-security-firm-coronet/d/d-id/1333239?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Inside CSAW, a Massive Student-Led Cybersecurity Competition

Nearly 400 high school, undergraduate, and graduate students advance to the final round of New York University’s CSAW games.

CSAW – Brooklyn, New York – New York University’s CSAW, which calls itself the world’s largest student-run cybersecurity competition, this week announced the 397 high school, undergraduate, and graduate students from around the world who will enter its final round.

CSAW started in, and is organized by, NYU’s Tandon School of Engineering. This year, its 15th running, saw 3,500 teams from more than 100 countries enter the games. The remaining contenders will now travel to academic sites across four continents to compete in the finals.

The competition was founded in 2003 as a small local event by Nasir Memon, an NYU professor of computer science and engineering. It has since expanded to include eight global events, all of which evolve to host challenges and contests that align with the changing threat landscape.

“It started accidentally, like many things start,” said Memon in an interview with Dark Reading at the North American branch of the CSAW finals. The event is taking place this week on NYU Tandon’s campus in Brooklyn, New York.

CSAW’s first participants, all Tandon students, were challenged with cleaning up poorly configured laptops among other adversarial tasks designed to test their offensive and defensive security skills. The internal competition quickly expanded — first to local New York universities, then throughout the tri-state area, and now in Mexico, Israel, and around the world.

“What we really caught on to was, there’s a kind of talent that likes these adversarial challenges,” Memon explained. “You cannot really teach security by lecturing in a classroom. You have to understand how attackers work.”

The first stage of CSAW happens online. When competitors reach the finals, they’re brought together so they can get to know each other. “In order to protect … you need to be sharing information with each other,” he said. “Otherwise, the bad guys have an advantage.”

Challenges are designed with the help of New York City’s top white-hat hackers. Players of all ages and levels can join Capture the Flag, the flagship CSAW event that tests hacking and defensive skills. An embedded security challenge, which CSAW calls its most difficult event, pits red teams against blue teams in simulated cyberattacks. This year’s, created with the United States Office of Naval Research, requires participants to perform data exfiltration attacks against Internet of Things devices.

Different challenges attract students of different levels and expertise. A Policy Challenge attracts students in policy and law school who are interested in how security will play a role. Applied Research accepts peer-reviewed security papers that have been published in scholarly journals. A forensics analysis competition is restricted to high school students, he explained.

Memon said CSAW has proven an effective way to attract students to cybersecurity, a concept he said wasn’t yet in people’s minds when the competition started 15 years ago. Studies show after competing, students often decide to pursue cybersecurity careers, he pointed out. If they don’t, they have greater security awareness as software engineers or other non-infosec roles.

The event has become a hot spot for recruiters, whom CSAW initially brought in to help offset the cost of transportation and accommodations for students who fly in for the finals. “We’re not doing this to make money,” Memon said, noting all the workers are volunteers. But flights and hotels for a growing pool of student competitors can get expensive.

Companies “across the board” come to CSAW to recruit security employees, he said, with the majority representing the tech and financial sectors. A growing number of businesses are expressing interest in attending the event to seek out talent.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/risk/inside-csaw-a-massive-student-led-cybersecurity-competition/d/d-id/1333241?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple