STE WILLIAMS

Voting machine manual tells officials to reuse weak passwords

Sysadmins will tell you that pathetically weak passwords are, in the words of one Redditor, “crazy normal.”

You have no idea how many Excel sheets containing passwords have “Passw0rd1!” peppered in them.

Right. But in this case, we’re not talking about any old vanilla set of users who get it into their heads, in spite of what one presumes/hopes to be organizational policy to the contrary, to cook up weak and/or iterative passwords. Rather, we’re talking about a vendor manual for voting machines that instructs users – and in this case, that means election officials – to use weak, iterative passwords.

On Monday, Motherboard published a report by Kim Zetter about these manuals, which, Zetter says, are used in about 10 states.

The manuals tell customers to use easy-to-guess, easy-to-crack passwords… and, in spite of the legions of security experts who advise against the practice of password reuse, to go right ahead and reuse those passwords when changing login credentials per federally mandated password-change prompts.

Motherboard hasn’t been able to verify what vendor produced the manual, but given that it’s for a Unisyn optical vote-counting machine, and that “unisyn” is one of the passwords suggested in the manual, one imagines it might have some ideas on the matter. However, it hadn’t responded to Zetter’s requests for comment as of Tuesday evening.

Unisyn machines are used in 3,629 precincts in 12 states, plus Puerto Rico.

Simple, shared logins please

Motherboard reports that the manual for the Unisyn voting machine indicates that the login name for the election-management system is the ubiquitous default “administrator,” and the sysadmin password is a simple five-letter word with a number appended to it (admin1, admin2, admin3, and so on). The root password is the company’s name – unisyn – with the same number appended to it.

It continues on in that manner, Zetter writes:

Once logged into the system the credentials needed to access the tabulation monitor or the system for creating reports of ballots and vote tallies are different. The username is again a simple word to log in. The password is the same word with “1” appended to it. Users are told that to change the password when prompted, they should simply change the number sequentially to 2, 3, 4, etc.

The username for logging into the critical tabulator client where votes are tallied and stored is “supervisor.” According to the manual, the password is “election specific” – meaning officials create a different password for the tabulator client for each election. Given how simple other passwords for the system are, it’s not likely this election-specific password is more sophisticated, however.

This all came to light when Harri Hursti, founder of Nordic Innovation Labs and a longtime election security expert, found a binder containing loose leaf pages in an election office during a county risk assessment.

At first, Hursti figured the manual might have come from a third-party vendor. But then he came across yet another binder with the same guidelines being used by an election office in a different state – a state where that third-party vendor doesn’t help out with elections. So, Hursti surmised, those manuals must be coming from Unisyn itself.

An employee at the third-party vendor told Motherboard that yes, the passwords used are simple, and they get reused: that way, he and his colleagues don’t have to keep calling the elections office to get a password every time they need to get at the system.

Joseph Lorenzo Hall, chief technologist for the Center for Democracy and Technology, told Motherboard that the practice of password reuse across jurisdictions could lend itself to coordinated attacks, all carried out via physical access:

If those two passwords are commonly alternated in all of the Unisyn systems, that means anyone with this bit of knowledge of the Unisyn system will know how to direct an insider attack in another jurisdiction. We talk a lot about the diversity of our election systems being a strength, but things like this reduce that diversity so you just need a few facts about a system to have all you need to change a system in [multiple jurisdictions].

Motherboard notes that guidelines from the federal Elections Assistance Commission (EAC) encourage election officials to change passwords after each election, and to follow these guidelines:

  • Passwords should be at least six characters long, preferably eight.
  • At least one character should be an uppercase letter.
  • At least one character should be a lower case letter.
  • At least one character should be a numeral.
  • At least one character should be a special symbol.

Although this represents a vast improvement over the advice accompanying the Unisyn machine, formulas like this are also problematic. Composition rules shrink the space of compliant passwords and push people toward predictable shapes (a capital at the front, a digit and a symbol at the end), so a cracker who knows the rules has less guessing to do, and a password like “Passw0rd1!” satisfies every one of them.

The guidelines also suggest that passwords “should be easily remembered (so there will be no need to write them down)” while still “sufficiently vague that they cannot be easily guessed.”
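
The passwords described above, turned into numbers. This is an added example, not code from the Motherboard report or the EAC: it checks the five EAC composition rules, detects the “same word, next counter” rotation the manual prescribes, and counts how many attempts a guesser that knows the pattern needs. The word list, the counter range and the guess order are assumptions made for illustration.

```python
"""Added example, not from the Motherboard report or the EAC guidance. The word list,
the counter range and the guess order below are assumptions for illustration."""
import re
from typing import Iterable, List, Optional

# Constructed from the patterns the manual is reported to use: a fixed word plus a counter.
MANUAL_STYLE_WORDS = ["admin", "unisyn", "supervisor"]


def eac_compliant(password: str) -> bool:
    """The five EAC composition rules quoted above (six-character minimum)."""
    return (
        len(password) >= 6
        and re.search(r"[A-Z]", password) is not None
        and re.search(r"[a-z]", password) is not None
        and re.search(r"[0-9]", password) is not None
        and re.search(r"[^A-Za-z0-9]", password) is not None
    )


def _stem(password: str) -> str:
    """Strip a trailing run of digits: admin1 -> admin, admin12 -> admin."""
    return re.sub(r"\d+$", "", password)


def is_sequential_reuse(new_password: str, previous_passwords: Iterable[str]) -> bool:
    """True when the new password is an old one with only its trailing counter changed."""
    return any(_stem(old) == _stem(new_password) for old in previous_passwords)


def guesses_until(password: str, words: Iterable[str] = MANUAL_STYLE_WORDS,
                  max_counter: int = 9) -> Optional[int]:
    """Attempts a cracker needs when it tries word+counter in order (admin1, admin2, ...).
    None means the password lies outside that small pattern space."""
    attempt = 0
    for word in words:
        for n in range(1, max_counter + 1):
            attempt += 1
            if f"{word}{n}" == password:
                return attempt
    return None


def audit(new_password: str, previous_passwords: Iterable[str]) -> List[str]:
    """Findings for a proposed password change; an empty list means nothing was flagged."""
    previous = list(previous_passwords)
    findings = []
    if not eac_compliant(new_password):
        findings.append("fails the EAC composition rules")
    if is_sequential_reuse(new_password, previous):
        findings.append("same word as a previous password with only the counter changed")
    attempts = guesses_until(new_password)
    if attempts is not None:
        findings.append(f"recovered by a word+counter guesser in {attempts} attempts")
    return findings


if __name__ == "__main__":
    for candidate, history in [("admin2", ["admin1"]), ("Uc4nM^als2HYO", ["admin1"])]:
        print(candidate, audit(candidate, history) or ["ok"])
```

Note that “Passw0rd1!” passes `eac_compliant` but “admin2” after “admin1” is flagged twice: composition rules are a floor, not a test of strength, so a change-control check like `audit` needs the history and a pattern guesser as well as the rules.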

How to pick a proper password

Please do note that “easily remembered” should also be hard to guess: for example, as Paul Ducklin explains in the two-minute video below, you can make up a little saying to help you out that leet-speak-ishly translates into Uc4nM^als2HYO… or you can use a password manager.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/_alQzWLwOT4/

We don’ need no stinkin’ bounties: VirtualBox guest-to-host escape zero-day lands at GitHub

An infosec researcher has expressed his frustration with disclosure processes by going public with a zero-day in VirtualBox, Oracle’s open-source hypervisor.

The vulnerability was published at GitHub by “MorteNoir1” accompanied by a demonstration video on Vimeo posted by Sergey Zelenyuk.

In the GitHub post, MorteNoir1 expressed frustration with bug disclosure processes, which impose delays (“half a year is fine”), subject researchers to the indignities of bounty processes (which flip between interested and not interested), the “marketing bullshit” of “naming vulnerabilities and creating websites for them”, and researchers putting themselves in front of “a thousand conferences in a year”.

The flaw affects VirtualBox up to 5.2.20 on any guest or host operating system – the bug is “in a shared code base” – and “the only requirement is that a network card is Intel PRO/1000 MT Desktop (82540EM) and a mode is NAT”.

Until it is patched, he wrote, admins can switch the VM’s virtual network adapter from the Intel PRO/1000 to PCnet or to a paravirtualized network adapter, or move off NAT mode, although “the former way is more secure”.

If the attacker has root/admin in the guest, they can “escape to a host ring 3”, after which existing attack techniques let them “escalate privileges to ring 0 via /dev/vboxdrv”.

“We turned an integer underflow to a classical stack buffer overflow,” the post said. That occurs in the VirtualBox networking code and can be exploited either by reading data from the guest into a heap buffer, leading to a “function pointers overwrite”, or abusing a function that allocates an attacker-addressable buffer. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/11/07/virtualbox_0day_github/

20 Cybersecurity Firms to Watch

A look at some of the more interesting investments, acquisitions, and strategic moves in the security sector over the past year.

It’s been another busy year in the cybersecurity business.

During the course of 2018, many established and new players in the security industry made strategic moves that revealed as much about their plans as it did about where the industry is heading.

The following is a list of organizations, arranged in alphabetical order, that garnered attention in the industry due to investments they made, companies they acquired, funding they attracted, or strategic directions they took.

Their moves paint a picture of an industry in transition. Small pure-play security vendors are quickly growing up and spreading out from their traditional niches. Big technology vendors – particularly those selling cloud services – have increasingly begun acquiring capabilities for securing customer workloads and applications on their software-, infrastructure- and platform-as-a-service environments. And investors seeking a slice of the still-lucrative cybersecurity pie – global market revenues are expected to top $124 billion in 2019, according to Gartner – continued to pour money into the industry.

Many firms featured on this list are relatively young but are not officially startups anymore; others are established players in the security sector with thousands of customers, hundreds of millions in revenues, and market valuations in the billions. There’s also a handful of players that aren’t traditional security vendors but made the cut because of the impact they are having on the industry. 

Here is our list of 20 security vendors to watch.

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/analytics/20-cybersecurity-firms-to-watch/d/d-id/1333184?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

5 Reasons Why Threat Intelligence Doesn’t Work

Cybersecurity folks often struggle to get threat intelligence’s benefits. Fortunately, there are ways to overcome these problems.

Offense is the best defense. To defend well, we must take the initiative. When we are aware, we can prepare. Whatever the motto of your cybersecurity team, fighting cybercrime requires keeping an ear to the ground to anticipate threats.

That’s what threat intelligence is all about, isn’t it? Identifying and mending the weak spots of corporate IT infrastructure before someone exploits them maliciously. At least that’s what the theory says. And many organizations are buying into it: global spending on threat intelligence services will surpass $1.4 billion in 2018, up from $905.5 million in 2014.

The problem is, CSOs and cybersecurity folks often struggle to understand threat intelligence’s benefits. Let’s examine the reasons why and who’s to blame — and how to move beyond those problems.

1. Mismatch with Particular Cybersecurity Needs.
Cybersecurity teams sometimes see threat intelligence as the quick fix that will protect them from hackers and scammers. This expectation is largely overinflated. The fact is, there is no such thing as one-size-fits-all threat intelligence.

Instead, threat intelligence solutions must be implemented as per the particular security needs of each organization, suborganizations, or even department — or all that’s being achieved is accumulating irrelevant data that gives a false sense of security.

A financial services company, for example, probably wants to pay close attention to website forgery and malicious contact forms aimed at deceiving targets into revealing their credit card and bank account numbers.

A pressing concern for technology providers, in parallel, is making sure proprietary information (such as trade secrets and R&D advancements) does not fall into the wrong hands, be it due to email spoofing, poor encryption, or malware.

2. No Resources to Act Upon Threat Intelligence
Say that you have access to insights. How do you intend to use that information to respond to threats coming your way? The reality is that 44% of daily security alerts are never investigated, and threat intelligence data may end up unutilized, too, for a variety of reasons.

It could be that nobody in the organization knows how to interpret what they’re looking at, much less act on it. Or they may lack leadership’s commitment to the cause and the corresponding budget needed to lift up defenses.

Either way, knowing there is something wrong without understanding security flaws or having the means to resolve the situation does not reduce the prevalence or intensity of cyberattacks.

To overcome that gap, it’s advisable to get C-level sponsors who are ready to allocate resources to train relevant employees about threat intelligence’s working practices and the concrete steps for tackling flagged vulnerabilities.

3. Treating Threat Intelligence Like Any Other Cybersecurity Effort
There is an undeniable connection between threat intelligence and other cybersecurity initiatives. Threat intelligence is here to provide direction to security awareness undertakings, spot server misconfigurations, and stay on top of new forms of malware, among other things.

Following that train of thought, it is easy to assume that any security professional is ready to handle threat intelligence like a pro. However, there is a significant disparity in orientation and methodology.

More than anything else, threat intelligence is the job of an analyst whose expertise helps make sense of the big picture and establish a cybersecurity road map for proactive threat prevention and interception. That’s much unlike the role of an incident response specialist trained to be reactive and respond to individual threats as they occur.

Acknowledging the discrepancy is essential, and that means responsibilities may need to be redistributed within cybersecurity teams — potentially dedicating someone to monitoring threats as they emerge in light of existing and recently acquired online assets.

4. Failing to Integrate Threat Intelligence
How can you make sure that your cybersecurity staff uses threat intelligence insights? The quickest path to product adoption is often by linking innovations to what users already know, and threat intelligence is no exception.

In fact, it’s essential to connect threat intelligence and its data feeds to commonly deployed software such as, for example, security information and event management applications. Doing so will speed up implementation and make insights more accessible as part of a comprehensive cybersecurity program.

Lack of integration, on the other hand, not only makes threat intelligence less effective, it also adds to the workload of cybersecurity teams that need to manually assemble and compare data from yet another source to assess the infrastructure’s well-being.
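
What “connecting threat intelligence to the SIEM” amounts to in its smallest useful form. This is an added example, not from the article: it normalises a feed, drops expired and low-confidence indicators, and matches what is left against proxy log lines. The feed format, the log layout and every value in them are constructed; the 50-point confidence threshold and the expiry handling are the assumptions that keep the hit list short enough to be investigated.

```python
"""Added example, not from the article. Feed rows, log lines and thresholds are constructed."""
import ipaddress
from datetime import datetime, timezone
from typing import List, Tuple

# Constructed feed rows: (indicator type, value, confidence 0-100, expiry as ISO-8601)
FEED = [
    ("domain", "update-check.example.net", 80, "2019-01-01T00:00:00+00:00"),
    ("ipv4", "203.0.113.0/24", 60, "2019-01-01T00:00:00+00:00"),
    ("domain", "cdn.example.org", 40, "2018-01-01T00:00:00+00:00"),   # expired and low confidence
    ("sha256", "deadbeef" * 8, 90, "2019-01-01T00:00:00+00:00"),
]

# Constructed proxy log lines: timestamp, source IP, destination host, destination IP, file sha256 or "-"
LOGS = [
    "2018-11-07T10:00:00Z 10.0.0.5 update-check.example.net 203.0.113.7 -",
    "2018-11-07T10:01:00Z 10.0.0.9 www.example.com 198.51.100.2 -",
    "2018-11-07T10:02:00Z 10.0.0.5 cdn.example.org 198.51.100.9 -",
    "2018-11-07T10:03:00Z 10.0.0.7 files.example.com 198.51.100.3 " + "deadbeef" * 8,
]
NOW = datetime(2018, 11, 7, 12, 0, tzinfo=timezone.utc)


def load_feed(feed=FEED, now=NOW, min_confidence=50):
    """Normalise indicators and drop the expired and low-confidence ones before matching."""
    domains, networks, hashes = set(), [], set()
    for kind, value, confidence, expires in feed:
        if confidence < min_confidence or datetime.fromisoformat(expires) <= now:
            continue
        if kind == "domain":
            domains.add(value.lower().rstrip("."))
        elif kind == "ipv4":
            networks.append(ipaddress.ip_network(value))
        elif kind == "sha256":
            hashes.add(value.lower())
    return domains, networks, hashes


def match_logs(lines=LOGS, indicators=None) -> List[Tuple[str, str, List[str]]]:
    """Return (timestamp, source IP, reasons) for every line that touches a live indicator."""
    domains, networks, hashes = indicators if indicators is not None else load_feed()
    hits = []
    for line in lines:
        timestamp, src_ip, host, dst_ip, sha256 = line.split()
        reasons = []
        labels = host.lower().rstrip(".").split(".")
        # Check the host and each parent domain, so a.b.update-check.example.net also hits.
        for i in range(len(labels) - 1):
            candidate = ".".join(labels[i:])
            if candidate in domains:
                reasons.append(f"domain {candidate}")
                break
        address = ipaddress.ip_address(dst_ip)
        for network in networks:
            if address in network:
                reasons.append(f"ip {dst_ip} in {network}")
                break
        if sha256 != "-" and sha256.lower() in hashes:
            reasons.append("file hash on feed")
        if reasons:
            hits.append((timestamp, src_ip, reasons))
    return hits


if __name__ == "__main__":
    for hit in match_logs():
        print(*hit)
```

Two of the four lines hit; the expired `cdn.example.org` indicator produces nothing, which is the point: without expiry and confidence filtering, the feed adds to the pile of alerts nobody investigates rather than shrinking it.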

5. Disregarding the Lingo of Threat Intelligence
Depending on whom you ask, threat intelligence can mean different things, and its corresponding language can vary significantly. Fail to account for this and stakeholders at various levels of the organization may quickly get lost in translation.

When senior managers talk about threat intelligence, chances are that the focus will be on high-level decision-making. Where should this financial year’s security budget be spent? Which technology vendors should be kicked out for not being compliant with corporate security policies?

But sit with cybersecurity analysts and the conversation will quickly take a technical turn. Are our SSL certificates up to date? Shall we better connect to that malware database to stay on top of ransomware attacks? What are the top 100 websites employees interact with on a daily basis?

Through internal communications and awareness initiatives, it’s necessary to ensure interested parties become aware of the different perspectives threat intelligence can take. In general, these can be broken down into two levels, one concerned with strategic undertakings such as M&A and long-term partnerships, and the other with operational matters, such as the reinforcements, fixes, and configurations of websites, servers, and applications.

Threat intelligence, like any other new practice, comes with its load of promises and benefits — most of which have seduced CSOs and their security teams. Misconceptions and misunderstandings like the ones discussed in this post, however, will keep on delaying threat intelligence’s full-blown deployment and potential to tackle cybercrime.

Jonathan Zhang, CEO/Founder of WhoisXML API and TIP, is a serial entrepreneur in the infosec industry and the founder of whoisxmlapi.com and threatintelligenceplatform.com. He has vast experience in building tools, solutions, and systems for CSOs, security analysts, and …

Article source: https://www.darkreading.com/vulnerabilities---threats/5-reasons-why-threat-intelligence-doesnt-work/a/d-id/1333188?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Hackers seed StatCounter with nasty JavaScript in elaborate Bitcoin cyber-heist caper

One of the top traffic metrics websites on the internet is apparently being used by criminals to steal Bitcoins from a currency exchange.

Researchers at ESET have found that the JavaScript used by StatCounter’s analytics platform has been modified by miscreants so that, when embedded into the pages of Gate.io, a cryptocurrency exchange, it can siphon off Bitcoin.

The ESET team today said that the crooks injected malicious code within statcounter.com/counter/counter.js, a piece of JavaScript that StatCounter’s two million or so customers embed in their websites to measure their visitor traffic.

While millions of sites may have pulled in that modified code, however, it appears that just one site was the target. ESET’s eggheads say the malicious code within the StatCounter script performs a single check for a specific path: myaccount/withdraw/BTC.

“It turns out that among the different cryptocurrency exchanges live at time of writing, only gate.io has a valid page with this URI,” explained ESET malware researcher Matthieu Faou.

“Thus, this exchange seems to be the main target of this attack.”

Should that path be accessed by a visitor, a second script on a separate domain is fetched and executed. That script tries to redirect any Bitcoin transactions to one of several wallet addresses controlled by the masterminds of this attack.
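
The mechanism described above, reduced to two pure functions. This is an added example, not ESET’s analysis code and not StatCounter’s script: `second_stage_wanted` is the path gate that keeps the payload dormant on every page but one, and `sri_integrity`/`sri_verify` are the Subresource Integrity computation a browser performs before executing a pinned third-party script, which is what would have caught the modified `counter.js` on a site that pinned it. The two script bodies are constructed stand-ins, and the host in the demo URLs is made up.

```python
"""Added example, not ESET's or StatCounter's code. Script bodies and hostnames are constructed."""
import base64
import hashlib
import hmac

TARGET_PATH = "myaccount/withdraw/BTC"   # the path ESET says the injected code looks for


def second_stage_wanted(href: str) -> bool:
    """The gate described above: the payload stays dormant on every page except one."""
    return TARGET_PATH in href


def sri_integrity(script_bytes: bytes, alg: str = "sha384") -> str:
    """Value for <script integrity="...">: the algorithm name, then base64 of the hash."""
    digest = hashlib.new(alg, script_bytes).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"


def sri_verify(script_bytes: bytes, integrity: str) -> bool:
    """What the browser does before executing: recompute and compare in constant time."""
    alg, _, expected = integrity.partition("-")
    if alg not in ("sha256", "sha384", "sha512"):
        return False
    actual = base64.b64encode(hashlib.new(alg, script_bytes).digest()).decode("ascii")
    return hmac.compare_digest(actual, expected)


# Constructed stand-ins: the script a site pinned, and the same script with a path-gated loader appended.
ORIGINAL_COUNTER_JS = b"/* constructed stand-in for counter.js */ var sc_project = 12345;"
TAMPERED_COUNTER_JS = ORIGINAL_COUNTER_JS + (
    b"\nif (document.location.href.indexOf('myaccount/withdraw/BTC') > -1) {"
    b" /* fetch second stage from another domain */ }"
)


def demo():
    """Pin the original, then check both versions and both kinds of page against the gate."""
    pinned = sri_integrity(ORIGINAL_COUNTER_JS)
    return {
        "original_passes": sri_verify(ORIGINAL_COUNTER_JS, pinned),
        "tampered_passes": sri_verify(TAMPERED_COUNTER_JS, pinned),
        "gate_on_withdraw": second_stage_wanted("https://exchange.example/myaccount/withdraw/BTC"),
        "gate_on_home": second_stage_wanted("https://exchange.example/"),
    }


if __name__ == "__main__":
    print(demo())
```

The caveat a practitioner wants: SRI only works if the script is pinned, and a vendor that updates its analytics script silently will break every pinned embed. The practical alternatives are to self-host a reviewed copy, and to set a Content Security Policy whose `script-src` allowlist does not include the domain the second stage came from; the report says that stage was fetched from a separate domain, which is exactly the fetch such a policy refuses.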

Because the thieves used multiple wallets to receive the hijacked funds, the researchers do not know precisely how much was stolen. They believe, however, that the loss could be significant.

Gate.io did not respond to a request for comment, and StatCounter also could not be reached. ESET says it has notified both companies of the caper.

“Even if we do not know how many Bitcoins have been stolen during this attack, it shows how far attackers go to target one specific website, in particular a cryptocurrency exchange,” said Faou.

“To achieve this they compromised an analytics service’s website, used by more than two million other websites, including several government-related websites, to steal Bitcoin from customers of just one cryptocurrency exchange website.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/11/06/statcounter_javascript_theft_scheme/

Dutch cops hope to cuff ‘hundreds’ of suspects after snatching server, snooping on 250,000+ encrypted chat texts

Dutch police claim to have snooped on more than a quarter of a million encrypted messages sent between alleged miscreants using BlackBox IronPhones.

The extraordinary claim was made in a press conference on Tuesday, in which officers working on a money-laundering investigation reckoned they had been able to see crims chatting “live for some time.”

The suspects had been using the IronChat app on their IronPhones, which uses a custom implementation of the end-to-end off-the-record (OTR) encryption system to scramble messages.

Netherlands police said the BlackBox smartphones cost “thousands of Euros” – BlackBox charged a seriously premium subscription of around €1,500 for six months of use – and sport a panic button that’s supposed to delete all a user’s messages when pushed.

While the officers did not detail how they got hold of and cracked the encrypted IronChat messages, they had seized BlackBox Security’s server. It sounds as though the encrypted conversations were routed through that system. OTR keys each conversation with a Diffie-Hellman exchange between the two phones, so a relay cannot read the traffic on its own; but if the clients accept whatever key material the relay hands them, without the out-of-band fingerprint verification OTR provides for exactly this case, then once collared that box could have been set up to decrypt and re-encrypt messages on the fly, or otherwise intercept the connections, allowing the cops to spy on the chats.
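
Why a central relay “puts your fate in someone else’s hands” even when messages are end-to-end encrypted, as an added example that is neither the Dutch police’s method nor IronChat’s code. A relay that substitutes its own Diffie-Hellman values in both directions reads every message and re-encrypts it for the recipient, who notices nothing unless the two users compare key fingerprints over some other channel. The group parameters and the hash-counter keystream are toy choices for illustration, not OTR’s.

```python
"""Added example, not the Dutch police's method and not IronChat's code.
Group parameters and the keystream construction are toy choices, not OTR's."""
import hashlib
import secrets

P = 2**127 - 1   # toy prime; real protocols use standardised 2048-bit+ groups or elliptic curves
G = 5


def keypair():
    private = secrets.randbelow(P - 2) + 1
    return private, pow(G, private, P)


def shared_key(private: int, peer_public: int) -> bytes:
    """Hash the DH secret down to a 256-bit key (a stand-in for a real KDF)."""
    return hashlib.sha256(pow(peer_public, private, P).to_bytes(16, "big")).digest()


def fingerprint(public: int) -> str:
    """What two users would read out to each other over a different channel."""
    return hashlib.sha256(public.to_bytes(16, "big")).hexdigest()[:16]


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Hash-counter keystream; encryption and decryption are the same operation."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def exchange(relay_is_honest: bool, message: bytes = b"meet at the usual place"):
    """Alice sends one message to Bob through the relay. Returns what each party ends up with."""
    alice_priv, alice_pub = keypair()
    bob_priv, bob_pub = keypair()
    relay_read = None
    if relay_is_honest:
        alice_sees, bob_sees = bob_pub, alice_pub          # values pass through untouched
    else:
        # The relay runs two separate handshakes, one with each phone, using its own keys.
        relay_priv_a, relay_pub_a = keypair()
        relay_priv_b, relay_pub_b = keypair()
        alice_sees, bob_sees = relay_pub_a, relay_pub_b
    ciphertext = xor_stream(shared_key(alice_priv, alice_sees), message)
    if not relay_is_honest:
        relay_read = xor_stream(shared_key(relay_priv_a, alice_pub), ciphertext)   # decrypt
        ciphertext = xor_stream(shared_key(relay_priv_b, bob_pub), relay_read)     # re-encrypt
    bob_reads = xor_stream(shared_key(bob_priv, bob_sees), ciphertext)
    # Fingerprint check: does the public value Bob received belong to Alice's real key?
    return {
        "bob_reads": bob_reads,
        "relay_reads": relay_read,
        "fingerprints_match": fingerprint(bob_sees) == fingerprint(alice_pub),
    }


if __name__ == "__main__":
    for honest in (True, False):
        print("honest relay" if honest else "hostile relay", exchange(honest))
```

In both runs Bob reads the message correctly; only the fingerprint comparison distinguishes them. That is why OTR exposes fingerprints (and a socialist-millionaire check) to users: a “custom implementation” that skips or automates that step, or a client that trusts keys the server provides, hands the relay operator, or whoever seizes the relay, the whole conversation.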

Intelligence from these conversations was then used to snare folks suspected of laundering money and other crimes.

Specifically, the clog-plod seized the website and server of the Edward Snowden-endorsed company BlackBox Security after arresting two men apparently behind the business: a 46-year-old from Lingewaard, and a 52-year-old from Boxtel. Another three men were nabbed in Almelo and Enschede, and police expect to make “hundreds” more arrests in the course of their investigation.

Aart Garssen, Head of the Regional Investigation Service in the Eastern Netherlands, said there have been 14 arrests so far in total, including folks cuffed at a suspected drug lab in Enschede where officers seized €90,000 in cash, automatic weapons, and “large amounts” of drugs like ecstasy and cocaine.

He added that police moved on the criminal operation to forestall “retaliatory action” between members accusing each other of snitching to the cops.

Speaking to De Telegraaf, Fox-IT researcher Frank Groenewegen called the police probe a “nice piece of research work,” and noted that using encrypted chat apps that rely on central servers “puts your fate in someone else’s hands.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/11/07/dutch_police_black_box/

SMBs: We don’t want to spoil all of this article, but have you patched, taken away admin rights, made backups yet?

Backgrounder: Recent headlines have been full of IT security breaches at major corporations, such as the theft of customer data from British Airways in September 2018. Yet, smaller companies should not believe that they fly beneath the radar of attackers.

The Small Business Cyber Risk Report [PDF] from insurance firm Hiscox found that 47 per cent of small businesses surveyed in the US, UK, and Europe, had suffered at least one cyber attack during the past 12 months.

The most common type of attack was ransomware that can easily arrive via email, such as in a recent attack on the Arran brewery in Scotland. Other common attacks include hackers breaking into systems, or loss or disclosure of sensitive information.

And while hackers may be responsible for some network breaches, 54 per cent of respondents to a 2017 Ponemon Institute survey indicated that employee negligence was the root cause.

Staff at small and medium businesses (SMBs) are falling victim to phishing, social engineering scams, and cross-site scripting attacks, while the servers supposedly policed by the IT department are succumbing to SQL injection.

And yet, the conventional wisdom among those running SMBs is they are safe. Fifty-one per cent don’t see themselves as targets, according to a Switchfast survey. Hiscox, meanwhile, reckons just 52 per cent have a clearly defined strategy around cyber security.

“The actions of small business employees and leaders reveal little is actually being done to address the lax attitude toward security. Negligent employees are the number one cause of data breaches at small businesses,” Switchfast wrote of those in the US.

So: a growing number of attacks compounded by complacency and common workplace practices. How do SMBs get beyond this?

Overcoming the obvious

Reading the headlines it would be simple to conclude business software is as leaky as a sieve, but hackers are exploiting a relatively small number of vulnerabilities. Fortinet earlier this year found malware writers targeting just 5.7 per cent of known vulnerabilities in software. Translated: it’s within the means of IT teams to apply published fixes to vulnerabilities.

The fact that SMBs are coming under attack, however, suggests their sysadmins are making the basic mistake of not applying available fixes.

Overcoming this problem should be a relatively easy task of remediation that simply means making sure systems are up to date with patches and protected by anti-malware tools. This can be an onerous task for a small business that may have few IT staff, but is an integral part of “good IT hygiene,” Trend Micro principal security strategist Bharat Mistry told The Reg.

“SMBs tend to forget about [patching] it, or they do it on a six-monthly or yearly basis. We’re seeing new security updates and security notices: look at the impact of them and start thinking about putting a regime in place whereby you are reducing the risk and patching the systems,” Mistry said.

Access control is another problem – granting carte-blanche access to all.

“We often see things like everyone in the company being given full admin privileges on their machines, or giving everyone access to all the data in the organisation,” Mistry tells us.

“SMBs may not have that kind of segregated control on a need-to-know basis. On things like the payroll system, you wouldn’t want every Tom, Dick and Harry to have access.”

Limiting user privileges can deny malware the foothold it needs to run in the first place, while access controls can stop malware that does make it onto your network from reaching other key resources. These measures can be onerous, especially for small businesses that do not have a Single Sign-On (SSO) capability, but could save the company a lot of bother in future.

Whoever is fulfilling the role of the chief IT administrator in the company needs to ensure that admin privileges are restricted to themselves and other sysadmins, with role separation so that each has access only to the resources they are expected to oversee.

When it comes to phishing and social engineering scams, the answer is less technical than educational. This includes routine phishing tests and making staff aware of common ways that fraudsters target businesses: invoice scams, bogus messages claiming to be from the boss or a business partner asking for key documents or for money to be transferred, and so on.

End point of the line

In today’s mobile environment, laptops, tablets, and smartphones are increasingly on the front line of your company’s network. They also represent a weak link in your defence.

Perhaps the biggest risk is connecting on such devices to free public Wi-Fi. This is a gift to hackers, who’ll try to steal your emails, credit-card information, and security credentials in order to masquerade as you at a later point. This could be done by exploiting vulnerabilities, or sniffing out plain-text traffic. Malware writers will also use public Wi-Fi as a means to deliver rogue code to your device and then to your work’s systems once back at base.

And yet: two thirds of staff and 44 per cent of SMB chiefs connect to public Wi-Fi for work, says Switchfast, while apparently fully knowing the risks. Carlson Wagonlit found public Wi-Fi is recognised by business travellers as one of the top two ways they could lose their employer’s data – loss or theft of laptop is the other.

Users may even unwittingly give the network, and thus anyone on the same Wi-Fi, permission to access data on the device, or even on the corporate network. In Ponemon’s report, 30 per cent of SMBs cited compromised or stolen devices were the cause of security-related incidents.

Larger companies typically try to get around this using mobile device management (MDM). This lets admin staff identify devices users are working with, enforce settings – such as data encryption, password or PIN protection – and remotely wipe data in the event of loss or theft.

But the MDM market is fragmented, with a plethora of pricing plans. If, like most SMBs, you are short on IT staff and long on jobs, then evaluating and choosing an MDM platform will likely get kicked way down the long list of priorities.

SMBs do have some relatively simple options – for example, Microsoft’s Office 365 productivity suite. Office 365 uses the hosted email server as the point of control for ensuring that devices, such as smartphones, have had a password or PIN set by the user to secure access to them, that data encryption is enabled, and can also be used to wipe work emails and files.

Microsoft’s Office traditionally had a strong presence among businesses of all sizes, and while the as-a-service Office 365 is growing, it has come from a relatively long way behind among SMBs.

Alternatively, cloud-based MDM providers offer a free tier for users with only a limited number of devices.

Using a Virtual Private Network (VPN) can protect and encrypt your internet or corporate traffic over Wi-Fi and other untrusted networks. Again, while they are complex to some and potentially costly, VPN providers do serve SMBs. Better yet, set one up yourself using OpenVPN, Algo, or Outline, for example, if you know what you’re doing.

Back me up, Scotty

Finally, SMBs need a fallback. What if, after all this, you still get hacked or held to ransom? Backups are not strictly cyber-security, but they do play a role in protection and recovery.

Ponemon found 51 per cent of SMBs had experienced a ransomware attack within the previous three months. If an attack succeeded, 60 per cent had to pay the ransom, with an average payout of $2,157.

The salient fact, however, was this: of those who did not pay, 67 per cent said this has been because they were able to recover their data from a full backup.

And yet… “Some organisations don’t even have a backup strategy to help them,” Mistry said. Trend subscribes to the view you need three copies of your data: two separate media types, and one offsite copy. “That’s a very simple, basic rule and a lot of people are simply not doing this,” he said.
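
The three-copies, two-media, one-offsite rule quoted above as a check over a backup inventory, with the question the rule leaves out: whether a restore has actually been tested recently. This is an added example, not from the article or Trend Micro; the inventory, the 30-day limit and the usual reading that the live data counts as one of the three copies are assumptions.

```python
"""Added example, not from the article or Trend Micro. Inventory, limits and the
convention that the live copy counts as one of the three are assumptions."""
from datetime import date
from typing import List, Optional

# Constructed inventory; "live" is the working copy and is never restore-tested itself.
INVENTORY = [
    {"name": "live-fileserver", "medium": "disk", "offsite": False, "live": True, "last_restore_test": None},
    {"name": "nas-snapshot", "medium": "disk", "offsite": False, "live": False, "last_restore_test": date(2018, 10, 15)},
    {"name": "cloud-archive", "medium": "cloud", "offsite": True, "live": False, "last_restore_test": None},
]


def evaluate_321(inventory=INVENTORY, today: date = date(2018, 11, 7),
                 max_test_age_days: int = 30) -> List[str]:
    """Return the ways the inventory falls short; an empty list means it passes."""
    findings = []
    if len(inventory) < 3:
        findings.append(f"only {len(inventory)} copies, need 3")
    media = {copy["medium"] for copy in inventory}
    if len(media) < 2:
        findings.append(f"all copies on one medium ({', '.join(sorted(media))})")
    if not any(copy["offsite"] for copy in inventory):
        findings.append("no offsite copy")
    for copy in inventory:
        if copy["live"]:
            continue
        tested: Optional[date] = copy["last_restore_test"]
        if tested is None:
            findings.append(f"{copy['name']}: never restore-tested")
        elif (today - tested).days > max_test_age_days:
            findings.append(f"{copy['name']}: last restore test {(today - tested).days} days ago")
    return findings


if __name__ == "__main__":
    print(evaluate_321() or ["3-2-1 satisfied"])
```

The constructed inventory passes the counting part of the rule and still fails, because the offsite copy has never been restored from. Against ransomware specifically, one further question belongs in any such check: whether the backup can be overwritten or deleted with the same credentials that run the live system, since a copy that can is encrypted along with everything else.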

Conventional wisdom is a dangerous place for SMBs, a place defined by complacency. Hackers and malware writers have changed – shifting their targets – and SMBs must change, too. Overcoming prevailing logic doesn’t demand complex technology answers or radical workplace re-engineering – the answers are available and are relatively simple. They simply require application. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/11/07/smb_security_tips/

Hackers seed StatCounter with nasty JavaScript in elaborate Bitcoin theft scheme

One of the top traffic metrics websites on the internet is apparently being used by criminals to steal Bitcoins from a currency exchange.

Researchers at ESET have found that the JavaScript used by StatCounter’s analytics platform has been modified by miscreants so that when embedded into the pages of Gate.io, a cryptocurrency exchange, it can siphon off alt-coins.

The ESET team today said that the crooks injected malicious code within statcounter.com/counter/counter.js, a piece of JavaScript that StatCounter’s two million or so customers embed in their websites to measure their visitor traffic.

While millions of sites may have pulled in that modified code, however, it appears that just one site was the target. ESET’s eggheads say the malicious code within the StatCounter script performs a single check for a specific path: myaccount/withdraw/BTC.

“It turns out that among the different cryptocurrency exchanges live at time of writing, only gate.io has a valid page with this URI,” explained ESET malware researcher Matthieu Faou.

“Thus, this exchange seems to be the main target of this attack.”

Should that path be accessed by a visitor, a second script on a separate domain is fetched and executed. That script tries to redirect any Bitcoin transactions to one of several wallet addresses controlled by the masterminds of this attack.
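The defensive counterpart to the tampering described above, as an added example that is not taken from ESET's write-up or from StatCounter's own code: the script bodies, the analytics URL and the pin are constructed placeholders, and only the withdraw-path indicator comes from the article. The block computes a Subresource Integrity (SRI) digest for a pinned copy of a third-party script, reports drift when the fetched body no longer matches the pin, and scans a script body for the page-path check that ESET found in the modified counter.js.

```python
import base64
import hashlib

# Constructed sample bodies for this example (placeholders, not StatCounter's
# real counter.js): a pinned baseline copy and a tampered copy that appends a
# page-path check of the kind ESET described.
BASELINE_SCRIPT = (
    b"var sc_project=1234567;\n"
    b"(function(){ /* report a page view to the analytics service */ })();\n"
)
TAMPERED_SCRIPT = BASELINE_SCRIPT + (
    b"if(location.href.indexOf('myaccount/withdraw/BTC')>-1){"
    b"/* fetch a second-stage script from another domain */}\n"
)

# Path indicator from the ESET write-up; extend with your own high-value paths
# (login, payout, admin) so the scan is not tied to this one case.
WATCHED_PATHS = ["myaccount/withdraw/BTC"]


def sri_digest(body: bytes, algo: str = "sha384") -> str:
    """Return the Subresource Integrity token ('sha384-<base64>') for a script body."""
    raw = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(raw).decode('ascii')}"


def integrity_matches(body: bytes, pinned: str) -> bool:
    """True if the fetched body hashes to the pinned SRI token."""
    algo = pinned.split("-", 1)[0]
    return sri_digest(body, algo) == pinned


def script_tag(src: str, pinned: str) -> str:
    """Render the <script> tag that makes the browser enforce the pin itself.
    The crossorigin attribute is required for SRI on cross-origin scripts."""
    return f'<script src="{src}" integrity="{pinned}" crossorigin="anonymous"></script>'


def find_path_checks(body: bytes) -> list:
    """Report watched URL paths that appear literally in a script body."""
    text = body.decode("utf-8", errors="replace")
    return [p for p in WATCHED_PATHS if p in text]


def audit_third_party_script(body: bytes, pinned: str) -> dict:
    """Combine both checks: hash drift against the pin, and indicator hits."""
    return {
        "integrity_ok": integrity_matches(body, pinned),
        "path_checks": find_path_checks(body),
    }


if __name__ == "__main__":
    pin = sri_digest(BASELINE_SCRIPT)
    print(script_tag("https://analytics.example/counter.js", pin))  # assumed URL
    print("baseline:", audit_third_party_script(BASELINE_SCRIPT, pin))
    print("tampered:", audit_third_party_script(TAMPERED_SCRIPT, pin))
```

An SRI pin makes the browser refuse a script whose hash has drifted, which also means it refuses the vendor's legitimate updates, so the pin belongs beside a scheduled job that re-fetches the script, compares it against the baseline and alerts on any change before the new version is pinned. The indicator scan is the cheap second check: an analytics script has no business inspecting a withdrawal path.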


Because the thieves used multiple wallets to receive the hijacked funds, the researchers do not know precisely how much was stolen. They believe, however, that the loss could be significant.

Gate.io did not respond to a request for comment, and StatCounter also could not be reached. ESET says it has notified both companies of the caper.

“Even if we do not know how many Bitcoins have been stolen during this attack, it shows how far attackers go to target one specific website, in particular a cryptocurrency exchange,” said Faou.

“To achieve this they compromised an analytics service’s website, used by more than two million other websites, including several government-related websites, to steal Bitcoin from customers of just one cryptocurrency exchange website.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/11/06/statcounter_javascript_theft_scheme/

Stop us if you’ve heard this one: Remote code hijacking flaw in Apache Struts, patch ASAP

The Apache Foundation is urging developers to update their Struts 2 installations and projects using the code – after a critical security flaw was found in a key component of the framework.

A warning this week from Apache reveals that devs should make sure their websites and other applications are running Struts versions 2.5.12, or later, to protect from exploits of CVE-2016-1000031. The vulnerability, a deserialization error that would allow unsanitized code in a Java Object to run unchecked, was found in the commons-fileupload library.

A miscreant could exploit the flaw to execute code remotely on the targeted host, potentially seizing control of the server, installing spyware, and causing other mischief. An attack would typically involve submitting a booby-trapped file to a vulnerable website, and waiting for Struts 2 to inadvertently execute malicious code smuggled inside the document.

“Your project is affected if it uses the built-in file upload mechanism of Struts 2, which defaults to the use of commons-fileupload,” Apache said in its advisory.

“The updated commons-fileupload library is a drop-in replacement for the vulnerable version. Deployed applications can be hardened by replacing the commons-fileupload jar file in WEB-INF/lib with the fixed jar.”

Apache did not say why a bug first cataloged in 2016, judging from its CVE, was only being patched in November of 2018.

While updating to the latest version of Struts will protect future projects from exploitation, projects built with older versions will need to be manually upgraded. Apache said this can be done by adding a dependency to the project:

  <dependency>
    <groupId>commons-fileupload</groupId>
    <artifactId>commons-fileupload</artifactId>
    <version>1.3.3</version>
  </dependency>

Getting the fix added to all existing projects will likely be a long and tedious process for developers, said SANS network security researcher Johannes Ullrich.

“There is no simple ‘new Struts version’ to fix this,” Ullrich explained. “You will have to swap out the commons-fileupload library manually.”
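Apache's advisory gives two routes to the fix, a bumped dependency or a swapped jar in WEB-INF/lib, and Ullrich's point is that every existing project has to be checked by hand. As an added example, not code from Apache, SANS or the Struts project, here is a checker that audits both routes: it reads commons-fileupload versions out of a pom.xml (resolving ${property} references against the pom's properties block) and picks out pre-1.3.3 jars from a WEB-INF/lib listing. The 1.3.3 threshold is the version in the advisory's dependency snippet; the sample pom and jar names below are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath

# First version carrying the fix, taken from the advisory's dependency snippet.
FIXED_VERSION = (1, 3, 3)
JAR_RE = re.compile(r"^commons-fileupload-(\d+(?:\.\d+)*)[^/]*\.jar$")

# Constructed sample pom.xml: Struts project with the vulnerable library pulled
# in through a property, the pattern that a plain text search for "1.3.2" misses.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <properties>
    <fileupload.version>1.3.2</fileupload.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>2.5.10</version>
    </dependency>
    <dependency>
      <groupId>commons-fileupload</groupId>
      <artifactId>commons-fileupload</artifactId>
      <version>${fileupload.version}</version>
    </dependency>
  </dependencies>
</project>
"""

# Constructed sample listing of a deployed application's WEB-INF/lib.
SAMPLE_LIB = [
    "WEB-INF/lib/struts2-core-2.5.10.jar",
    "WEB-INF/lib/commons-fileupload-1.3.2.jar",
    "WEB-INF/lib/commons-io-2.4.jar",
]


def parse_version(text: str) -> tuple:
    """'1.3.2' -> (1, 3, 2). Numeric prefix only; qualifiers such as '-SNAPSHOT' are ignored."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_vulnerable(version_text: str) -> bool:
    """Anything older than the fixed version is treated as vulnerable."""
    return parse_version(version_text) < FIXED_VERSION


def _resolve(root, ns: str, value):
    """Expand a ${property} reference against the pom's <properties> block."""
    m = re.fullmatch(r"\$\{(.+)\}", (value or "").strip())
    if not m:
        return value
    props = root.find(f"{ns}properties")
    if props is not None:
        for child in props:
            if child.tag == f"{ns}{m.group(1)}":
                return (child.text or "").strip()
    return None  # unresolved: managed in a parent pom, check by hand


def pom_fileupload_versions(pom_xml: str) -> list:
    """Versions of commons-fileupload declared in a pom.xml string (None if unresolved)."""
    root = ET.fromstring(pom_xml)
    ns = root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""
    found = []
    for dep in root.iter(f"{ns}dependency"):
        if (dep.findtext(f"{ns}groupId") == "commons-fileupload"
                and dep.findtext(f"{ns}artifactId") == "commons-fileupload"):
            found.append(_resolve(root, ns, dep.findtext(f"{ns}version")))
    return found


def vulnerable_jars(lib_listing) -> list:
    """Filenames under WEB-INF/lib that are a pre-fix commons-fileupload jar."""
    hits = []
    for name in lib_listing:
        m = JAR_RE.match(PurePosixPath(name).name)
        if m and is_vulnerable(m.group(1)):
            hits.append(name)
    return hits


def audit(pom_xml: str, lib_listing) -> dict:
    """One report per deployment: declared versions needing a bump, and jars to swap."""
    declared = pom_fileupload_versions(pom_xml)
    return {
        "declared_vulnerable": [v for v in declared if v is None or is_vulnerable(v)],
        "jars_to_replace": vulnerable_jars(lib_listing),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_POM, SAMPLE_LIB))
```

The two checks deliberately look at different artefacts: the pom tells you what the next build will ship, the jar listing tells you what is running now, and after a manual jar swap the two can disagree until the pom is updated too. A version that cannot be resolved from the pom (inherited from a parent or a BOM) is reported as needing attention rather than silently skipped.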

While most netizens will not be familiar with Struts, vulnerabilities in the framework are nothing to scoff at. Bugs in the framework are an increasingly popular target for online exploits.

One such Struts flaw was exploited in 2017 by the attackers who used the bug to get into systems at Equifax and ultimately compromise the personal details of more than 145 million Americans. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/11/07/flaw_in_apache_struts/

‘PortSmash’ Brings New Side-Channel Attack to Intel Processors

New vulnerability exposes encryption keys in the first proof-of-concept code.

A new Intel side-channel vulnerability dubbed PortSmash promises to lay encryption keys open to discovery by threat actors.

PortSmash uses characteristics of Simultaneous Multi-Threading (SMT), the technique Intel processors use to run two hardware threads on a single physical core. In this case, one of the processes sniffs the activity of the other until it is able to work out the timing and details of that process’s instructions from contention for the core’s execution ports and the way that contention is resolved.

The proof of concept, which was created by researchers at Finland’s Tampere University of Technology and the Technical University of Havana, works out the location of data in order to steal an OpenSSL private key from a TLS server.

“Any time you have the opportunity to capture what we assume is secret — in this case a private key — it’s serious,” says Kevin Bocek, vice president of security strategy at Venafi. In the future when more organizations have complex workloads running on cloud platforms and lack complete control and full visibility, this sort of vulnerability will become even more serious, he notes.

One factor underscoring the seriousness of the vulnerability is the relative ease with which it can be exploited, says Justin Jett, director of audit and compliance at Plixer. Discovering the core on which the TLS server is running is easy with open source tools like taskset or cpuset, he says, and then injecting a process into that same core is quite simple.

“Ultimately, you create malware that will be inserted into the same core [as the server]. This malware then has the capability of getting the decryption key that OpenSSL is generating,” he explains.

The issue could become worse, Jett says, “if that site also has deployed some form of single sign-on, then the credentials passed through the Web server could be compromised. And if that single sign-on happens to use Active Directory server, then that could further compromise the systems themselves.”

If there’s good news here, it’s that the same issues currently exist for PortSmash that exist for all similar side-channel vulnerabilities. “This type of attack means that you’re already able to execute code on somebody’s computer,” says Chet Wisniewski, principal research scientist at Sophos. “Typically, once you’ve already got malicious code running on a computer, why bother executing such a complicated thing in order to potentially steal encryption you probably can already steal?” 

Wisniewski says he believes PortSmash deserves a rating of four on a ten-point scale of severity, but that it could prove more dangerous as time goes on. “A four can turn into a seven or eight down the road. Right now it’s too hard for an average criminal to bother with it, but as researchers refine the attack over six, 12, 18 months, we’ve seen all the other attacks suddenly become more important,” he explains.

Little Control

There’s relatively little that cloud or hosted service customers can do to protect themselves from this sort of vulnerability, researchers say. “Changing the frequency with which TLS keys are replaced is important,” Venafi’s Bocek says.

“We should certainly be monitoring processes, and making sure that we know there aren’t rogue processes that are on the servers that are injecting themselves into specific cores,” says Plixer’s Jett.

The threat will be problematic for mid-tier organizations without the knowledge or resources to update their applications with newer encryption libraries more resilient to the attack, Wisniewski notes.

“It’s inevitable: death, taxes, and more side-channel attacks. I can’t protect the chips, but I can protect the TLS certificates,” says Bocek. “There will be more side-channel attacks. The sky isn’t falling, but it is serious.”
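Jett's suggestion above, watching for processes that place themselves on the same core as the TLS server, can be turned into a concrete hygiene check. The block below is an added example, not code from the PortSmash researchers, Plixer or any vendor quoted here; the CPU topology and process table are constructed samples in the format of Linux's thread_siblings_list and Cpus_allowed_list files, and a read_live_tables helper shows how the same check would be fed from a real host. It separates processes narrowly pinned onto the server's core (and its SMT sibling thread) from processes that are merely allowed to float there.

```python
import os

# Constructed sample topology: four logical CPUs, SMT pairs (0,2) and (1,3),
# in the format of /sys/devices/system/cpu/cpuN/topology/thread_siblings_list.
SAMPLE_SIBLINGS = {0: "0,2", 1: "1,3", 2: "0,2", 3: "1,3"}

# Constructed sample process table: (pid, comm, Cpus_allowed_list) as read from
# /proc/<pid>/comm and /proc/<pid>/status. The TLS server is pinned to CPU 0.
SAMPLE_PROCS = [
    (1200, "nginx", "0"),
    (1410, "sshd", "0-3"),
    (2231, "crond", "1,3"),
    (3875, "unknown-bin", "2"),
]
TLS_PID = 1200


def parse_cpu_list(text: str) -> set:
    """Parse the kernel's list syntax ('0-3,6,8-9') into a set of CPU numbers."""
    cpus = set()
    for part in text.strip().split(","):
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            cpus.update(range(int(lo), int(hi) + 1))
        else:
            cpus.add(int(part))
    return cpus


def smt_siblings(siblings: dict, cpus: set) -> set:
    """Every hardware thread that shares a physical core with any CPU in `cpus`."""
    out = set()
    for cpu in cpus:
        out |= parse_cpu_list(siblings[cpu])
    return out


def co_resident_processes(procs, tls_pid: int, siblings: dict):
    """Split the other processes into those pinned onto the TLS server's core
    (the 'inserted into the same core' pattern) and those merely allowed to
    float onto it. Returns (pinned, floating) as lists of (pid, comm)."""
    tls_allowed = next(parse_cpu_list(a) for pid, _, a in procs if pid == tls_pid)
    shared = smt_siblings(siblings, tls_allowed)
    everything = set(siblings)
    pinned, floating = [], []
    for pid, comm, allowed in procs:
        if pid == tls_pid:
            continue
        cpus = parse_cpu_list(allowed)
        if not cpus & shared:
            continue
        # A narrow affinity that fits entirely inside the server's core is the
        # suspicious shape; an unpinned server shares every core, so nothing is "pinned".
        if cpus <= shared and shared != everything:
            pinned.append((pid, comm))
        else:
            floating.append((pid, comm))
    return pinned, floating


def read_live_tables():
    """Read the real topology and process table on a Linux host (not used by the
    constructed sample above)."""
    siblings, base = {}, "/sys/devices/system/cpu"
    for name in os.listdir(base):
        if name.startswith("cpu") and name[3:].isdigit():
            try:
                with open(f"{base}/{name}/topology/thread_siblings_list") as fh:
                    siblings[int(name[3:])] = fh.read()
            except OSError:
                continue
    procs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
            with open(f"/proc/{pid}/status") as fh:
                allowed = next(l.split(":", 1)[1] for l in fh if l.startswith("Cpus_allowed_list"))
        except (OSError, StopIteration):
            continue
        procs.append((int(pid), comm, allowed))
    return siblings, procs


if __name__ == "__main__":
    pinned, floating = co_resident_processes(SAMPLE_PROCS, TLS_PID, SAMPLE_SIBLINGS)
    print("pinned onto the TLS server's core:", pinned)
    print("allowed to float onto it:", floating)
```

On an ordinary host most daemons are allowed on every CPU, so the floating list is long and uninteresting; the signal is an unfamiliar binary whose affinity has been narrowed to exactly the server's sibling thread. The check only reports co-residency. Removing it is a scheduling decision: give the TLS server a cpuset that reserves both hardware threads of its core, or disable SMT on hosts where untrusted code can run, so that no other process can share the execution ports the attack measures.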

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/vulnerabilities---threats/portsmash-brings-new-side-channel-attack-to-intel-processors/d/d-id/1333215?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple