STE WILLIAMS

Google logins make JavaScript mandatory, Huawei China spy shock, Mac malware, Iran gets new Stuxnet, and more

Roundup This week there were Hacked Home Hubs, buggered BBC Bits, and PortSmash privilege punch-ups.

But that wasn’t all that happened – here’s a weekend roundup just for you.

Huawei helped China with hacks, says Australia

So it turns out all those governments weren’t just being paranoid when they barred Huawei from working on networks.

A report from The Australian (paywalled) cites a Down Under government source in reporting that on at least one occasion Huawei was pressed by the Chinese government to provide access to a foreign network.

The article does not give details on who was targeted or when, but claims that China asked Huawei to provide it with log-in credentials for networking equipment the company had sold to someone in another country.

If true, this would validate the worst fears of governments around the world: that Chinese telcos and manufacturers are in fact subject to the whims of Beijing and could help their home country infiltrate the networks of customers, including government agencies and contractors, in other countries.

Raunchy worker gets blame for government malware mess

A horny (dare we say rock-hard) employee at the US Geological Survey ended up getting more than an eyeful after an adult site dropped malware on the government agency’s network.

A US government report last month [PDF] traced a Russian malware outbreak on the USGS network to an infection spawned from a single workstation that had cruised through some 9,000 porn sites.

The IG believes that the worker had downloaded videos from the site that included the malware payload, and once running on the workstation the infection was able to spread throughout the network.

You will not be shocked to learn that said employee no longer works at the agency.

The D in SystemD stands for “Do we really have to do this again?”

Last week alarms were sounded over a serious vulnerability in SystemD. Just days later, we got wind of two more, slightly less serious vulnerabilities also present in the Linux management tool.

IBM’s X-Force says that CVE-2018-15687 is a security bypass bug that lets an attacker target a race condition which, when won, allows file permissions to be overwritten.

Meanwhile, CVE-2018-15686 is a privilege escalation bug that would potentially allow an attacker with local access to elevate into root privilege by sending a specially-crafted request to the NotifyAccess component.

While neither is as serious as the remote code bug disclosed last week, admins would be well advised to make sure they are running the latest version of SystemD, in which both bugs are patched.

Bigger, badder, destructive-ier: it’s Stuxnet II, Iranian Boogaloo

The Stuxnet attack will go down as one of the most complex and destructive malware operations ever.

But if a report out of Israel is to be believed, there’s a bigger, badder sequel in the works.

The Times of Israel claims that critical infrastructure in Iran, including essential networks, is already being menaced by purpose-built malware that is “more violent, more advanced and more sophisticated virus than before, that has hit infrastructure and strategic networks.”

The report does not say what exactly the malware does, or how it plans on wreaking havoc in Iran. As you might imagine, the Israeli government doesn’t have much to say about the subject.

But, considering that Stuxnet was able to physically destroy uranium centrifuges, the promise of a nastier, more destructive follow-up is definitely something worth paying attention to.

Google says everyone has to run JavaScript now

Don’t like JavaScript? Tough. A recent set of security updates to the Google login page will now require JavaScript be enabled on the browser in order to work. No JavaScript, no sign-in.

Apparently, Google is using an assessment tool that will check for suspicious behavior when the user logs in. Part of that tool requires JavaScript, hence the requirement that you have it enabled.

The Chocolate Factory doesn’t seem too worried about a user revolt, as it says nearly everyone already runs JavaScript.

“Chances are, JavaScript is already enabled in your browser; it helps power lots of the websites people use every day. But, because it may save bandwidth or help pages load more quickly, a tiny minority of our users (0.1%) choose to keep it off,” Google offers.

“This might make sense if you are reading static content, but we recommend that you keep JavaScript on while signing into your Google Account so we can better protect you.”

Crapto crypto Mac app carries covert back doors

If you’re a Mac user invested in crypto-currencies, you’ll want to keep a close eye on the apps you’re using to track your investments.

Researchers at Malwarebytes say a currency-tracking tool called CoinTicker activates a pair of back doors when it is installed on an unsuspecting user’s machine.

“Although this functionality seems to be legitimate, the app is actually up to no good in the background, unbeknownst to the user,” Malwarebytes says.

“Without any signs of trouble, such as requests for authentication to root, there’s nothing to suggest to the user that anything is wrong.”

Meanwhile, the app is installing a copy of the EggShell server as well as a script to link up the infected machine with a command server. As you might have guessed, the likely aim here is to harvest coin wallets en masse.

Accused Russian agent may have run cyber recon on targets

Back in September, Russia’s Maria Butina was charged with acting as an unregistered foreign agent, allegedly after years of working on behalf of the Kremlin to sway influential US politicians and lobbying groups.

If a new report from the Associated Press is to be believed, Butina also did a bit of infosec research in her time in the US. The AP claims that Butina, while a graduate student at American University, cased out the cyberdefenses of several US nonprofit organizations.

The report notes that the assignment wouldn’t have drawn much attention at the time, but after Butina was arrested and charged, the operation was seen in an entirely different light – as a possible effort by the Kremlin to infiltrate and spy on non-profit groups that focused on things like human rights and media freedom.

The AP notes that, thus far, there is no evidence Butina actually passed the findings of the project on to Russia.

Man oh Manchin: West Virginia Senator says accounts got hacked

Senator Joe Manchin (D. WV) is the latest congresscritter to fall victim to hackers. This time, it was Manchin’s social media accounts that were compromised.

The reports don’t say exactly what the hackers were going for or what they were able to get from the accounts, but Manchin’s office has said it is working with law enforcement on the matter.

With the US mid-term elections just days away, it would not be surprising at all to find out that any number of people in the House and the Senate have had one or more social media accounts compromised. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/11/03/security_roundup_021118/

30 spies dead after Iran cracked CIA comms network with, er, Google search – new claim

Iran apparently infiltrated the communications network of CIA agents who allowed their secret websites, used to exchange messages with informants, to be crawled by Google.

A report from Yahoo! news claims that a 2009 breach of the US spy bods’ communications channels came after the Iranian government infiltrated a series of websites the CIA had used to talk to its local sources in places like Iran and China.

“We’re still dealing with the fallout,” said one former national security official. “Dozens of people around the world were killed because of this.”

Web scraping is a two-edged sword

The communications leak was believed to have stemmed from a simple Google search. Suspecting the US had agents and sources within its nuclear program, Iran began to hunt for the mole. After a double agent showed Iran’s government one of the sites, it was able to use Google to identify other sites the intel agency was using and began to intercept communications.

“Because Google is continuously scraping the internet for information about all the world’s websites, it can function as a tremendous investigative tool — even for counter-espionage purposes,” the report claims.

“And Google’s search functions allow users to employ advanced operators — like ‘AND’, ‘OR’, and other, much more sophisticated ones — that weed out and isolate websites and online data with extreme specificity.” As a result, Iran announced the intelligence coup and arrested many operatives. Some were executed, although others managed to escape.

Once Iran was able to track down the sites their techniques were given to other friendly countries, who in turn used the information to weed out the CIA’s communications channel in their own territories as well.


“Iran was aggressively going out to hunt systems down,” a former intelligence official said. “They weren’t just protecting themselves anymore.”

The death toll mounts

This, Yahoo! says (citing agency officials), culminated in a 2012 incident in China where 30 agents working for the US were caught and executed.

The CIA does appear to have lucked out when it comes to Russia. The Intelligence Agency ring fences its Russian activities and the report states that intel chiefs were quick to harden up its Russian communications channel at the first sign of trouble.

But the rest of the agency had become too reliant on the system, which was originally intended to only be a temporary communications channel, and had left the relatively insecure site up far longer than intended and used it to send information that should have been reserved for more secure channels.

“It was never meant to be used long term for people to talk to sources,” the report quotes one official as saying.

“The issue was that it was working well for too long, with too many people. But it was an elementary system. Everyone was using it far beyond its intention.”

Shooting the messenger

A defense contractor for the CIA named John Reidy claims he warned the agency that it was using insecure communications systems in 2008, and again in 2010 when he started to suspect the channels had been cracked. A year later he was fired by the agency, a move he claims was retaliation for not shutting up.

“It was a recipe for disaster,” Reidy said. “We had a catastrophic failure on our hands that would ensnare a great many of our sources.”

Reidy said that he appealed to the CIA’s Inspector General and to those who were supposed to be providing congressional oversight. No one did anything to sort out the issue, and Reidy was sidelined and then sacked.

“This is one of the most catastrophic intelligence failures since Sept. 11,” said Irvin McCullough, a national security analyst with the Government Accountability Project. “And the CIA punished the person who brought the problem to light.”

The CIA did not respond to a request for comment. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/11/02/iran_cracked_cia_google/

Web domain owners paid EasyDNS to cloak their contact info from sight. It was blabbed via public Whois anyway

Domain name registrar EasyDNS has ‘fessed up to accidentally leaking cloaked contact details for about 1,500 domain owners in Whois query results for just over 24 hours.

Those details – such as names, phone numbers, email addresses, and postal addresses – should have been kept private, and not disclosed in Whois searches. However, between Thursday, October 25 at 12:30 ET and Friday, October 26 at 15:00 ET, the opposite happened, and records customers had paid to keep under seal were revealed in Whois searches. The Canadian biz notified its customers of the screw-up today, November 2.

In an email to punters, EasyDNS CEO Mark Jeftovic said the personal info was exposed by a bug in a system provided by Tucows – the second largest domain registrar in the world – which EasyDNS uses in its backend to manage domain names.

According to the boss, on Thursday, October 25, Tucows deployed some new components to prepare for the Registration Directory Services system that will replace the Whois directory system.

“Unfortunately the deployment contained a software bug, and the result was that domains with Whois privacy enabled had the underlying contact data displayed when queried via Whois during the period affected,” the email stated.

Jeftovic told The Register that about 2,400 domains with Whois privacy protections enabled were queried during the 26-hour period. This equated to about 1,500 customers who had their information disclosed in lookup results for their domain names.

What should have happened is that the queries return generic contact details for a front organization called MyPrivacyNet Ltd, masking the actual contact details for the domain-name owner. In reality, the real info slipped through into Whois lookups, giving away the identity and contact details of the owner of a particular EasyDNS-managed domain. People pay EasyDNS to keep that info under wraps for privacy reasons and to avoid spam.

Jeftovic stressed that only contact details for the domain were exposed; no passwords were leaked.

As for the risks involved from the leak, he told customers in a follow-up email: “We know from experience, the vast majority of Whois lookups are automated bots. The most likely negative outcome from this will be junk mail, junk faxes or email spam sent to your underlying contact info.”


It appears that it was only EasyDNS punters who were affected by the bug, as Jeftovic said his biz has a unique configuration with Tucows, so it’s possible this was overlooked during testing. We’ve asked Tucows for comment.

Jeftovic said that as soon as EasyDNS became aware of the issue, on October 26, it immediately shut down access to its data via Whois, and alerted Tucows.

In an email exchange with The Reg he said Tucows was “extremely responsive,” but added that the situation “obviously sucks.” The contrite exec apologized to members by saying that his firm was “deeply regretful” about the incident and had made its concerns known to the vendor. We have asked Tucows for comment but there is no word as yet.

EasyDNS is also giving a $7.50 credit for all domains affected – which is the cost of its Whois privacy service – regardless of whether or not the owners had paid for it or if it was included in their service contract. Anyone who paid for Whois privacy as an add-on can contact the support team to have a refund rather than credit. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/11/02/easydns_whois_leak/

PortSmash attack punches hole in Intel’s Hyper-Thread CPUs, leaves with crypto keys

Brainiacs in Cuba and Finland have found a new side-channel vulnerability in Intel x64 processors that could allow an attacker to sniff out cryptographic keys and other privileged information.

Following disclosure of the flaw to Intel at the beginning of October, boffins from the Tampere University of Technology in Finland and the Technical University of Havana, Cuba, today published a proof-of-concept they’re calling PortSmash.

The research team used the PoC to steal an OpenSSL (version 1.1.0h or less) P-384 private key from a TLS server. (Subsequent versions of OpenSSL aren’t susceptible.)

To pull off this secret surveillance, the exploit code must run on the system under attack, specifically on the same CPU core as the process you want to pry into. That means it can’t be used to eavesdrop on software remotely, or easily on the same host, but it could be useful for determined miscreants and snoops who have managed to infiltrate someone else’s computer. You basically have to already be able to run your own evil code on a machine in order to PortSmash it.

In a post to a security mailing list, Bill Brumley, assistant professor in the department of pervasive computing at Tampere University of Technology, said the information leakage was made possible thanks to Intel’s implementation of simultaneous multi-threading, known as Hyper-Threading.

SMT works by allowing, typically, two separate running programs to share the same CPU core at more or less the same time: two threads in two independent processes can run alongside each other in a single processor core. If you have four cores, and two of these SMT hardware threads per core, then that’s effectively eight cores per processor as far as application software is concerned, which means more stuff can be executed per second. SMT therefore boosts performance, but in some cases, can reduce performance depending on the workload type.

The downside is that it is possible for code in one hardware thread to look over the shoulder of code in the other hardware thread, on the same core, and work out what its partner is doing. It can do this by studying patterns of access to caches, or timing how long it takes to complete an operation. This is why developers of cryptography software are encouraged to build in defenses to thwart side-channel eavesdropping.

“We detect port contention to construct a timing side channel to exfiltrate information from processes running in parallel on the same physical core,” as Brumley put it.


Thus, the attack works by running the PortSmash process alongside a selected victim process, on the same CPU core, with each process using one of the core’s two SMT hardware threads. The PortSmash code then measures timing discrepancies to snoop on the operations performed by the other process, and gradually discern its protected data.

That means if the spied-upon process is performing some kind of cryptography, it is possible for the PortSmash process sharing the same CPU core to extract secret information, such as a decryption key, from its victim program.

The fix, Brumley suggests, is to disable SMT/Hyper-Threading in the processor chip’s BIOS. OpenBSD already disables Intel’s Hyper-Threading for security reasons.

The PoC, Brumley says, works out of the box for Intel’s Skylake and Kaby Lake, though it hasn’t been tested on other Intel chips. He suggests it may work for other SMT architectures – such as AMD’s Zen CPU family – if modifications are made to the code.

A CVE has been proposed, CVE-2018-5407; however, Intel doesn’t appear to think it’s worthy of a patch. For one thing, it has nothing to do with this year’s speculative execution flaws: Spectre, Meltdown, and the like.

In a statement emailed to The Register, an Intel spokesperson suggested any risk can be mitigated through existing software protections, such as writing code that is resistant to SMT side-channel attacks. Chipzilla is, essentially, taking a line suggested in the mailing list discussion of the flaw that this isn’t so much a vulnerability as “a fully expected by-design property” arising from SMT.

“Intel received notice of the research,” the chipmaker’s spokesperson said. “This issue is not reliant on speculative execution, and is therefore unrelated to Spectre, Meltdown or L1 Terminal Fault. We expect that it is not unique to Intel platforms. Research on side-channel analysis methods often focuses on manipulating and measuring the characteristics, such as timing, of shared hardware resources. Software or software libraries can be protected against such issues by employing side-channel safe development practices.”
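The “side-channel safe development practices” Intel points to mean, in practice, code whose instruction stream does not depend on secret bits, because a secret-dependent branch gives the sibling hyperthread a different port-usage profile to measure. The following is an added example, not code from the PortSmash researchers or from OpenSSL: a leaky square-and-multiply exponentiation next to a Montgomery ladder built on branchless helpers (ct_select, ct_cswap, ct_memeq, all hypothetical names written for this example). It assumes a 64-bit GCC or Clang for unsigned __int128, and that the generated assembly is checked, since an optimizer can turn a mask back into a branch.

```c
#include <stdint.h>
#include <stddef.h>

/* All helper names below are hypothetical, written for this example. */

/* Constant-time select: a if bit==1, b if bit==0. A mask replaces the
   branch, so the executed instructions are identical for both values. */
uint64_t ct_select(uint64_t bit, uint64_t a, uint64_t b) {
    uint64_t mask = (uint64_t)0 - (bit & 1);   /* all ones or all zeros */
    return (a & mask) | (b & ~mask);
}

/* Constant-time conditional swap of *a and *b when bit==1. */
void ct_cswap(uint64_t bit, uint64_t *a, uint64_t *b) {
    uint64_t mask = (uint64_t)0 - (bit & 1);
    uint64_t t = (*a ^ *b) & mask;
    *a ^= t;
    *b ^= t;
}

/* Constant-time equality for MAC/tag checks: 1 if equal, 0 otherwise.
   Unlike memcmp it never returns early at the first differing byte. */
int ct_memeq(const uint8_t *x, const uint8_t *y, size_t n) {
    unsigned int acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= (unsigned int)(x[i] ^ y[i]);
    /* acc == 0 -> (acc - 1) wraps to UINT_MAX -> bit 8 set -> 1 */
    return (int)(((acc - 1u) >> 8) & 1u);
}

/* Modular multiply; unsigned __int128 needs a 64-bit GCC/Clang. */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m) {
    return (uint64_t)(((unsigned __int128)a * b) % m);
}

/* Leaky square-and-multiply: the extra multiply only runs when the
   exponent bit is 1, so the per-bit execution profile that a sibling
   hyperthread can observe mirrors the secret exponent. */
uint64_t powmod_leaky(uint64_t base, uint64_t exp, uint64_t m) {
    uint64_t r = 1 % m;
    base %= m;
    for (int i = 63; i >= 0; i--) {
        r = mulmod(r, r, m);
        if ((exp >> i) & 1)          /* secret-dependent branch */
            r = mulmod(r, base, m);
    }
    return r;
}

/* Montgomery ladder: exactly one squaring and one multiplication per
   bit. The secret bit only chooses operands through ct_cswap, so the
   instruction sequence is the same for every exponent. */
uint64_t powmod_ladder(uint64_t base, uint64_t exp, uint64_t m) {
    uint64_t r0 = 1 % m, r1 = base % m;
    for (int i = 63; i >= 0; i--) {
        uint64_t bit = (exp >> i) & 1;
        ct_cswap(bit, &r0, &r1);     /* invariant: r1 == r0 * base (mod m) */
        r1 = mulmod(r0, r1, m);
        r0 = mulmod(r0, r0, m);
        ct_cswap(bit, &r0, &r1);
    }
    return r0;
}
```

Both exponentiations return the same result; only the ladder keeps the work per bit independent of the key.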

Intel’s spokesperson repeated its assertion that the company takes protecting customer data seriously and considers it a top priority. We’ll also check whether AMD is affected, as its modern CPUs offer SMT as well. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/11/02/portsmash_intel_security_attack/

Speed Up AppSec Improvement With an Adversary-Driven Approach

Stop overwhelming developers and start using real-world attack behavior to prioritize application vulnerability fixes.

Application developers are drowning in work. Simply keeping up with business demands for new features and functionalities keeps their backlogs full. So it should come as no surprise that they struggle to make a meaningful dent in the vulnerabilities that give bad guys a pathway to break into valuable software and data. Applications are more vulnerable than ever today, and the breach statistics just keep going up.

The dilemma has application security (AppSec) pundits thinking hard about the fundamental ways today’s typical AppSec program is broken. According to researchers James Wickett and Shannon Lietz, AppSec faces an epistemological problem for developers and security to figure out.  

“What’s the problem? We don’t even know if we’re chasing the right things,” said Wickett, researcher with the firm Signal Sciences. “We have to ask the question, ‘Is what we’re testing driving us toward finding the right issues?’”

Wickett stepped up to the podium with Lietz last week at DevOps Enterprise Summit to describe to a developer-heavy audience why they believe organizations need to start refocusing security fix priorities based on adversary behavior—rather than sticking solely with standards like the OWASP Top 10, which often don’t account for the exigencies of real-world attack patterns.  

“When we think about things from the adversary perspective, we talk about means, motives, and opportunities,” said Lietz, who works as the leader and director of DevSecOps for Intuit and also was the person responsible for coining the term DevSecOps to describe the mashup of security principles and DevOps. “What’s happened to the application security industry is we focus a lot on opportunities. If we can block out the opportunity, then bad guys are going to go away. But the truth is, as an industry we’re not really driving those bad guys away.”

Instead, the bad guys adjust and keep coming. This is a key point that people in the security world and the development community need to “sit with for a minute,” Wickett said, explaining that it is incorrect to think that if developers could somehow start building a perfect system, it’ll be unhackable.

“That is a fallacy,” he says.

It’s this type of mentality that has built up a situation where developers have a huge backlog and no truly effective way to prioritize what they fix first. Sure, there are vulnerability characteristics—like how severe the flaw is or how critical the application is in which a given flaw is found—but most security scan data offers no context about where that flaw falls within the pantheon of most popular tactics, techniques, and procedures of the bad guys hammering applications. 

“Ultimately, what happens is we overwhelm our development partners by not focusing on the stuff that bad guys actually focus on,” Lietz said. “Essentially, you got to have some way to have a conversation about what’s real and what’s perceived.”

They suggested organizations work to come up with what they call a “Real World Top 10” for developers to get started. These top issues home in on more adversary-relevant flaws, such as those that enable common attacks, like direct object reference, forceful browsing, and null byte attacks. 

This requires security organizations to instrument for and collect telemetry that helps them determine basic patterns in adversary data: who the top adversaries are, how they typically operate, how often they change their TTPs, how often they return to an application, and even how confidently they’re operating, judged by how much it costs the enterprise to fix a problem.

“Most adversaries will go after your most important weakness based on how much it costs you to fix, and they know that because they know something’s really deeply ingrained, how you’ve built your application there’s actually long-term debt,” Lietz explained. “They’re surfing for your long-term debt just as much you’re trying to get rid of it.”

Ultimately, the goal is to find flaw characteristics contextualized by adversary interest. This can help the development team forecast the most important issues to fix based on adversary relevance, so they can stay ahead of the bad guys.  

“I’ve made a lot more friends in our developer community because I’ve found a way to be valuable,” Lietz says. “I care deeply about making these tactics more visible, making it easier for them to digest and making it faster for developers to get them sooner in the pipeline.”


Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Article source: https://www.darkreading.com/application-security/speed-up-appsec-improvement-with-an-adversary-driven-approach/d/d-id/1333185?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Cisco Reports SIP Inspection Vulnerability

Advisory addresses active exploitation of vuln in the wild, with no clear solution in sight.

Cisco has issued a new security advisory covering a vulnerability in Cisco Adaptive Security Appliance Software and Cisco Firepower Threat Defense software that could ultimately lead to a denial-of-service (DoS) condition for specific devices.

Cisco is aware of active exploitation of the vulnerability in the wild, according to the advisory (CVE-2018-1545), which also states that no remediation is available. The only corrective action Cisco offers is to shut down Session Initiation Protocol (SIP) inspection — an action that closes the vulnerability but also “would break SIP connections if either NAT is applied to SIP traffic or if not all ports required for SIP communication are opened via ACL,” according to the advisory.

The affected devices are 3000 Series Industrial Security Appliance (ISA); ASA 5500-X Series Next-Generation Firewalls; ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers; Adaptive Security Virtual Appliance (ASAv); Firepower 2100 Series Security Appliance; Firepower 4100 Series Security Appliance; Firepower 9300 ASA Security Module; and FTD Virtual (FTDv).



Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/vulnerabilities---threats/cisco-reports-sip-inspection-vulnerability/d/d-id/1333189?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

NITTF Releases New Model for Insider Threat Program

The Insider Threat Program Maturity Framework is intended to help government agencies strengthen their programs.

The National Insider Threat Task Force (NITTF), an initiative co-directed by the FBI and the National Counterintelligence Security Center, today issued its “Insider Threat Program Maturity Framework” to improve on government agencies’ existing insider threat programs.

In 2012, the White House released the “National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs” to provide executive agencies with minimum standards for insider threat programs. The new framework takes these standards a step further by identifying key parts agencies can enhance to better detect and mitigate risk.

Officials developed the framework in fall 2017 by collecting ideas from the US government’s insider threat community. Feedback helped them build a model framework based on the capability maturity model process used in private industry. Earlier this year, representatives from the intelligence community, Department of Defense, and federal partner insider threat programs evaluated the new framework to ensure it was ready for rollout.


Article source: https://www.darkreading.com/vulnerabilities---threats/nittf-releases-new-model-for-insider-threat-program/d/d-id/1333190?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Ex-Employees Allegedly Steal Micron Trade Secrets Valued At Over $400 Million

Three individuals who worked for DRAM maker’s Taiwan subsidiary stole Micron IP to benefit company controlled by China’s government, US says in indictment.

Like many other businesses, semiconductor manufacturer Micron Technology employs a range of physical, electronic, and policy measures to protect its trade secrets. Yet all it took for the company to allegedly lose intellectual property worth at least $400 million to a Chinese competitor was two employees with legitimate access to the data.

A federal indictment unsealed this week in the US District Court for the Northern District of California described Micron as the victim of economic espionage involving a Taiwanese semiconductor company, a state-owned company in China, and three individuals who previously worked for Micron.

The indictment alleges that Stephen Chen, former president of a Micron subsidiary in Taiwan called Micron Memory Taiwan (MMT), conspired with two other former employees to steal proprietary data on Micron’s DRAM technology. The trio is then alleged to have used the stolen data to advance China’s development of its own DRAM technology.

Chen resigned from Micron in 2015 and began working as a senior vice president at United Microelectronics Corp. (UMC), a Taiwanese semiconductor foundry with a technology-sharing agreement with Fujian Jinhua Integrated Circuit, a Chinese government-owned semiconductor plant.

In that role, Chen is alleged to have hired two former MMT process managers to UMC. Both of the engineers allegedly stole confidential and proprietary data before and after quitting the Micron subsidiary and used it to advance UMC’s and, in turn, Fujian Jinhua’s own DRAM development work.

The stolen trade secrets included Micron’s work on DRAM design and manufacturing, the entire manufacturing process for a specific 25 nm DRAM product, software used to track the product through the fabrication process, and a design rules document. Also allegedly misappropriated was Micron IP relating to a next-generation 1x nm DRAM product. The indictment estimated the market value of the stolen information to UMC and Fujian Jinhua as ranging from $400 million to a staggering $8.75 billion.

Before leaving MMT, one of the indicted individuals, based in Taiwan at the time, allegedly downloaded over 900 confidential and proprietary files belonging to Micron from the company’s US servers. The engineer stored the downloaded files on external USB drives and in a personal Google Drive account that he later accessed while working for UMC.

A lot of the stolen trade secrets were contained in PDF documents and multitabbed Excel spreadsheets. Several of the PDF documents contained hundreds of pages — the biggest one had 360 pages.

The indictment does not indicate what sort of access the Taiwan-based engineer had to these documents in the regular course of his work at MMT. It is also not clear how he managed to download the 900-plus files and put them on personally owned external USB drives and in a personal cloud storage account without being detected. However, in the weeks leading up to his resignation from the Micron subsidiary in Taiwan, the engineer systematically ran numerous deletion processes and the CCleaner utility program on his official laptop to hide evidence of the data misappropriation.

The indictment against the Chinese government-affiliated actors is the latest manifestation of the US government’s crackdown on what it says is widespread economic espionage by China. Earlier this week, the US Department of Justice charged Chinese government intelligence officers with conducting a wide-ranging IP theft campaign targeting American and European aerospace firms.

While a lot of attention is being paid to the geopolitical implications of such actions, for enterprises the main takeaway is the need to better protect against insider threats. While organizations are spending millions of dollars shoring up against external attacks, data suggests they are not doing enough to protect against insiders with trusted access to enterprise networks and data.

Numerous surveys have shown that employees pose as much risk to enterprise data as external actors, if not more. Many breaches have resulted from negligence and mistakes, while others, such as the one at Micron, have resulted from malicious behavior. Security analysts have long noted that organizations need monitoring controls that detect suspicious or anomalous user behavior to manage the threat.
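The indictment describes a pattern that is detectable from ordinary audit data: a burst of document downloads far above the user’s own baseline in the weeks before resignation, a removable drive, an upload to a personal cloud account, and a disk-cleaning tool run on the corporate laptop. The following is an added example of that detection logic, not code from Micron, the indictment or any vendor; the event format, user names, indicator lists and scoring weights are assumptions chosen for illustration, and the log lines are constructed.

```python
from collections import Counter, defaultdict
from statistics import median

# Constructed sample audit events, not real Micron logs: (day, user, event, detail).
# eng_a downloads a handful of documents a month, then pulls ~930 files in two
# days, mounts a USB drive, uploads to a personal cloud account and runs a
# disk cleaner; eng_b is an ordinary user who also happens to use a USB stick.
EVENTS = [
    ("2015-06-01", "eng_a", "download", "dram_design_rules_v3.pdf"),
    ("2015-06-03", "eng_a", "download", "lot_tracking_notes.xlsx"),
    ("2015-06-08", "eng_a", "download", "wafer_yield_q2.xlsx"),
    ("2015-06-15", "eng_a", "download", "etch_recipe_rev7.pdf"),
    *[("2015-07-20", "eng_a", "download", f"proc_flow_25nm_{i:03d}.pdf") for i in range(450)],
    *[("2015-07-21", "eng_a", "download", f"proc_flow_1xnm_{i:03d}.pdf") for i in range(480)],
    ("2015-07-20", "eng_a", "usb_mount", "vid_0781:pid_5581"),
    ("2015-07-22", "eng_a", "upload", "drive.google.com"),
    ("2015-07-29", "eng_a", "process", "CCleaner64.exe"),
    ("2015-06-02", "eng_b", "download", "shift_schedule.xlsx"),
    ("2015-06-20", "eng_b", "download", "sop_cmp_v2.pdf"),
    ("2015-07-21", "eng_b", "download", "sop_litho_v4.pdf"),
    ("2015-07-21", "eng_b", "usb_mount", "vid_0951:pid_1666"),
]

# Assumed indicator lists and weights; a real deployment takes these from policy.
CLEANUP_TOOLS = {"ccleaner.exe", "ccleaner64.exe", "sdelete.exe", "bleachbit.exe"}
PERSONAL_CLOUD = {"drive.google.com", "dropbox.com", "onedrive.live.com"}
WEIGHTS = {"bulk_download": 3, "removable_media": 1,
           "personal_cloud_upload": 2, "cleanup_tool": 2}


def daily_downloads(events):
    """Per-user map of day -> number of documents downloaded that day."""
    per_user = defaultdict(Counter)
    for day, user, kind, _ in events:
        if kind == "download":
            per_user[user][day] += 1
    return per_user


def bulk_download_days(day_counts, min_files=50, ratio=10):
    """Days on which a user pulled at least min_files documents AND at least
    ratio times their own median day. The median is robust to a short burst,
    so the user's ordinary activity still sets the baseline."""
    if not day_counts:
        return []
    baseline = median(day_counts.values())
    return sorted(d for d, n in day_counts.items()
                  if n >= min_files and n >= ratio * baseline)


def assess(events):
    """Return {user: {"signals": {...}, "score": int}} for every user seen."""
    downloads = daily_downloads(events)
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[1]].append(ev)

    report = {}
    for user, evs in by_user.items():
        signals = {}
        burst_days = bulk_download_days(downloads.get(user, Counter()))
        if burst_days:
            signals["bulk_download"] = {
                "days": burst_days,
                "files": sum(downloads[user][d] for d in burst_days),
            }
        kinds = {(k, det.lower()) for _, _, k, det in evs}
        if any(k == "usb_mount" for k, _ in kinds):
            signals["removable_media"] = True
        if any(k == "upload" and det in PERSONAL_CLOUD for k, det in kinds):
            signals["personal_cloud_upload"] = True
        if any(k == "process" and det in CLEANUP_TOOLS for k, det in kinds):
            signals["cleanup_tool"] = True
        report[user] = {"signals": signals,
                        "score": sum(WEIGHTS[s] for s in signals)}
    return report


def flagged(events, threshold=4):
    """Users whose combined signals reach the alert threshold. A lone USB
    mount (eng_b) scores 1 and stays below it; a download burst plus any
    second signal crosses it."""
    return sorted(u for u, r in assess(events).items() if r["score"] >= threshold)


if __name__ == "__main__":
    for user, r in assess(EVENTS).items():
        print(user, r["score"], r["signals"])
    print("flagged:", flagged(EVENTS))
```

The point of scoring rather than alerting on any one signal is that each of these events is legitimate on its own: engineers use USB drives, and a bulk download may be a project hand-off. What distinguishes the case in the indictment is the combination, plus the anti-forensic cleanup, which a baseline-aware correlation surfaces without drowning analysts in single-event alerts.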

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/ex-employees-allegedly-steal-micron-trade-secrets-valued-at-over-$400-million/d/d-id/1333192?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Worst Malware and Threat Actors of 2018

Two reports call out the most serious malware attacks and attackers of the year (so far).

What is the worst malware to rear its head in 2018? The year isn’t quite over, but candidates for the role of “worst” have made themselves clear.

According to a new report issued by Webroot, among the worst are three large botnets. The list starts with Emotet, included because of its ability to spread laterally within a victim’s network. Trickbot follows, both on the list and in the wild, adding capabilities (including the ability to carry ransomware payloads) to the ones introduced by Emotet. Zeus Panda is the third member of the botnet and banking Trojan trio, included because it employs a wide variety of distribution methods to infect its victims.

These botnets are, together, part of a major trend that has been building for some time, says Chris Doman, an AlienVault threat engineer. “One of the new, interesting trends is that the commercial malware people are looking toward open source and rentable malware because it makes them harder to trace and means that they can pay others to do development,” he states. Malware-as-a-service puts malicious capabilities into the hands of those who may have very little technical sophistication, he adds.

AlienVault, an AT&T company, has released its own report that looks at the top threats and exploits seen in the first half of the year. It finds that malicious actors are broadening the range of platforms they attack and constantly shifting their approaches to evade detection and remediation.

Asked whether the overall news regarding malware is good or bad, Doman says, “The answer varies depending on which side you’re looking at. Are there more threats out there and more exploitable vulnerabilities? Yes.” At the same time, he says, “The defensive side is getting better. It doesn’t get the attention because it’s not as sexy as the hacking, but there are a lot of things today that are built in and we don’t have to think about.”

One of the areas AlienVault’s research looked at is major threat actors; this year, Lazarus took the No. 1 spot from Fancy Bear as the most-reported. The top 10 malicious actors were distributed across the globe, launching threats from North Korea (two groups), Russia (three), Iran (two), China (two), and India (one). According to the Webroot report, those top malicious actors have been busy in both rentable malware networks and ransomware. Webroot identifies the three worst ransomware actors for 2018 as Crysis/Dharma, GandCrab, and SamSam.

According to the AlienVault report, one change from 2017 is the distribution of the top threats and vulnerabilities across platforms. Whereas 2017’s top vulnerabilities were found almost exclusively in Microsoft Office and Adobe Flash, this year attackers have exploited vulnerabilities in Web application servers and Internet of Things (IoT) devices. That said, Microsoft Office still accounts for half of the top 10, and Adobe Flash is still home to the third-ranked vulnerability on the list.

The malicious actors are increasingly turning from a near-exclusive focus on Microsoft and Adobe software to remote exploits of IoT and Web application platforms, such as Drupal, as they build cryptomining botnets to generate ready income and remain under the radar of law enforcement agencies.

Javvad Malik, security advocate at AlienVault, says that many of those technologically unsophisticated criminals have turned their hands to ransomware. “Because of the ease of deployment and the open system nature, [ransomware] can be deployed by people who aren’t hardened criminals,” Malik says. “It could pay for someone’s college fees, and then the cultural issues come in, where the perpetrators don’t see it as a real crime.”

AlienVault’s Doman says the Internet has, so far, avoided the mass wave of ransomware that marked 2017. “One thing that struck me is that last year we had things like WannaCry and BadRabbit — a few big worms that spread around causing chaos. They had ties to nation-states,” he says. “This year we haven’t had so much. There was Olympic Destroyer, but it was a one-off.”

Despite the focus on bad actors and malware, one piece of good news is improved information sharing about malicious software is becoming standard practice in the security field, Malik says. “A lot of the improvements are down to the more open sharing nature of what we’re doing,” he says. “We’re seeing a lot more independent researchers reaching out and sharing their data and research. I think that’s a very good thing.”


Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/attacks-breaches/worst-malware-and-threat-actors-of-2018-/d/d-id/1333157?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Report reveals one-dimensional support for two-factor authentication

Online services have several options as they move beyond passwords to try and make accounts more secure. Think of five websites that you have a user account for. How many of them offer you greater security with multi- or two-factor authentication (MFA or 2FA)?

The move to support 2FA is happening, slowly, but a report released this week suggests that many sites are lagging behind.

Password management company Dashlane examined 34 of the more popular consumer websites in the US to see how well they supported MFA.

It scored each site out of five, based on several criteria.

Sites got one point for offering SMS or email authentication and another for supporting software tokens such as Google Authenticator. Dashlane clearly considers hardware-based authentication superior: it awarded three points to websites that offered it. These are hardware keys such as YubiKey or Google’s Titan that must be plugged into the computer or held next to it to authenticate the user. The FIDO Alliance’s Universal Second Factor (U2F) standard is the usual way such keys are used with online services.

The good news is that most of the sites tested offered some form of 2FA. On the naughty list with no points were private neighbourhood social network NextDoor, gig economy company TaskRabbit, online medical care appointment booking service ZocDoc, and retailer Best Buy. They offered none of the three categories of 2FA, forcing users to rely on passwords alone.

Only about one quarter of the sites tested (24%) scored full marks by offering the full range of options, according to Dashlane. Bank of America, Dropbox, E*TRADE, Facebook, Google, Stripe, Twitter, and Wells Fargo scored five points each and were on the nice list.

Quite a few of the sites that landed in the middle are from fintech or financial services. Mint, which aggregates your financial account data, electronic payment company Venmo, and financial services players Discover, Citibank, Chase and American Express all relied solely on email or SMS-based authentication, the report said. Yet NIST’s 2016 draft of SP 800-63B deprecated SMS as an out-of-band authenticator because messages can be intercepted or redirected, and email-based codes are only as strong as the mailbox they land in and can be phished just like the password they are meant to back up.

Dashlane also said that clarity was an issue in many websites. CEO Emmanuel Schalit said:

Through the course of our research we found that information on 2FA is often presented in a way that is unclear, making it difficult for consumers to confirm 2FA offerings. In fact, our researchers were forced to omit a large number of popular websites from our testing simply because the sites don’t provide any straightforward or easily accessible information about their 2FA offerings.

The Dashlane report focused on desktop browsers only, and didn’t include access via mobile apps in its assessment.

As patchy as support for 2FA may be, it’s only half the story. As recent research by Google and others has revealed, most of us don’t use 2FA even when it is available.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/7ilK9qhV2po/