STE WILLIAMS

Reddit users, 2FA is here! Now turn it on…

It’s been rather too long coming but Reddit users can finally secure their accounts with two-factor authentication (2FA).

Read the announcement:

You asked for it, and we’re delivering!

Which ignores that Reddit is probably the last of the big internet brands to offer what, by 2018, has become a standard security option.

It is at least easy to turn on, by clicking on a link at the bottom of the preferences tab, which is also used to set the account password.

A small glitch Naked Security noticed is that the words “two factor authentication” don’t appear on all accounts in the appropriate space on the page. If that’s the case, look for the term ‘status’, beside which should be the phrase ‘click to enable’ to turn on authentication.

Using a 2FA app that supports the TOTP (Time-based One-Time Password) standard, such as Google Authenticator or Authy, the process is completed by scanning the QR code and entering the six-digit verification code the app shows. The app derives a fresh code from the shared secret and the current time every 30 seconds, so each subsequent login uses a different one.

Once finished, it’s important to generate and print out 10 backup codes in case there is a problem with the authentication app or the user mislays their smartphone.
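What the authenticator app and the site actually compute once that QR code has been scanned, and how backup codes should be stored, as an added example (not Reddit's code). It implements TOTP as specified in RFC 6238 over the RFC's own test secret, accepts a one-step clock skew, and keeps backup codes hashed so that a database leak does not leak the codes. The server-side replay check (never accepting the same code twice) is mentioned but not implemented:

```python
"""TOTP (RFC 6238) generation and verification, plus single-use backup codes.

Added example for this article; it is not Reddit's code. Standard library only.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time

STEP = 30     # RFC 6238 default time step, in seconds
DIGITS = 6    # code length Reddit's setup page asks for


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226, HMAC-SHA1) over the current 30-second counter."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side for clock skew.
    Compare in constant time; a real server must also refuse to accept the
    same code twice within its validity (replay check not shown here)."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, unix_time + drift * STEP), code):
            return True
    return False


def secret_from_base32(b32: str) -> bytes:
    """The QR code carries the shared secret base32-encoded in an otpauth:// URI."""
    b32 = b32.strip().upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


def new_backup_codes(n: int = 10) -> list:
    """Ten random single-use codes, as the article recommends generating."""
    return [secrets.token_hex(4) for _ in range(n)]   # 8 hex characters each


def hash_backup_code(code: str) -> str:
    """Store only hashes server-side, so a database leak does not leak the codes."""
    return hashlib.sha256(code.encode()).hexdigest()


def redeem_backup_code(stored_hashes: set, code: str) -> bool:
    """Consume a backup code: valid exactly once, then removed from the set."""
    digest = hash_backup_code(code)
    if digest in stored_hashes:
        stored_hashes.discard(digest)
        return True
    return False


if __name__ == "__main__":
    # RFC 6238 Appendix B test secret (ASCII "12345678901234567890").
    rfc_secret = b"12345678901234567890"
    print(totp(rfc_secret, 59))                 # 287082, the last six digits of the RFC's 94287082
    print(totp(rfc_secret, int(time.time())))   # what the app would show right now
    codes = new_backup_codes()
    vault = {hash_backup_code(c) for c in codes}
    print(redeem_backup_code(vault, codes[0]), redeem_backup_code(vault, codes[0]))  # True False
```

The important property for users is visible in `totp`: the code depends only on the shared secret and the clock, so the phone needs no network connection, and a code phished from you is worthless 30 seconds (plus the skew window) later. The backup codes are what saves you when the phone is lost, which is why they should be printed and kept separately from it.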

The positive aspect of the announcement is that Reddit has jumped straight to app-based 2FA, eschewing the widely offered but weaker SMS text-message codes, which can be intercepted in transit or captured by SIM-swap attacks, and which many sites still rely on.

It’s just a pity it’s taken so long. Pioneer Google first offered multi-factor authentication (called two-step verification) as long ago as 2011, as did Facebook (Login Approvals), both after noticing increases in attacks fuelled by weak passwords, password re-use and phishing attacks.

Twitter and Microsoft added the same in 2013 (login verification), while even Instagram and WhatsApp had it by 2016 and 2017, respectively.

A turning point for Reddit was the 2016 incident when a hacker broke into moderator accounts and defaced subreddits. This drew attention to the weakness of securing accounts using passwords alone – which some speculated might have been the point of the attack.

After eventually resetting the passwords on 100,000 accounts, the company admitted it was looking at implementing 2FA. As it said at the time:

Reddit itself has not been exploited, but even the best security in the world won’t work when people are reusing passwords between sites.

Equally, enabling 2FA will only make a difference to security if people bother to activate it.

A week ago, a Google engineer admitted that fewer than 10% of its Gmail users had bothered to turn on its 2-step verification security – and that’s after seven years in which the company has nagged its users relentlessly to do this.

It’s possible that users have grown weary of having to enable 2FA on lots of sites, but apps like Google Authenticator (which holds the secrets for multiple sites in one place) are one way to streamline this.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/E5OLiYS8Q3w/

Spy vs. Spy – “Cozy Bear” election hackers undone by hackable security camera

The Dutch public broadcaster, NOS, just published a fascinating flag-waving Spy vs. Spy story about how the Dutch intelligence services helped the US fight off cyberattacks during the last US elections.

The article, entitled Hackteam AIVD gaf FBI cruciale info over Russische inmenging verkiezingen (Dutch Intelligence hacking team gave FBI vital information about Russian election interference), presents a timeline of what you might call counter-hacking starting back in 2014.

[There’s an English version of the article online, but it’s a rewrite, not a translation.]

One of the claims made is that the Dutch counter-hackers were able to infiltrate a Russian cybergang known as Cozy Bear and keep an eye on them.

And when we say “keep an eye on”, we mean it quite literally.

Apparently, the Dutch penetrated a security camera in the corridor leading to the hackers’ office, giving the counter-spies a view of everyone who came and went – information that was shared with US intelligence.

The Cozy Bear crew, it seems, didn’t realise that they’d been counter-hacked and betrayed by their own network.

NOS continues by saying that there were “about 10 people” in the Cozy Bear group, an imprecision that suggests either that the hacked camera didn’t have very good image quality, or that some of the group worked off-site.

Nevertheless, it’s an almost delightful irony that the hackers’ own security precautions were turned against them.

Two-faced CCTV cameras are, sadly, not a new topic on Naked Security.

The current trend to “internetify” as many devices as possible – what’s known as the IoT, or Internet of Things – is happening at such a dramatic (and competitive) rate that security often takes a back seat, or even no seat at all.

We’ve written about security blunders in IoT products from dolls to sex toys; from light bulbs to kettles; from routers to printers – and many other IoT devices, too.

What to do?

We don’t know exactly how the Dutch hacking team took over the camera in this story – it could have been via a security flaw in the camera itself, via the software that controlled the camera, or via some other related compromise on the hackers’ network.

But if you are planning on plugging in anything such as an internet enabled camera, thermostat or light switch at home, here are some tips to help you get started as safely as you can:

  • Make sure your device has been updated to the latest firmware. Firmware refers to the combined operating system plus software bundle that controls the device itself, usually stored on flash memory inside the unit. Vendors are supposed to ship security patches from time to time; these are usually applied by downloading them to your desktop or laptop computer and using a special app to “burn” them to the device. Find out your model number and check the vendor’s download pages regularly.
  • Make sure any remote access features are turned off before you go live. Many IoT devices come with a management app you can run on your desktop or laptop computer, so hunt around through the configuration options looking for any features to do with “remote administration”. Ideally, your IoT devices should be set up so they can be configured only from inside your network. That way, crooks have to break into your network and then into the device, instead of being able to hack away at the device itself remotely.
  • Make sure you’ve changed default passwords and chosen decent replacements. Many IoT devices come with default login credentials such as root/root, admin/admin, and other combinations that are widely circulated on the internet. Don’t make it easy for the crooks: learn how to pick a proper password.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/nLkHznKSuV8/

Acronis: Ransomware protection! Get yer free ransomware protection!

Acronis has released a free, standalone version of its Acronis Ransomware Protection with AI-based Active Protection tech.

It can be used alongside existing backup and antivirus products on Windows systems.

The lightweight (20MB) software runs in the background and is said to monitor system processes in real-time to automatically detect and stop any ransomware attacks. When one is detected, it blocks the malicious process and notifies the user with a pop-up. It also facilitates the instant recovery of affected files.

Acronis says the software uses behavioural heuristics enhanced by machine-learning models, which are generated by analysing hundreds of thousands of malicious and legitimate processes in Acronis’s Cloud AI infrastructure.

The models are directly incorporated into the free product; it doesn’t need an internet connection to run. We’re told it’s effective at defeating all ransomware strains, including zero-day attacks that signature-based solutions cannot detect.
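Acronis does not publish its heuristics, so as an added example (not Acronis’s code or model) here is the shape of the behavioural signals a monitor like this scores: one process rewriting many user files with ciphertext-like, high-entropy content, renaming them to a new extension, and touching a decoy file that no legitimate program has a reason to open. It runs over constructed event records, not real telemetry; the paths, process IDs and canary location are made up:

```python
"""A behavioural ransomware heuristic over a stream of file events.

Added example for this article, not Acronis's code or model: it scores the kind
of process behaviour such a monitor watches (mass high-entropy rewrites,
extension changes, touching a decoy file) over constructed events, not real
telemetry. Paths and the canary location are hypothetical.
"""
import math
import os
from collections import defaultdict

CANARY = "C:/Users/alice/Documents/~decoy-do-not-open.docx"   # hypothetical honeyfile
CANARY_FILES = {CANARY}
ENTROPY_THRESHOLD = 7.5       # bits per byte; ciphertext and compressed data sit near 8.0
MASS_REWRITE_THRESHOLD = 20   # distinct files rewritten with high-entropy content


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; plain text scores roughly 4 to 5, ciphertext about 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def score_processes(events):
    """events: iterable of (pid, op, path, extra) where op is "write" with
    extra = bytes written, or "rename" with extra = the new path.
    Returns {pid: sorted reasons} for processes that look like ransomware."""
    high_entropy_files = defaultdict(set)
    ext_changes = defaultdict(int)
    reasons = defaultdict(set)
    for pid, op, path, extra in events:
        if path in CANARY_FILES:
            reasons[pid].add("touched canary file")
        if op == "write" and shannon_entropy(extra) >= ENTROPY_THRESHOLD:
            high_entropy_files[pid].add(path)
        elif op == "rename" and os.path.splitext(path)[1] != os.path.splitext(extra)[1]:
            ext_changes[pid] += 1
        # One compressed or encrypted file is normal; dozens, each renamed, is not.
        if (len(high_entropy_files[pid]) >= MASS_REWRITE_THRESHOLD
                and ext_changes[pid] >= MASS_REWRITE_THRESHOLD):
            reasons[pid].add("mass encrypt-and-rename of user files")
    return {pid: sorted(r) for pid, r in reasons.items() if r}


def sample_events():
    """Constructed event stream: pid 4242 behaves like ransomware, pid 1001 is a
    text editor, pid 2002 is an archiver writing a single compressed file."""
    ciphertext_like = bytes(range(256)) * 4        # uniform byte distribution, entropy 8.0
    plain_text = b"Quarterly report, draft three. Nothing to see here.\n" * 20
    events = []
    for i in range(25):
        doc = f"C:/Users/alice/Documents/report{i}.docx"
        events.append((4242, "write", doc, ciphertext_like))
        events.append((4242, "rename", doc, doc + ".locked"))
    events.append((4242, "write", CANARY, ciphertext_like))
    for i in range(3):
        events.append((1001, "write", f"C:/Users/alice/Documents/notes{i}.txt", plain_text))
    events.append((2002, "write", "C:/Users/alice/Downloads/photos.zip", ciphertext_like))
    return events


if __name__ == "__main__":
    for pid, why in score_processes(sample_events()).items():
        print(pid, why)   # 4242 ['mass encrypt-and-rename of user files', 'touched canary file']
```

A product would feed these signals into a trained model rather than fixed thresholds, and would also need the recovery half of the story: a copy of each file taken before the suspicious process was allowed to write to it, which is what makes the “instant recovery of affected files” possible.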

It comes with a cloud backup capability and every user receives 5GB of free Acronis Cloud storage.

You can use KnowBe4’s RanSim ransomware simulator to test the software. Acronis blogs about it here.

+Comment

This is a nifty marketing initiative by Acronis. Who would not like a free anti-ransomware tool if it is any good? Find out more here.

Pity it’s only available for Windows 7 SP1, 8, 8.1, and 10 systems.

Download the software here, no registration required. ®

Sponsored:
Minds Mastering Machines – Call for papers now open

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/26/acronis_offers_free_ransomware_protection/

Matryoshki of news: Tech giants flash code to Russia, Dutch hack Kremlin spies, and more

Roundup Technology companies can’t decide whether to take Russian money or run from it – not that they’ve ever been much good at turning down cash.

McAfee, SAP, and Symantec, which make software used by the US government, allowed Russian authorities to scan their source code for backdoors and other flaws, according to Reuters on Thursday, as has HPE.

Like China and other nations, the Russian government requires a look under the hood before it will consider spending cash on enterprise software as the applications could be compromised.

The fear is that foreign governments may stash backdoors in the code, effectively turning the apps into bugs – as in, spying bugs. Look no further than the US government, which refuses to run software from Moscow-based Kaspersky on its machines over concerns the antivirus tools can be abused to beam Uncle Sam’s secrets to the Kremlin. Kaspersky denies any impropriety.

Knowing that Russian officials have potentially glimpsed exploitable security bugs in applications used by US government departments will freak out American officials.

This is, don’t forget, the same Russian government implicated in the compromise of government agency networks, and the 2016 presidential election, in the US.

McAfee, SAP, and Symantec, along with Micro Focus which took over ArcSight, the HPE product audited, told Reuters that the code reviews were done under controlled conditions. No code was allowed to be copied, taken away, or altered by the Russians, we’re told.

Evidently aware of the downsides, McAfee and Symantec are said to have stopped code reviews and Micro Focus is said to have limited them substantially. Research firm IDC last year put the value of the technology market in Russia at $18.4bn, so don’t expect all cooperation between tech suppliers and the Kremlin to end.

Reuters noted it had no evidence of Russia exploiting any programming blunders found in the applications’ source code.

Dutch government ‘hacked’ Putin’s spies

Incidentally, when US intelligence agencies said they believed Russia to be behind election-related hacking and meddling, that conclusion was supported by information from AIVD, the Dutch intelligence service.

According to de Volkskrant, AIVD in 2014 had established surveillance on Cozy Bear, the Russian state hacking group, and observed its efforts to attack the US Democratic Party’s email systems and American government servers.

AIVD was, we’re told, able to compromise security cameras surrounding the building used by the Cozy Bear crew, to look out for known Russian spies entering the joint. The Euro snoops duly tipped off the FBI that something was afoot.

“Hackers from the Dutch intelligence service AIVD have provided the FBI with crucial information about Russian interference with the American elections,” reports the Dutch daily newspaper.

“For years, AIVD had access to the infamous Russian hacker group Cozy Bear … AIVD [became] witness to the Russian hackers harassing and penetrating the leaders of the Democratic Party, transferring thousands of emails and documents.

“It won’t be the last time they alert their American counterparts. And yet, it will be months before the United States realize what this warning means: that with these hacks the Russians have interfered with the American elections. And the AIVD hackers have seen it happening before their very eyes.”

Social media giants answer burning questions

Meanwhile, Facebook, Google, and Twitter on Thursday responded to questions from US Senate lawmakers looking into Russia spreading disinformation on social media to divide America during the 2016 White House race.

These companies, which sold ads to Russian buyers, some linked to the Kremlin, have been wrestling with how they can keep selling ads to allcomers without selling out US citizens in the process.

Asked whether it might consider requiring disclosures for bot accounts as a potential mitigation for social media manipulation, Sean Edgett, acting general counsel at Twitter, suggested too many false-positives would occur because so many tools can be used to automate posts.

“It is important to note, moreover, that not all automation is malicious,” he said.

Facebook general counsel Colin Stretch meanwhile insisted it is closing holes in its ads system that allowed hate-based advert targeting, and has added thousands of reviewers to help review content flowing through its system.

He also acknowledged that Russian trolls had used Facebook to create 129 real-world events, like an anti-immigrant, anti-Muslim rally in Idaho, for which a total of 62,500 people said they planned to attend.

“We do not have data on the realization of these events” he said.

But if you were to look through corporate ledgers, you could probably find the money.

Finally, Stretch was asked about Facebook offering Kaspersky antivirus tools to its social network addicts, so they can clean up any malware infections. Stretch replied: “We no longer make available Kaspersky’s anti-virus software to people with infected devices.”

However, Facebook will continue to use some Kaspersky tools internally that alert engineers to emerging online threats. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/26/tech_russia_source_code_dnc_hack/

Bitcoins stored in DNA – when truth is stranger than fiction

Here’s an intriguing cryptocoin story – one that was three years in the hatching.

At the World Economic Forum Annual Meeting in 2015 – you probably know it as “Davos”, because that’s where it’s held – a biomedical researcher called Nick Goldman gave what you might call an improbable paper.

Goldman’s academic papers tend to have names such as More on the Best Evolutionary Rate for Phylogenetic Analysis and Maximum likelihood inference of small trees in the presence of long branches.

(We needed a research sabbatical just to figure out the titles. Turns out that second paper is about statistics, not arboriculture.)

But Goldman’s Davos 2015 paper was rather different, in a cool sort of way: he was at Davos to promote the idea that DNA – the funky spiral molecule that encodes life as we know it – can also be used as a reliable medium for long-term data storage.

If that sounds like a weird idea, it is – and you may be wondering how it could ever turn into anything more than an overpriced intellectual pretension and the prestige of a speaking gig at Davos.

Where did all that data go?

There’s more to it than just showing off, however, namely that we don’t yet have any truly reliable long-term data storage system – not even for tiny amounts of data.

Sure, we have rock carvings, cave paintings, even books, that have already survived hundreds, thousands, tens of thousands of years.

Perhaps that’s an existence proof that we already know how to keep things safe for millennia?

But – it seems rather feebly tautological to say this, but it’s important – we only have the ones we still have, by accident rather than by design.

Most of the data from yesteryear has vanished for ever, worn away by wind and water, leached by corrosive minerals, burned by censors, lost through carelessness, or simply rotted away.

We have a lot more data we want to store these days – all those Bitcoin transactions in the ultra-redundant copies of the blockchain, for a start – and yet we still don’t have a long-term storage medium we know we can rely on.

Who can be sure how long CDs will really last, for example?

Will those backups you burned in 1999 actually last for 100 years, assuming someone still has the software to read the files on them? (CDs only came out in 1982, so no one has done this yet.)

How long will hard drives keep their magnetism?

How long until your flash drives lose their electrons and your data turns into digital detritus?

We can store truly huge amounts of data for quite a long time, but we may be unable to store even quite modest amounts for a truly long time.

This issue is entirely relevant to computer security, which operates under the so-called holy trinity of confidentiality, integrity and availability – or, more alliteratively, secret, safe and sound.

What about DNA?

DNA molecules don’t last for ever, to be sure, but we can make reliable estimates of how long they can last if stored in modestly controlled conditions – estimates that are helped by the fact that we have natural DNA samples that we can still sequence, and that are very ancient indeed.

DNA is also compact, and can be fairly reliably copied, making multiple redundant backups rather easy: once you’ve converted your precious data into a beaker of DNA dust, you will have zillions of copies of your data, all mixed up together.

Give 1000 different people a scoop of your data dust to take away, and you’ve figuratively, if not quite literally, scattered your data around the globe for safe keeping.

As long as it’s encoded consistently, so it can be strung back together reliably, and as long as it is encrypted if you want to keep the contents private (or not, if you want to distribute it as an anti-censorship measure)…

…data encoded as nucleotide sequences might be just the sort of archival system that the world has been wanting for years.

Free cryptocurrency!

Anyway, back to Davos 2015.

By way of adding a memorable keepsake to his 2015 presentation, Goldman took BTC 1 (one bitcoin, then worth about $200), encoded its private key into synthetic DNA dust, and gave each delegate their very own copy of the bitcoin, sealed in a sample tube:

In the sort of challenge that techies love to do “because they can”, Goldman said that if anyone could read out the bitcoin within three years, they could keep it.

(Actually, he couldn’t have stopped anyone taking said Bitcoin after reading the DNA molecules – once you get the private key, you have the cryptographic secret needed to spend it, and that’s that.)

Here is the aforementioned Bitcoin now:

As you can see, someone spent it!

And that’s because Sander Wuyts, who describes himself as a computational microbiologist and “a real DNA-junkie”, completed Nick Goldman’s proof-of-concept challenge.

Nearly three years after Goldman wrote his data out into the DNA sample, Wuyts managed to read it back – just in time to spend the hidden bitcoin himself.

Given the meteoric rise in BTC’s value in the last year, Wuyts ended up with much more than just a $200 keepsake.

Note that this wasn’t a cryptographic challenge. Goldman himself scrambled the input data with what he called a “random keystream”, and some reports have taken this to mean that Wuyts had to crack a cipher to beat the challenge, and thus that this was a cryptographic puzzle. In fact, there was no encryption involved – we’re assuming the randomisation phase of the data processing was simply to ensure that repetitive chunks of input data didn’t cause overly repetitive molecular structure in the DNA. We are guessing that having “more random” nucleotide sequences in the DNA increases its longevity and improves the reliability of sequencing it to read out its contents. The “random key” part was a detail of encoding, not of encipherment.
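To make the two points above concrete (a consistent encoding that can be strung back together, and a scrambling step that is not encryption), here is an added example, not Goldman’s or Wuyts’s actual scheme: a plain two-bits-per-base mapping, with an XOR pass driven by a PRNG seeded with a public constant standing in for the “random keystream”. Because the seed is public, anyone can undo the scrambling; all it buys is that an input full of zero bytes no longer turns into 128 consecutive A’s, the kind of homopolymer run that synthesis and sequencing handle badly. The 32-byte input is a constructed placeholder, not a real private key:

```python
"""Encode bytes as a nucleotide string and read them back, with a
de-repetition scrambling pass.

Added example for this article, not Goldman's or Wuyts's scheme: a plain
2-bits-per-base mapping, with XOR scrambling by a publicly seeded PRNG
standing in for the "random keystream". The seed is public, so this is
encoding, not encryption.
"""
import random

BASES = "ACGT"                          # A=00, C=01, G=10, T=11
INDEX = {base: i for i, base in enumerate(BASES)}
PUBLIC_SEED = 2015                      # hypothetical, and deliberately not secret


def scramble(data: bytes, seed: int = PUBLIC_SEED) -> bytes:
    """XOR with a deterministic keystream; self-inverse. Breaks up runs of
    identical bases, provides no secrecy (random.Random is not a CSPRNG and
    the seed is published alongside the data)."""
    rng = random.Random(seed)
    keystream = bytes(rng.getrandbits(8) for _ in data)
    return bytes(a ^ k for a, k in zip(data, keystream))


def to_dna(data: bytes) -> str:
    """Each byte becomes four bases, most significant pair first."""
    return "".join(BASES[(byte >> shift) & 0b11] for byte in data for shift in (6, 4, 2, 0))


def from_dna(seq: str) -> bytes:
    if len(seq) % 4:
        raise ValueError("sequence length must be a multiple of 4 bases")
    out = bytearray()
    for i in range(0, len(seq), 4):
        byte = 0
        for base in seq[i:i + 4]:
            byte = (byte << 2) | INDEX[base]
        out.append(byte)
    return bytes(out)


def longest_homopolymer(seq: str) -> int:
    """Length of the longest run of a single base (long runs sequence badly)."""
    best = run = 0
    for i, base in enumerate(seq):
        run = run + 1 if i and seq[i - 1] == base else 1
        best = max(best, run)
    return best


def encode(data: bytes, seed: int = PUBLIC_SEED) -> str:
    return to_dna(scramble(data, seed))


def decode(seq: str, seed: int = PUBLIC_SEED) -> bytes:
    return scramble(from_dna(seq), seed)


if __name__ == "__main__":
    # Constructed 32-byte placeholder for a private key; the worst case for
    # repetition is all zeros, so that is what we encode.
    secret = b"\x00" * 32
    raw = to_dna(secret)
    scrambled = encode(secret)
    print(len(raw), "bases, longest run unscrambled:", longest_homopolymer(raw))   # 128 bases, run 128
    print("longest run scrambled:", longest_homopolymer(scrambled))
    print("round trip ok:", decode(scrambled) == secret)                          # True
```

Real DNA storage codes do more than this (Goldman’s published 2013 scheme used a base-3 rotating code that forbids two identical consecutive bases outright, plus overlapping fragments and addressing so the strands can be reassembled in order), but the division of labour is the same: the keystream is an encoding detail, and if you actually want the contents private you encrypt before this step with a key you keep.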

DNA disk drives any time soon?

Don’t get too excited just yet.

Wuyts just happened to have access to state-of-the-art genome sequencing gear, a coterie of DNA experts, and the financial sponsorship of the company that made the sequencer he used, presumably because of the neat publicity they could expect if he were to succeed. (Sequencers are expensive to run as well as to buy.)

Nevertheless, as a proof-of-concept, it’s a fascinating outcome.

Was it really the sort of issue that you might expect the World Economic Forum to consider?

Not really: we’re not going to see falling sea levels, soaring economies and clean water for everyone as an outcome of this.

But no matter how sceptical you might be of solving “developed world problems” of this sort…

…we really don’t have a known-good way of storing our precious data for future centuries, even though we’re talking of going to Mars.

We apologise if you were expecting a plain-English explanation of the computer science parts of the DNA encoding used here. In this article, we wanted to focus on the why of the challenge, rather than the how. If you’d like to see a follow-up that looks at the algorithmic aspects of this story, please let us know in the comments below and we’ll see what our Editor-in-Chief thinks of the idea…


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/fnbw5w2l9R0/

Perv raided college girls’ online accounts for nude snaps – by cracking their security questions

Jonathan C. Powell, who hacked into over 1,000 email accounts in search of sexually explicit images and videos of college-aged women, was jailed for six months for computer fraud, the US Department of Justice said on Thursday.

Arrested in November, 2016, Powell, a resident of Phoenix, Arizona, pleaded guilty last August in a New York court to accessing email accounts without authorization at two universities: Pace University in New York, and another unnamed university in Pennsylvania.

Powell’s hacking consisted of abusing the universities’ web-based password reset mechanism for student email accounts. According to prosecutors’ court filings [PDF], staff at one of the universities realized someone was slamming the password reset functionality, and hired a computer forensics firm to investigate. That biz found the reset utility had been accessed from a device issued to Powell 18,640 different times between October 2015 and September 2016.

“During that time frame, those Reset Utility accesses resulted in approximately 18,600 attempted password changes in connection with approximately 2,054 unique [Pace] email accounts, and approximately 1,378 successful password changes in connection with approximately 1,035 unique [Pace] email accounts,” explained FBI special agent Christopher Merriman in the complaint.

The university’s account reset process at the time required answering two security questions from a list of questions presented to the person activating the account.

Court documents do not reveal how Powell managed to guess over a thousand security questions correctly. But a LinkedIn account for Jonathan C. Powell in Phoenix, Arizona, that matches educational details cited in court documents suggests a possible explanation: he appears to have worked as a financial recruiter for staffing firm Robert Half.

His work experience may have provided insight into how to find answers to common security questions.

High school

According to Merriman’s account, the tablet Powell used for his scheme exhibited a pattern of “searching for biographical information about an individual victim” and then “leveraging that information to gain access to the individual victim’s email accounts via password reset utilities – for example, questions about the individual’s high school mascot and the names of the individual’s grandparents.”
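The numbers in the complaint (18,640 accesses from one device, 2,054 distinct accounts) are exactly the signals a reset utility should have alerted on long before a forensics firm was called in. As an added example (not Pace University’s or the forensics firm’s tooling), here is that detection run over constructed log lines in a made-up format: it flags a client device that makes a burst of reset attempts inside a sliding window, or that resets an implausible number of different accounts, and it reproduces the per-device summary the FBI agent quotes:

```python
"""Flag abuse of a self-service password-reset utility from its access log.

Added example for this article, not Pace University's or the forensics firm's
tooling. It runs over constructed log lines in a made-up format and alerts on
the two signals the complaint describes: a burst of reset attempts from one
client device, and one client resetting an implausible number of different
accounts.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed format: "<ISO timestamp> client=<device id> account=<user> result=<ok|fail>"
# dev-a11 plays the suspect tablet; dev-b22 is a student resetting their own password.
SAMPLE_LOG = """\
2016-09-01T08:00:00 client=dev-a11 account=student01 result=fail
2016-09-01T08:00:40 client=dev-a11 account=student01 result=ok
2016-09-01T08:01:30 client=dev-a11 account=student02 result=fail
2016-09-01T08:02:10 client=dev-a11 account=student03 result=ok
2016-09-01T08:03:00 client=dev-a11 account=student04 result=fail
2016-09-01T08:03:50 client=dev-a11 account=student05 result=fail
2016-09-01T08:04:30 client=dev-a11 account=student06 result=ok
2016-09-01T08:05:20 client=dev-a11 account=student07 result=fail
2016-09-01T09:15:00 client=dev-b22 account=student42 result=fail
2016-09-01T09:16:10 client=dev-b22 account=student42 result=ok
"""


def parse_line(line: str):
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["client"], kv["account"], kv["result"]


def detect_reset_abuse(lines, window=timedelta(minutes=10), max_attempts=5, max_accounts=3):
    """Return {client: sorted reasons} for clients that exceed either threshold.
    Attempts are counted in a sliding window; distinct accounts over the whole log,
    because a patient attacker spreads them out."""
    recent = defaultdict(deque)
    accounts = defaultdict(set)
    alerts = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        ts, client, account, _ = parse_line(line)
        q = recent[client]
        q.append(ts)
        while ts - q[0] > window:          # drop attempts that fell out of the window
            q.popleft()
        accounts[client].add(account)
        if len(q) > max_attempts:
            alerts[client].add(f"burst: more than {max_attempts} attempts in {window}")
        if len(accounts[client]) > max_accounts:
            alerts[client].add(f"breadth: more than {max_accounts} distinct accounts")
    return {c: sorted(r) for c, r in alerts.items()}


def summarize(lines):
    """Per-client (attempts, distinct accounts, successful resets): the three
    figures the FBI complaint quotes for the suspect device."""
    stats = defaultdict(lambda: [0, set(), 0])
    for line in lines:
        if not line.strip():
            continue
        _, client, account, result = parse_line(line)
        s = stats[client]
        s[0] += 1
        s[1].add(account)
        s[2] += result == "ok"
    return {c: (attempts, len(accs), ok) for c, (attempts, accs, ok) in stats.items()}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(summarize(lines))               # {'dev-a11': (8, 7, 3), 'dev-b22': (2, 1, 1)}
    for client, why in detect_reset_abuse(lines).items():
        print(client, why)                # only dev-a11 is reported
```

Rate-limiting and alerting are the cheap fix; the expensive one is the design flaw itself, which is that a security question whose answer (high school mascot, grandparents’ names) can be looked up is not a second factor at all. A reset flow that sends a single-use link to a verified address or phone, or requires an authenticator code, removes the thing Powell was guessing.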

The Register asked a Robert Half spokesperson for comment but we’ve not heard back.

In any event, having obtained access to students’ university email accounts, he was then able to obtain access to online accounts for other services, including Apple iCloud, Facebook, Google, Linkedin, and Yahoo!, using the same technique.

Powell’s interest in all this was obtaining private sexually explicit photos, which people apparently store in their email accounts without much thought about security. It’s not immediately clear why the large number of such images on the internet did not suffice.

In a statement, Geoffrey S. Berman, the United States Attorney for the Southern District of New York, said: “No college student should have to fear that personal, private information could be mined by strangers for potentially compromising material.”

According to the US Department of Justice, the probe revealed that Powell had compromised 15 email accounts at the unidentified Pennsylvania university. And in a statement made to investigators after his arrest, Powell is said to have admitted accessing email accounts without authorization at several other schools in Arizona, Florida, Ohio and Texas.

Merriman’s statement in the complaint indicates that the device used by Powell “accessed student directories and login portals associated with more than 75 other colleges or universities located in various locations across the United States.”

In addition to his six-month sentence, Powell faces two years of supervised release and restitution of $278,855. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/25/college_nude_selfie_hacker_jailed/

Here we go again… UK Prime Minister urges nerds to come up with magic crypto backdoors

UK Prime Minister Theresa May has reiterated calls for a special magic version of encryption to be developed by technologists so law enforcement can access everyone’s communications on demand – and somehow engineer it so that no one else can abuse this backdoor.

Speaking at the World Economic Forum (WEF) in Davos, Switzerland, May today talked extensively about the benefits and dangers of technology (quick version: tech in business: good; tech in society: bad) and returned again to the issue of extremist content swirling around platforms like Facebook, arguing that more rules and laws were needed.

As part of that push, however, May ended up repeating the same message that politicians in both the US and UK have been pushing for over a year: that tech companies have to find a way to flip mathematics itself for the convenience of security services.

“We need cross-industry responses because smaller platforms can quickly become home to criminals and terrorists, ” May said, even picking on a minor player in the market – Telegram, an encrypted messaging app. “We have seen that happen with Telegram. And we need to see more co-operation from smaller platforms like this.”

She then threatened to use her pulpit to apply social pressure: “No-one wants to be known as ‘the terrorists’ platform’ or the first choice app for paedophiles.”

At the heart of the issue is software using truly end-to-end encryption – where not even the biz that developed the app is able to read messages sent between users. Governments fear that such applications will be used by extremists to plot attacks on Western targets without tipping off the intelligence agencies. Similarly, devices these days use tough filesystem encryption so not even the manufacturer can decrypt the data on demand without the password or passcode.

However, as technologists have consistently pointed out, there is no mathematical way to introduce a backdoor in a system to allow access to one particular group that cannot also be discovered and accessed by a different group. Whatever mechanism the Feds can use, hackers and criminals can potentially eventually use, too.

Same old

Just as May has reiterated the calls she first made as UK Home Secretary, and just as her current Home Secretary Amber Rudd has insisted that government agents be given access to people’s private encrypted messages, so the issue has again reared its head on the other side of the Atlantic.


New FBI director Christopher Wray gave a speech earlier this month in which he outlined his views on encryption. And it was more of the same.

Companies “should be able to design devices that both provide data security and permit lawful access with a court order,” he argued. And, reiterating the exact same wording of his predecessor, Wray also swore that he was “not looking for a backdoor.”

But when he went on to describe what he did want – “the ability to access the device once we’ve obtained a warrant from an independent judge” – it was pretty much indistinguishable from a backdoor.

In another go around the roundabout, Wray’s comments sparked a letter [PDF] today from Senator Ron Wyden (D-OR) in which the lawmaker lambasted the g-man for “parroting the same debunked arguments espoused by your predecessors, all of whom ignored the widespread and vocal consensus of cryptographers.”

“I would like to learn more about how you arrived at and justify this ill-informed policy proposal,” wrote Wyden. “Please provide me with a list of the cryptographers with whom you’ve personally discussed this topic … and specifically identify those experts who advised you that companies can feasibly design government access features into their products without weakening cybersecurity.”

Don’t hold your breath, Ron.

The insistence by politicians and prosecutors that there is a way to both have a backdoor and not have a backdoor has been put forward so frequently that experts have even come up with a term to summarize it: magical thinking.

Flattery

Faced with the magical thinking argument, those who want exclusive access to people’s communications and documents regardless have come up with their own pat response: passive-aggressive flattery.

It was there in spades in May’s speech this week: “These companies have some of the best brains in the world. They must focus their brightest and best on meeting these fundamental social responsibilities.”

So what are politicians hoping to achieve by maintaining an impasse: refusing to acknowledge the logical argument against putting a backdoor into encryption while jamming their foot in the door by claiming that the “best brains” can come up with a solution?

In all likelihood, they are waiting on a change in public mood.

The reason that fully encrypted apps exist – and are even made available by huge, consumer-focused companies like Apple and Facebook – is because of public fury over mass surveillance revealed by former NSA techie Edward Snowden back in 2013.

When it became clear that the US and UK governments (among others) were tapping everyone’s communications through a “gather it all” philosophy, a huge market opened up for people who want to be able to communicate in private without the sense that the government was keeping an eye on everything they said.

Downloads of privacy protecting apps like Signal and WhatsApp rocketed – even among ordinary folk – giving those developers a far greater profile and allowing them to edge toward the critical tipping point where so many of your friends and family already have the same app that there is little or no barrier to using it as a default.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/25/uk_prime_minister_encryption/

Ransomware Detections Up 90% for Businesses in 2017

Last year, cybercriminals shifted from consumer to enterprise targets and leveraged ransomware as their weapon of choice.

Ransomware became the fifth-most-common threat for businesses in 2017, with detections up 90% on the previous year. Consumers were hit hard too: consumer detections rose 93% year-over-year, reports Malwarebytes.

The company today released its “2017 State of Malware Report,” which highlights trends based on telemetry data collected from products between January and November 2016, and January and November 2017. Analysts also pulled data from the company’s threat-facing honeypots in 2017 and combined this with their own observations and analysis.

“2016 was the year of ransomware for consumers,” says Malwarebytes CEO Marcin Kleczynski in an interview with Dark Reading. “2017 was the year of ransomware for businesses.”

Malwarebytes’ findings support a growing body of research highlighting the 2017 ransomware spike. The Online Trust Alliance (OTA) states attacks targeting businesses nearly doubled from 82,000 in 2016 to 159,000 last year. Ransomware attacks hit 134,000 in 2017 — double the 2016 count — and were the primary driver for the overall growth in cybercrime.

In its “2017 Global Threat Intelligence Report,” NTT Security found 77% of all detected ransomware was in four industries: business and professional services (28%), government (19%), healthcare (15%), and retail (15%). Ransomware-related incidents were the most common, at 22%, and made up half of all attacks targeting the healthcare industry.

Malwarebytes researchers also noticed criminals got creative with delivery methods. Leaked government exploits — such as EternalBlue, used in WannaCry — in addition to compromised update processes and increased geo-targeting were used to evade detection.

Development of exploit kits hit a standstill last year. Analysts didn’t detect any new zero-day exploits used by any exploit kits in the wild. It’s a “significant change” from previous years, in which exploits were the primary method of infection. Cybercriminals are instead focusing on evading detection and integrating multiple exploits into Microsoft Office documents.

Attackers started leveraging cryptocurrency mining for financial gain and using victims’ system resources to mine currencies. Tactics include compromised websites serving up drive-by mining code, miners delivered via malicious spam and exploit kit drops, and adware bundlers pushing miners.

Looking Ahead

Ransomware may have been hot in 2017, but, as all trends do, it has started to fade as businesses have smartened up and learned how to protect themselves. “You’re seeing less and less returns, as a criminal,” says Kleczynski of the ransomware slowdown. “It’s now hard to find and infect a company that really gets impacted by ransomware like [the UK’s National Health Service] did.”

Cybercriminals are pivoting toward banking Trojans, spyware, and hijackers to attack enterprise targets and spy, move throughout their networks, and steal data, including login credentials, contact lists, and credit card data. Banking Trojans were up 102% in the second half of 2017.

“The strategy of cybercriminals continues to shift,” notes Kleczynski, adding that hijackers were up 40% overall last year. Spyware detections increased 30%, researchers found.

Looking toward the year ahead, he anticipates the largest incident in 2018 will be on the same level as the Mirai botnet that brought down major websites in October 2016. Mirai was “scratching the surface” on the number of unprotected IoT devices, he says.

“The biggest threat this year, in my opinion, is another Mirai-like attack,” Kleczynski continues. “We’ll see several this year that will take down major websites.”

Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University.

Article source: https://www.darkreading.com/endpoint/ransomware-detections-up-90--for-businesses-in-2017/d/d-id/1330909?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Industrial Safety Systems in the Bullseye

TRITON/TRISIS attack on Schneider Electric plant safety systems could be re-purposed in future attacks, experts say.

No doubt it could have been far worse – even catastrophic. An apparent misstep by the attackers behind the malware now known as TRITON/TRISIS, which was discovered embedded in a Schneider Electric customer’s safety system controller late last year, fortunately caused the attack to fail: two of the plant’s safety instrumented systems (SISes) shut down an industrial process. That outage led to the discovery of the customized backdoor malware in the Middle East industrial plant.

No smoking gun exploit to wreak physical damage in the plant was found, according to Schneider and other investigators who studied the attack. But TRITON/TRISIS exposed yet another breed of systems that attackers can now target to compromise industrial operations, the physical safety control systems – aka SISes – that provide automatic emergency shutdown of a plant process, such as an oil refinery process that exceeds safe temperatures.

“If you want to attack a chemical plant or a refinery that has safety instrumented systems, that’s the best place to start: you can put in a time bomb,” says Eddie Habibi, founder and CEO of ICS security vendor PAS Global. “A SIS is designed to prevent disasters. When it needs to, the SIS kicks in and brings down the plant safely and gradually. If it doesn’t kick in [because it’s been compromised], bad things can happen.”

TRITON/TRISIS joins the annals of game-changer industrial malware attacks like Stuxnet and BlackEnergy3 that ultimately led to sabotaging their targets’ industrial processes: Stuxnet forced centrifuges in Iran’s Natanz nuclear facility to spin out of control and fail, and BlackEnergy3 led to a power outage for 225,000 Ukrainian power customers in December of 2015.

While TRITON/TRISIS was created to target a specific model and firmware version of Schneider’s Triconex Tricon SIS, this type of attack could be retooled to target other major ICS/SCADA vendors’ SIS products and customers, security experts say.

This new reality is not lost on Schneider, nor some of its competitors. “The tradecraft here … the idea now that there is a player with this kind of skill has to be an industry problem,” says Andrew Kling, director of cyber security and software practices for Schneider Electric.

Less than two weeks after the attack first was made public by FireEye, ICS/SCADA vendor ABB issued an advisory for its customers about TRITON/TRISIS. “While currently we have no indication that a similar malware exists which is targeting other safety products, conceptually the attack scheme can also be used against any sufficiently similar safety system, incl. ABB systems,” the ABB advisory said.

ABB also listed security recommendations for its customers to mitigate a similar attack, including segregating ICS networks, installing valid vendor patches to engineering system operating systems, and updating antivirus with new signatures for the malware. 

Siemens’ Harry Brian, product solution and security expert in the company’s digital factory division, points to Siemens’ secure software development lifecycle program, which includes software for its Simatic S7 industrial controllers, Simatic industrial PCs, Simatic Human Machine Systems Interface devices, Simatic PCS7, Scalance network devices, Simatics drives, and its Totally Integrated Automation Portal engineering software. 

Siemens’ SIS family includes the Simatic Safety Integrated for Process Automation system.

“Threats to Industrial Control Systems are taken seriously by Siemens,” Brian said in an email response to questions about Siemens’ view of a TRITON/TRISIS-type threat to its products. He pointed to the company’s internal CERT that fields and handles security vulnerability reports about its products.

“Siemens works in conjunction with several other CERT organizations worldwide to coordinate threat intelligence and security vulnerability information,” he said. Siemens recommends defense-in-depth practices, software-patching, and running up-to-date versions of its products, according to Brian, as a way to protect against threats. Brian did not elaborate on Siemens’ plans or possible concerns about a TRITON/TRISIS-type threat targeting Siemens’ SIS products.

“TRISIS is the first time we’ve seen something that’s gotten to the heart of the engineering department” in operations technology (OT), notes Rob Lee, CEO and founder of Dragos, whose firm has analyzed the TRITON/TRISIS malware. “If you have a safety system, regardless of whether it’s a Triconex or not, you should be asking questions about what you should do” to secure it, he says.

Dean Weber, CTO of IoT security firm Mocana, argues that TRITON/TRISIS’s targeting of plant safety systems should have come as no surprise: Stuxnet and BlackEnergy should have been the wakeup call for the threat of cyberattacks that lead to manipulating physical safety and processes in industrial plants, he says.

“We’ve been screaming about this for years: Stuxnet was the first … piece of code that attacked the safety systems,” says Weber. “It was a compromise of a safety system. The centrifuges were shaking themselves apart … and nobody saw it,” Weber notes. BlackEnergy3 attackers also waged a denial-of-service attack, he notes, on the Ukraine energy firm’s phone system center, which derailed restoration and communications efforts during the power outage.

Easier Ways In

While TRITON/TRISIS exposed another potential attack vector for critical infrastructure providers and industrial networks, there still are simpler ways for attackers to get in. The TRITON/TRISIS hackers had gathered some serious intel to understand the specific SIS running in the victim plant, and then presumably conducted intense reverse-engineering of the Triconex proprietary firmware and communications protocols.

“I think we shouldn’t worry about too many people imitating this type of attack because it requires really high skill of professionals to reverse-engineer everything and write those scripts, those backdoors,” says David Atch, vice president of research at CyberX, who has reverse-engineered the malware sample.

Atch believes the attack was the handiwork of Iranian nation-state hackers, in part due to timestamps he reconstructed from the malware code. Neither Schneider nor other companies that have studied the malware will reveal the victim nor name an attacker, however.

There are simpler ways to wreak havoc on safety systems than TRITON/TRISIS. “The interesting thing about safety and protection systems is they provide an opportunity for very simple, basic denial-of-service attacks,” says Ralph Langner, founder and CEO of Langner Communications. “If your goal is to shut down a plant, there are easier ways to do that than attack the safety systems … not even to attack it, but to trigger a shutdown condition.”

Reid Wightman, a vulnerability analyst at Dragos who has studied the malware, points to other more imminent threats to OT. “A bigger problem is that a lot of networks still have remote access and it’s just a matter of their leaving the network perimeter too porous,” he says. “If an attacker gets onto the network, there’s generally not that much security around the controllers themselves. That’s where I’d be more concerned about protecting, instead of a fairly sophisticated reverse engineering-y, backdoor installer-y, attack” such as TRITON/TRISIS, he says.

Even so, the attackers behind TRITON/TRISIS could strike again, experts say. “It’s very obvious to us they made mistakes in the malware, and the direction they were going was to remove safety logic and not to crash the system,” Dragos’ Lee notes. And it’s likely the attackers eventually will try again since their campaign was found out, he says.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/operations/industrial-safety-systems-in-the-bullseye/d/d-id/1330912?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

This Year’s Pwn2Own Hackfest Will Offer Up to $2 Million in Rewards

Microsoft is a partner at annual contest for the first time.

In a sign of just how much value software vendors have begun attaching to crowdsourced security research, up to $2 million will be up for grabs at the Pwn2Own challenge at the CanSecWest conference in Vancouver, Canada, this March.

The amount is the highest ever offered in rewards at the annual hacking contest. It reflects contributions from VMware and Microsoft, which for the first time will participate as a partner at the event, along with Trend Micro’s Zero Day Initiative (ZDI).

Also for the first time, the Pwn2Own contest will offer a Windows Insider Preview challenge in which participants will have an opportunity to take a crack at prerelease versions of Windows products configured by Microsoft and running on the company’s hardware.

The challenge will use the Windows 10 RS4 (Redstone 4) Insider Preview build as the base platform and give bug hunters an opportunity to match their wits against some of Microsoft’s flagship security technologies.

“Microsoft has been a target before, but they have never participated as a partner,” says Dustin Childs, communications manager for ZDI. “We’re excited to have Microsoft as a partner and VMware as a sponsor for this year’s event. It shows vendors recognize the value provided by the contest,” he says.

The Pwn2Own contest has become something of an annual pilgrimage for many security researchers from around the world. The event gives them an opportunity to win rewards for hacking into widely used technology products using previously unknown exploits. Bugs and exploits that are uncovered in target products at the event are sold or shared with the respective vendors.

Last year, security researchers, many of whom worked in teams, collected over $830,000 in total payouts for discovering various exploits in target products such as VMware Workstation, Microsoft Edge, Google Chrome, Microsoft Hyper-V, and Mozilla’s Firefox. Researchers participating at the event uncovered a total of 51 different zero-day vulnerabilities.

Since Pwn2Own launched in 2007 it has gotten progressively bigger, more formal, and more challenging for hackers. For some vendors the event is a testing ground of sorts, an opportunity to discover security issues in their products before attackers exploit the flaws.

From initially focusing on Web browsers and operating systems, Pwn2Own has broadened to include multiple technologies such as virtualization, cloud, and mobile. Contestants these days need to do a lot more than just find a single vulnerability to win money. Rewards typically require researchers to string together multiple exploits.

“The first Pwn2Own required just one vulnerability to exploit an Apple MacBook,” says Childs. “A successful entry this year will require multiple exploits, sandbox escapes, mitigation bypasses, and other advanced techniques. In other words, it’s much more difficult.”

This year’s event offers contestants targets in five separate categories: virtualization, enterprise applications, Web browsers, servers, and Windows Insider Preview.

This March’s Pwn2Own event expands the virtualization category by adding Oracle’s VirtualBox as a target for contestants. The three challenges that Microsoft will offer as part of its Windows Insider Preview Challenge are also new.

Award amounts in the various categories vary depending on the target and level of difficulty.

For instance, contestants who can successfully execute a certain type of attack against Microsoft’s Hyper-V client can earn up to $150,000 in the virtualization category. A successful sandbox escape exploit on Google Chrome can fetch $60,000, while a Windows Kernel Escalation of Privilege exploit on Edge can garner $70,000. Rewards are higher for server exploits, at $100,000, while any team that can pull off a complete Hyper-V escape in kernel or hypervisor mode can make $250,000.

“This year’s largest awards are reserved for guest-to-host escapes in their various forms,” Childs notes.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/vulnerabilities---threats/this-years-pwn2own-hackfest-will-offer-up-to-$2-million-in-rewards/d/d-id/1330913?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple