STE WILLIAMS

Don’t just grab your CPU bug updates – there’s a nasty hole in Office, too

Patch Tuesday: In case you’ve been hiding under a rock for the entirety of this new year (and we don’t blame you if you have) there are a handful of major security flaws that have been dominating the news, and feature prominently in this month’s Patch Tuesday update load.

First, let’s look at the latest developments in the Meltdown/Spectre saga:

Nvidia, IBM deliver Spectre patches

Nvidia has got around to kicking out graphics driver updates that address the Spectre flaws present in its hardware – for example, here are some patches for Ubuntu. IBM is also due to release Spectre mitigations for its POWER server line today.

Microsoft AMD-bricking Spectre update yanked

Meanwhile, Microsoft has pulled KB4056892, the Windows 10 update carrying its Meltdown and Spectre mitigations, after it was found to be crashing some AMD machines on startup. The Redmond giant now says it is working with AMD to get a compatible patch out ASAP, but in the meantime Athlon machines will not be getting the update. (AMD CPUs are affected by Spectre but not by Meltdown, which primarily affects Intel processors.)

And now back to your regularly scheduled patch headache

The January edition of Microsoft’s Patch Tuesday release is a formidable update in its own right, containing updates for 56 CVE-listed flaws including an actively targeted flaw in Office, and critical vulnerabilities in Edge and Internet Explorer.

Microsoft said that CVE-2018-0802, a remote code execution hole in Office, is already being targeted in the wild. The flaw is triggered when the target opens a malformed Word file in Office or WordPad.

As usual, a good chunk of the CVEs (15 in this case) were for vulnerabilities in the scripting engine used by Edge and Internet Explorer. These flaws, none of which have been targeted in the wild yet, would allow remote code execution by way of a specially-crafted website that triggered a memory corruption error.

One flaw catching the eye of security researchers is CVE-2018-0786, a certificate validation bypass.

“This patch addresses a vulnerability in .NET Framework (and .NET Core) that prevents these components from completely validating a certificate,” explained Dustin Childs from Trend Micro’s Zero Day Initiative.

“This is definitely the sort of bug malware authors seek, as it could allow their invalid certificates to appear valid.”

Another flaw in .NET, CVE-2018-0785, leaves users vulnerable to account hijacking by way of a cross-site forgery attack.

“An attacker who successfully exploited this vulnerability could change the recovery codes associated with the victim’s user account without his/her consent,” said Microsoft.

“As a result, a victim of this attack may be permanently locked out of his/her account after losing access to his/her 2FA device, as the initial recovery codes would be no longer valid.”

In addition to the already-mentioned CVE-2018-0802, Word was the subject of nine other remote code execution and memory disclosure vulnerabilities. Updating Office to close up those holes should be among the top priorities for administrators.

Office for Mac should also be updated, as a spoofing vulnerability (CVE-2018-0819) has been publicly disclosed. Because Outlook for Mac does not properly display or handle email addresses, phishing emails could skip past antivirus and spam filters to appear as genuine.

Grab your Android updates – where available

While we’re on the subject of security bugs, don’t forget to patch your Android devices with this month’s code remedies, if you can. Not every device gets every Android update straight away, if at all.

Last week, amid all the Meltdown and Spectre fanfare, Google published its January batch of updates, which included mitigations against Spectre oversights in Arm processors as well as updates to address 38 other CVE-listed vulnerabilities. These exploitable holes include three remote code execution flaws in the Android media framework, and one in the system software.

Just one Flash fix from Adobe

Meanwhile, the lone update from Adobe this month is for an out of bounds read flaw (CVE-2018-4871) that could allow for information disclosure. No active exploits have been reported. Trend Micro Zero Day Initiative was credited with the discovery. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/09/patch_tuesday/

CPU bug patch saga: Antivirus tools caught with their hands in the Windows cookie jar

Microsoft’s workaround to protect Windows computers from the Intel processor security flaw dubbed Meltdown has revealed the rootkit-like nature of modern security tools.

Some anti-malware packages are incompatible with Redmond’s Meltdown patch, released last week, because the tools make, according to Microsoft, “unsupported calls into Windows kernel memory,” crashing the system with a blue screen of death. In extreme cases, systems fail to boot up when antivirus packages clash with the patch.

The problem arises because the Meltdown patch involves moving the kernel into its own private virtual memory address space. Usually, operating systems such as Windows and Linux map the kernel into the top region of every user process’s virtual memory space. The kernel is marked invisible to the running programs, although due to the Meltdown design oversight in Intel’s modern chips, its memory can still be read by applications. This is bad because it means programs can siphon off passwords and other secrets held in protected kernel memory.

Certain antivirus products drill deep into the kernel’s internals in order to keep tabs on the system and detect the presence of malware. These tools turn out to trash the computer if the kernel is moved out of the way into a separate context.

In other words, Microsoft went to shift its cookies out of its jar, and caught antivirus makers with their hands stuck in the pot.

Thus, Microsoft asked anti-malware vendors to test whether or not their software is compatible with the security update, and set a specific Windows registry key to confirm all is well. Only when the key is set will the operating system allow the Meltdown workaround to be installed and activated. Therefore, if an antivirus tool does not set the key, or the user does not set the key manually for some reason, the security fix is not applied.

In fact, until this registry key is set, the user won’t be able to apply any Windows security updates – not just this month’s patches, but any of them in future. This is bad news. Remember how the infamous WannaCry ransomware spread like wildfire across out-of-date Windows 7 systems last May? Now here’s a load more machines that won’t be updated, ready to be hit by the next malware epidemic.
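As an added example (not code from the article, Microsoft, or any antivirus vendor), the PowerShell below checks whether the compatibility flag is present and, only on explicit request, sets it. The key path and value name are the ones Microsoft documented for this update (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat, value cadca5fe-87d3-4b96-b7fb-a231484277cc as a REG_DWORD of 0). The KB number defaults to the one the article mentions, which is the Windows 10 version 1709 cumulative update; other builds use different KB numbers, so treat that default as an assumption to adjust.

```powershell
# Added example, not from the article or from Microsoft. Checks (and can set) the
# antivirus-compatibility flag that gates the January 2018 Windows security updates.
# Run in an elevated PowerShell session.

$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$ValueName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'   # value name Microsoft documented for this update

function Test-AvCompatKey {
    # $true only when the value exists and is a REG_DWORD equal to 0, which is the
    # condition Windows Update checks before it will offer the patch.
    if (-not (Test-Path -Path $KeyPath)) { return $false }
    $props = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.PSObject.Properties[$ValueName]) { return $false }
    $value = $props.PSObject.Properties[$ValueName].Value
    return ($value -is [int] -and $value -eq 0)
}

function Test-JanuaryUpdateInstalled {
    # KB4056892 is the Windows 10 1709 cumulative update the article mentions;
    # assumption: other Windows builds need their own KB number passed in here.
    param([string]$KB = 'KB4056892')
    return [bool](Get-HotFix -Id $KB -ErrorAction SilentlyContinue)
}

function Set-AvCompatKey {
    # Setting the flag asserts that EVERY kernel-hooking product on this machine
    # (AV, EDR, anti-cheat, backup filter drivers, ...) tolerates the kernel
    # address-space change. Only set it after testing that whole stack.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess($KeyPath, "Set $ValueName = 0 (REG_DWORD)")) {
        New-Item -Path $KeyPath -Force | Out-Null
        New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

# Report the current state.
$flagSet   = Test-AvCompatKey
$installed = Test-JanuaryUpdateInstalled
Write-Host "Compatibility flag set : $flagSet"
Write-Host "January update present : $installed"
if (-not $flagSet) {
    Write-Warning 'Windows Update will withhold this and future security updates until the flag is set.'
    Write-Warning 'Check your AV vendor''s guidance, test the patch, then run Set-AvCompatKey -WhatIf before running it for real.'
}
```

The flag only tells Windows Update that it may install the patch; it says nothing about whether the kernel mitigations are actually active afterwards. Microsoft’s separate SpeculationControl PowerShell module (Install-Module SpeculationControl, then Get-SpeculationControlSettings) reports that, and is the check to run once the update is in.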

Redmond said it was working with anti-malware software vendors to resolve the issue. Compliance so far is patchy, with some antivirus makers in the process of ironing out problems while others have set themselves up in opposition to Redmond’s approach.

Meltdown and its cousin Spectre are processor-level vulnerabilities that allow user-mode code – such as malware or even malicious JavaScript in webpages – to read protected kernel memory, which contains passwords, login cookies and other secrets, or other bits of memory it shouldn’t have access to. Meltdown primarily affects Intel processors. Spectre is a design blunder affecting a range of CPU makers.

In response, operating system developers and cloud providers have released and deployed patches to mitigate or block attacks exploiting Meltdown and Spectre.

Anti-malware vendor SentinelOne slammed Microsoft’s handling of the issue, claiming “this is going to leave millions of endpoints exposed.” SentinelOne is upset that “the responsibility of setting the registry key” is shifted to the AV vendor. “While our testing revealed no incompatibilities, we are unwilling to take on the risk of setting this registry key,” the security software house said.

“This is because our customers may have other software products that use unsupported/undocumented APIs that are incompatible with Microsoft’s latest patches. In such a case, our customers may experience stop errors/system instabilities caused by other products that are not compatible with Microsoft fixes,” SentinelOne staff explained in a blog post.

SentinelOne said it planned to give customers the choice of whether to set the registry key. “While some vendors in the market are taking the approach of checking for incompatible software, we do not believe that this approach can be done in a comprehensive manner,” it concluded. The security firm advised customers to test the patch with its agent and their full stack of software applications before flipping the registry key switch.

Other anti-malware vendors want punters to set the registry key themselves, presumably because it absolves the companies of blame if stuff falls apart post-patch. These include Carbon Black, Palo Alto, FireEye and Cylance. Avast, ESET and Kaspersky, among others, are up and running and setting the registry key, while others, such as Trend Micro and McAfee, are still testing their gear.

Kevin Beaumont, a UK-based infosec guru who has been keeping close tabs on the problem, has put together a spreadsheet on which anti-malware products are setting the registry key, and which are compatible with the Meltdown workaround.

Gremlins

Symantec Endpoint Protection users are advised not to apply Microsoft’s Meltdown fix just yet due to a conflict. “After applying Microsoft Windows Security Updates released on January 3rd, 2018, the Symantec Endpoint Protection (SEP) system tray icon reports there are multiple problems. No errors are reported if the SEP client UI is opened,” Symantec said.

When will Symantec’s update get released? “The UI fix is undergoing QA testing this week and will be released soon,” Symantec product manager Adam Licata told El Reg.

Another problem is that malware detection engines may not be able to set Windows registry keys. “The producer can’t just ‘ship an update that sets the key’,” said antivirus industry veteran Vesselin Bontchev. “They’d have to modify the product, maybe substantially, to add such a capability – and that can’t be done quickly.”

Work on that front is underway, but it adds another complication to an already messy situation.

Industry pundit Graham Cluley is sympathetic about Microsoft’s handling of the potential conflict between its kernel memory redesign to counteract Meltdown, and security software. Anti-virus vendors have little choice but to comply, he said.

“Microsoft is caught between a rock and a hard place on this one,” Cluley wrote in a blog post. “The last thing they want to do is roll out an update that causes computers to crash. It’s a painful decision, but if they can determine which computers don’t appear to be running a ‘safe’ anti-virus program then they’re probably right not to push out security updates to that PC.

“Anti-virus vendors have little choice. They will have to fix their products to fall into line, as customers won’t be satisfied with being blocked from receiving Microsoft security updates.”

Martijn Grooten, editor of industry journal Virus Bulletin and sometime security researcher, reckoned the manual key policy was workable. “I think the manual key approach is justified for vendors with customers who may have multiple AVs running on the same system (more common with next-gens; note that registry key implies all AVs are compatible),” he said.

Beaumont has put together a blog post about Microsoft Meltdown CPU security fixes and antivirus vendors here. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/09/meltdown_patch_anti_malware_conflict/

Threatcare Acquires Savage Security

The deal expands Threatcare’s business beyond its breach and attack simulation platform to include services and applied research.

Vulnerability management platform provider Threatcare announced today it acquired its business partner Savage Security.

The deal, which closed in December, came months after the two companies formed a business partnership. Under the partnership, Threatcare’s Violet breach and attack simulation platform was used with Savage’s Blueprint and Breach Assessment services in which Savage’s clients would simulate attacker actions.

Savage provides security consulting, as well as product testing for vendors and manufacturers. As part of the merger, Threatcare plans to pair Savage’s services with its Violet platform, the company stated.

“Threatcare’s ability to now offer strategic services—in addition to software—enables us to be a one-stop solution for many security teams,” Marcus Carey, Threatcare CEO, said in a statement. Terms of the deal were not disclosed.

Read more about the Savage Security acquisition here.


Article source: https://www.darkreading.com/threat-intelligence/threatcare-acquires-savage-security-/d/d-id/1330781?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

‘Tis the Season: Dark Reading Caption Contest Winners

Bricked devices, penetration tests, and virtual reality were among the themes submitted in our latest holiday caption competition. And the winners are …

Charles E. Davis, Master Sergeant in the Pacific Air Forces Command of the United States Air Force (aka chip1805 on Dark Reading), took the top honors and a $25 Amazon gift card for his hysterical virtual reality-themed cartoon for Name That Toon: ‘Tis the Season, penned below by cartoonist John Klossner.

Second prize — a $10 Amazon gift card — goes to Brett Osborne (InfoSecurityMaster) for FireWALL? I thought you said Pen Test the FirePLACE. When Brett is not entering cartoon caption contests, he works in security management in Florida. 

Many thanks to everyone who entered the contest with all their clever puns and observations, and to our loyal readers who cheered the contestants on. Also a shoutout to our judges, John Klossner and the Dark Reading editorial team: Tim Wilson, Kelly Jackson Higgins, Sara Peters, Kelly Sheridan, Dawn Kawamoto, and yours truly. If you haven’t had a chance to read all the entries, be sure to check them out today.


Marilyn has been covering technology for business, government, and consumer audiences for over 20 years. Prior to joining UBM, Marilyn worked for nine years as editorial director at TechTarget Inc., where she launched six Websites for IT managers and administrators supporting …

Article source: https://www.darkreading.com/cloud/tis-the-season-dark-reading-caption-contest-winners/a/d-id/1330777?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Microsoft: How the Threat Landscape Will Shift This Year

Exclusive interview with Windows Security lead on how 2017 was a “return to retro” security threats and 2018 will bring increasingly targeted, advanced, and dangerous cyberattacks.

Unlike security professionals, who have stressed over digital threats for years, most average consumers didn’t recognize the importance of security until 2017.

“Grandmothers and grandfathers and moms and dads are now aware of cyber intrusions,” says David Weston, principal security group manager for the Windows Enterprise and Security team at Microsoft. “It’s amazing, but it also means we have a lot of work to do.”

In an exclusive interview with Dark Reading this week, Weston shared insight on the threats and trends that were top of mind for Microsoft last year, and what he’s worried about in the new year.

2017: Ransomware, targeted attacks stand out  

Massive cyberattacks WannaCry and NotPetya, which hit major global brands, drove security to the forefront of consumers’ minds. Weston says the two outbreaks topped Microsoft’s list last year. Both used a ransomware worm, which he calls “a hallmark” of 2017 and describes as a sort of “return to retro” that caught the security community off guard.

From a technical perspective, use of a worm on both occasions was “particularly interesting.” During WannaCry, the Microsoft team “learned a ton about where we need to keep investing,” Weston adds. “Bug classes some of us thought were extinct will be key going forward.”

WannaCry symbolizes a level of destruction that Weston predicts will grow as cybercriminals’ goals shift. This doesn’t necessarily mean more targeted attacks, but it does mean threats will become broader and more advanced as threat actors aim to destroy networks.

“Originally attackers focused on stealth,” he says. “They wanted to exfiltrate information while staying quiet … what you’re seeing with WannaCry, they’re potentially using that to send a statement and do more destructive things. It’s a maturity and evolution of targeted attacks.”

Both attacks used an interesting strategy that Weston says has, so far, been overshadowed.

“They’re automating techniques, which you’d see from a red team or adversary, into their malware or implants,” he explains. “You’re in a situation where, after it gets a foothold, the piece of malware is operating like a full-on red team. That’s actually a big challenge.”

In NotPetya, for example, once the threat landed on a machine it would spread, looking for places to move laterally and credentials to steal. It’s part of evolving threat sophistication, says Weston. Hacking platforms like Metasploit and PowerSploit have research to support red teams, but much of that research is accessible to threat actors who are “using it to great effect,” he adds.

“A smart adversary will take advantage of intelligence and use it,” says Weston. “They’re trying to impact as much of the network as possible, and per-incident impact and cost will go way up. You can’t just defend a single machine, you have to look at it holistically, at a network level.”

2018: Rise of supply chain, cryptocurrency attacks

Weston says supply chain attacks are “of grave concern” this year as criminal groups shift their strategy.

“We’re seeing some of the attack groups that used to use zero-days, moving away from watering-hole types of attacks to compromising large websites that might distribute common utility software and putting their implant in there,” he explains.

It’s a growing technique among attack groups: Infect as many people as possible then sift through the victims to find specific targets. Attackers are hitting supply chain software because it’s easy to hide within a process that vendors will associate with something good. In some cases, supply chain software can bypass app control settings and cause problems for defenders.

Take Operation WilySupply, where an attacker was using a compromised update mechanism for a third-party editing tool to deliver malware. While it didn’t use a zero-day, the attack abused the trust relationship involved with software supply chains. Microsoft discovered the attack attempt early last year.

Defending against supply chain attacks will be tough because each software vendor has a different distribution mechanism and signing infrastructure, says Weston. In the past, companies could put software on a “trusted list” if it had a history of being secure. However, he says, businesses have to realize anything can change from good to bad at any time.

“Getting your software sources from centralized locations where possible is one of the practical means for protecting against supply chain attacks,” Weston adds.

Cryptocurrency will be a growing security issue as more people adopt it. Attackers will target machines to cannibalize their resources and focus on cryptocurrencies, which are getting harder to mine in legitimate ways. Wallets will also become popular among hackers.

“Targeting wallets will become more popular as more people dabble in investing in bitcoins and accessing them,” he explains. “If we get to the point where everyone has a wallet on their machine, there’s an opportunity for cybercriminals on every machine.”

Weston says Microsoft is exploring ways to use analytics in Windows and Azure to determine when a machine is using resources in ways it previously hasn’t. Did you take up a lot of storage space overnight? Does this connection come from a trusted IP? Is it being used for spam? Machine learning, he says, can help establish a baseline of what the PC uses and train on it.

He points out sophisticated threat actors are using similar technologies to identify anomalous behaviors. “They can use the same thing to find gaps in our defenses. They can hire capable engineers, they can hire clouds that scale to their needs.” As attackers build their strategies, defenders must do the same.


Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University.

Article source: https://www.darkreading.com/endpoint/microsoft-how-the-threat-landscape-will-shift-this-year/d/d-id/1330782?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Microsoft Patches Exploited Office Bug

An Office memory corruption vulnerability is the only CVE reported as under active attack for this month’s Patch Tuesday.

Microsoft today released its first wave of Patch Tuesday updates for 2018. This included fixes for a total of 56 CVEs affecting Microsoft Windows, Microsoft Office, Internet Explorer, Microsoft Edge, ChakraCore, ASP.NET, and the .NET Framework. One flaw has been exploited.

Of these 56 vulnerabilities, 16 were ranked Critical, 38 Important, one Moderate and one Low severity. Today’s release includes guidance for mitigating speculative execution side-channel vulnerabilities following the news of Meltdown and Spectre attacks.

The exploited bug patched today, CVE-2018-0802, is a Critical remote code execution vulnerability in Microsoft Office that exists when software doesn’t properly handle objects in memory. An attacker who successfully exploited this could run code in the context of the current user, which would let them install programs, view and edit data, or create new accounts with full user rights. It’s more dangerous for victims with administrative rights.

Exploitation would require a user to open a specially crafted file with an affected version of Microsoft Office or WordPad. A threat actor could conduct a phishing attack by sending the file via email and convincing the target to open it. In a web-based attack, the attacker could host a website (or compromise a website) with a file to exploit the Office bug.

“No details of the attacks are provided by Microsoft, but the lack of industry discussion likely means this is being used in a targeted attack,” writes Dustin Childs of Trend Micro’s Zero Day Initiative. There are multiple Office flaws patched this month, all of which Childs says “should also be given a high deployment priority.”

In its exploitability assessment, Microsoft reports CVE-2018-0802 has been exploited in the wild. It states that at the time of publication, exploitation is unlikely for both its latest software release and older software release. Affected versions range from Microsoft Office 2007 Service Pack 3 to Microsoft Word 2016, 64-bit edition.

Read more details on CVE-2018-0802, including all affected versions of Office, here.


Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University.

Article source: https://www.darkreading.com/vulnerabilities---threats/microsoft-patches-exploited-office-bug/d/d-id/1330784?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Turla Cyberespionage Gang Employs Adobe Flash Installer

In recent data theft campaigns, the APT group has been downloading malware from what appears to be legitimate Adobe URLs and IP addresses, ESET says.

The Russian-speaking Turla advanced persistent threat group, whose many victims include the US Department of State, appears to have developed a dangerous new tactic for installing its data-stealing malware on targeted systems.

Security vendor ESET says it has recently observed Turla packaging one of its backdoors with a real Adobe Flash installer and downloading the malware on victim systems from legitimate Adobe URLs and IP addresses.

To targeted endpoint systems, the remote IP address from which the malware is being downloaded belongs to Akamai, the content delivery network that Adobe officially uses to distribute its Flash installer, ESET said in a technical whitepaper Tuesday. That makes it much harder to spot the subterfuge.

Turla has then been getting infected computers to send back sensitive system information to legitimate URLs at Adobe.com. All of the download attempts that ESET observed were made through HTTP and not via HTTPS, the vendor added. “We can state with confidence that Adobe was not compromised,” ESET said in its paper. “These attackers merely use the Adobe brand to trick users into downloading the malware.”

The Turla group has long used social engineering tricks to get victims to install its malware on their systems. Often this has involved the use of fake Adobe Flash installers. The new campaign, which appears to have started sometime in July 2016, marks the first time that Turla or likely any other known threat actor has downloaded malware over HTTP from legitimate Adobe URLs and IP addresses, ESET said.

Most of the victims are located in countries belonging to the former USSR. Targets include embassies and consulates belonging to several Eastern European nations.

“The most likely scenario involves SIGINT capabilities and not a lot of threat actors are known to have this capacity,” says Jean-Ian Boutin, senior malware researcher at ESET.

According to ESET, it has still not been able to determine how exactly Turla actors are distributing their malware through Adobe.com. But there are several possible explanations.

One way they could be doing it is if they have an already compromised system on the victim’s network to perform a local man-in-the-middle attack. In such a scenario, the attackers could be redirecting traffic from a target system through the compromised server and modifying it on the fly. Though the Turla group is not previously known to have tools for pulling off such an attack, it would have been relatively simple for them to build one, according to ESET.

The Turla group actors could also be using a compromised local gateway to conduct a similar man-in-the-middle maneuver. In this situation, they could potentially intercept and modify traffic for the whole organization if needed, even before it exits the intranet. The group already has a rootkit called Uroburos that can be easily modified to intercept traffic on the fly and inject malicious code into it, the vendor said.

Two other but somewhat less likely scenarios are that Turla is executing a man-in-the-middle attack at the ISP level, or BGP hijacking to ensure that malicious traffic does not actually hit Adobe’s servers, according to ESET.

“There are different possibilities that can explain this behavior,” Boutin says. “We believe the most likely scenario involves HTTP manipulation facilitated by an attacker-controlled router, either within the organization or at the ISP level — the former being easier to pull off than the latter.”

One takeaway for organizations is that they should pay more attention to how files are downloaded to their network, Boutin says. Turla is downloading fake Flash Player installers through HTTP. “A good way to prevent this initial compromise is to forbid download of executable files over unencrypted connections. It should always be done over HTTPS.”

If all executable files are downloaded via HTTPS, the traffic interception and modification is much harder as the connection is encrypted, Boutin says.

Organizations should also be ensuring that any Flash Player installers downloaded to their systems are properly signed with a valid Adobe certificate. In addition, ESET has provided IOCs in its whitepaper, which organizations should use to block malicious URLs used by Turla’s malware and to check for signs of previous attacks, Boutin says.
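The two controls ESET recommends, as an added PowerShell example that is not ESET’s code or anything from the whitepaper: refuse to fetch an installer over plain HTTP, and accept a downloaded installer only if its Authenticode signature is valid and the signer is the expected publisher. The publisher subject pattern and the placeholder URL are assumptions; tighten the pattern (or pin a thumbprint) to what you observe on a known-good Adobe installer in your own environment.

```powershell
# Added example, not from ESET or the article. Enforces HTTPS-only installer
# downloads and verifies the Authenticode signature of what was fetched.

function Test-SecureDownloadUrl {
    # Refuse anything that is not https: an on-path router or gateway can rewrite
    # plain HTTP responses, which is exactly the MitM scenario ESET describes.
    param([Parameter(Mandatory)][string]$Url)
    $uri = $null
    if (-not [System.Uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref]$uri)) { return $false }
    return ($uri.Scheme -eq 'https')
}

function Test-InstallerSignature {
    # Returns an object saying whether the file is acceptable and, if not, why.
    param(
        [Parameter(Mandatory)][string]$Path,
        # Assumed publisher pattern: Adobe's code-signing subject starts with CN=Adobe.
        [string]$ExpectedSubjectPattern = '^CN=Adobe'
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [pscustomobject]@{ Path = $Path; Ok = $false; Reason = ''; Signer = $null }
    if ($sig.Status -ne 'Valid') {
        # NotSigned, HashMismatch or an untrusted chain all land here.
        $result.Reason = "signature status is '$($sig.Status)' ($($sig.StatusMessage))"
        return $result
    }
    $result.Signer = $sig.SignerCertificate.Subject
    if ($result.Signer -notmatch $ExpectedSubjectPattern) {
        # A fake installer can carry a perfectly valid signature from some other
        # publisher's certificate, so "Valid" alone is not enough.
        $result.Reason = "valid signature, but signer is '$($result.Signer)', not the expected publisher"
        return $result
    }
    $result.Ok = $true
    return $result
}

function Get-VerifiedInstaller {
    # End to end: HTTPS-only download, then signature check; the file is deleted on failure.
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][string]$OutFile,
        [string]$ExpectedSubjectPattern = '^CN=Adobe'
    )
    if (-not (Test-SecureDownloadUrl -Url $Url)) {
        throw "Refusing to download '$Url': executables must be fetched over HTTPS."
    }
    Invoke-WebRequest -Uri $Url -OutFile $OutFile -UseBasicParsing
    $check = Test-InstallerSignature -Path $OutFile -ExpectedSubjectPattern $ExpectedSubjectPattern
    if (-not $check.Ok) {
        Remove-Item -Path $OutFile -Force -ErrorAction SilentlyContinue
        throw "Rejected '$OutFile': $($check.Reason)"
    }
    return $check
}

# Usage (placeholder URL and path, not a real Adobe download link):
# Get-VerifiedInstaller -Url 'https://example.invalid/flashplayer_installer.exe' -OutFile "$env:TEMP\flash.exe"
```

Get-AuthenticodeSignature reports Valid only when the file hash matches and the certificate chains to a root trusted on that machine, so the signer check matters: an attacker who can rewrite HTTP responses can just as easily ship a binary signed with any certificate a CA would issue them. Once you have a known-good installer, comparing $sig.SignerCertificate.Thumbprint against a pinned value is stricter than the subject pattern used here.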



Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/turla-cyberespionage-gang-employs-adobe-flash-installer/d/d-id/1330788?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

US tightens rules on border search

Your chances of being searched at a US border crossing are now at an all-time high. But the chances that border agents will be pulling data from your devices declined this past week – at least by a little.

A 4 January update in the US Customs and Border Protection’s (CBP) “Border Search of Electronic Devices” directive – its first since August 2009 – now requires that agents have at least “reasonable suspicion” of illegal activity or a threat to national security before they can conduct an in-depth, forensic examination or copy the contents of devices they search at border crossings.

The directive also continues a policy that says without that “reasonable suspicion,” agents can only conduct a so-called “basic search,” which means they can only look at data that’s “physically resident on the phone,” and not stored on a remote server.

This, according to the press release from CBP, not only “enhances the transparency, accountability and oversight of electronic device border searches performed by CBP,” but also:

…preserv(es) the civil rights and civil liberties of those we encounter, including the small number of travelers whose devices are searched, which is why the updated Directive includes provisions above and beyond prevailing constitutional and legal requirements.

All of which had Sen. Ron Wyden, (D-OR) damning the new directive with faint praise. He called it “an improvement,” but said in a statement that it still allows, “far too many indiscriminate searches of innocent Americans.”

He noted that CBP agents don’t need even the “reasonable suspicion” threshold to conduct a basic search of devices, which includes, “looking through their browsing history, photos and messages stored on the device.”

And there are more of those searches being conducted than at any time in history. While the CBP spun the numbers one way, noting that they search the devices of less than one-hundredth of 1 percent of travelers entering the US, and that the large majority (about 80%) of those are of non-citizens, the agency also acknowledged that the number of searches has jumped from 5,085 in 2012 to 30,151 in 2017.

Wyden, ranking Democratic member of the Senate Finance Committee, has co-sponsored a bill with Sen. Rand Paul (R-KY) that would require a warrant for agents to search devices at the border. But that bill was introduced last April, and besides being referred to the Committee on Homeland Security and Governmental Affairs, nothing has happened with it.

Among privacy advocates, the praise was even more faint, and the damning much louder. The Electronic Frontier Foundation (EFF) said while the directive contains “a few improvements” from the previous one, it is still, “full of loopholes and vague language that continues to allow agents to violate travelers’ constitutional rights.”

Staff attorneys Sophia Cope and Aaron Mackey, in a blog post this week said even the “reasonable suspicion” requirement contains a “huge loophole.”

…border agents don’t need to have reasonable suspicion to conduct an advanced device search when “there is a national security concern.” This exception will surely swallow the rule, as “national security” can be construed exceedingly broadly and CBP has provided few standards for agents to follow.

Cope and Mackey also contend there isn’t much difference between “basic” and “advanced” searches – that both are highly intrusive.

…the government obtains essentially the same information regardless of what search method is used: all the emails, text messages, contact lists, photos, videos, notes, calendar entries, to-do lists, and browsing histories found on mobile devices.

And all this data collectively can reveal highly personal and sensitive information about travelers – their political beliefs, religious affiliations, health conditions, financial status, sex lives, and family details.

The new directive also states that, “travelers are obligated to present electronic devices and the information contained therein in a condition that allows inspection of the device and its contents.”

That means the CBP is requiring people to unlock or decrypt their devices, and according to EFF, they have a right to refuse. If they do, however…

…there may be consequences, such as travel delay, device confiscation, or even denial of entry for non-US persons.

Finally, EFF notes that the new directive doesn’t apply to US Immigration and Customs Enforcement (ICE) or to agents from Homeland Security Investigations (HSI), which also conduct border searches…

…so any enhanced privacy protections found in the new policy are wholly inapplicable to searches by these agents.

According to Kevin McAleenan, CBP’s acting commissioner, the new directive means that, “CBP continues to respect the privacy of international travelers while performing its vital law enforcement mission.”

Privacy advocates remain unconvinced – particularly as it applies to US citizens. “Americans’ Constitutional rights shouldn’t disappear at the border,” Wyden said.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Md2gKg63c1g/

Apple issues Spectre fix with iOS 11.2.2 update

On 8 January, Apple made available iOS 11.2.2, which includes a security update for Spectre, one of the CPU-level vulnerabilities making the headlines of late. (If you need a full rundown about what these processor bugs entail and how they work, take a moment to read Paul Ducklin’s comprehensive post on the topic.)

This iOS update specifically addresses CVE-2017-5753 and CVE-2017-5715, two chip-level vulnerabilities collectively known as Spectre. All of the chip-level vulnerabilities including Spectre, at a very high level, take advantage of flaws in hardware to allow an attacker to potentially read or steal data.

Thankfully, these flaws can be mitigated at an operating system or software level when vendors make patches available. The two Spectre vulnerabilities can be triggered via JavaScript running in a web browser, so the iOS 11.2.2 update specifically makes changes to Apple’s Safari and WebKit to mitigate their effects.

There were a number of chip vulnerabilities revealed concurrently earlier this month – they’re similar but not the same. Often mentioned in the same breath as Spectre is Meltdown, CVE-2017-5754. While Meltdown affects most types of Intel processors made since 1995 – meaning almost all the world’s desktops, laptops, and servers – Spectre affects an even broader array of processor types, not just Intel, but AMD and ARM as well.

Most of the world’s smartphones, including iPhones and Samsung phones, run on ARM chips. While yes, technically, Spectre makes most of us with a smartphone in our hands vulnerable, thankfully the Spectre flaws have been found by vendors and researchers to be much harder to exploit overall than Meltdown, so it hasn’t been as high a priority for a fix.

So if we got a Spectre patch yesterday and Spectre’s a lower priority, where is the fix for Meltdown? After all, Meltdown is not mitigated by this iOS patch. That’s because Apple already released an update to mitigate Meltdown: The Meltdown fix was in the iOS 11.2 update back in December, though we didn’t know it at the time. (If you check the iOS 11.2 patch notes, you’ll see that the full details on the Kernel-level update, and the CVE addressed, were only added on 4 January.)

In fact, the vast majority of us didn’t know about Meltdown’s existence until January. However, according to the official Meltdown research paper, the researchers who discovered Meltdown were able to effectively work within a responsible disclosure period with vendors to get patches out for OSX, Windows and Linux prior to public disclosure. So kudos to all involved there and hooray for coordinated disclosure.

If you’re an iOS user on iPhone or iPad, this iOS 11.2.2 update should already be available to you to download and install – as always, we recommend you patch as soon as you can. Hopefully you’ve already applied the December iOS 11.2 update to get the fix for Meltdown!

(Are you a Google Android user wondering where your update is? Google issued a patch for you back on 5 January for the two Spectre vulns and the Meltdown vulnerability.)


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/fsZvi2gMe-0/

Aadhaar breaches fuelled by rogue admin accounts

Not long ago trumpeted as the world’s largest biometric database, India’s Aadhaar system covers 1.2bn citizens. Lately, though, it’s acquired a less impressive reputation – that it’s one of the easiest to breach.

In a matter of days, two sets of journalists claimed they’ve bypassed its security with worrying ease, apparently by gaining access to a layer of privileged and admin accounts that have ended up in the wrong hands.

In the most widely-reported incident, a researcher paid Rs 500 ($8) to an anonymous WhatsApp seller for credentials giving access to the name, address, phone number, postal PIN, email address and photograph of anyone in Aadhaar after entering their 12-digit UIDAI (Unique Identification Authority of India) number.

Worse, for a few dollars extra, the researcher was offered software capable of printing this out as a usable Aadhaar identity card.

A day later, a second investigation reported being able to acquire access to an admin account for between Rs500 and 6,000 ($95) that conferred the godlike ability to add new admin accounts, which in turn could create further admin accounts – and so on.

Which meant:

Once you are an admin, you can make ANYONE YOU CHOOSE an admin of the portal. You could be an Indian, you could be a foreign national, none of it matters – the Aadhaar database won’t ask.

The revelations continued this week with the Times of India reporting that despite November reports that up to 200 Indian government websites were displaying details of Aadhaar identities in public, some continued to do so weeks later.

None of this is good news for Aadhaar’s reputation of course, but the biggest worry could turn out to be the authorities’ confused response.

When confronted with the fact that admin accounts were being traded, one UIDAI regional official seemed shocked:

No third person in Punjab should have a login access to our official portal. Anyone else having access is illegal, and is a major national security breach.

And yet, an official UIDAI statement made to news site Buzzfeed more resembled an angry denial than an admission of problems that need to be fixed:

Claims of bypassing or duping the Aadhaar enrolment system are totally unfounded. Aadhaar data is fully safe and secure and has robust, uncompromised security.

None of Aadhaar’s biometric data was compromised, the source added, while appearing to suggest that criminal charges might be filed against journalists for unauthorised access.

It’s not clear from local media reports how serious this threat is, but if it is serious, it would be deeply counter-productive. If the system has weaknesses, one way they will be uncovered is by researchers and journalists reporting on them.

Indians don’t officially have to register with Aadhaar but can’t access government services without being part of the system. Take-up has been hugely successful, reportedly enrolling 99% of Indians over the age of 18.

Not surprisingly, successive governments have become heavily invested in its fate and predictably sensitive to reports of security failures which might reflect badly on them.

This is one reason why critics think massive government-backed identity databases carry huge risks. When a private company suffers a breach, in principle it can be held to account by regulators and the force of law. If the same happens to a government-administered database, blame might be temptingly easy to ignore, cover up or shift to junior levels.

It’s too early to declare Aadhaar a broken system but neither, so far, is it exactly proving the pessimists’ predictions wrong.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/R6Mgua2S6Zg/