STE WILLIAMS

CryptoLocker Could Herald Rise Of More Sophisticated Ransomware

Seven hundred and fifty dollars — that is the amount of money it cost a police department in Massachusetts to regain access to its computer files. The culprit of this kidnap and ransom was the now-infamous CryptoLocker, which locked both images and Microsoft Word documents on the department’s computer system.

While precise statistics are hard to come by, researchers at Symantec say they are seeing hundreds of thousands of spam email messages a day distributing the threat, with hundreds of infections per day. Ransomware scams are still in vogue, but where CryptoLocker makes its mark is its use of asymmetric encryption — and don’t be surprised if security vendors are not the only ones taking notice. Other attackers will move in this direction as well.

“It’s not a revolution, but a natural evolution,” says Lance James, head of intelligence at Vigilant by Deloitte. “Putting it bluntly, I think we expected this sooner and should be surprised it took so long. Yes, others will move in this direction, or they will sell CryptoLocker base code to enable the development of related ransomware, thus spawning in the underground a new widespread standard, if you will, for ransomware.”

Unlike the authors of other ransomware, CryptoLocker’s authors have properly implemented an asymmetric system (2048-bit RSA) and 256-bit AES-CBC using the native Microsoft Windows crypto system, which is the basis for legitimate tools such as BitLocker, he explains.

“Most encryption uses a symmetric [one key] key system or simply locks access to the files but does not fully encrypt the data,” James says. “A reverse engineer can simply build tools that recover the key or leverage knowledge of how the software works to unlock the files. Encryption mechanisms found in other ransomware are of a homebrew variety — they include errors and vulnerabilities that reversers and infosec professionals can identify, thereby enabling the creation of workarounds to neutralize the intent of the ransomware.”

Once on the system, the malware can encrypt files located within shared network drives, USB drives, external hard drives, network file shares, and even some cloud storage drives. If one computer on a network becomes infected, then files on mapped network drives could be encrypted as well. CryptoLocker then connects to the attackers’ command-and-control server to put the asymmetric private encryption key “out of the victim’s reach,” according to a warning from US-CERT.

“I wouldn’t say it is necessarily any more sophisticated, but perhaps just better executed,” notes Chet Wisniewski, senior security adviser at Sophos. “They aren’t pretending to be the cops. They are simply encrypting your files, demanding money, and mostly honoring their end of the bargain — simple, straight to the point of extortion.”

Ransomware that was popular early in the year didn’t even perform encryption — it just locked the screen with a “scary law enforcement message and demanded money,” he adds.

Ransomware can be a very profitable type of operation. In a paper (PDF) released last year, Symantec estimated that one particular group was extorting nearly $400,000 a month from victims.

Ransomware attacks have been on the uptick for the past several quarters. According to McAfee’s third quarter threat report (PDF), more than 312,000 new, unique samples were detected during that three-month period — less than the previous quarter, but still the second-highest figure the firm has seen.

“Ransomware is not new, but evidently its creators are making money from it, and that is the key to its persistence,” observes Roger Thompson, chief emerging threat researcher at ICSA Labs. “In fact, it seems to have replaced fake antivirus as a common form of monetization. I can’t remember the last time I saw a fake AV. You’d think that the interaction required to pass money would get more people caught, but I suspect it is a function of small amounts combined with multiple jurisdictions. In other words, it seems too much trouble for the police to be bothered.”

The good news, Wisniewski notes, is that businesses and home users can take a number of precautions.

“Keep your antivirus up to date and be sure not to allow EXE files to come in as email attachments,” he says. “Block EXE files inside of archives, like ZIP and RAR, at the mail gateway. CryptoLocker is primarily being installed through existing Zeus/ZBot infections, and Zeus comes in through email and drive-by installs on booby-trapped websites. Do your backups. Don’t pay the crooks or depend on their honesty to decrypt your files. Ensure the important information in your organization is backed up regularly.”
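An added example (not from the article and not Sophos code) of the gateway rule Wisniewski describes: a Python check that flags executables among mail attachments, including inside ZIP archives, by the PE “MZ” header bytes rather than by file name alone. It assumes ZIP only, since RAR is not in the standard library, and every sample attachment is constructed for the example.

```python
import io
import zipfile

# Constructed sample data: a fake PE payload (just the DOS "MZ" magic and
# filler, no real program) and a harmless text file.
FAKE_EXE = b"MZ" + b"\x90" * 62 + b"This program cannot be run in DOS mode."
HARMLESS_TXT = b"Meeting notes for Monday.\n"

EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
MAX_DEPTH = 3  # stop descending into archives nested deeper than this


def looks_executable(name, data):
    """True if either the name or the content marks this as a Windows executable."""
    lower = name.lower()
    if any(lower.endswith(ext) for ext in EXEC_EXTENSIONS):
        return True
    return data[:2] == b"MZ"  # PE/DOS header, whatever the extension says


def find_executables(name, data, depth=0):
    """Return paths of executable content in one attachment, descending into ZIPs.

    RAR archives cannot be opened without a third-party library (an assumption
    of this example), so they are reported as unscannable rather than passed.
    """
    hits = []
    if looks_executable(name, data):
        hits.append(name)
    if data[:4] == b"Rar!":
        hits.append(name + " (RAR: cannot inspect, treat as blocked)")
    elif zipfile.is_zipfile(io.BytesIO(data)):
        if depth >= MAX_DEPTH:
            hits.append(name + " (nested too deep, treat as blocked)")
            return hits
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.infolist():
                if member.is_dir():
                    continue
                inner = zf.read(member)
                hits.extend(f"{name}/{h}"
                            for h in find_executables(member.filename, inner, depth + 1))
    return hits


def build_zip(members):
    """Build an in-memory ZIP from {name: bytes}; used only to construct input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def gateway_decision(attachments):
    """attachments: {filename: bytes}. Returns (block_message, reasons)."""
    reasons = []
    for name, data in attachments.items():
        reasons.extend(find_executables(name, data))
    return (bool(reasons), reasons)


if __name__ == "__main__":
    sample = {
        "notes.txt": HARMLESS_TXT,
        "invoice.zip": build_zip({"invoice.pdf.exe": FAKE_EXE, "readme.txt": HARMLESS_TXT}),
        "photo.jpg": FAKE_EXE,  # renamed executable: caught by the header, not the name
    }
    print(gateway_decision(sample))
```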


Article source: http://www.darkreading.com/attacks-breaches/cryptolocker-could-herald-rise-of-more-s/240164235

At AppSec USA, A Call For Continuous Monitoring

NEW YORK, N.Y. — The days of the once-a-year application vulnerability scan are over. The days of continuous application monitoring have begun.

That was the message delivered by speakers and other experts at the annual AppSec USA conference here last week. The conference, which focuses on application security and secure software development, featured some of the best-known experts in the field. One of their common themes: Application security vulnerabilities can come up at any time, even after software is vetted and deployed.

“Look at the world of health care,” said Jeff Williams, CEO of application security vendor Aspect Security, in a presentation at the conference. “It’s no longer enough, in many cases, to wait for the patient to come in once a year for a checkup. They’re equipping the body with sensors that can measure blood sugar or heart rate, and then send you a warning. In some of those cases, your phone knows you’re sick before you do.

“Application security needs to follow that same model. The once-a-year scan for vulnerabilities isn’t working. Application security needs to happen continuously, in real time, and not just on some apps, but on a portfolio scale.”

Williams advocated the use of vulnerability sensors, which enterprises can develop themselves, to help detect and warn security professionals and developers of newly discovered vulnerabilities in software.

“You can develop sensors to detect clickjacking vulnerabilities or injection vulnerabilities or just about anything,” Williams said. “You can get your developers to build sensors directly into the application that will warn you when a vulnerability occurs, in real time.”

Bala Venkat, chief marketing officer at application security vendor Cenzic, agreed that vulnerability scanning should be a continuous process. “Most enterprises do careful scanning during the predeployment process, but they stop there,” he noted. “Once the application is in operation, they look for vulnerabilities only rarely or not at all. And that’s why so many applications today have vulnerabilities that haven’t been remediated.”

Venkat advocates an ongoing approach to vulnerability scanning that includes analysis not only before deployment, but while the software is operating. “Some IT organizations are afraid to do this because they are worried that scans might affect the performance of an operating application or cause a service interruption. But the risks of not remediating a known vulnerability generally are far greater.”

Veracode, another application security vendor, has implemented an internal process for application monitoring that requires developers not only to do a one-time check for security vulnerabilities, but to continuously monitor for problems throughout the life of the application.

“If you want developers to learn something about security, you have to make sure that you are continuously exposing them to the security issue,” said Chris Eng, vice president of research at Veracode, who also spoke at the conference. “Otherwise, it’s like teaching them a math concept that they learn once and never use again. It has to be part of the process.”

“The technology for finding vulnerabilities is a lot better than it was even a couple of years ago,” noted Robert Hansen, director of product management and technology evangelist at WhiteHat Security. “What we need to do is update the process to reflect that better technology.”


Article source: http://www.darkreading.com/applications/at-appsec-usa-a-call-for-continuous-moni/240164241

Most of Dread Pirate Roberts’ treasure still buried, say researchers


While the FBI found a Bitcoin wallet worth around $US122 million on the laptop belonging to “Dread Pirate Roberts” (DPR), two Israeli researchers believe that’s only about 22 percent of what the Silk Road kingpin held.

Moreover, the researchers suggest a possibility that there’s a link between DPR, real name Ross Ulbricht, and the mysterious creator of Bitcoin, Satoshi Nakamoto.

The startling accusation comes from the New York Times, which has access to an advance copy of a research paper by the Israel-based Weizmann Institute’s Dorit Ron and Adi Shamir.

While conceding that the link is tenuous, the two researchers say they have identified transactions that link DPR and Bitcoin accounts they tentatively associate with Nakamoto. The transactions are real enough: it’s the connection to Nakamoto that they describe as speculative.

They state that during an analysis of transactions related to Silk Road, they identified a transfer “to an account controlled by Mr. Ulbricht from another that had been created in January 2009, during the very earliest days of the Bitcoin network, which was set up the previous year.”

The transfer in question was for 1,000 Bitcoin, made on March 20, 2013. The New York Times quotes from the research paper:

“Such a single large transfer does not represent the typical behavior of a buyer who opens an account on Silk Road in order to purchase some narcotics (such buyers are expected to make an initial deposit of tens or hundreds of dollars, and to top the account off whenever they buy additional merchandise). It could represent either large-scale activity on Silk Road, or some form of investment or partnership, but this is pure speculation.”

The researchers describe this as suggestive of a DPR-Nakamoto link, rather than proof of it.

Their research is based on an analysis of a complete listing of all Bitcoin transactions, which began as an analysis of the statistical behaviour of the cryptocurrency market. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/25/most_of_dprs_treasure_still_buried_say_researchers/

Racing Post p0wned, accounts accessed and passwords pinched


Popular horse racing news and gambling portal Racingpost.com has suffered a substantial security breach.

Reg readers have sent us the email they received from the site, which opens with the admission that “Despite our best efforts, the security on racingpost.com has been breached over the last 36 hours, in a sophisticated, sustained and aggressive attack. One of our databases was accessed and customer details were stolen.”

Things get worse, as follows:

“We have now established that a number of customer accounts were accessed. Although all the passwords are encrypted, we believe that there is still a chance that some passwords can be deciphered. As yours is one of the accounts involved, there is a risk of identity theft.”

The good news, if there is any, is that the site says “we do not store your credit card details on our website and these have not been the subject of any theft.”

But things are still bad enough that the site has “turned off the ability to register / log-on to racingpost.com.”

The letter goes on to suggest that members “take all precautions and reset your passwords on any other site which uses the same password as the one you use on racingpost.com as soon as you can.”

The letter offers the following mea culpa:

“Please be assured that we are currently reviewing all of our security measures and will put in place even stronger protection to stop this happening again. Extensive changes have already been made overnight with the assistance of industry-leading cyber-security experts.”

Different cyber-security experts, one hopes, than the ones who built the site’s shieldware the first time around.

Site members will be notified by email when logons are once again possible and the site is sensibly advising those missives won’t include a link, which should make things a little bit harder for Phishers. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/25/racingpost_hacked/

Twitter joins the “forward secrecy” club for added resistance to surveillance

Twitter is the latest high-traffic social networking site to announce that it has added an extra layer of protection known as forward secrecy to its web servers.

“But wait,” you may be saying. “Didn’t Twitter implement an Always use HTTPS option back in 2011?”

Indeed it did, and that was important because it allowed you to ensure that all your traffic to and from Twitter enjoyed the protection of the padlock in your browser’s address bar.

It might seem slightly odd to be so fussy about encrypting every Tweet while it’s being uploaded, when most users’ intention is to have Twitter shout those selfsame Tweets as far, as wide and as soon as possible.

But secure HTTP, better known as HTTPS, is surprisingly important for any web service that lets you login up front and then stay logged in indefinitely.

That’s because your logged-in status is usually dealt with by a session cookie that is transmitted in the HTTP traffic.

A session cookie is a random string of data that a server sends to your browser as a sort of temporary ID, and that your browser sends back, in the headers of any future requests to that server, to assert that ID.

In short, the server uses the session cookie to recognise that it’s you coming back for more.

Without a session cookie, you’d need to login every time you loaded or refreshed a page from the relevant site, which would quickly become tiresome.

Your session cookie can’t be guessed by an attacker, because it consists of many bytes of random data generated uniquely for your session.

But without HTTPS to encrypt the cookie between your browser and the server, an attacker could sniff your traffic, extract the cookie and use it to masquerade as you.

So that’s why Twitter added Always use HTTPS.
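The session-cookie mechanics described above, as an added example in Python (not Twitter’s code): the server mints a random token, hands it to the browser in Set-Cookie with the Secure attribute so that it is only ever sent over HTTPS, and looks it up again from the Cookie header on later requests. The session lifetime and the in-memory store are assumptions of the example.

```python
import hashlib
import secrets
import time
from http.cookies import CookieError, SimpleCookie

SESSION_TTL = 3600  # assumed lifetime in seconds for this example

# Server-side session table. It is keyed by the SHA-256 of the token rather
# than the token itself, so a copy of this table does not yield usable cookies.
_sessions = {}


def _key(token):
    return hashlib.sha256(token.encode()).hexdigest()


def issue_session(user, now=None):
    """Start a session for `user`; return the Set-Cookie header value.

    The token is 32 random bytes (256 bits), which is what makes the cookie
    unguessable. `Secure` tells the browser to send it only over HTTPS, so a
    sniffer on plain HTTP never sees it; `HttpOnly` keeps it away from scripts.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _sessions[_key(token)] = {"user": user, "expires": now + SESSION_TTL}
    cookie = SimpleCookie()
    cookie["sid"] = token
    cookie["sid"]["path"] = "/"
    cookie["sid"]["secure"] = True
    cookie["sid"]["httponly"] = True
    cookie["sid"]["samesite"] = "Lax"
    return cookie.output(header="").strip()


def lookup_session(cookie_header, now=None):
    """Parse a request's Cookie header and return the logged-in user, or None."""
    now = time.time() if now is None else now
    cookie = SimpleCookie()
    try:
        cookie.load(cookie_header)
    except CookieError:
        return None
    if "sid" not in cookie:
        return None
    key = _key(cookie["sid"].value)
    record = _sessions.get(key)
    if record is None:
        return None
    if record["expires"] <= now:
        del _sessions[key]  # expired: the server forgets it and the cookie is dead
        return None
    return record["user"]


def end_session(cookie_header):
    """Logout: drop the server-side record so a copied cookie stops working."""
    cookie = SimpleCookie()
    try:
        cookie.load(cookie_header)
    except CookieError:
        return
    if "sid" in cookie:
        _sessions.pop(_key(cookie["sid"].value), None)
```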

→ Three years ago, a freely-available tool called Firesheep was published that allowed even completely non-technical users to sniff session cookies, for example at coffee shops with shared Wi-Fi connections, and use those stolen cookies to publish Tweets or Facebook postings in other people’s names.

Now, of course, there’s a new game in town, which goes a lot further than just sniffing your unencrypted session cookies in order to send embarrassing Tweets from your account.

As we now know, widespread surveillance and monitoring of what we do online means that third parties – from intelligence organisations and the private sector all the way to cybercrime gangs – are sniffing and keeping giant stashes of our internet traffic, just in case.

And although that traffic may be illegible now, thanks to HTTPS encryption, what about tomorrow, or next year, or even next decade?

What if the decryption keys fall into the wrong hands, through fair means or foul, such as: by coercion; due to a legal warrant; or because of a data breach?

Forward secrecy is a way of side-stepping that problem by using temporary encryption keys that are discarded after a short time, such as minutes, hours or days.

Incidentally, techniques for forward secrecy online were supported from the earliest days of HTTPS, but weren’t widely implemented because of extra processing load on the server.

Very greatly simplified, if not actually oversimplified, that’s because plain HTTPS only requires the server to send you a public key to which it has a matching private key, allowing the server to use the same public-private keypair over and over again.

HTTPS with forward secrecy, however, requires the server to send you a public key that is unique to your session, so that the corresponding private key can be destroyed after use.

Generating a keypair for every connection is much costlier than generating one for each server.

→ That’s how the forward secrecy is achieved: once the decryption keys from your session are destroyed, any copies of the encrypted data are effectively “nailed down” into an eternally-encrypted state, like a padlock to which you’ve lost the key.

If this sounds strangely familiar, that’s because it’s how the CryptoLocker ransomware claims to work: the crooks produce a one-off keypair for each victim, and warn you that if you haven’t paid after 72 hours, they delete your private key, and that’s that for your data.

(They’re lying. They practice forward dishonesty, and will sell you your key after more than 72 hours. For a lot more money.)

Of course, as the CryptoLocker private key shenanigans remind us, HTTPS forward secrecy depends on both ends doing the right thing.

It depends on your browser requesting the relevant cryptographic support in the first place; it depends on the server agreeing to provide that support; and it depends on the server doing the right thing by not retaining (or losing) the so-called “ephemeral” key.

But how you keep track of those possibilities is an article for another time!

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Et0SZ-ej9nY/

New NSA leak reveals invasion of the management consultants


The Register can reveal that while the NSA has been infiltrating the highest echelons of the governments of US allies, a counter-infiltration has taken place.

Crack teams of Microsoft marketing droids, sleeper cells of incognito TEDx speakers and the greatest sociologists ever to torture a syntax into confessing to crimes of postmodernism have all been recruited to take the battle back to the spooks by befuddling them with the worst excesses of corporate language-mangling.

The strategy appears simple: by making it impossible for anyone in the NSA to understand what they were being told, the agency wouldn’t be able to wreak too much havoc on the IT sector.

Evidence for the counter-insurgency can be found in this document, published by the New York Times, that shows how Strike Force Linguistic Paralysis had created an NSA in which this is apparently a meaningful statement:

“ubiquitous computing is fundamentally changing how people interact as individuals become untethered from information sources and their communications tools”

El Reg is shaking its head in wonder at the profound professional mediocrity that can describe “the soul-stealing life in which no human is ever permitted to be absent from work or out-of-touch” as “untethered”.

Here are some other gems from the leaked document:

  • “We must proactively position ourselves to dominate that environment”
  • “Fully leverage internal and external partnerships to collaboratively discover targets”
  • “a collaborative information space that mirrors how people interact in the information age”
  • “Drive an agile technology base mapped to the cognitive processes”
  • “Integrate the SIGINT system into a national network of sensors which interactively sense, respond, and alert one another at machine speed”
  • “Collectively foster an environment that encourages and rewards diversity, empowerment, innovation, risk-taking and agility” [Which reminds Vulture South, the Human Resources sector seems to have contributed to the infiltration task-force]
  • “Enable better, more efficient management of the mission and business by establishing new, modifying current, and eliminating inefficient, business processes; by strengthening customer relationships; and by building necessary internal and external partnerships.”
  • “Align and standardize administrative business processes”
  • “Champion the development of a unified NSA/CSS U.S. customer engagement strategy”
  • “Counterpoint the surrealism of the underlying metaphor*”

If there’s a serious point in this turbid prose (you think I mean turgid but I don’t), it’s to take a tiny handful of meaningful statements and stir them in mud until they become indiscernible to the naked eye.

The NSA is revealed to be a relentless consumer of the cyber-warfare Kool-Aid, baldly stating that “cyberattacks … may not cause the mass casualties of a nuclear strike, but they could paralyze US society all the same”.

As with many of the NSA leaks, the document appears crafted for an audience that needs to be told “the Agency is omniscient, wonderful, efficient, and under constant threat so give us more money and power”.

The group reveals an intention to try and get the government to rewrite the legal and administrative controls it’s subject to – presumably not in favour of citizens: “legal, policy, and process authorities must be … adaptive and dynamic … we aggressively pursue legal authorities and a policy framework mapped more fully to the information age.”

Noting that the outside world’s cryptographic capabilities are a danger to the NSA’s ability to deploy ubiquitous snoopery against World+Dog, the document says the spooks need to attack both midpoints and endpoints “to enable cryptanalysis”, and says it must “Counter the challenge of ubiquitous, strong, commercial network encryption”.

The obvious strategy? Subvert commercial crypto providers: “Influence the global commercial encryption market through commercial relationships, HUMINT, and second and third party partners”.

With any luck, however, the invasion of the soul-snatchers will render the NSA incapable of carrying out any form of internal communication before that happens. ®

*Bootnote: OK, the last one came from The Hitchhiker’s Guide to the Galaxy. It’s hardly out of place, is it?


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/24/linguistic_bodysnatchers_invade_the_nsa/

Rackspace patches Windows Updater vuln


Rackspace has patched an arbitrary code execution bug in its Windows environment, following an advisory from CloudPassage.

CloudPassage discovered that the Rackspace Windows Agent and Updater allowed unauthenticated users to upload a modified version of the agent binary to Rackspace Cloud Server instances. The modified code would then be treated as a normal update: when the service restarts after the update, an attacker could then execute arbitrary code.

As explained by CloudPassage, the Rackspace-written Windows Agent and Updater handle boot config for Windows guests running on the Xen hypervisor, running as services under the LocalSystem account.

Pre-1.2.6.0 Updater versions allowed unsigned updates using a crafted .NET call to Port 1984 (El Reg presumes the port number is pure coincidence), which sends a .NET serialisable object with a URL and MD5 checksum to the target. The target system would then download a zipfile, check it against the checksum, extract it into the program folder of the Agent service, and restart the service. As its proof-of-concept, CloudPassage used the und3auth tool to put a backdoor into the Agent binary.

The fixed Updater no longer listens on Port 1984, and uses IPC with XenStore. ®
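An added illustration in Python (not CloudPassage’s proof of concept and not Rackspace’s agent code) of why the pre-fix check was insufficient: a checksum carried in the same unauthenticated request as the download URL is chosen by whoever sends the request, so it proves integrity in transit but not origin. The hardened variant requires a tag keyed with material the sender does not have; HMAC is used here as a symmetric stand-in for the digital signature a real updater would verify, and all packages, URLs and the key are constructed placeholders.

```python
import hashlib
import hmac


def accept_update_checksum_only(request, package):
    """The pattern described in the advisory: the update request carries the
    URL and the MD5 of the package, so whoever sends the request also picks
    the checksum. It only proves the download was not corrupted in transit."""
    return hashlib.md5(package).hexdigest() == request["md5"]


# Hardened variant for this example: the package must carry a tag computed
# with a key the updater holds and an unauthenticated sender does not. HMAC is
# a symmetric stand-in for the vendor signature a real updater would check
# with a public key; the accept/reject logic has the same shape.
VENDOR_KEY = b"constructed-example-key-not-a-real-secret"


def sign_package(package, key=VENDOR_KEY):
    return hmac.new(key, package, hashlib.sha256).hexdigest()


def accept_update_signed(request, package, key=VENDOR_KEY):
    expected = sign_package(package, key)
    return hmac.compare_digest(request.get("sig", ""), expected)


# Constructed sample packages (plain bytes standing in for the agent zipfile).
GENUINE = b"agent package, vendor build (constructed)"
TAMPERED = b"agent package with an added service (constructed)"


def vendor_request():
    """A request the vendor's own update pipeline would send."""
    return {
        "url": "https://updates.example/agent.zip",  # placeholder URL
        "md5": hashlib.md5(GENUINE).hexdigest(),
        "sig": sign_package(GENUINE),
    }


def unauthenticated_request(package):
    """What any host able to reach the update port could send: it chooses the
    URL and computes the MD5 itself, but cannot produce `sig` without the key."""
    return {
        "url": "http://placeholder.example/agent.zip",  # placeholder URL
        "md5": hashlib.md5(package).hexdigest(),
    }
```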


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/24/rackspace_patches_windows_updater_vuln/

LG TVs grab data, GitHub attacked, vBulletin breached – 60 Sec Security [VIDEO]


Twitter fires up stronger, anti-snooping encryption for its millions of twits


Twitter says it has rolled out stronger encryption to safeguard its users’ connections from eavesdroppers.

The micro-blogging ad-pusher said it has switched on “forward secrecy” for traffic to and from its desktop and mobile websites and its app interface; this goes beyond the protections afforded by traditional HTTPS.

Specifically, Twitter says it is now using the Elliptic Curve Diffie-Hellman (ECDHE) cipher suites. Simply put, these attempt to thwart a third party from decrypting intercepted network packets even if Twitter is later compromised or pressured by g-men into handing over its private keys. This is done by generating a randomized per-session key that’s shared between the browser (or app) and Twitter’s servers without them exchanging the key in full, even encrypted.

“On top of the usual confidentiality and integrity properties of HTTPS, forward secrecy adds a new property,” Twitter security engineer Jacob Hoffman-Andrews said in a blog post.

“If an adversary is currently recording all Twitter users’ encrypted traffic, and they later crack or steal Twitter’s private keys, they should not be able to use those keys to decrypt the recorded traffic.”
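To make the “record now, obtain the key later” threat in that quote concrete, and the forward-secrecy explanation in the Naked Security piece above, here is an added simulation in Python (not Twitter’s code and not TLS itself): a Diffie-Hellman exchange run in the two modes the articles contrast, after which the server’s long-term private key is handed to the eavesdropper. It assumes a toy 127-bit group in place of ECDHE and omits the signature that authenticates the server’s ephemeral value in a real handshake.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group for illustration only: p = 2^127 - 1 (a Mersenne
# prime) and generator 5. Real TLS uses 2048-bit+ MODP groups or elliptic
# curves (ECDHE); the forward-secrecy argument is identical.
P = 2**127 - 1
G = 5


def keypair():
    """Return (private exponent, public value g^x mod p)."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def derive_key(own_priv, peer_pub):
    """Session key = SHA-256 of the shared secret g^(xy) mod p."""
    shared = pow(peer_pub, own_priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


class Server:
    """Holds one long-term private key: the thing that could later be stolen,
    subpoenaed or leaked. In `ephemeral` mode every handshake uses a fresh
    exponent that is discarded once the session key exists; in static mode the
    long-term key itself does the key agreement, a stand-in for classic
    non-forward-secret key exchange where the server key is reused forever."""

    def __init__(self, ephemeral):
        self.ephemeral = ephemeral
        self.long_term_priv, self.long_term_pub = keypair()

    def handshake(self, client_pub):
        if self.ephemeral:
            priv, pub = keypair()
        else:
            priv, pub = self.long_term_priv, self.long_term_pub
        key = derive_key(priv, client_pub)
        del priv  # ephemeral exponent gone: nothing on the server can recreate `key`
        return pub, key


def run_session(server):
    """One client/server exchange; also returns what a wiretap would record."""
    client_priv, client_pub = keypair()
    server_pub, server_key = server.handshake(client_pub)
    client_key = derive_key(client_priv, server_pub)
    assert client_key == server_key  # both ends agree on the session key
    transcript = {"client_pub": client_pub, "server_pub": server_pub}
    return server_key, transcript


def attacker_recovers_key(server, transcript, real_key):
    """Later compromise: the adversary holds the recorded transcript and now the
    server's long-term private key. Can they rebuild the old session key?"""
    guess = derive_key(server.long_term_priv, transcript["client_pub"])
    return guess == real_key


def demo(ephemeral):
    """Run one session in the chosen mode; True if the recorded traffic falls."""
    server = Server(ephemeral)
    key, transcript = run_session(server)
    return attacker_recovers_key(server, transcript, key)
```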

According to Twitter, as much as 75 per cent of its internet traffic is already established using ECDHE; the remaining 25 per cent comes from older third-party clients that do not support the key agreement protocol.

While Twitter did not mention the NSA specifically, the company underscored the need of users to maintain strongly secured connections and protect against possible surveillance by a third party that could tap into a network or listen in on a session.

Such snooping tactics were found to have been employed by the NSA to collect data from the internet’s backbone fibre cabling and the lines connecting major data centers. In the wake of NSA whistleblower Edward Snowden’s revelations, a number of web service providers are stepping up encryption on their packets.

Hoffman-Andrews suggested that the use of security protocols such as those introduced by Twitter should soon become the standard for security protection online. He urged other web application developers to consider placing similar protections on their own sites.

“At the end of the day, we are writing this not just to discuss an interesting piece of technology, but to present what we believe should be the new normal for web service owners,” he said.

“A year and a half ago, Twitter was first served completely over HTTPS. Since then, it has become clearer and clearer how important that step was to protecting our users’ privacy.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/23/twitter_beefs_up_security_with_added_encryption/