STE WILLIAMS

Lavabit, secure email? Hardly, says infosec wizard Moxie Marlinspike


Former Lavabit proprietor Ladar Levison claims the new Dark Mail initiative he’s cooking up with the team from Silent Circle will enable email that’s virtually spy-proof, but according to at least one expert, the original Lavabit service was never all that secure to begin with.

“After all,” security guru Moxie Marlinspike wrote in a blog post this week, “how is it possible that a service which wasn’t supposed to have access to its users’ emails found itself in a position where it had no other option but to shut down in an attempt to avoid complying with a request for the contents of its users’ emails?”


The main problem with Lavabit’s design, according to Marlinspike, is that each Lavabit user’s private encryption key was stored on the Lavabit server. The key was itself encrypted with a password, true. But every time the user wanted to read an email, that password needed to be transmitted to the server, essentially negating any security.

“Unlike the design of most secure servers, which are ciphertext in and ciphertext out, this is the inverse: plaintext in and plaintext out,” Marlinspike wrote. “The server stores your password for authentication, uses that same password for an encryption key, and promises not to look at either the incoming plaintext, the password itself, or the outgoing plaintext.”

Those “promises,” Marlinspike says, are essentially worthless.

For one thing, because he was in possession of every user’s private key, all Levison would need to do to read your Lavabit email is intercept your password as it came into his server, use it to decrypt your private key, then use the private key to decrypt your mail. This is essentially what the Lavabit server did anyway; Levison just claims he never eavesdropped.

Even if he never did, however (and no one is suggesting he did), an attacker or a rogue employee who gained access to the Lavabit systems might not have been so scrupulous.

“The cryptography was nothing more than a lot of overhead and some shorthand for a promise not to peek,” Marlinspike wrote. “Even though they advertised that they ‘can’t’ read your email, what they meant was that they would choose not to.”

Finally, an attacker who found a way to eavesdrop on the communications between the server and the client would effectively negate all of the security mechanisms on the Lavabit server. The encryption, the passwords, the keys – none of it would really matter to an attacker with the ability to listen in over the wire, who would be able to obtain the user’s password and unlock all of the rest.
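To make the “plaintext in and plaintext out” criticism concrete, here is an added example (not Lavabit’s code, nor Marlinspike’s) that models the two read paths side by side. It assumes a symmetric mailbox key as a stand-in for the user’s private key, messages already encrypted under that key (in Lavabit the server did this with the user’s public key on delivery), and HMAC-SHA256 in counter mode as a stand-in cipher; the class and function names are the example’s own. A wire log records what an eavesdropper or rogue administrator on the server could see in each design.

```python
"""Lavabit-style (password sent to server, server unwraps the key and returns
plaintext) versus ciphertext-in/ciphertext-out (client unwraps locally).
Illustrative example only; the cipher is a teaching stand-in."""
from __future__ import annotations
import hashlib
import hmac
import secrets


def derive_key(password: str, salt: bytes) -> bytes:
    """Password -> 256-bit key-wrapping key via PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=32)


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 in counter mode as a stand-in stream cipher. It is
    # unauthenticated, which is fine for showing data flow but not for real use.
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, nonce + (off // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    return nonce + _xor_stream(key, nonce, plaintext)


def unseal(key: bytes, blob: bytes) -> bytes:
    return _xor_stream(key, blob[:16], blob[16:])


class MailStore:
    """Server-side state shared by both designs: a mailbox key wrapped under the
    password-derived key, and messages encrypted under the mailbox key
    (constructed here directly; Lavabit used the user's public key on delivery)."""

    def __init__(self, password: str, messages: list[bytes]):
        self.salt = secrets.token_bytes(16)
        mailbox_key = secrets.token_bytes(32)          # stand-in for the private key
        self.wrapped_key = seal(derive_key(password, self.salt), mailbox_key)
        self.ciphertexts = [seal(mailbox_key, m) for m in messages]
        self.wire_log: list[tuple[str, bytes]] = []   # what the server / wire exposes


# Design A (Lavabit-style): the password crosses the wire, the server unwraps the
# mailbox key, decrypts, and returns plaintext. Password and plaintext are both
# visible to whoever controls the server or the wire.
def read_mail_server_side(store: MailStore, password: str) -> list[bytes]:
    store.wire_log.append(("password", password.encode()))
    mailbox_key = unseal(derive_key(password, store.salt), store.wrapped_key)
    plaintexts = [unseal(mailbox_key, c) for c in store.ciphertexts]
    store.wire_log.extend(("plaintext", p) for p in plaintexts)
    return plaintexts


# Design B: the server only ever hands out ciphertext and the wrapped key;
# the password and the unwrapped key never leave the client.
def fetch_ciphertext(store: MailStore) -> tuple[bytes, bytes, list[bytes]]:
    store.wire_log.append(("wrapped_key", store.wrapped_key))
    store.wire_log.extend(("ciphertext", c) for c in store.ciphertexts)
    return store.salt, store.wrapped_key, list(store.ciphertexts)


def read_mail_client_side(store: MailStore, password: str) -> list[bytes]:
    salt, wrapped_key, ciphertexts = fetch_ciphertext(store)
    mailbox_key = unseal(derive_key(password, salt), wrapped_key)   # client-local
    return [unseal(mailbox_key, c) for c in ciphertexts]


def secrets_exposed(store: MailStore) -> set[str]:
    """Sensitive items an observer of the server or wire could recover directly."""
    return {kind for kind, _ in store.wire_log if kind in ("password", "plaintext")}


if __name__ == "__main__":
    msgs = [b"hello", b"meet at noon"]          # constructed sample mail
    a = MailStore("correct horse", msgs)
    read_mail_server_side(a, "correct horse")
    print("design A exposes:", secrets_exposed(a))   # {'password', 'plaintext'}
    b = MailStore("correct horse", msgs)
    read_mail_client_side(b, "correct horse")
    print("design B exposes:", secrets_exposed(b))   # set()
```

In design B the observer still obtains the wrapped key and can mount an offline guessing attack against a weak password, which is why the key-derivation cost matters; but the server itself is never in a position to read mail, so a demand for “the contents of its users’ emails” could only be met with ciphertext.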

Marlinspike says his criticisms of Lavabit aren’t intended as attacks on Levison, but he does worry that the current effort to release the Lavabit code as an open source project will just lead to further vulnerable services that pretend to be secure.

“I think we should celebrate and support Ladar for making the hard choice that he did to at least speak out and let his users know they’d been compromised,” he wrote. “However, I think we should simultaneously be extremely critical of the technical choices and false guarantees that put Ladar in that position.”

The Reg has tried to contact Levison for comment on these matters, but our emails have bounced as undeliverable. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/09/lavabit_not_secure_claims_marlinspike/

FBI seeking “Loverspy” hacker who helped jealous lovers plant spyware

A former college student who allegedly transformed run-of-the-mill, jealous, prying lovers into powerful hackers who could spy on their cheating lovers with his $89 Loverspy (originally “Email PI”) malware has made it to the FBI’s list of “most wanted” cybercriminals.


Among the five people added to the list this week is the alleged developer, 33-year-old Carlos Enrique Perez-Melara, former San Diego college student.

The FBI wants to apprehend Perez for his alleged involvement in manufacturing the spyware, which they say was used to intercept private communications of about 1,000 victims.

The FBI says that Perez advertised a way to “catch a cheating lover”, which was done via a booby-trapped electronic greeting card, typically sent from his computer, which acted as an intermediary between customers and victims.

According to his indictment, the card installed a keystroke logger onto victims’ computers.

All of the victims’ computer activities, including all sent and received email, visited websites, and passwords were intercepted, collected and sent to the purchaser directly or through Perez’s computers.

Loverspy also gave the purchaser the ability to remotely control a victim’s computer, including accessing, changing and deleting files, and turning on webcams.

Loverspy periodically sent email messages back to the service’s purchasers containing the intercepted data.

The program, initially called “Email PI”, was renamed “Loverspy” in July/August 2003, the FBI says.

Perez allegedly hosted the website as well as having developed the malware, running the operation from his San Diego apartment in 2003.

Perez, a native of El Salvador who was here on a student visa, was indicted, along with four people who bought Loverspy, in 2005.

The fugitive spyware developer was added to the FBI’s most wanted list because he’s been so tough to track down.

Last spotted in El Salvador, for the past eight years he’s eluded charges of creating a surreptitious interception device (i.e., the Loverspy program); sending the program to victims (concealed in an innocuous-appearing electronic greeting card); advertising the program; advertising the surreptitious use of the program; illegal wiretapping; disclosing illegally intercepted communications; and obtaining unauthorized access to the victim computers.

Each count of the 35-count indictment carries a maximum penalty of five years in prison and a maximum fine of $250,000.


According to the indictment, 1,000 customers bought Loverspy, then tried to infect about 2,000 computers.

Victims reportedly took the bait only about half the time.

Those who purchased the spyware were charged with illegally intercepting electronic communications. According to Fox News, most of those cases have apparently resulted in probation and fines.

As Fox News points out, Perez is noteworthy because out of all the big money-makers on the FBI’s list, some of whom are accused of bilking millions of dollars from businesses and internet users worldwide, he made relatively little off his scheme.

What he did manage to do was to turn average computer users into technologically sophisticated stalkers.

Perez is now facing a maximum of 175 years in prison.

Eight years ago, according to the indictment, law enforcement had informed all of the spyware’s victims that they’d been electronically stalked.

I hope that they’ve learned not to open fishy e-cards by now, and that they all managed to replace their stalker lovers with much better partners.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/4oRMV8vJ1Jo/

‘HackerOne’: Microsoft and Facebook to offer app and web bug bounties

Microsoft and Facebook, who already run their own bug bounty programs, have announced that they will now work together to offer cash rewards to white hats who discover flaws in popular software applications as well as across the web at large.

The joint program, known as ‘HackerOne‘, offers bounties in return for bugs found in OpenSSL, Python, Ruby, PHP, Rails and Perl, among others. There is also an additional broad category that allows submission of any bugs affecting ‘The Internet’ as a whole.

The advantages of having such a program in place were highlighted as recently as Wednesday, the day that HackerOne was announced, when Microsoft warned users about a zero-day vulnerability that came about via booby-trapped image files.

The HackerOne FAQ says that:

Our collective safety is only possible when public security research is allowed to flourish. Some of the most critical vulnerabilities in the internet’s history have been resolved thanks to efforts of researchers fueled entirely by curiosity and altruism. We owe these individuals an enormous debt and believe it is our duty to do everything in our power to cultivate a safe, rewarding environment for past, present, and future researchers.

Of course curiosity and altruism don’t pay the rent, so aspiring bounty hunters will be pleased to hear that their efforts will be rewarded with cash amounts which start at $300 for finding vulnerabilities in Phabricator apps.

Other programs under the HackerOne umbrella pay from $1,500 to $5,000 and judges can award much higher amounts at their discretion. The more generous among you may also be pleased to hear that some members of the judging panel may increase awards where the recipient opts to donate the money they have earned to charity.

Almost anyone can take part in the bug bounty program with the only noted restrictions applying to individuals currently on US embargo lists, or living in an embargoed nation.

Even minors may submit vulnerabilities, though those under the age of 13 will need to do so through their parents or legal guardians. This is because the collection of data from younger children is prohibited in the US by the Children’s Online Privacy Protection Act.

For a flaw to qualify for a bounty it needs to be discovered in widely used code and either be of a serious or critical nature or unusual in some way.

One potential drawback that bug hunters may want to consider is that once submitted, the vulnerability has to be verified and then the software provider will have 180 days to fix the issue before any disclosure is made or, perhaps more importantly for some, before any monies are paid out.

The panel of judges who adjudicate on the value of awards is primarily made up of Microsoft and Facebook personnel but is complemented by the addition of Chris Evans, a Chromium researcher, Zane Lackey, director of security engineering at Etsy, and Jesse Burns, co-founder of iSec Partners.

This move by Facebook and Microsoft comes at a time when many web-based firms have developed their own programs in order to enhance the security of their products.

Only last month Microsoft paid out its first $100,000 bounty to James Forshaw after he discovered a new type of mitigation bypass technique.

If you are interested in submitting a bug to the HackerOne program then I would suggest that you first read the submission and disclosure guidelines in order to ensure that your efforts are conducted in a responsible and compliant manner.

Image of bug in code courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/cpbZyTvEfqE/

Spies and crooks BOTH ravaging Microsoft’s unpatched 0-day hole


Both cybercrooks and cyberspies have seized on a recently discovered and as-yet-unpatched Microsoft vulnerability to run attacks.

Hackers have seized on the zero-day vulnerability, starring a buggy Microsoft graphics component, to run attacks featuring malicious Word documents.


Microsoft issued a temporary workaround last week, and confirmed at the time that the exploit had been abused in “limited” and targeted attacks “largely in the Middle East and South Asia”. A pre-release notice from Redmond on Thursday confirmed that a patch would not be released in November’s edition of Patch Tuesday.

The vulnerability (CVE-2013-3906) involves the processing of TIFF graphics format files and is present in Microsoft Office 2003, 2007 and 2010 and some of the older Windows Operating Systems.

The one bit of good news is that Microsoft has already released a temporary Fix it that blocks the attack. The temporary workaround doesn’t address the root cause of the vulnerability, as Microsoft itself is up-front in admitting. The fix simply blocks rendering of the vulnerable graphic format that can trigger the bug.

A study by security researchers at Websense discovered that nearly 37 per cent of business users are susceptible to this exploit, which is unlikely to be properly fixed until the 10 December edition of Redmond’s regular Patch Tuesday update cycle.

“Up to 37 per cent of Microsoft Office business users are susceptible to this zero-day exploit,” Alex Watson, director of security research at Websense, explained. “While the impact has been limited to date, we have observed targeted email attacks against Middle East and South Asia victims.”

Many millions of business users are potentially vulnerable, which is particularly bad news because TWO hacking crews have latched onto the flaw and exploitation is “more widespread than previously believed,” according to net security firm FireEye.

FireEye’s research team has found a connection between attacks harnessing the latest zero-day and those previously documented in Operation Hangover. Information obtained from a command-and-control (CC) server used in recent attacks featuring the zero-day exploit reveals that the Hangover group, believed to operate from India, has compromised 78 computers, 47 per cent of which are apparently located in Pakistan.

The Hangover group was previously linked to a sophisticated targeted attack launched from India ultimately designed to steal information from a range of government and private enterprise victims in Pakistan, China and elsewhere. The cyber-espionage campaign was pieced together by Norwegian antivirus firm Norman in the course of its investigation into a cyber attack against Norwegian telco Telenor.

Another group also has access to the latest Office exploit but is using it to deliver the Citadel Trojan malware. This group, described as the Arx group by FireEye, may even have had access to the exploit before the Hangover crew got their mitts on the cyber-munition.

Information obtained from CC systems operated by the Arx group revealed that 619 targets (4,024 unique IP addresses) have been compromised. The majority of the targets are in India (63 per cent) and Pakistan (19 per cent). Citadel plants keystroke-logging Trojans on victims’ machines for the purpose of banking fraud.

FireEye has not yet been able to connect the activities of the two groups but it has published an analysis of the abuse of the vulnerability in the Indian sub-continent. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/08/ms_0day_widely_abused/

Snowden: Hey fellow NSA worker, mind if I copy your PASSWORD?


Edward Snowden persuaded his NSA colleagues to hand over passwords which he later used to download top secret material and leak it to the press.

According to a report on Reuters, the whistleblower cribbed login details from up to 25 co-workers, who have now all been questioned and moved on to different jobs. It is not known how many people were fired.


Sources said he told other staff he needed the information to carry out his job as a computer systems administrator.

Previously, it was claimed the NSA failed to install the latest version of software designed to identify attempts to download data.

Snowden worked at the Hawaii facility for just a few months before leaking a huge cache of documents relating to mass indiscriminate surveillance by American and British spooks.

Security experts warned that top secret organisations often fail to spot the inside threat.

“In the classified world, there is a sharp distinction between insiders and outsiders. If you’ve been cleared and especially if you’ve been polygraphed, you’re an insider and you are presumed to be trustworthy,” said Steven Aftergood, a secrecy expert with the Federation of American Scientists.

“What agencies are having a hard time grappling with is the insider threat, the idea that the guy in the next cubicle may not be reliable,” he added.

The boss of GCHQ claimed to Parliament’s Intelligence and Security Committee that Snowden’s revelations had directly helped Al Qaeda. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/08/snowden_persauded_nsa_colleagues_to_hand_over_passwords/

New Bucks For Bugs Program Focuses On Open-Source Software, Internet Infrastructure

Programs that pay security researchers for finding flaws in software have become all the rage, and now a new bug bounty program launched this week rewards finding vulnerabilities in key open-source software platforms as well as the underlying Internet infrastructure.

Microsoft and Facebook — under the auspices of HackerOne — are co-sponsoring The Internet Bug Bounty, a program that pays anywhere from $300 to $2,500 for a new vulnerability found in key open-source platforms, such as OpenSSL, Python, Ruby, PHP, Django, Rails, Perl, Phabricator, Nginx, and Apache httpd. The program also rewards a minimum of $5,000 to researchers who find working flaws in sandbox technologies, and a minimum of $5,000 for bugs found in the Internet’s underlying infrastructure, such as DNS, SSL, or PKI, for example.

“I’m really happy about this program,” says renowned security researcher Dan Kaminsky, who discovered a key DNS bug in 2008 that affected a large portion of the Internet. “The black market has gotten so hot because there are so many players doing criminal activities … more accurately, they are out to compromise systems, and that takes a lot of work even to identify a flaw [to exploit].

“If nothing else, this program provides direct incentive for people to raise the quality of [software] flaw analysis,” he says, pointing to the program’s emphasis on quality vulnerability finds that pose real risks to the Internet community and its well-defined guidelines that promote responsible hacking.

Not all bug discoveries will actually qualify for a bounty payment, either, according to the program’s disclaimer. In the case of Internet bugs, for example, the criteria for a paid flaw is one that affects multiple products, affects a significant number of users, or is “severe” or “novel,” for instance.

There are two rewards for each bug — one for finding it and the other for fixing it. So a researcher could make twice as much money by discovering and repairing a flaw.

Both Microsoft and Facebook, like many major vendors today, have established their own bug bounty programs that pay researchers who find flaws in their products.

“Facebook and Microsoft are funding the initial round, but this is a broader community effort involving participation from a range of backgrounds. We’re all invested in the security of the Internet, and since we’ve all seen the positive benefits from bug bounty programs, it was a natural extension for some of the heaviest users of the Web to partner up to help protect it,” says Alex Rice, product security lead at Facebook.

[How Microsoft’s new bug bounty program will play in the quest for more secure software. See Microsoft’s Big Bucks For Bugs Ups The Ante .]

A panel of volunteers from the security community is charged with managing the program, including Microsoft’s Katie Moussouris, Matt Miller, Roman Porter, and Arthur Wongtschowski; Facebook’s Rice, Neal Poole, and Colin Greene; Chrome’s Chris Evans; iSec Partners’ Jesse Burns; and Etsy’s Zane Lackey.

“The Internet Bug Bounty is accessible to a broad pool of security researchers and has the potential to improve security for a wide variety of technology users,” says Moussouris, senior security strategy lead for Microsoft Trustworthy Security. “This bounty is a great way to support coordinated disclosure of critical vulnerabilities in shared components of the Internet stack.”

Countering the black market for bugs, indeed, is the main incentive for heavy-hitters like Microsoft and Facebook to team up and sponsor a vulnerability reward program for open-source platforms, says Chris Wysopal, CTO at Veracode. “This is a reaction to that” black market for bugs, he says. “This is really trying to disrupt the offensive market. As the offensive side of vulnerability finding has grown, this is counterbalancing it.”

And more secure open-software platforms also benefit those vendors, as well as the entire Internet community, security experts say. “This is definitely helping out those open-source projects,” Veracode’s Wysopal says. “And [the vendors involved] are also helping themselves because they use these products. It’s a win for them and a win for the Internet, in general.”

The closest thing to a bug bounty for finding flaws in open-source software is Google’s new patch bounty, announced earlier this month. Google launched an experimental program that offers rewards for coming up with security improvements to key open-source projects, such as OpenSSH, BIND, Chromium, and KVM.

Open-source software is often considered the weak link in applications, as flaws in open-source code have been targeted by attackers looking for the quickest and simplest way to break into systems. Community software projects typically lack sufficient resources to stay on top of bugs and patches, so the new HackerOne program should help.

Whether this newfound abundance of bug bounty programs will boost or dilute efforts to secure software remains to be seen. Facebook’s Rice says the new program complements existing ones. “We see this program as complementary to existing bug bounty programs, and it’s focused on covering areas of the Web that aren’t currently in scope for existing programs,” he said in an email interview.

Kaminsky, chief scientist and co-founder of fraud prevention startup White Ops, says the bigger problem with many bug bounty programs has been lesser-quality bug finds, and this new program should raise the bar to avoid that. “What’s good about having this overarching program is that it very much puts a stake in the ground that this is what a program should look like, these are the types of good bugs to pay for,” he says.

The Internet Bug Bounty has inspired Wysopal to rethink Veracode’s informal bug bounty program for its own software. The secure code firm currently sends a “thank you package” to a researcher who finds any flaws in its code: It has no official funding for a bounty program at this time. Wysopal says he thinks the program may pressure other vendors to pony up with monetary awards for bugs found in their software, even at Veracode: “Maybe I’ll see if I can get some” funding now, he says.


Article source: http://www.darkreading.com/vulnerability/new-bucks-for-bugs-program-focuses-on-op/240163714

From Event Gatherers To Network Hunters

When David Bianco examined a company’s Web browsing logs, it did not take long for a pattern to appear.

At regular intervals, nearly a dozen systems across the network would all request data from the same Web page. Because the company, which Bianco declined to name, captured network data, additional analysis revealed that all of the suspicious systems downloaded small binaries. By running those executables in a virtual machine, Bianco, a network hunter, was able to identify the cause of the problem — an attacker using specialized malware.

Bianco, whose official title is Hunt Team Manager at incident-response firm Mandiant, does not like to wait for automated systems to flag suspicious behavior. As a network hunter, he goes looking for it. It’s a role that more companies should develop because it allows them to run down attackers in their networks before they do damage, he says.

“The goal of hunting is not only to find the evil in your organization,” he says. “The goal of hunting is to explore methods that let you find the evil in your organization, and — when you find those methods — you polish them up so you don’t have to hunt for the same stuff again.”

Companies that only wait for their security information and event monitoring systems to alert them to anomalies are missing a key resource in the fight against online attacks: inquisitive security analysts. By being more aggressive within their own networks and hunting down signs of suspicious behavior, network hunters can minimize the time between infection and detection, says Will Gragido, senior manager of advanced threats research and intelligence for security firm RSA.

“A proactive defense is something that organizations should aspire toward,” he says. “I don’t think there is anything wrong with advocating a proactive defense because it is not the same as hacking back.”

While only organizations with mature network security groups typically have the capability to hunt for anomalies in their networks, it is a skill that should be developed within any security group, he says.

Network hunters exploit a weakness that hampers all external attackers: The attackers do not know the layout of the target’s network, so they will do things that insiders would never do as they poke around the network and discover its topology, says Dan Kaminsky, chief scientist at White Ops, a firm focused on securing the online advertising business.

“They actually don’t know the network they have broken into; they have to discover it,” he says. “So you want to find these rare signals that reveal the attacker’s actions in real time.”

Companies looking to start developing the needed skills for network hunters should begin at the end of the cyber kill chain, says Mandiant’s Bianco.

Kill-chain analysis models the steps that an attacker must take to achieve his or her objective. The cyber kill chain, a concept first introduced by Lockheed Martin, consists of seven steps: reconnaissance of the target, creating an attack, delivering the payload, exploiting the target, installing tools, establishing command and control, and leveraging access to take action. Most companies embarking on their first hunt should look for the most serious activities at the end of the kill chain: signs of data exfiltration and command-and-control activity, Bianco says.

[For the cybercriminal lions out on the Internet, your company is full of zebras. Defenders should not just protect the herd, but pay attention to those who stray, experts argue. See Five Ways To Better Hunt The Zebras In Your Network.]

Data exfiltration may look like large amounts of traffic from a sensitive server or smaller amounts leaving at frequent intervals. Command-and-control traffic generally consists of HTTP requests to suspicious or unknown destinations. Where hunters look depends on what they want to find, he says.
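As an added example (not code from the article, Mandiant, or any firm quoted here), the following Python hunt runs over constructed proxy-log lines and flags the pattern Bianco describes: many internal hosts fetching the same URL at near-regular intervals. The log field layout and the thresholds are assumptions.

```python
"""Beaconing hunt over web proxy logs: an added example, not the article's or
Mandiant's code. Flags URLs that many internal hosts fetch at near-regular
intervals, the pattern Bianco describes. Log lines and field layout are constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: "timestamp src_ip url bytes_in". Hosts 10.0.0.5/6/7 poll
# the same page every 600 s (a beacon); 10.0.0.9 browses an intranet page normally.
SAMPLE_LOG = """\
2013-11-05T09:00:00 10.0.0.5 http://203.0.113.10/update.php 5120
2013-11-05T09:00:02 10.0.0.6 http://203.0.113.10/update.php 5120
2013-11-05T09:00:04 10.0.0.7 http://203.0.113.10/update.php 5120
2013-11-05T09:03:11 10.0.0.9 http://intranet.example/news 18400
2013-11-05T09:05:02 10.0.0.9 http://intranet.example/news 9100
2013-11-05T09:10:00 10.0.0.5 http://203.0.113.10/update.php 5120
2013-11-05T09:10:03 10.0.0.6 http://203.0.113.10/update.php 5120
2013-11-05T09:10:04 10.0.0.7 http://203.0.113.10/update.php 5120
2013-11-05T09:20:00 10.0.0.5 http://203.0.113.10/update.php 5120
2013-11-05T09:20:02 10.0.0.6 http://203.0.113.10/update.php 5120
2013-11-05T09:20:05 10.0.0.7 http://203.0.113.10/update.php 5120
2013-11-05T09:31:09 10.0.0.9 http://intranet.example/news 22000
"""

def parse(log):
    """Yield (timestamp, src, url) tuples from the constructed format."""
    for line in log.splitlines():
        ts, src, url, _ = line.split()
        yield datetime.fromisoformat(ts), src, url

def find_beacons(log, min_hosts=3, max_jitter=0.2):
    """Return {url: (host_count, mean_interval_s)} for URLs fetched by at least
    min_hosts distinct sources whose inter-request gaps vary by no more than
    max_jitter (stdev / mean). A host needs >= 3 requests to be scored."""
    visits = defaultdict(lambda: defaultdict(list))
    for ts, src, url in parse(log):
        visits[url][src].append(ts)
    hits = {}
    for url, by_host in visits.items():
        intervals = []
        for times in by_host.values():
            times.sort()
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            if len(gaps) >= 2 and mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
                intervals.append(mean(gaps))
        if len(intervals) >= min_hosts:  # many hosts, same page, same cadence
            hits[url] = (len(intervals), round(mean(intervals)))
    return hits
```

A hit is a starting point for the analyst, not a verdict: the next step is to pull the downloaded objects for the flagged URL, as Bianco did, before turning the pattern into a rule.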

“It’s like saying, ‘If I’m going to hunt birds, I look in the trees, and if I’m hunting deer, I look at the ground,’” Bianco says.

Once a network hunter finds the attacker or malware in the network, they can turn their knowledge of how to pinpoint the attack into rules for the company’s network and security equipment. By fusing the internal information with external threat data, a company can take an internal investigation and turn it into a rule set that can automatically detect such attacks in the future.

It’s that ability to improve security in the future that makes network hunting so valuable, says Adam Meyers, director of intelligence at security services firm CrowdStrike.

“The big challenge is, how do you operationalize intelligence information?” he says. “When they are hunting for things on their network, that is where they are getting into the operationalization of the data.”


Article source: http://www.darkreading.com/threat-intelligence/from-event-gatherers-to-network-hunters/240163721

Silk Road reboots: for real, or just a honeypot?

Silk Road has reportedly reopened, though it’s anybody’s guess whether the rebirth of the online drugs and weapons black market is for real, or in fact a honeypot.

What Motherboard’s Joseph Cox calls the “online-marketplace-cum-libertarian-movement” found a new home and was scheduled to reopen for business on Tuesday 5 November at 16:20 GMT – a “poetic” time on an auspicious date, notes the dark web-focused site AllThingsVice.

(As it turns out, the Silk Road relaunch, the date and time of which jazzed the drug culture cognoscenti, got pushed back 24 hours to Wednesday – a date that isn’t druggishly auspicious at all.)

The AllThingsVice post was apparently written by a registered user of the original Silk Road, or at least by somebody invited by a user to join the new site, given that s/he writes that registration is closed to new members unless they have an invitation from an existing member.

At any rate, according to AllThingsVice, the Silk Road that’s risen from the ashes is “trying its best” to be a remake of the original, which the FBI seized in October, causing much freakout among users over lost Bitcoins, drug shipments and resulting debts to drug sellers.

You can see those themes of lamentation in Reddit comments from the r/SilkRoad subreddit, as published by Business Insider.

Within hours of the arrest of Silk Road’s alleged ringleader, Ross Ulbricht, authorities arrested eight more in the US, the UK and Sweden.

Are more arrests in the works? And is the new site a sticky trap for luring even more drug aficionados?

That’s worth pondering, and it well might continue to rain a cold shower down on the growth of the new Silk Road.

As it is, the FBI affidavit filed in connection with Ulbricht’s arrest indicated that law enforcement got its hands on multiple Silk Road servers, both within and outside of the US, including the server that hosted the site.

The FBI said in the affidavit that as of 23 July 2013, the server showed some 957,079 registered user accounts.

Staffers who held administrative and moderator positions on the old Silk Road might not fear that the seized servers will give them away, or they might not care, given that, as AllThingsVice reports, known and trusted former Silk Roaders have banded together to recreate the market.

They’ve reconstructed the community, s/he writes, and have come up with a new figurehead – i.e., one or more people who fill the shoes of the “Dread Pirate Roberts” persona, who maintains the site’s philosophy.

The changes in the relaunched site are slight and include a new login page that parodies the seizure notice posted by the Department of Justice on the prior Silk Road’s homepage, with the notice that “This Hidden Site Has Been Seized” replaced by the declaration “This Hidden Site Has Risen Again.”


Although AllThingsVice has published the URL for the site, don’t expect to find it unless you can get an invitation.

As noted, it requires new users to be invited, and like all onion sites, it can only be reached through the Tor anonymizing service.

Are users safer on the new site than on the old, or should they still be waiting for the law to show up on their doorsteps?

The relaunched site is now reportedly featuring a new security feature that allows users to use their Pretty Good Privacy (PGP) encryption key as an extra authentication measure.

Would-be drug buyers and sellers should, of course, ponder whether that’s going to shield them from the law.

This FAQ on PGP tackles the question of whether the US National Security Agency (NSA), for one, managed to put a back door into MIT PGP as a prerequisite for its legal status.

The response:

First of all, the NSA had nothing to do with PGP becoming “legal”. The legality problems solved by MIT PGP had to do with the alleged patent on the RSA algorithm used in PGP.

Second, all the freeware versions of PGP are released with full source code to both PGP and to the RSAREF library they use (just as every other freeware version before them was). Thus, it is subject to the same peer review mentioned in the question above. If there were an intentional hole, it would probably be spotted. If you’re really paranoid, you can read the code yourself and look for holes!

As for Tor, we know from Edward Snowden’s leaks of classified documents that US surveillance really, really hates it, given how maddening Tor layers are to unpeel.

Maybe users will be safer on the new site.

Then again, maybe the FBI is still identifying users from the server of the old site, and knocks on doors are in the works.

Image of road sign courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/FBvXp_KBwOM/