STE WILLIAMS

Facebook crushes 583 million fake accounts in 3 months

On Tuesday, Facebook took yet another stab at transparency in these days of users’ and politicians’ outrage.

It came in the form of the first release of the company’s Community Standards Enforcement Report, and it was stuffed with the type of detail that Mark Zuckerberg told so many Congresspeople he’d need to get back to them on when he was first lightly sautéed and then flame-grilled in two days of testimony.

For years, Facebook has had Community Standards that explain “what stays up and what comes down.”

Last month, for the first time, Facebook published the internal guidelines it follows to enforce those standards.

Tuesday’s release of the first ever Community Standards Enforcement Report is a way to hand over the numbers that have resulted from that enforcement. With that information in hand, Facebook’s thinking goes, we can all judge for ourselves how it’s doing when it comes to getting rid of all those fake accounts and their spammy output… And posts with nudity. Or sexual activity. Or hate speech. Or terrorist propaganda.

Guy Rosen, Facebook’s vice president of product management, said in the post that the company’s disabled about 583 million fake accounts during the first three months of this year, or between 3% and 4% of monthly active users. It’s taken down nearly 1.3 billion over the past six months.

The majority of fake accounts were blocked within minutes of registration, Facebook said, touting its artificial intelligence (AI) auto-flag, auto-destroy technologies. On a daily basis, it crushes millions of fake accounts before they ever hatch.

Take down the accounts, and you’re on the road to wiping out the spam they spew, 837 million pieces of which Facebook found and flagged in Q1 2018. Nearly 100% of that spam was discovered and flagged before anyone reported it, Facebook says.

Taking down fake accounts is important not just to fight spam. It’s also crucial for battling fake news, misinformation, bad ads and scams. For example, following Facebook’s F8 developer conference, the company said that it’s started to use AI to automatically sniff out accounts linked to financial scams.

Numbers on other types of violative content:

  • Facebook took down 21 million pieces of what it considers to be adult nudity and sexual activity in Q1 2018. It found 96% of titillating content before it was reported. Facebook estimates that out of every 10,000 pieces of content viewed on Facebook, just seven to nine views were of content that violated its adult nudity and pornography standards… which, by the way, have a history of head-scratching decisions. A few years ago, Facebook found itself having to clarify just what non grata “nudity” is. TL;DR: it has to do with the nuances of nipples.
  • For graphic violence, Facebook took down or applied warning labels to about 3.5 million pieces of violent content in Q1 2018, 86% of which was identified by AI before users reported it to Facebook.
  • Hate speech is a tough one, not just for Facebook but also for Twitter, YouTube and other platforms. Facebook says its technology “still doesn’t work that well and so it needs to be checked by our review teams.” It removed 2.5 million pieces of hate speech in Q1 2018, 38% of which was automatically flagged before it saw the light of day.

Rosen echoed what Zuckerberg said at F8 recently: “we have a lot of work to do to prevent abuse.”

For example, spotting hate speech is complex, as Rosen described in a detailed post following F8.

From Tuesday’s post:

Artificial intelligence isn’t good enough yet to determine whether someone is pushing hate or describing something that happened to them so they can raise awareness of the issue.

AI also needs to be trained with large amounts of data to recognize meaningful patterns of behavior. Facebook doesn’t always have that much training data, particularly in less widely used languages.

All in all, the report is Facebook’s latest bid to pull itself out of the post-Cambridge Analytica mess it got itself into…

…a user data-sharing fiasco that’s already chalked up two more misbehaving apps: besides Cambridge Analytica, we got a second app posing as a research lamb that turned out to be selling our data to the marketing wolves, and then, this week, we got yet another research app that left users’ intimates out on the laundry line, unsecured, for four years.

But Facebook’s got much, much more to dig itself out of besides the app agonies. For example, one imagines that many of the questions that this report tries to answer have to do with the 2016 US presidential election manipulation spree, replete as it was with Russian trollery, fake news and political ads illegally purchased by overseas entities.

And that’s just part of a more overarching question: namely, is Facebook now too powerful? And can it even keep up with what it calls “sophisticated adversaries who continually change tactics to circumvent our controls?”


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/DA3HYWoGD5k/

Blighty’s super-duper F-35B fighter jets are due to arrive in a few weeks

Britain’s first permanently based F-35B fighter jets are due to arrive in our green and pleasant land in June.

The news nugget was delivered by defence secretary Gavin Williamson, who informed world+dog that the supersonic stealth jets will arrive at RAF Marham in Norfolk in a few weeks.

The announcement was timed for the 75th anniversary of the famous Dams Raid of the Second World War, which took place over the night of 16-17 May 1943. 617 Squadron RAF bombed dams in Germany’s industrial Ruhr heartland.

Starved of hydro-electric power, Germany’s biggest arms factories took a measurable knock in production. Thousands of German personnel were promptly redeployed to sit around the dams manning flak guns instead of being on the Eastern Front fighting against Russia, at the time a British ally. Instead the German troops were left gazing at the skies in case the RAF came back to have another go.

617 Sqn has been reformed to fly the F-35, becoming one of a number of RAF and RN units that will do so. Currently the squadron is training in America with its new jets, of which the UK currently has 15 on charge. Deliveries to the British Armed Forces are deliberately slow until the Americans have frozen the design and started full-rate production, with Britain hoping not to have to spend millions on upgrades and paying over the odds for early-stage machines.

“Just like those Lancasters which played such a vital role in the Second World War, the F-35B Lightning is based on great British design, operating with futuristic technology to adapt to an increasingly dangerous world,” said Williamson in the inevitable canned quote.

This is a bit of a stretch, to put it politely. The Avro Lancaster was an all-British design, with the possible exception on moral grounds of the Mk.III’s Packard Merlin engines that were built in America to the British blueprints, albeit with some light production engineering tweaks – and, naturally, the defensive armament of US-designed Browning machine guns.

Moreover, the “futuristic technology” that the defence secretary would have us compare the F-35B to consisted of a wooden triangle with two pegs in (the bomb sight for the Dams Raid) and converging spotlights fitted under the wings so the pilot could see when he was at precisely 60 feet, the release height for the famous bouncing bomb used to demolish the dams. Indeed, the bouncing bomb itself was dreamt up by British engineering genius Sir Barnes Wallis, who came up with the idea to ensure that the barrel-shaped weapon would skip along the water’s surface and then roll itself down the wall of the dam before exploding at the right depth. Conventional bombs were unable to reliably stay in contact with the wall before exploding.

Wallis devised the bouncing principle by watching children skim stones off the surface of a pond. It was ingenious but miles from being high-tech. One suspects the ambitious politician was a little too keen to get a soundbite out without doing some due diligence, though El Reg is naturally delighted to be able to help him out.

The F-35B, in contrast to the venerable old Lanc, is an all-American design, though Britain has been permitted to build parts of the airframe in return for buying 138 of the complete product. Most of the operational procedures for the F-35B, which is the short takeoff and vertical landing variant, are derived from British R&D work, however.

As we revealed in our in-depth chat with British F-35B test pilot Andy Edgell earlier this year, the level of automation in the F-35 is so great that the aircraft is capable of going from full forward flight to hovering and landing with the touch of two buttons. This is a far cry from the very basic and occasionally faulty autopilot in wartime Lancasters, which 617 Sqn’s commander, Guy Gibson, was particularly scathing about in his book. ®

Damnote

Wing Commander Guy Gibson, 617’s first commanding officer and the man who led the Dams Raid, captured the events in his seminal wartime book Enemy Coast Ahead. Though written under wartime censorship and therefore a little light on detail, it is an excellent read.

Paul Brickhill’s post-war volume, The Dam Busters, gives the full operational history of 617 Sqn from formation to Dams Raid and the war’s end, including the unit’s exploits with the Tallboy and Grand Slam mega-bombs, with the latter weighing in at a hefty 22,000lbs (10,000kg). The unit’s Lancasters had to be fitted with uprated engines, along with having any unnecessary weight stripped out, in order to carry the Grand Slam – with the items removed including the defensive mid-upper gun turret.

Having been formed of hand-picked crews for the Dams Raid, 617 Sqn has retained its legendary status in the RAF as an elite unit. It was equipped with Tornado ground attack jets until a couple of years ago when it was disbanded.

Sponsored:
Minds Mastering Machines – Call for papers now open

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/05/17/uk_f35bs_arriving_june_raf_marham/

Boosting Security Effectiveness with ‘Adjuvants’


How integrating corporate resources like the IT help desk, system administration, quality assurance and HR can breathe new life into your security program.

In medical treatment there is a concept of an “adjuvant” — an agent that enhances the effect of other agents. It’s not the cure, but it helps the cure be more effective. Adjuvants are added to medicines to enhance their responses and lengthen their effect. We can use this same concept for security work.

How does this work? Security already taps other departments to help with an organization’s security mission. It’s time we recognize that a strong performance by these folks can be a force multiplier. For example, personnel in QA, the IT Help desk, IT Operations, and Human Resources are already pre-approved to do security work. What you need to do is reinforce and extol their efforts. Yes, they will probably do an adequate job without help, but it’s to your advantage to invest in these adjuvants to be more effective and influential in their security work.

What Can a Security Adjuvant Do?
The key is to have adjuvants breathe life into your security controls, so they become integrated into the organizational culture. In many ways, they act as part of the security team to ensure that security policy and process is followed. Because adjuvants are not part of the security team, they have a unique perspective that straddles both security and business goals. When security processes fail, security adjuvants can help diagnose problems. They are also able to double-check that security processes are working as intended—that is, even if the process is being followed, is it meeting the goal? Because of this unique perspective, they can also help bridge the gap between aspiration (the policy) and the execution (the reality).

Enough with the theory, let’s look at how security adjuvants work, beginning with one of the humblest but most essential roles in IT.

IT Help Desk
The IT help desk is the front line for security. As the single point of contact for users, it’s the first place they turn to with questions and complaints. Therefore, security needs to provide the help desk with a clear process to follow and open communication paths to resolve questions. The help desk needs a fast escalation path to security to ensure developing situations are spotted early and contained. You want to know right away if a phish has been clicked or a malware outbreak is in progress.

System Administration
The sysadmins are likely to have more knowledge about specific attacks, vulnerabilities, and technical controls than some on the security team. Since sysadmins work with the firewalls, authentication servers, security logs, and encryption systems, they can give expertise to the security team. I’ve always considered it the security team’s job to provide tools and guidelines to help the sysadmins. Sysadmins are also able to give good feedback on why a proposed security change may negatively affect operational stability. They are also often aware when something doesn’t look right, either in a suspicious log entry or how a system is behaving. These are the times when you want sysadmins to be very willing to consult with Security to help in the investigation.

Quality Assurance
The Quality Assurance (QA) team is a great ally for security. Not only do they find the bugs that can lead to security vulnerabilities, they can also frame the fixes in a broader context of improved product quality. Often security holes are dismissed as the security team crying that the sky is falling. When QA flags them, vulnerabilities can be tied to customer experience. This means that QA teams should have a strong understanding of the application threat models. They should also be provided with a method of testing security vulnerabilities, either directly by demonstration or indirectly from test scripts that can be integrated into the test suites.

Human Resources
Outside the technical areas, Human Resources (HR) often is involved in security matters. When new employees are on-boarded, security needs to make sure these employees are educated on security policies and procedures. HR often can help facilitate both policy sign-off and security awareness directly themselves. Since maintaining a close tie to current employees and authorized user accounts is a key security measure, HR needs to integrate processes with IT or Security to ensure new employees get user accounts, and departing employees have their accounts disabled. When there are involuntary terminations, security needs to be in the loop to ensure all credentials are cut off at once. When severe security policy violations occur, HR also needs to work with security to ensure proper documentation and sanctions are applied.
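The HR section above describes a process (joiners get accounts, leavers get disabled, involuntary terminations are cut off at once) that is easy to state and easy to let drift. The following is an added example, not code from the article or from F5: a reconciliation of a constructed HR roster against a constructed directory export that flags each kind of drift. The CSV layouts, field names and people are assumptions.

```python
"""Joiner/leaver reconciliation between an HR roster and a directory export.

Added example, not the article's code. It checks that every active employee
has an account, every departed employee's account is disabled, involuntary
terminations were disabled no later than the termination itself, and voluntary
leavers were disabled within a grace period. CSV layouts and people are
constructed; the field names are assumptions.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed HR roster (assumed layout).
HR_ROSTER = """\
employee_id,name,status,termination_type,termination_at
1001,Ada Example,active,,
1002,Ben Sample,terminated,voluntary,2018-05-10T17:00:00
1003,Cy Placeholder,terminated,involuntary,2018-05-14T09:00:00
1004,Dee Construct,terminated,voluntary,2018-05-01T12:00:00
1005,Eve Joiner,active,,
"""

# Constructed directory export (assumed layout); svc-legacy has no HR owner.
DIRECTORY_EXPORT = """\
account,employee_id,enabled,disabled_at
ada.example,1001,true,
ben.sample,1002,true,
cy.placeholder,1003,false,2018-05-14T11:30:00
dee.construct,1004,false,2018-05-01T15:00:00
svc-legacy,,true,
"""


def _parse_ts(value):
    """ISO-8601 timestamp or None for an empty field."""
    return datetime.fromisoformat(value) if value else None


def reconcile(hr_csv, dir_csv, grace_hours=24):
    """Return sorted (account_or_employee_id, finding) tuples describing drift."""
    grace = timedelta(hours=grace_hours)
    people = {r["employee_id"]: r for r in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    seen = set()
    for acct in csv.DictReader(io.StringIO(dir_csv)):
        eid = acct["employee_id"]
        enabled = acct["enabled"].lower() == "true"
        person = people.get(eid)
        if person is None:
            findings.append((acct["account"], "no HR record (orphan or service account)"))
            continue
        seen.add(eid)
        if person["status"] == "active":
            if not enabled:
                findings.append((acct["account"], "active employee with disabled account"))
            continue
        # From here on the employee has left the organisation.
        term_at = _parse_ts(person["termination_at"])
        disabled_at = _parse_ts(acct["disabled_at"])
        if enabled:
            findings.append((acct["account"], "departed employee still enabled"))
        elif person["termination_type"] == "involuntary":
            # Involuntary: credentials must be cut off at once, never after the fact.
            if disabled_at is None or disabled_at > term_at:
                findings.append((acct["account"], "involuntary termination: account outlived termination"))
        elif disabled_at is None or disabled_at - term_at > grace:
            findings.append((acct["account"], "voluntary leaver disabled after grace period"))
    # Joiners: every active employee should already have an account.
    for eid, person in people.items():
        if person["status"] == "active" and eid not in seen:
            findings.append((eid, "active employee without account"))
    return sorted(findings)


if __name__ == "__main__":
    for subject, finding in reconcile(HR_ROSTER, DIRECTORY_EXPORT):
        print(f"{subject}: {finding}")
```

Run against a real roster and directory export, the same four findings are the ones worth routing straight to the security team rather than to a weekly report.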

Empowering and Investing in the Security Adjuvants
Partnering with your security adjuvants means more than just assigning them security responsibilities. It means answering their calls and emails in a timely manner, attending some of their meetings, listening to their needs, and providing customized training and documentation for them. This not only helps them do their security work but more importantly, it sends them a message that you’re invested in helping them succeed. You’re sending a message that everyone is working together to improve security. This extra effort with the adjuvants also gives Security a chance to communicate their goals and knowledge of threats on an ongoing basis.

Having committed, capable individuals outside of the security team is a potent adjuvant to help a security program succeed. Another future role for security adjuvants is to recruit them into the security department. Remember, security is a team effort and savvy CISOs should look beyond their own department for assistance.


Raymond Pompon is a Principal Threat Researcher Evangelist with F5 Labs. With over 20 years of experience in Internet security, he has worked closely with Federal law enforcement in cyber-crime investigations. He has recently written IT Security Risk Control Management: An …

Article source: https://www.darkreading.com/partner-perspectives/f5/boosting-security-effectiveness-with-adjuvants/a/d-id/1331825?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Oh, great, now there’s a SECOND remote Rowhammer exploit

Hard on the heels of the first network-based Rowhammer attack, some of the boffins involved in discovering Meltdown/Spectre have shown off their own technique for flipping bits using network requests.

With a gigabit connection to the victim, the researchers reckon, they can induce security-critical bit flips using crafted quality-of-service packets.

Last week, we reported on research called “Throwhammer” that exploited Rowhammer via remote direct memory access (RDMA) channels.

In separate research, Meltdown/Spectre veterans Daniel Gruss, Moritz Lipp and Michael Schwarz of Graz University of Technology and their team have published a paper describing Nethammer (their co-authors are Lukas Lamster and Lukas Raab, also of Graz; Misiker Tadesse Aga of the University of Michigan; and Clémentine Maurice of IRISA at the University of Rennes).

Nethammer works, they said, without any attacker-controlled code on the target, attacking “systems that use uncached memory or flush instructions while handling network requests.

“Depending on the location, the bit flip compromises either the security and integrity of the system and the data of its users, or it can leave persistent damage on the system, ie, persistent denial of service”.

Here’s a quick recap of Rowhammer to help understand how Nethammer works: by rapidly writing and rewriting memory, it induces capacitor errors in DRAM, and the resulting data corruption can be manipulated to gain control over the victim’s machine.

In its original form, Rowhammer let an attacker escalate their privilege to kernel level, but you needed access to the victim machine.

Nethammer mounts remote attacks by exploiting the memory used for packet processing, if you can send enough of them.


“Nethammer sends a crafted stream of network packets to the target device to mount a one-location or single-sided Rowhammer attack by exploiting quality-of-service technologies deployed on the device,” the paper explains.

“For each packet received on the target device, a set of addresses is accessed, either in the kernel driver or a user-space application processing the contents.”

In normal circumstances, caching would make an attack difficult, so the Graz team worked out how to bypass the cache and send their attacks “directly into the DRAM to cause the row conflicts required for hammering”.

If the victim’s machine is susceptible to single-sided hammering and has DDR2, DDR3 or DDR4 memory installed, the group demonstrated working attacks on personal computers and on virtual machines running in cloud environments.

The good news? The best mitigation is to have systems that defend network connections against traffic spikes, because an attacker needs to fire a lot of packets at the target: “In our experiments, we sent a stream of UDP packets with up to 500 Mbps to the target system. We were able to induce a bit flip every 350 ms”, the paper notes.

Brief spikes at high throughput could get past such defenses, however. ®
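The mitigation the article lands on is a network defence against traffic spikes, with the caveat that brief high-throughput bursts can slip past it. The following is an added example, not code from the article or from the Nethammer paper: a detector over constructed flow records that applies both a sustained-rate rule (a 350 ms window average, matching the paper's one flip per 350 ms at up to 500 Mbps) and a per-slot burst rule for the spikes a window average would smooth away. The flow-record layout, thresholds and traffic are assumptions.

```python
"""Sustained-rate and burst detection for inbound UDP streams.

Added example, not the article's or the paper's code. The paper's figures
(UDP at up to 500 Mbps, a bit flip about every 350 ms) set the window; the
burst rule covers the caveat that short spikes evade an average-based defence.
Flow-record layout 'ts_ms src dst proto bytes' and all traffic are constructed.
"""
from collections import defaultdict

SLOT_MS = 10              # bin width for per-slot throughput
WINDOW_MS = 350           # sustained-rate window, matching ~350 ms per flip
SUSTAINED_MBPS = 400.0    # window average at or above this is a sustained stream
BURST_MBPS = 800.0        # any single slot at or above this is a burst
MTU_PAYLOAD = 1500        # bytes per constructed packet


def parse_line(line):
    """Parse a constructed flow record: 'ts_ms src dst proto bytes'."""
    ts, src, dst, proto, nbytes = line.split()
    return int(ts), src, dst, proto, int(nbytes)


def slot_rates(lines):
    """Return {src: {slot_index: mbps}} for UDP records binned into SLOT_MS slots."""
    bytes_per_slot = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ts, src, _dst, proto, nbytes = parse_line(line)
        if proto != "UDP":            # only the UDP stream matters for this check
            continue
        bytes_per_slot[src][ts // SLOT_MS] += nbytes
    to_mbps = 8 / (SLOT_MS / 1000) / 1e6   # bytes in one slot -> megabits per second
    return {src: {slot: b * to_mbps for slot, b in slots.items()}
            for src, slots in bytes_per_slot.items()}


def detect(lines):
    """Return {src: set of reasons} for sources breaching either rule."""
    alerts = {}
    slots_per_window = WINDOW_MS // SLOT_MS
    for src, rates in slot_rates(lines).items():
        reasons = set()
        first, last = min(rates), max(rates)
        # Sustained rule: slide the 350 ms window; slots with no traffic count as zero.
        for start in range(first, last + 1):
            total = sum(rates.get(s, 0.0) for s in range(start, start + slots_per_window))
            if total / slots_per_window >= SUSTAINED_MBPS:
                reasons.add("sustained")
                break
        # Burst rule: one hot slot is enough, whatever the window average says.
        if max(rates.values()) >= BURST_MBPS:
            reasons.add("burst")
        if reasons:
            alerts[src] = reasons
    return alerts


def make_stream(src, mbps, duration_ms, proto="UDP", start_ms=0, dst="10.0.0.1"):
    """Construct flow lines for a constant-rate stream (start_ms aligned to SLOT_MS)."""
    per_slot = round(mbps * 1e6 * (SLOT_MS / 1000) / 8 / MTU_PAYLOAD)
    lines = []
    for slot in range(duration_ms // SLOT_MS):
        base = start_ms + slot * SLOT_MS
        for i in range(per_slot):
            ts = base + (i * SLOT_MS) // per_slot   # spread packets across the slot
            lines.append(f"{ts} {src} {dst} {proto} {MTU_PAYLOAD}")
    return lines


# Constructed traffic: a sustained 500 Mbps UDP stream (the paper's figure), a
# 20 ms burst at 1 Gbps, a benign 50 Mbps stream, and a TCP transfer to ignore.
SAMPLE_LINES = (
    make_stream("10.0.0.9", 500, 1000)
    + make_stream("10.0.0.7", 1000, 20, start_ms=300)
    + make_stream("10.0.0.5", 50, 1000)
    + make_stream("10.0.0.3", 900, 1000, proto="TCP")
)

if __name__ == "__main__":
    for src, reasons in sorted(detect(SAMPLE_LINES).items()):
        print(src, ", ".join(sorted(reasons)))
```

The 1 Gbps burst averages under 60 Mbps across the 350 ms window and so only trips the burst rule, which is exactly the gap the article's closing caveat points at.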


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/05/17/nethammer_second_remote_rowhammer_exploit/

Russian malware harvesting Telegram Desktop creds, chats

Already under attack by Russia’s telecommunications regulator, a new source of woe has emerged for crypto-chat app Telegram: malware.

In news that won’t surprise anybody at all, researchers from Cisco Talos say the malware attacking Telegram’s desktop app was written by a Russian speaker.

Vitor Ventura and Azim Khodjibaev explained what they saw in two April attacks involved collecting “cache and key files from end-to-end encrypted instant messaging service Telegram.”

The malware targets only the desktop version because it “does not support Secret Chats and has weak default settings” – shortcomings specific to the desktop version, and ones Telegram warns users about, explaining why that security is absent in that environment.

The attack works “by restoring cache and map files into an existing Telegram desktop installation, if the session was open,” giving the attacker the chance to access the victim’s session, contacts, and previous chats.

The malware readies data for exfiltration. Image: Cisco Talos

The Talos duo’s assessment that the malware’s author is a Russian speaker comes from a YouTube tutorial linked in the Talos post.

They located various handles and repositories associated with the attacker, named variously “Racoon Hacker … Eyenot (Енот / Enot) and Racoon Pogoromist (sic)”.

While Python is Enot’s first language as a programmer, Talos said it’s seen the malware in downloaders written in Go, AutoIT, Python, and a .NET prototype.

The malware scans hard drives on Windows targets for Chrome credentials, session cookies, and text files, which get zipped and uploaded to pcloud.com. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/05/17/talos_telegram_desktop_attack/

Hutchins lawyers claim intoxicated calls aren’t proper evidence

Security researcher Marcus Hutchins has moved to throw out phone transcripts and legal documents related to his hacking and fraud cases.

Lawyers for Hutchins, a UK citizen currently facing trial in the Eastern Wisconsin District Court, motioned the court to dismiss both Hutchins’ Waiver of Miranda Rights form and the transcript of a phone call made just after waiving the rights from the ranks of evidence being presented against him.


The government, meanwhile, is asking that both documents, one taken during his initial meeting with the FBI and the other from a phone call Hutchins made after being arrested, be allowed to be presented in trial as evidence.

According to the defense, both the Miranda Rights waiver and the call were taken during a time when Hutchins was still disoriented and intoxicated and therefore should not be considered to be admissible as evidence.

Hutchins, best known for his work in dismantling the WannaCry Ransomware infection, has been held in the US since August 2, when he was arrested at the Las Vegas airport on his way home from the Defcon security convention. He has been charged with multiple felony counts related to the 2014 development of the Kronos banking trojan.

The call transcript [PDF] in particular could present damning evidence against Hutchins as, while talking with an unnamed associate from jail, he appears to admit to creating malware, at one point saying “I used to write malware, they picked me up on some old shit” and later telling the person “I wrote code for a guy a while back who then incorporated it into a banking malware.”

Now, the defense is seeking to have that call record as well as the rights waiver declared inadmissible as evidence, claiming in their filing [PDF] that Hutchins was in no state to give coherent answers due to having spent the week partying.

“In conducting the custodial interrogation, the government coerced Mr. Hutchins, who was sleep-deprived and intoxicated, to talk,” the defense team writes in the motion [PDF].

“Moreover, because Mr. Hutchins is a citizen of the United Kingdom, where a defendant’s post-arrest rights are very different than in the United States, he did not sufficiently understand any warnings he may have been given or rights being waived.”

The government, meanwhile, has opposed the motions, arguing there is no reason to believe Hutchins wasn’t aware of his rights or unable to think clearly about his situation. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/05/16/hutchins_moves_to_toss_call_records_in_malware_case/

Running Cisco DNA Center? Update right now to get rid of the static admin credential

Cisco has issued updates to address a trio of critical vulnerabilities in its Digital Network Architecture (DNA) Center appliance.

The networking giant says DNA Center, a network management and administration box Cisco sells directly to customers, has three flaws that would each potentially allow an attacker to take over the appliance remotely.

Perhaps the most glaring of the flaws is the static administrator credentials Cisco somehow left coded into DNA Center. An attacker who had those credentials would, obviously, be able to completely take over the targeted appliance with ease.


“The vulnerability is due to the presence of undocumented, static user credentials for the default administrative account for the affected software,” Cisco explains.

“A successful exploit could allow the attacker to log in to the affected system and execute arbitrary commands with root privileges.”

This is something of a nagging, and embarrassing, problem for Cisco. Switchzilla was found back in March to have left static credentials in its IOS platform, and hardcoded passwords sitting around in other networking appliances in recent years.

If static admin credentials aren’t your thing, DNA Center can also be pwned via CVE-2018-0271.

That flaw, blamed on bad URL handling, would allow an attacker to embed attack code into a URL field and bypass login controls with “access to critical services”.

Also patched was CVE-2018-0268, a vulnerability in DNA Center’s handling of Kubernetes containers that would potentially allow an attacker to bypass security protections within the container instances themselves.

“An attacker who has the ability to access the Kubernetes service port could execute commands with elevated privileges within provisioned containers,” Cisco writes.

“A successful exploit could result in a complete compromise of affected containers.”

For all three bugs, Cisco is pushing out an update to DNA Center via its on-board System Updates tool. Admins will want to get version 1.1.3 to be sure they have all three security holes addressed. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/05/16/cisco_dna_update/

DOJ convicts second bloke for helping malware go undetected

The US Federal government has got its second conviction in the dismantling of a service that helped malware writers get around security software.

A jury in the Eastern Virginia District Court convicted 37-year-old Ruslan Bondars on charges of computer intrusion, conspiracy to commit wire fraud, and conspiracy to violate the Computer Fraud and Abuse Act (CFAA).

Bondars, who had been living in Latvia at the time of his arrest, was one of the two men found to have been running Scan4you, an unscrupulous malware scanning service that aided hackers in avoiding detection.

Bondars’ business partner, Jurijs Martisevs, pleaded guilty to similar charges back in March in the same court district (fun fact: the Eastern Virginia court is referred to as the “Rocket Docket” due to its reputation for quickly moving cases along.)


Police said that malware writers would pay for the scanning service in order to check their code against known security tools. Because the service allowed anonymous uploading and did not share any of the samples with security vendors, criminals were effectively able to use it to keep their malware hidden from legitimate security tools.

According to the DOJ, at its height the service was taking money from thousands of malware writers, including the authors of the infamous Citadel malware and the group behind the Target attack.

“Ruslans Bondars helped hackers test and improve the malware they then used to inflict hundreds of millions of dollars in losses on American companies and consumers,” said US acting assistant attorney general John Cronan.

“Today’s verdict should serve as a warning to those who aid and abet criminal hackers: the Criminal Division and our law enforcement partners consider you to be just as culpable as the hackers whose crimes you enable—and we will work tirelessly to identify you, prosecute you, and seek stiff sentences that reflect the seriousness of your crimes.”

Bondars now faces up to 35 years in prison, with sentencing set for September 21. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/05/17/doj_convicts_malware_tester/

Newly Discovered Malware Targets Telegram Desktop

Russian-speaking attacker behind new malware capable of lifting credentials, cookies, desktop cache, and key files.

A new form of malware has emerged targeting the desktop version of end-to-end encrypted instant messaging service Telegram.

Cisco Talos researchers attribute the malware to a Russian-speaking attacker “with high confidence” and say it’s mostly targeting Russian-speaking victims. They also found it’s intentionally avoiding IP addresses related to anonymizer services.

What stands out about the malware is not that it affects Telegram Desktop – it’s that it only affects Telegram Desktop, says Cisco Talos threat researcher Vitor Ventura. This is the first threat Talos has detected with the intent of hijacking Telegram Desktop sessions.

“There are other information stealers in the wild,” he explains. “But this one, although it searches for other types of credentials, has a special focus on Telegram Desktop. We think it’s important to point out the fact that Telegram Desktop is not secure by default. And this is what the malware authors are taking advantage of.”

The malware doesn’t exploit a vulnerability in the Telegram service, researchers explain. Instead it abuses weak default settings and lack of Secret Chat support in Telegram Desktop. An attacker can access conversations between desktop and mobile users if the desktop user is infected with this malware; however, mobile-to-mobile conversations are protected.

Mobile-only Secret Chats have guaranteed security because they are bound to the device, locally stored, and equipped with self-destruction tools. These features aren’t on the desktop or Web versions, which store chats in the cloud and don’t enable auto-logout by default.

The combination of cloud-based storage and the lack of auto-logout by default enables this malware to hijack Telegram sessions and conversations.

When, What, Who

A first version of this malware was detected on April 4, 2018 stealing browser credentials, cookies, and all text files it can locate on the system. A second variant, spotted on April 10, added the ability to gather Telegram desktop cache, key files, and Steam website credentials. It’s unusual to see attackers take Telegram Desktop data to hijack sessions, Ventura says.

“This data allows an attacker to be able to access all contacts and previous chats as long as the owner doesn’t log out,” he continues. “This is a privacy issue [and] accessing Telegram Desktop data is all about privacy and accessing confidential information.”

The malware’s operators use hardcoded pcloud.com accounts to store the information they take from Telegram. Because this data is not encrypted, anyone with access to the authors’ account credentials will have access to the stolen information.

Why snatch this type of data? While he doesn’t know the specific motivation, Ventura explains how he and his colleague, Azim Khodjibaev, determined its Russian attribution. An analysis of the malware linked it to a user who goes by the name of Raccoon Hacker.

The two researchers combined Talos intelligence with online videos to pinpoint the malware’s author, who posted several YouTube clips containing instructions on how to use files collected from Telegram to hijack targets’ ongoing sessions and package them for distribution. If a chat session is open, attackers can access the conversation, contacts, and previous chats.

A Need for Transparency

Ventura points out an opportunity to better inform Telegram users of the desktop version’s shortcomings. During installation and start-up, he says, it’s never mentioned that chats are not as secure as they are on mobile, or that Secret Chats are not available. Telegram also doesn’t disclose that, under its default setting, sessions never expire.

“It’s understandable that an application prioritizes usability over security, but not acceptable in an application that claims to be a secure messaging platform,” he says.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/endpoint/privacy/newly-discovered-malware-targets-telegram-desktop/d/d-id/1331826?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Frequency & Costs of DNS-Based Attacks Soar

The average cost of a DNS attack in the US has climbed 57% over the last year to $654,000 in 2018, a survey from EfficientIP shows.

The frequency of Domain Name System (DNS) attacks and the costs associated with addressing them are both increasing sharply, a new survey by EfficientIP shows.

The DNS management vendor recently had research firm Coleman Parkes poll about 1,000 IT managers in North America, Asia, and Europe on the causes and responses to DNS-based threats.

The results showed that the global average costs of DNS attacks have surged 57% over 2017 to $715,000 in 2018. In the past 12 months, organizations faced an average of seven DNS attacks. Some of the victims ended up paying more than $5 million in associated costs. One in five (22%) organizations suffered business losses to DNS attacks.

The costs per DNS attack associated with remediation, recovery, and business disruption tended to vary by region. In North America, organizations in the US had the highest average costs, at around $654,000. Companies in the region also experienced the steepest year-over-year increase in costs at 82%. Overall, though, organizations in France had higher costs associated with DNS attacks than anywhere else, with victims spending an average of $974,000 on one.

“DNS attacks cost so much because consequences are instantaneous, broad, and very difficult to mitigate without the appropriate technology,” says Ronan David, senior vice president of strategy for EfficientIP. “In modern networks, DNS is routing access to almost all applications.”

Contributing to the high attack costs and overall complexity is the fact that DNS is both an attack vector and a target, he says. Attackers can use the DNS infrastructure as a vector for stealing data, for communicating with command and control servers, for setting up malicious phishing and spam domains, and for enabling other kinds of malicious activity. Other attacks, though, are targeted at disrupting DNS services directly, such as DNS distributed denial-of-service (DDoS) attacks.

DDoS attacks against DNS infrastructure in particular can be very costly to remediate, chiefly because such attacks are asymmetric, says Cricket Liu, chief DNS architect at Infoblox. “An attacker just needs to hire a botnet for a few hours to launch the attack, but the organization targeted needs to build excess capacity and maintain it year-round,” in addition to possibly using a DDoS mitigation service, Liu says.

The five most common DNS-based attacks in EfficientIP’s survey included those in which DNS is used as an attack vector and those in which an organization’s DNS infrastructure is the target. Topping the list for 2018 is DNS-based malware followed by phishing, DNS tunneling, domain lock-up, and DNS-based DDoS attacks.

“With 33% of people having suffered data theft, DNS is certainly one of the most powerful attack vectors,” says EfficientIP’s David. At the same time, the survey also showed that 40% of cloud-based application downtime is caused by attacks aimed at DNS servers and services.

Hackers are developing sophisticated new multivector, multistage, and distributed DNS attacks. The exponential rise of connected devices, Web-based applications, and interconnected networks is giving them a broader surface to attack as well, David says. “DNS is, therefore, a primary vector and target leading to higher damage costs.”

Merike Kaeo, CTO at Farsight Security, says DNS is a more fundamental and complex protocol than most people realize. “It is critical to not only name and address resolution but can also be utilized to define email servers associated with a domain name, identify service locations, specify type of OS or CPU on a host, and other Internet-related activities.”

As attacks against DNS increase and become more sophisticated, it’s no surprise that remediation costs are increasing as well, Kaeo says. What surveys like those by EfficientIP show is that organizations need to start paying attention to their DNS infrastructure, she says.

“Know which domains you use and what can potentially be abused,” Kaeo notes. Pay attention to the security practices of registries and registrars and implement controls for determining changes in DNS traffic patterns and for blocking unknown domains, she says.

Review your existing mechanisms for dealing with DNS threats as well, says David. Most are simply workarounds that are not designed specifically for dealing with DNS threats. As an example, he points to data exfiltration attacks via DNS. The appropriate detection capacity requires real-time and context-aware DNS traffic analysis for behavioral threat detection, he says.
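As an added illustration of the behavioral DNS traffic analysis David describes (example code written for this page, not EfficientIP’s product or anything from the survey), the following flags domains whose queried prefixes look like encoded data, the pattern DNS tunneling and exfiltration leave in resolver logs. It assumes a constructed log in a “timestamp client qname qtype” format and uses a naive last-two-labels rule in place of a Public Suffix List lookup.

```python
import math
import re
from collections import defaultdict

# Constructed sample resolver log lines (timestamp, client, qname, qtype); not real traffic.
SAMPLE_LOG = """\
2018-05-15T10:00:01 10.0.0.5 www.example.com A
2018-05-15T10:00:02 10.0.0.9 cdn1.example.org A
2018-05-15T10:00:03 10.0.0.9 cdn2.example.org A
2018-05-15T10:00:03 10.0.0.9 cdn3.example.org A
2018-05-15T10:00:03 10.0.0.7 3q7x9k2m.a8f1c0e9b2d4.exfil-test.example.net TXT
2018-05-15T10:00:03 10.0.0.7 9z1p4w6r.c3e7a1b5f9d2.exfil-test.example.net TXT
2018-05-15T10:00:04 10.0.0.7 k2n8v5q1.e6b0d4f8a2c1.exfil-test.example.net TXT
2018-05-15T10:00:04 10.0.0.7 x7m3r9t2.b4c8e2f6a0d3.exfil-test.example.net TXT
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def shannon_entropy(text):
    # Bits per character: encoded/random labels score high, dictionary words score low.
    n = len(text)
    return -sum(text.count(c) / n * math.log2(text.count(c) / n) for c in set(text)) if n else 0.0

def registered_domain(qname):
    # Last two labels only (assumption); a real deployment would consult the Public Suffix List.
    return ".".join(qname.rstrip(".").split(".")[-2:])

def find_tunneling_candidates(log_text, min_unique=3, min_entropy=3.0, min_len=20):
    """Flag registered domains whose query prefixes look like encoded data carried in DNS."""
    per_domain = defaultdict(lambda: {"prefixes": set(), "clients": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole batch
        _, client, qname, _ = m.groups()
        dom = registered_domain(qname)
        prefix = qname.rstrip(".")[: -len(dom)].rstrip(".")
        if prefix:
            per_domain[dom]["prefixes"].add(prefix)
            per_domain[dom]["clients"].add(client)
    suspicious = {}
    for dom, d in per_domain.items():
        prefixes = d["prefixes"]
        mean_entropy = sum(shannon_entropy(p) for p in prefixes) / len(prefixes)
        mean_len = sum(len(p) for p in prefixes) / len(prefixes)
        # Many distinct, long, high-entropy prefixes under one domain is the tunneling/exfil
        # pattern; cdn1/cdn2/cdn3 also has many prefixes but they are short and low-entropy.
        if len(prefixes) >= min_unique and mean_entropy >= min_entropy and mean_len >= min_len:
            suspicious[dom] = {"unique_prefixes": len(prefixes), "mean_entropy": round(mean_entropy, 2),
                               "mean_prefix_len": round(mean_len, 1), "clients": sorted(d["clients"])}
    return suspicious
```

Thresholds are starting points to tune against a baseline of your own resolver traffic; the per-client grouping is what lets an alert point at the host to investigate rather than only the domain.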

“DNS is by design an open service on the network which is not correctly monitored, and for which a traditional security solution cannot protect efficiently,” he notes. “DNS is mission-critical. When it goes down, the business is down.”


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/frequency-and-costs-of-dns-based-attacks-soar/d/d-id/1331828?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple