STE WILLIAMS

Every major OS maker misread Intel’s docs. Now their kernels can be hijacked or crashed

Linux, Windows, macOS, FreeBSD, and some implementations of Xen have a design flaw that could allow attackers to, at best, crash Intel and AMD-powered computers.

At worst, miscreants can, potentially, “gain access to sensitive memory information or control low-level operating system functions,” which is a fancy way of saying peek at kernel memory, or hijack the critical code running the machine.

The vulnerabilities can be exploited by malware running on a computer, or a malicious logged-in user. Patches are now available to correct the near-industry-wide programming blunders.

As detailed by CERT on Tuesday, the security cockup, labeled CVE-2018-8897, appears to have been caused by developers at Microsoft, Apple, and other organizations misunderstanding the way Intel and AMD processors handle one particular special exception.

Indeed, CERT noted: “The error appears to be due to developer interpretation of existing documentation.” In other words, programmers misunderstood Intel and AMD’s manuals, which may not have been very clear.

You’re fired (the interrupt, that is)

Here’s a deep dive put as gently as possible. At the heart of the issue is the POP SS instruction, which takes from the running program’s stack a value used to select the stack’s segment, and puts that number into the CPU’s stack selector register. This is all to do with memory segmentation that modern operating systems mostly ignore, and you can, too. The POP SS instruction is specially handled by the CPU so that the stack cannot be left in an inconsistent state if an interrupt fires while it is executing.

An application can set a debug breakpoint for the memory location where that stack selector will be pulled from the stack by POP SS. That is, when the app uses POP SS, it will generate a special exception when the processor touches a particular part of RAM to fetch the stack selector.

Now, here’s the clever trick. The instruction immediately after the POP SS instruction has to be an INT instruction, which triggers an interrupt. These software-generated interrupts are sometimes used by user programs to activate the kernel so it can do work for the running process, such as open a file.

On Intel and AMD machines, the software-generated interrupt instruction immediately after POP SS causes the processor to enter the kernel’s interrupt handler. Then the debug exception fires, because POP SS caused the exception to be deferred.

Operating system designers didn’t expect this. They read Intel’s x86-64 manuals, and concluded the handler starts in an uninterruptable state. But now there’s an unexpected debug exception to deal with while very early inside the interrupt handler.

This confuses the heck out of the kernel, causing it to, in certain circumstances, rely on data controlled by un-privileged user software, as explained by the flaw’s discoverers Nick Peterson of Everdox Tech, and Nemanja Mulasmajic of triplefault.io, in their technical explanation (PDF):

When the instruction, POP SS, is executed with debug registers set for break on access to that stack location and the following instruction is an INT N, a pending #DB will be fired after entering the interrupt gate, as it would on most successful branch instructions. Other than a non-maskable interrupt or perhaps a machine check exception, operating system developers are assuming an uninterruptible state granted from interrupt gate semantics. This can cause OS supervisor software built with these implications in mind to erroneously use state information chosen by unprivileged software.

This is a serious security vulnerability and oversight made by operating system vendors due to unclear and perhaps even incomplete documentation on the caveats of the POP SS instruction and its interaction with interrupt gate semantics.

The upshot is that, on Intel boxes, the user application can control the special pointer GSBASE in the interrupt handler, and on AMD, GSBASE and the stack pointer. This can be used to crash the kernel by making it touch unmapped memory, to extract parts of protected kernel memory, or to tweak its internal structures to knock over the system or joyride its operations.

Any exploitation attempt is more likely to crash the kernel, rather than do any serious harm, we reckon. However, like Meltdown, as bugs go, it’s a little embarrassing for the industry, and it ought to be patched to be on the safe side.

Manipulations

The FreeBSD advisory on the problem explains it further. “On x86 architecture systems, the stack is represented by the combination of a stack segment and a stack pointer, which must remain in sync for proper operation,” the OS’s developers wrote. “Instructions related to manipulating the stack segment have special handling to facilitate consistency with changes to the stack pointer.

“The MOV SS and POP SS instructions inhibit debug exceptions until the instruction boundary following the next instruction. If that instruction is a system call or similar instruction that transfers control to the operating system, the debug exception will be handled in the kernel context instead of the user context.”

The result? “An authenticated local attacker may be able to read sensitive data in kernel memory, control low-level operating system functions, or may panic the system.”
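As an added illustration (not code from the article, the advisory, or the researchers’ paper), the following Python model walks through the sequence described in the deep dive above and in the FreeBSD advisory’s wording: POP SS with a data breakpoint armed on the popped slot, the INT that follows, and the deferred #DB arriving at the handler’s first instruction. It contrasts an entry stub that infers “GS already belongs to the kernel” from the saved CS with one that inspects the actual GS base, which is the pattern Linux’s paranoid_entry uses (read MSR_GS_BASE and SWAPGS when the value is not a kernel address). The CPU class, the addresses, and both stubs are assumptions made up for the model.

```python
"""Toy model of the POP SS / INT sequence and of two exception-entry stubs.
Added illustration: the CPU class, the entry stubs and the addresses are
teaching assumptions, not kernel code and not a proof of concept."""
from dataclasses import dataclass, field

USER_CPL, KERNEL_CPL = 3, 0
# Assumed values: on x86-64 Linux the kernel's GS base is a "negative"
# canonical address (bit 63 set); the user value is whatever the process set.
KERNEL_GSBASE = 0xFFFF_8800_1234_0000
USER_GSBASE = 0x0000_7FFF_0BAD_0000


@dataclass
class CPU:
    cpl: int = USER_CPL
    gsbase: int = USER_GSBASE
    kernel_gsbase_msr: int = KERNEL_GSBASE  # models IA32_KERNEL_GS_BASE
    db_pending: bool = False                # #DB held back by POP SS
    log: list = field(default_factory=list)

    def swapgs(self):
        self.gsbase, self.kernel_gsbase_msr = self.kernel_gsbase_msr, self.gsbase

    def pop_ss(self, breakpoint_on_stack_slot):
        # A data breakpoint on the slot POP SS reads would raise #DB, but
        # MOV SS / POP SS inhibit it until the next instruction boundary.
        self.db_pending = breakpoint_on_stack_slot
        self.log.append("POP SS executed")

    def take_gate(self, name, entry):
        # Interrupt gate: the frame records the interrupted CS, CPL drops to 0,
        # and the entry stub runs with that frame CS in hand.
        frame_cs = self.cpl
        self.cpl = KERNEL_CPL
        self.log.append(f"{name} taken, frame CS={frame_cs}")
        return entry(self, frame_cs)

    def int_n(self, entry):
        # Software interrupt straight after POP SS.  If a #DB was deferred it is
        # delivered at the handler's first instruction, so the #DB stub sees a
        # kernel frame CS but runs before any SWAPGS has happened.
        if self.db_pending:
            self.cpl = KERNEL_CPL
            self.log.append("INT n taken, handler entered")
            self.db_pending = False
            return self.take_gate("#DB (deferred)", entry)
        return self.take_gate("INT n", entry)


def entry_trust_frame_cs(cpu, frame_cs):
    """Stub that assumes a kernel-mode frame CS implies a kernel GS base.
    This is the assumption the article says OS developers made."""
    if frame_cs == USER_CPL:
        cpu.swapgs()
    return cpu.gsbase  # the per-CPU base the handler goes on to dereference


def entry_check_gsbase(cpu, frame_cs):
    """'Paranoid' stub: look at the real GS base instead of trusting CS.
    Linux's paranoid_entry reads MSR_GS_BASE and SWAPGSes when the value
    does not have bit 63 set (i.e. is not a kernel address)."""
    if not (cpu.gsbase >> 63) & 1:
        cpu.swapgs()
    return cpu.gsbase


def handler_gsbase(entry, breakpoint_on_stack_slot=True):
    """Return the GS base the exception handler ends up using."""
    cpu = CPU()
    cpu.pop_ss(breakpoint_on_stack_slot)
    return cpu.int_n(entry)


if __name__ == "__main__":
    for entry in (entry_trust_frame_cs, entry_check_gsbase):
        base = handler_gsbase(entry)
        owner = "KERNEL" if base == KERNEL_GSBASE else "USER-CONTROLLED"
        print(f"{entry.__name__:22} -> handler uses {owner} GS base {base:#x}")
```

With the breakpoint armed, the CS-trusting stub hands the handler the user-chosen GS base, which is the state the article describes; the stub that checks the base itself swaps correctly. Without the breakpoint, both stubs behave the same, which is why the mistake survived ordinary testing.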

Exploiting such on Windows, according to Microsoft’s kernel advisory, would mean “an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system.”

Which – gulp! – isn’t a very far-fetched scenario, unless you run a tight ship of no untrusted code.

Red Hat has patches ready to roll, as does Ubuntu, and Apple for macOS.

The Linux kernel has also been fixed, way back on March 23, 2018. A patch is already present in versions 4.15.14, 4.14.31, 4.9.91, 4.4.125, plus older 4.1, 3.16, and 3.2 branches.

Microsoft’s got it sorted, for Windows 7 through 10 and Windows Server 2008 through version 1803. Xen has patches for versions 4.6 through 4.10. VMware’s hypervisors aren’t at risk, but vCenter Server has a workaround and vSphere Integrated containers await a fix, but both are rated merely “potentially affected.”

See the above CERT link for all affected vendors and their responses, and apply updates as necessary.

All sources are at pains to point out that while this issue derives from an x86-64 instruction, kernel programmers, and not Chipzilla, are to blame. It seems lots of coders have simply misunderstood how to handle debug exceptions, and made similar mistakes over a long period of time.

The Register expects plenty of OS developers are about to be sent to compulsory reeducation sessions on the x86-64 architecture, now that Intel has updated its manuals to clarify the handling of stack selector instructions, and that readers get to do the emergency patch thing. Which you should be pretty good at by now. ®

Sponsored:
Minds Mastering Machines – Call for papers now open

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/05/09/intel_amd_kernel_privilege_escalation_flaws/

It’s 2018, and a webpage can still pwn your Windows PC – and apps can escape Hyper-V

Patch Tuesday Microsoft and Adobe have patched a bunch of security bugs in their products that can be exploited by hackers to commandeer vulnerable computers, siphon people’s personal information, and so on.

Redmond emitted 68 patches alone, 21 rated critical and at least two being actively exploited in the wild. There are browser and kernel patches you should look into first, check out an Office 365 email filter bypass that isn’t addressed, then Hyper-V if you’re using that, and then the rest.

Overall, there are fixes for Internet Explorer, Edge, Windows, Office and Office Services and Web Apps, ChakraCore, Adobe Flash Player, .NET Framework, Exchange Server, Windows Host Compute Service Shim, and more. Let’s hop right to it.

Hyper-V

Applications running within guest virtual machines on Microsoft’s Hyper-V hypervisor can escape to the host machine and execute malicious code on it. That means software running in, and users logged into, guest VMs can take over other virtual machines as well as the underlying server. The bugs are CVE-2018-0959 and CVE-2018-0961; the latter involves vSMB. This is basically a nightmare scenario for hypervisor developers and administrators.

Edge, Internet Explorer, and Windows VBScript Engine

The VBScript Engine can be exploited, via memory corruption bug CVE-2018-8174, by a malicious webpage to execute arbitrary nefarious code on a system, paving the way to the installation of malware.

Hackers – including nation-state agents – are already abusing this programming cockup right now to compromise computers in the wild and spy on targets. The flaw was discovered and reported by Anton Ivanov and Vladislav Stolyarov of Kaspersky Lab, as well as Ding Maoyin, Jinquan, Song Shenlei, and Yang Kang of Qihoo 360 Core Security.

“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website,” Microsoft noted.

“An attacker could also embed an ActiveX control marked ‘safe for initialization’ in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.”

The Chakra Scripting Engine in Edge can also be exploited, via CVE-2018-0943, by evil webpages to run code and malware on a computer visiting said page. See also the following in Edge’s Chakra and Internet Explorer’s scripting engine: CVE-2018-0945, CVE-2018-0946, CVE-2018-0951, CVE-2018-0953, CVE-2018-0954, CVE-2018-0955, CVE-2018-1022, CVE-2018-8114, CVE-2018-8122, CVE-2018-8128, CVE-2018-8130, CVE-2018-8133, CVE-2018-8137, CVE-2018-8139, CVE-2018-8177, and CVE-2018-8178. Phew!

Windows kernel

This particular flaw is also being actively exploited by crooks: malware running on vulnerable systems can use the bug CVE-2018-8120 in the Windows kernel (specifically, the Win32k component) to gain administrator privileges to completely hijack the device. This affects just Windows 7 and Server 2008.

It was found and reported by Anton Cherepanov of ESET.

However, Windows 10 is affected by CVE-2018-8170, a privilege escalation in Windows’ image processing system – if an application throws a dodgy snap at the kernel, it can gain admin access over the machine.

There are also other kernel-level privilege escalation bugs in various releases of Windows, for instance CVE-2018-8134 and CVE-2018-8124, that can be used by applications and logged-in users to gain admin rights.

Exchange and Office 365

Microsoft Exchange has a vulnerability, CVE-2018-8153, that allows Outlook Web Objects to be exploited to direct people to dodgy websites that masquerade as legit sites to steal their login passwords and other information. To pull this off, you’d have to email a victim a dodgy link, or message them in chat, and trick them into following it.

“An attacker who successfully exploited the vulnerability could perform script or content injection attacks, and attempt to trick the user into disclosing sensitive information,” Microsoft explained. “An attacker could also redirect the user to a malicious website that could spoof content or be used as a pivot to chain an attack with other vulnerabilities in web services.

“To exploit the vulnerability, an attacker could send a specially crafted email containing a malicious link to a user. An attacker could also use a chat client to social engineer a user into clicking the malicious link. However, in both examples the user must click the malicious link.”

URL filters

The above fix does not address a security hole reported this month by Avanan, in which you can bypass Office 365’s message filters by splitting a URL to a dodgy site in an email. You can use a base tag in an HTML message to make a clean link actually point to a malicious site. There is, right now, no known mitigation against emails exploiting this weakness in Office 365.
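As an added example (not Avanan’s or Microsoft’s code), this Python snippet shows what a mail filter has to do to see through the split: resolve every link against the message’s `<base href>` exactly as the recipient’s client will, and judge the effective destination rather than the literal `href`. The sample message, the blocklist and the `.invalid` hostname are constructed for illustration.

```python
"""Resolve links in an HTML e-mail the way a mail client will, so a URL
filter judges the effective destination rather than the literal href.
Added example; the message and blocklist below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LinkCollector(HTMLParser):
    """Record the first <base href> and every <a href> in document order."""

    def __init__(self):
        super().__init__()
        self.base = None
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and self.base is None and attrs.get("href"):
            # Per HTML, only the first <base> with an href sets the document base.
            self.base = attrs["href"]
        elif tag == "a" and attrs.get("href"):
            self.hrefs.append(attrs["href"])


def effective_links(html):
    """Return (literal href, effective URL) pairs.

    Resolution happens after parsing because the document base applies to
    every link, including ones that appear before the <base> tag."""
    p = LinkCollector()
    p.feed(html)
    p.close()
    if p.base is None:
        return [(h, h) for h in p.hrefs]
    return [(h, urljoin(p.base, h)) for h in p.hrefs]


def flagged_links(html, blocklist):
    """Pairs whose effective host is blocklisted.  A filter that looked only
    at the literal href would never see the blocked host for a relative link."""
    out = []
    for literal, effective in effective_links(html):
        host = urlsplit(effective).hostname or ""
        if host in blocklist:
            out.append((literal, effective))
    return out


# Constructed sample: the href is a harmless-looking relative path, but the
# <base> tag makes the client fetch it from the blocked host.
SAMPLE_EMAIL = """<html><head><base href="http://phish.example.invalid/login/"></head>
<body><p>Your mailbox is full. <a href="verify.html">Review storage</a></p>
<p><a href="https://www.example.com/help">Help</a></p></body></html>"""

BLOCKLIST = {"phish.example.invalid"}

if __name__ == "__main__":
    for literal, effective in effective_links(SAMPLE_EMAIL):
        print(f"{literal!r:35} -> {effective}")
    print("flagged:", flagged_links(SAMPLE_EMAIL, BLOCKLIST))
```

The same resolution step belongs in any link-rewriting or safe-links layer: if the rewritten URL is built from the literal `href` instead of the resolved one, the client still ends up at the host the `<base>` tag named.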

Here’s a video demonstrating how to sidestep Microsoft’s defenses using base tags (embedded in the original article):

If you’re relying on Microsoft’s cloud suite to block messages with links to bad websites, bear in mind that miscreants are using this filter bypass in the wild to send people URLs to phishing websites. Redmond is now aware of the problem, and recommends not clicking on links from strangers.

“We encourage customers to practice safe computing habits by avoiding opening links in emails from senders they don’t recognize,” a spokesperson said.

Office and Excel

Opening odious Office documents, including Excel spreadsheets, on a vulnerable machine can trigger the execution of malware and spyware. For example, CVE-2018-8162 in Excel, and CVE-2018-8158 and CVE-2018-8161 in Office, can be leveraged by booby-trapped files to run spyware or ransomware on a system once viewed.

Similarly, Microsoft COM for Windows can be exploited, via CVE-2018-0824, to run arbitrary code smuggled in an email or webpage.

Containers

If you can trick an administrator into importing a booby-trapped container image, you can exploit CVE-2018-8115 in the Windows Host Compute Service Shim to trigger the execution of malicious code on the host server.

Domain accounts and others

Someone on your network with a domain account can exploit CVE-2018-8136 to gain administrator privileges. There are also other privilege-escalation bugs, such as in SharePoint (CVE-2018-8168), the Windows Common Log File System Driver (CVE-2018-8167), and DirectX (CVE-2018-8165). These can be used to go from normal user access to full administrative control on a vulnerable installation.

Azure-powered internet-of-things

Azure’s IoT Device Provisioning AMQP Transport library – a software toolkit that runs on gadgets – does not properly validate security certificates sent from its cloud-hosted backend. That shortcoming, CVE-2018-8119, means miscreants can, in a man-in-the-middle attack, masquerade as Azure servers on a network, and hijack and eavesdrop on supposedly secure connections from IoT devices during provisioning. Good luck patching gizmos in the field using this broken library.

Adobe

Adobe’s software sieve Flash Player, as usual, needs updating on Windows, Macs and Linux systems, lest a malicious Flash file hijack your system. Adobe Connect also needs patching on all platforms to avoid it leaking sensitive information, and Creative Cloud Desktop Application for Windows and macOS needs fixing to thwart attempts to escalate privileges via the software suite.

In summary

Redmond’s overview of its monthly Patch Tuesday update is here. Adobe’s is here. And to break it all down, Dustin Childs at ZDI has summarized the updates here, and Gill Langston of Qualys here.

As always, please apply the patches as soon as possible, after testing and whatnot, to avoid losing control of your systems and data to miscreants exploiting these programming blunders. These remote-code execution and privilege escalation bugs can be abused in a chain to fully compromise a system simply by opening a webpage through social media or an emailed document, and so on.

Bugs within bugs

Bear in mind there are caveats with Microsoft’s May updates. On Windows 10 version 1607, applying the fixes may affect the deployment of earlier feature upgrades. On Windows 10 version 1709, some non-English installations may display the wrong messages when viewing scheduled jobs. And systems running Windows 7 Service Pack 1, or Windows Server 2008 R2 Service Pack 1, may crash with a blue-screen-of-death if their processors do not support SSE2 – which was introduced in 2001, so said machines would have to be really, really old to be affected. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/05/09/microsoft_windows_hyperv_patch_tuesday/

Mirai botnet cost you $13.50 per infected thing, say boffins

Berkeley boffins reckon the Dyn-based Internet of Things attack that took down Brian Krebs’ website in 2016 cost device owners over US$320,000.

Since the 2016 hit on KrebsOnSecurity involved devices in their tens of thousands, the costs to individuals (in power consumption and bandwidth charges) only end up at a handful of dollars per hacked device.

The total cost to thing-owners, the Berkeley researchers estimated, was US$323,973.75.

That’s a problem for the world of IoT: launching an attack like Dyn is cheap for the attacker once they’ve found a big enough population of devices with easy credentials and processing power, and the cost to the thing-owner is small enough to pass unnoticed.


The research, carried out by the university’s Kim Fong, Kurt Hepler, Rohit Raghavan and Peter Rowland and named Project rIoT, is an attempt to apply the well-known principles of attack cost calculations to consumers instead of business.

To come up with their cost estimates, the researchers infected devices with Mirai and observed their activity. In the lab, the group found that Mirai-infected devices show only small increases in electricity consumption – by far the greater cost to consumers is in the bandwidth stolen by the infected Things.

Of various devices purchased for the study, only two – a Samsung Smartcam SNH-1011N, and a Dreambox DM500-C digital video recorder – still permitted the testers to install Mirai, because their firmware still supported Telnet access (they note that a bit of hacking was necessary to turn on Telnet in the Samsung unit: “we were able to exploit command injection vulnerabilities in its web interface to enable telnet”, the report said).

The Dreambox DVR’s power consumption was less than one per cent higher in “Mirai mode”, but the Samsung Smartcam had to work much harder, using upwards of 13 per cent more electricity when infected and connected over Ethernet.

Bandwidth was also pretty trivial on a per-device level: 3 MB over 30 minutes for the Dreambox DVR, more than 6 MB over 30 minutes for the Samsung Smartcam using Ethernet (just under 1 MB when it was connected over WiFi).

However, aggregated over a large botnet, the cost to consumers would have been considerable.

They then applied the lab cost model to the KrebsOnSecurity case study, to reach their estimate of $323,974 in aggregate and around $13.50 per device.

There’s one more outcome of the research: the authors have published their resource monitoring tools at GitHub. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/05/09/berkeley_boffins_infect_things_with_mirai_in_a_good_cause/

Second wave of Spectre-like flaws won’t be fixed for a while

The new bunch of Spectre-like flaws revealed last week won’t be patched for at least 12 days.

German outlet Heise, which broke news of the eight Spectre-like vulnerabilities last week, has now reported that Intel wants disclosure of the flaws delayed until at least May 21.

“Intel is now planning a coordinated release on May 21, 2018. New microcode updates are due to be released on this date”, Jürgen Schmidt reported on May 7.

Last week, Heise noted that the planned coordinated release would include a Google Project Zero disclosure, which as far as The Register can discern has not yet happened.

Heise added that the bug affects any Core-i (and their Xeon derivatives) processors using microcode written since 2010; and Atom-based processors (including Pentium and Celeron) since 2013.


If disclosure and patches arrive in May, they won’t complete Intel’s response to the bugs, Schmidt reported. Further patches, tentatively scheduled for the third quarter, will be needed to protect VM hosts from attacks launched from guests.

In addition to microcode fixes from Intel, operating system-level patches will also be necessary.

Ever since the original Meltdown and Spectre bugs were confirmed in January, it’s become clear that speculative execution has been of interest to researchers for some time.

We noted in January 2018 that researcher Anders Fogh had written on abusing speculative execution in July 2017, and shortly after the Spectre/Meltdown story blew up in January, researchers Giorgi Maisuradze and Christian Rossow from German research group CISPA published a broad analysis of speculative execution based on 2017 work separate to the Meltdown/Spectre research.

In April, Intel said some Spectre bugs were not fixable in some older architectures.

Vulture South asked Intel to comment on the Heise report, and received a non-response saying it takes security very, very seriously and is working with anyone who can or should help to fix things. “We believe strongly in the value of coordinated disclosure and will share additional details on any potential issues as we finalize mitigations,” the company said. “As a best practice, we continue to encourage everyone to keep their systems up-to-date.”

Thanks for that last bit of advice, Intel. We can’t imagine anyone thought of it before. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/05/09/spectr_ng_fix_delayed/

Red Hat smitten by secure enclaves ‘cos some sysadmins are evil

Red Hat Summit Red Hat has revealed a plan to work with CPU-makers so that its wares can take advantage of in-silicon security features such as secure enclaves.

The company today told attendees at its 2018 Summit in San Francisco that it will work with major silicon shops, including Arm, Intel, and AMD, to move operations such as handling security keys into secured enclaves that are inaccessible to the operating system.

In those cases, Red Hat says, only the applications themselves would be cleared to access the information in the enclave, meaning an intruder who had compromised a server or VM (such as via a malware infection or side channel attack) would be isolated from the sensitive data.

The use of secure enclaves to isolate data is growing in popularity, as software vendors find ways to employ isolation to tamper-proof applications and services from side-channel attacks.

Red Hat wants to take things further by encrypting whole virtual machines and has already chatted to AMD about how to help do so to mitigate hypervisor-layer attacks.

Mike Bursell, Red Hat’s chief security architect, said that malicious actors targeting a VM from within the hypervisor are a particularly nasty risk.

“The reason it is nasty is because allowing that is how hypervisors work, hypervisors can map the memory of VMs, they can write, read, and there is very little you can do about that,” Bursell said.

“That is fine if you trust all of your sys admins, it is fine if you trust everyone who works at AWS, Google, Microsoft or whatever, it is fine if you never have sensitive data. But if you do, if you are running any of that on a system and you don’t have 100 per cent certainty and trust in the sysadmin, you can’t be certain they are not looking into those things and changing them as well.”

Red Hat also has big plans for one of its former partners that is now a subsidiary: CoreOS.

The RHEL roadmap has added tighter integration with the CoreOS container management tools and the company said CoreOS Container Linux will be released into the public domain and subsequent versions under the new brand “Red Hat CoreOS”.

The CoreOS Linux build will also be pitched as the solution for managing Kubernetes containers, eventually replacing the existing RHEL Atomic Host. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/05/08/red_hat_coreos_security/

Microsoft’s Patch Tuesday Fixes Two CVEs Under Active Attack

This month’s updates addressed vulnerabilities in Windows, Office, Edge, Internet Explorer, .Net Framework, Exchange Server, and other services.

Microsoft’s Patch Tuesday arrived with a sense of urgency this month, addressing two vulnerabilities under active attack and 66 other CVEs affecting Windows, Office, Office Services, Internet Explorer, Edge, Visual Studio, Web Apps, ChakraCore, Hyper-V Server, and Azure IoT SDK.

Of the 68 total CVEs addressed, 21 are rated as Critical, 45 are considered Important, and two are of Low severity. In addition to the two under active attack, two were listed as publicly known at the time of release, according to a report from Trend Micro’s Zero-Day Initiative (ZDI).

The CVEs of highest priority are those under active attack. CVE-2018-8174, the more severe flaw, is a Windows VBScript Engine Remote Code Execution Vulnerability. The zero-day was detected and analyzed in April by Kaspersky Lab researchers, who reported it to Microsoft.

“This technique, until fixed, allowed criminals to force Internet Explorer to load, no matter which browser one normally used — further increasing an already huge attack surface,” says Anton Ivanov, security researcher at Kaspersky.

The zero-day bug is located in the VBScript Engine and its attacks are similar to those of browser vulnerabilities. It appears to be moving around as an Office document, likely Word, with an embedded Web page. These embedded pages are rendered by the VBScript Engine, says Dustin Childs, communications director for ZDI, so a user only has to visit an infected site for an attacker to execute code on their machine.

An attacker may also embed an ActiveX control marked “safe for initialization” in an Office doc or application that hosts the IE rendering engine. This appears to be the case here: Attackers send the file to targets; once it’s opened, code execution occurs.

“This is a dangerous bug for a couple of reasons,” Childs explains. “For users of IE, it acts like a standard browser bug – go to a bad website and get owned. However, VBScript Engine bugs have a broader impact since it also touches ActiveX controls and embedded Web pages in Office documents.”

The other bug under active attack is CVE-2018-8120, a Win32k Elevation of Privilege Vulnerability affecting Windows 7, Server 2008, and Server 2008 R2. This bug lets an attacker who is logged onto a system run a specially crafted file to gain privileged access. While it’s being actively used in malware, researchers are unsure how far the malware has spread.

“At that point the attacker would have full permissions to install or remove programs, add users, view, change, or delete data. This type of vulnerability is how a threat actor would elevate their privileges to gain full access to a system they have gained access to,” says Chris Goettl, director of product management for security at Ivanti.

Microsoft issued 17 Critical and 7 Important patches for browser bugs. There are several patches issued for Office; the most important are those for Outlook and SharePoint, ZDI reports. An Exchange update prevents a command injection attack, and the .NET Framework has a couple of patches rated Important.

Greg Wiseman, senior security researcher at Rapid7, points to one vulnerability, CVE-2018-8897, as “a nice example of coordinated disclosure” from OS vendors and the result of nearly all vendors incorrectly addressing debug exceptions stemming from Intel architecture chips. Microsoft, Apple, VMware, FreeBSD, and multiple Linux distributions all posted advisories today.

For Microsoft Windows, CVE-2018-8897 could let a local attacker escalate privilege and run arbitrary code in kernel mode, he explains.

Microsoft this month also announced two public disclosures, meaning a vulnerability has been found and there is enough information on how it works to give an attacker the advantage before companies can update. One of these is CVE-2018-8141, a Windows kernel flaw; the other is CVE-2018-8170, a Windows Image bug that could lead to Elevation of Privilege. For both of these, an attacker would need to log on or obtain local access to exploit.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/endpoint/microsofts-patch-tuesday-fixes-two-cves-under-active-attack/d/d-id/1331748?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

8.7B Identity Records on Surface, Deep, Dark Webs in 2017

The 4iQ Identity Breach Report shows a 182% increase in raw identity records discovered by its team between 2016 and 2017.

Threat intelligence firm 4iQ detected and verified more than 3 billion identity records curated from 8.7 billion raw records in 2017. The company today released its 2018 Identity Breach Report, which digs into the details of nearly 3,000 breaches it discovered last year.

As the quantity of breaches has increased each year, so has the number of records exposed in each one. 4iQ collected its data using “automated crawlers and subject matter experts” tasked with monitoring the surface web, social media, black markets, underground communities, and the Deep and Dark Webs. Data is from open sources and exposed to threat actors.

4iQ points out two reasons for the 182% increase in raw identity records discovered by its team between 2016 and 2017. The first is growth in the number and size of breaches affecting personal data, including usernames, passwords, and other confidential information. Within underground communities, these types of breaches made up 44% of the 8.7B record total.

The second is the growth in accidental record exposures that commonly stem from poor security measures, which leave data open to third parties. These slip-ups led to the exposure of 4.9B raw identity records in 2017, researchers report.

Read more details and check out the report here.


Article source: https://www.darkreading.com/threat-intelligence/87b-identity-records-on-surface-deep-dark-webs-in-2017/d/d-id/1331744?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Publicly Disclosed Breaches Down Drastically in Q1 2018

Quietest first quarter since 2012, according to new report from Risk Based Security.

The early part of 2018 has brought a spot of good news, as reports from the first quarter show that the number of publicly reported breaches dropped dramatically compared to the same period last year.

“We haven’t seen a Q1 this quiet since 2012,” says Inga Goddijn, executive vice president for Risk Based Security, which today released the statistics from its Q1 2018 Data Breach Trends report.

The study shows that organizations experienced 686 breaches that exposed approximately 1.4 billion records. That’s nothing to sneeze at, but the good news is that compared to Q1 2017 both numbers have gone down by more than half. In the first three months of 2017, the number of exposed records had already added up to 3.4 billion.

Goddijn and the Risk Based Security team are not sure exactly why the numbers have shifted lower, though they have a few theories. First of all, the number of attacks phishing for employee W-2 wage and salary data has plummeted. Last year’s report saw 200 of these incidents in Q1, and this year it’s dropped down to 35. Additionally, the change could also be attributable to the momentum growing in cryptomining activity.

“We also think the shift toward cryptomining is possibly easing some of the attention on data theft,” says Goddijn. This would reduce the number of publicly disclosed breaches but could represent a jump in malicious activity that’s off the books, so to speak. “It’s still too early to say for sure but it does go to show, malicious activity will follow the best opportunities for making a profit.”

Regardless of shifts in attack trends, Goddijn says that all of the same old security fundamentals still apply to new threats. 

“Take cryptomining for example,” she says. “Many of the same processes that are used to protect against ransomware – like good vulnerability management, restricting code execution, strong email filtering and helping users stay safe online – are helpful for stopping mining malware too.”

Organizations should also keep things in perspective. While the number of incidents is at a six-year low for early-year activity, the only reason the year-over-year count of breached records dropped is that 2017 saw such a huge spike. The 1.4 billion records exposed early this year is still more than double the number of records exposed during Q1 of 2014, 2015 and 2016 combined.

Interestingly, aside from the drop in W-2 phishing incidents, the mix of incident types and victim organizations remains largely static.

“The other metrics we track, such as breach types, who is being impacted, (and) size of breaches, are very similar to recent quarters,” says Goddijn. “We have not observed sizable changes in the type of organizations being breached, the type of data that is being exposed, the number of large events, insider vs outsider activity, breach severity scores or where breaches are taking place. We would have expected other sizable shifts to be evident along with the drop in the number of breaches but that is not the case.”


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Article source: https://www.darkreading.com/threat-intelligence/publicly-disclosed-breaches-down-drastically-in-q1-2018/d/d-id/1331738?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Report: More Breaches Despite Increasing Security Budgets


Lack of security talent, low security awareness among employees, and too much data to analyze top the list of cyberthreats in the 2018 Cyberthreat Defense Report from CyberEdge Group.

Despite companies increasing their security budgets and investing a fortune in the best cybersecurity tools, organizations today are subject to more successful breaches than ever before – with five million data records lost or stolen every day, according to the fifth annual Cyberthreat Defense Report, produced by CyberEdge Group and sponsored by Gigamon. A full 77.2% of respondents report that their company had been successfully breached at least once in 2017, with 27.4% reportedly breached more than six times. More than 62% say they expect to be breached this year.

Even more astonishing is the fact that the high breach counts are occurring despite companies’ large investment in security tools. According to the Cyberthreat report, security currently consumes more than 12% of the overall IT budget globally, with security budgets set to rise nearly five percent this year.

Compounding this problem is a lack of cybersecurity talent. Increasing budgets do no good if you can’t find the right people. In 2017, nearly nine out of 10 organizations experienced a shortage of IT security talent, validating recurring headlines about a global shortage of one to two million cybersecurity professionals. This year there is a slight improvement in the difficulty organizations face in finding security professionals with the right mix of skills, with eight out of 10 respondents indicating that their organizations are impacted by the security talent shortfall.

Still, the talent shortage sits first in the list of highest-rated cyberthreats.

It all adds up to a scary picture, as – despite increasing security budgets – companies struggle to deal with headaches ranging from low security awareness, lack of management support, small budgets, simply too much data even for new tools to analyze, and little confidence in current investments.

Learn more about the 2018 Cyberthreat Defense Report, including an infographic with some of the statistics we used in this blog post and an executive brief that delivers key findings.

Graham Melville has over 25 years in the security, networking and mobility vendor space. Graham is a marketing executive who can connect technology to business issues, with one of his patents being the micro segmentation of traffic on Wi-Fi delivered through virtual AP …

Article source: https://www.darkreading.com/partner-perspectives/gigamon/report-more-breaches-despite-increasing-security-budgets/a/d-id/1331699?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Breakout Time: A Critical Key Cyber Metric

Why organizations need to detect an intrusion in under a minute, understand it in under 10 minutes, and eject the adversary in under an hour.

Cybersecurity breaches continue to capture headlines worldwide, particularly in the wake of nation-state and criminal cyberattacks that impact a wide range of industries. March 2018 saw major disclosed breaches from Applebee’s (167 restaurants), Orbitz (880,000 payment cards), Saks Fifth Avenue and Lord & Taylor (5 million payment cards), and Under Armour (150 million user accounts). These events remind us that organizations still struggle to implement effective security strategies.

As the targeting of public and private industries continues to plague organizations worldwide, it’s obvious that security must be raised to a board-level issue as organizations look to justify increased investment in cybersecurity.

CrowdStrike recently highlighted a new cyber metric called “breakout time,” based on insights from its 2018 Global Threat Report. Data was compiled from 30 trillion security events collected in 2017 to analyze attacker trends and to develop best-practice recommendations. Breakout time can be used to understand and contextualize the effectiveness of an enterprise security program.

So, what is breakout time? It’s the time it takes for an intruder to begin moving laterally outside of the initial beachhead to other systems in the network. The average breakout time analyzed over the previous year came in at one hour and 58 minutes — that’s the tight window during which an organization can prevent an incident from turning into a breach.

Breakout time matters because the initial machine the intruder compromises is almost never the one needed to fulfill the objective. The adversary must move laterally to burrow deep into the network, perform reconnaissance, and find the targets. One hour and 58 minutes is therefore how much time the organization has to detect and eject the intruder, which is why speed should be the focus when assessing the effectiveness of any security capability.

Key Metrics Every Organization Should Know
Whether an organization is a large government or private enterprise or a small to midsize business (SMB), protecting data is critical and, in many cases, mandated by regulations. Security is a business imperative that is considered a priority at the executive level. However, many organizations struggle with communicating security as a business issue and finding the metrics to demonstrate effectiveness.

These three key metrics can help an organization estimate its readiness to defend against a breach:

  1. Time to detection of an intrusion
  2. Time to investigate an incident, understanding criticality and scope, and what response actions are necessary
  3. Time to respond to the intrusion, eject the attacker, and contain any damage

The most sophisticated organizations in the world strive to meet the following deadlines:

  • Detect an intrusion within an average of one minute
  • Investigate and understand it in under 10 minutes
  • Eject the adversary in under one hour

Organizations operating under this framework are much more likely to eject the adversary before they “break out” of the initial entry point, minimizing impact.
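The three metrics and the 1/10/60 deadlines above can be measured directly from incident timestamps. The Python below is an added example, not CrowdStrike’s or the article’s code: it takes constructed incident timelines (the field names and sample times are assumptions), computes time to detect, investigate and respond, flags which targets were missed, and checks whether the adversary was ejected within the 1h58m average breakout time the article cites.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Targets from the article: detect in 1 minute, understand in 10, eject in 60.
TARGETS = {"detect": timedelta(minutes=1), "investigate": timedelta(minutes=10),
           "respond": timedelta(minutes=60)}
# Average breakout time the article cites for 2017 (beachhead -> lateral movement).
BREAKOUT_TIME = timedelta(hours=1, minutes=58)

@dataclass
class Incident:
    name: str
    compromise: datetime   # adversary lands on the initial machine
    detected: datetime     # intrusion detected
    understood: datetime   # scope, criticality and response actions decided
    contained: datetime    # adversary ejected and damage contained

def stage_durations(inc: Incident) -> dict:
    """The three metrics: time to detect, to investigate, to respond."""
    return {"detect": inc.detected - inc.compromise,
            "investigate": inc.understood - inc.detected,
            "respond": inc.contained - inc.understood}

def assess(inc: Incident) -> dict:
    """Compare one incident against the 1/10/60 targets and the breakout window."""
    durations = stage_durations(inc)
    total = inc.contained - inc.compromise
    return {"missed": [s for s, limit in TARGETS.items() if durations[s] > limit],
            "beat_breakout": total < BREAKOUT_TIME,  # ejected before the adversary broke out
            "total": total}

def mean_stage_times(incidents: list) -> dict:
    """Average each stage over many incidents: the MTTD/MTTI/MTTR a board is shown."""
    return {s: sum((stage_durations(i)[s] for i in incidents), timedelta()) / len(incidents)
            for s in TARGETS}

def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)

# Constructed sample timelines (not real incidents): one SOC that meets 1/10/60, one that does not.
INCIDENTS = [
    Incident("fast", _ts("2018-05-01T09:00:00"), _ts("2018-05-01T09:00:45"),
             _ts("2018-05-01T09:08:00"), _ts("2018-05-01T09:50:00")),
    Incident("slow", _ts("2018-05-02T14:00:00"), _ts("2018-05-02T14:30:00"),
             _ts("2018-05-02T15:20:00"), _ts("2018-05-02T17:00:00")),
]
if __name__ == "__main__":
    for inc in INCIDENTS:
        print(inc.name, assess(inc))
```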

Organizations that rely on legacy solutions focused on prevention remain the most vulnerable to adversaries. Even a series of layered defenses that is 99.9% effective at blocking incoming threats still misses one in 1,000 intrusion attempts. When attacks slip through the layers of defense, prevention-focused solutions leave IT networks unprotected, leading to data loss and to damage to reputation, ROI, and customer value. Verizon’s 2018 Data Breach Investigations Report proves this point, showing that detecting and responding to a successful breach often takes days or longer.

Board Members, C-Levels and Security Visibility
In today’s security environment, it’s critical for boards of directors and CEOs to have visibility into their cybersecurity breach readiness and risk profiles in order to evaluate the effectiveness of their strategies and the proper level of corporate investment. As security budgets continue to increase — Gartner predicts worldwide cybersecurity spending to reach $96 billion this year — business leaders are looking to understand how their spending is reducing the risk exposure of the organization. Today’s boards of directors and the C-suite want more visibility into how their organizations are preparing for an inevitable cyberattack.

Some reasons for this change include:

● More money is being spent on security — but what’s the ROI? As security budgets continue to increase, input from CSOs and CISOs is being requested in the boardroom to justify the spending. Security executives must find ways to communicate technical information within a business context and articulate the value of their departments’ resources at an executive level.

● Large enterprises have experienced alarming breaches. Boards and CEOs feel their organizations may be in attackers’ crosshairs. They now know they are likely to be targeted by sophisticated adversaries at some point and are interested in mitigating risks. They also want to evaluate their options based on quantifiable information, which is where metrics come into play.

● Regulatory violations are costly. According to the US National Conference of State Legislatures, 48 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have enacted legislation requiring private or governmental entities to notify individuals of security breaches. In addition, the European Union has updated the General Data Protection Regulation with more stringent rules and substantial penalties for organizations that fail to notify their stakeholders of breaches in a timely manner.

In cybersecurity, as in business, time is money. Given today’s sophisticated threat landscape, it is imperative that C-levels and boards understand the trade-offs between response time and risk. Breakout time is a useful data point that puts your capability today into clear context. The best organizations in the world should strive to beat attacker breakout time and detect an intrusion in under a minute, understand it in under 10 minutes, and eject the adversary in under an hour to effectively combat stealthy cyber threats. Can you compete?


Scott Taschler is a 20+ year veteran of the cybersecurity industry, with a strong focus on optimizing workflows in the security operations center. In his current role as Director of Product Marketing for CrowdStrike, Scott works with organizations all around the globe to …

Article source: https://www.darkreading.com/attacks-breaches/breakout-time-a-critical-key-cyber-metric-/a/d-id/1331678?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple