STE WILLIAMS

Android apps prove a goldmine for dodgy password practices

An analysis of free Android apps has shown that developers are leaving their crypto keys embedded in applications, in some cases because the software developer kits install them by default.

Will Dormann, software vulnerability analyst at the CERT Coordination Center (CERT/CC), told the BSides conference in San Francisco that he’d scanned around 1.8 million Android apps and found shocking lapses in operational security in plenty of ’em. PGP keys, VPN codes and hardcoded admin passwords were all readily available.

“I only scanned free apps,” he explained. “Paid apps have similar issues I’m sure but the problem is I’ve downloaded 1.8 million apps and even if they are only 99 cents apiece I’m not paying that much.”

Overall he found nearly 20,000 apps with insecure keys built in, including popular code like Samsung’s “smart” home app. Building passwords into apps is lazy developer policy for some, although he noted some are better than others at obfuscating the practice.

On one end of the scale was an app developer who not only hardcoded his Android and iOS developer login details in the app but also the master passwords for the app itself. Others were sneakier, trying to hide the important data in .png or .apk files.

If you’re using the Appinventor tool to build apps you might want to rethink that strategy. Dormann said the software hardcodes privacy keys in apps by default, although this appears to have been fixed after the app builder got notified about the issue.

Software key stores weren’t much help either. The Java and Bouncy Castle key stores don’t encrypt at a container level but rely on password protection. That’s not bad, but the problem Dormann found was that password security is pathetically bad.

Dormann used two popular password crackers – John the Ripper and Hashcat. Running these on GPUs allowed for easy brute-force cracking of many passwords selected by lazy users. Password crackers are getting smarter about exploiting the common shortcuts humans take when choosing passwords.

“Hashcat is much better at this,” he told The Register. “Not only does it recognise the human habit of capitalising the first letter, it also checks for exclamation points at the end of a password and also four digits, because a lot of people add dates.”

The key to strong passwords is length and complexity. Go long on passwords, avoid words easily spotted in dictionary attacks and never, ever, use “QWERTY”. ®
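The mangling habits Dormann describes (a capitalised first letter, a trailing exclamation mark, a trailing four-digit year) can be reversed on the defensive side before a password is accepted. The checker below is an added example, not code from the talk or from Hashcat; it uses a small constructed word list in place of a real cracking dictionary and a hypothetical 12-character minimum.

```python
import re

# Constructed stand-in for a real cracking dictionary (a few common base words
# plus the keyboard walk the article singles out).
WORDLIST = {"password", "summer", "dragon", "register", "qwerty", "monkey", "welcome"}

# Trailing four-digit number, e.g. a birth year or the current year.
TRAILING_DIGITS = re.compile(r"\d{4}$")


def strip_common_mangling(password: str) -> str:
    """Undo the cheap 'complexity' tricks a rule-based cracker tries first.

    Trailing '!' and trailing four-digit numbers are removed repeatedly, in
    either order (Summer!2018 and Summer2018! both reduce to 'summer'), and
    a capitalised first letter is lowered when the rest of the word is already
    lower case. Other case patterns are left alone.
    """
    base = password
    while True:
        stripped = TRAILING_DIGITS.sub("", base.rstrip("!"))
        if stripped == base:
            break
        base = stripped
    if base[:1].isupper() and base[1:] == base[1:].lower():
        base = base[:1].lower() + base[1:]
    return base


def weakness_reason(password: str, wordlist=WORDLIST, min_length: int = 12):
    """Return None if no cheap weakness is found, otherwise a short reason.

    Length is checked first because every candidate below the floor is within
    reach of plain brute force on GPUs regardless of its content.
    """
    if len(password) < min_length:
        return f"shorter than {min_length} characters"
    base = strip_common_mangling(password)
    if base.lower() in wordlist:
        return f"dictionary word {base.lower()!r} plus common mangling"
    return None


def audit(candidates):
    """Map each candidate password to its weakness reason (or None)."""
    return {pw: weakness_reason(pw) for pw in candidates}


if __name__ == "__main__":
    # Constructed sample passwords, not taken from any real data set.
    for pw, reason in audit(["Password2018!", "Qwerty1234!!", "Summer!2018",
                             "short", "correct horse battery staple"]).items():
        print(f"{pw!r}: {reason or 'no cheap weakness found'}")
```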


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/04/16/android_apps_prove_a_goldmine_for_dodgy_password_practices/

Security bods liberate EITest malware slaves

One of the world’s longest-lived malware networks, EITest, has gone offline.

EITest was part of several infection chains, used by attackers to redirect users from legitimate sites to compromised sites that shipped exploit kits. In 2016, for example, it was part of an attack that used shampoo brand Just for Men to push the RIG exploit kit.

To get rid of EITest, Proofpoint says it worked with researchers from BrilliantIT and Abuse.ch to sinkhole the infection chain.

Proofpoint’s researchers wrote that EITest emerged in 2011, took a brief hiatus between 2013 and 2014, then re-emerged as a traffic seller in malware markets: “In 2014, we found that the actor was selling traffic in blocks of 50-70,000 visitors for US$20 per thousand, generating between $1,000 and $1,400 per block of traffic.”

More recently, it changed focus to concentrate on social engineering and technical support scams.

Proofpoint says it worked with its partners through March to redirect EITest command and control to four domains controlled by Abuse.ch, acting as the sinkhole.

“As a result of generating those new domains, we were able to substitute the malicious server with a sinkhole. We are now receiving the traffic from the backdoors on the compromised websites, freeing them from the EITest CCs and their visitors from the resulting malicious traffic and injects.”

Between March 15, 2018 and April 4, the post said, the sinkhole received “44 million requests from roughly 52,000 servers”, most of which were compromised WordPress sites. The three top sources of infection were the USA, the Ukraine, and China. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/04/16/security_bods_set_free_eitest_malware_slaves/

Boffins think classical crypto can outlive quantum computers

Cisco and quantum security outfit Isara reckon they’ve got at least as far as alpha stage on one problem of the future: securing public key certificates against quantum computers.

“Quantum computers will break cryptography” is a popular mass media trope, but the big brains of crypto have been aware of the risk for some time, and academics have been pondering quantum-safe crypto schemes for years.

Deployments are less common at this stage, which is why the Cisco-Isara PQPKI test caught Vulture South’s attention.

The PQPKI test acts as a TLS 1.2 server with post-quantum authentication: the certificates are signed with a post-quantum scheme, offered as one of the ciphersuites the server supports.


As the partners explained at the test site, America’s National Institute of Standards and Technology has a post-quantum crypto project with around 70 submissions. However, “Most of these schemes have significantly larger public key and/or signature sizes than the ones used today. There are concerns about the effect their size and processing cost would have on technologies using X.509 certificates today, like TLS and IKEv2”.

The PQPKI test has adopted a hybrid approach to the problem, allowing certificates to be tested using post-quantum schemes if machines support them, but falling back to traditional certificate checks if not.

A hybrid scheme would also save certificate authorities and users from having to run duplicate systems, Isara explained.

Cisco’s Panos Kampanakis said: “Once the quantum-safe algorithms are standardised, we may have a very short time frame in order to migrate our systems.”

Isara added that the test server used “Leighton Micali Scheme (LMS) stateful hash-based digital signatures” (described at the International Association for Cryptologic Research in this paper, co-authored by Isara’s Edward Eaton).

Another scheme, SPHINCS+, is planned for a second phase of the test. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/04/16/post_quantum_pki_test/

So you’ve got a zero-day – do you sell to black, grey or white markets?

B-SIDESSF Barely a decade ago the mere idea of selling vulnerabilities was highly controversial. Today the market is mature, but increasingly complicated – researchers can now choose between making lots of money, being moral and making less, or going fully black.

The 2015 pwning of Italian surveillance-ware-for-governments vendor Hacking Team has allowed an unprecedented view into the economics of the bug bounty market, and Brian Gorenc, head of Trend Micro’s bug-buying Zero Day Initiative (ZDI), explained to the BSidesSF technology conference in San Francisco how best to sell a bug.

Hackers with bugs to sell can choose to work with white, grey and black markets. White-hat buyers like ZDI will pay a smaller amount than others, but it’s totally legit and you know the security holes are going to be fixed – Trend funds the ZDI program because it can use the data to augment its own security systems, but it always lets manufacturers know about flaws.


Then there’s the grey market, where hackers sell to a specific buyer who won’t make the bug public to anyone other than paying clients. These can be private companies, vulnerability brokers or governments.

“Government sales can be very lucrative,” Gorenc said. “If you’re firing off missiles worth hundreds of thousands of dollars then paying $100,000 for a good exploit is small change. But you don’t know how it’s going to be used.”

Payouts can also be a moveable feast. White hat buyers pay up front, as do governments, but vulnerability brokers are adopting a graduated scheme to guard against double dipping. Typically they pay 50 per cent up front, 25 per cent in 30 days if the zero-day flaw is not discovered, and then the final 25 per cent after another 30 days.

Vulnerability brokers also serve another useful purpose – they act as a firewall to keep the identity of the researchers secret. But again, you don’t know how the exploit will be used and/or disclosed.

The pwning of the Italian grey marketeers the Hacking Team in 2015 offered an excellent insight into the economics of this market. Countries like the Czech Republic, Bangladesh and Gulf States were paying Hacking Team tens of thousands of dollars a year (over 80,000 euros in the Czech case) for access to its vulnerability database.

The Hacking Team data leak also drew the attention of ZDI to a hacker called Vitali Toropov, who was named in the Italian company’s files but was also very familiar to the ZDI team.

“He’s a great exploiter,” Gorenc said. “He had been submitting to ZDI for many years and he’s very good – we bought 100 per cent of the bugs he submitted, an excellent hit rate.”

So it’s clear researchers can play on both sides of the fence, disclosing some bugs for a quick and honest payout, but also reaping grey market profits. But there’s also the black market – selling directly to online scumbags. Gorenc made it clear he did not approve of such sales.

But overall the situation for researchers is looking very good indeed. There are now multiple ways to monetize security research and the industry is benefitting from an army of hackers finding flaws in places no-one had thought to look.

However, this market is now under legislative attack. In the US state of Georgia, a proposed hacking law could criminalize researchers for doing their job, and internationally the ongoing confusion over the new Wassenaar Arrangement leaves many unsure whether they are on the right side of the legal line. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/04/15/mature_bug_bounty_market_bsidessf/

Router ravaging, crippling code, and why not to p*ss off IT staff

Roundup It has been a busy week for security, with the CYBERUK 2018 conference in the UK and the industry gearing up for BSides and the RSA conference in San Francisco next week.

But there have been a bunch of smaller stories that may have slipped under your radar, plus all the other bits and pieces we’ve covered this week.

Wreckin’ routers

Last month, Kaspersky warned of advanced malware, dubbed Slingshot, that uses routers to infect networks. Well, here’s some more along those lines. A report [PDF] by Akamai discusses software nasties leveraging vulnerable Universal Plug and Play (UPnP) services offered by routers and gateways to press-gang at least 65,000 boxes.

In all, Akamai estimated that around five million routers could be vulnerable to hijacking via UPnP exploits: miscreants can use the flaws to rewrite networking tables, and turn devices into proxy servers. It has compiled a list of 400 router models from 73 manufacturers that are hackable, and if you’ve got one of these then it’s time to either upgrade your kit or mitigate the risk.

More crap ransomware

Over the past month, a ransomware variant called GandCrab has been popping up on people’s systems. But the writers appear to have cocked up with one variant of the code, according to security researcher Brad Duncan.

The code spreads via infected Word documents, but the writers made an error in the embedded VBScript that stops it compiling. So when some benighted user clicks on the dummy doc they get a warning about a compile error instead of a massive bout of file encryption and a ransom demand.

Drupalgeddon!

Two weeks ago engineers at the popular content management system Drupal patched a serious flaw in its platform. As so often happens, the patch has now been reverse engineered.

If you want more details on the mechanics of the bug itself, Check Point did an excellent analysis of the flaw and its likely effects. Someone in the malware writing community has most likely read it too, because there is now exploit code circulating in the wild.

Daniel Cid, founder of security shop Sucuri, claims to have found the code and is warning users who haven’t already patched to do so as quickly as possible. The proof of concept code is already up on GitHub and hackers are expected to hit Drupal users hard.

Staff shenanigans

As any security professional will tell you it’s not outside hacking attacks that make up the bulk of issues, but your own staff.

As a case in point take Suzette Kugler, a former database administrator with regional airline PenAir – until she retired in February last year. Apparently unsatisfied with her payoff, Kugler set up a number of dummy accounts on PenAir’s servers and began to make mischief.

Kugler used the accounts to delete critical files and brought down the airline’s booking network. Engineers worked through the night to get systems up and running and then called the cops, who quickly fingered Kugler and arrested her.

A first time offender, Kugler pleaded guilty to one count of fraud and was sentenced to five years of probation, and 250 hours of community service. What should have been a pleasant retirement is now probably going to be spent picking up trash and paying back the near $6,000 it took to fix the system. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/04/14/security_roundup/

7 Non-Financial Data Types to Secure

Credit card and social security numbers aren’t the only sensitive information that requires protection.

(Image: Tumisu VIA Pixabay)

As more and more personally identifiable information (PII) has moved online, cybercriminals have been able to gain access to deeper stores of data and build more complete pictures of their victims. Whether the information concerns health, movement, or political views, it adds up to a rich, complete version of an individual that can be stolen, mimicked, or manipulated.

The largest data breach so far, the Yahoo incident, didn’t involve financial data – instead exposing the real names, email addresses, dates of birth, telephone numbers, and security questions of roughly 3 billion people to hackers. The next largest, that of Adult Friend Finder, gave names, email addresses, and passwords to the attackers. In neither of these cases were credit card or social security numbers released, but both were highly damaging to many of those affected and, in the case of Yahoo, devastating to the company itself.

This shows that if criminals are willing to attack an organization to gain non-financial information on users and customers, then the IT department should be willing to treat that information as important, too.

Here’s a look at seven data types many companies have collected and hoarded with abandon, and that need to be protected just like financial data. If your organization has terabytes of any of these data types sitting in a warehouse, lake, or cluster, then it may be time to start the audit to see just how exposed it — and your company — truly are.


Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/perimeter/7-non-financial-data-types-to-secure/d/d-id/1331507?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Tried checking under the sofa? Indian BTC exchange Coinsecure finds itself $3.5m lighter

Indian Bitcoin exchange Coinsecure has mislaid 438.318 BTC belonging to its customers.

In a statement by parent firm Secure Bitcoin Traders Pvt, posted late on Thursday, the biz said its chief security officer had extracted a bunch of Bitcoin to distribute to punters – and discovered the funds were “lost in the process.”

The vanished Bitcoin stash was worth £2,493,590 ($3,547,745) at the time of publication, and apparently departed Coinsecure’s secure coin servers on April 9.

Earlier this week, folks began to smell a rat as the site went down for an unexpected nap that day:

Things proceeded to become more alarming for worried customers as Coinsecure stopped accepting deposits due to “backend updates.”

We’re told chief security officer Dr Amitabh Saxena and chief exec Mohit Kalra should have been the only ones with access to the wallet’s private keys. Here’s a crime report the biz filled out and submitted to Indian authorities:


Coinsecure FIR

With Bitcoin values tumbling after historic highs, it seems the quickest way to lose your cryptocurrency is to, er, deposit it somewhere. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/04/13/coinsecure_btc_missing_bitcoin/

UK health service boss in the guts of WannaCry outbreak warns of more nasty code infections

The UK’s National Health Service has learned from last year’s WannaCry attack – and started putting in place disaster recovery measures that will allow it to maintain services in the face of an even fiercer assault.

The worldwide spread of WannaCry last May hit hospital networks particularly hard and left doctors and nurses unable to use computers, resulting in confusion and the postponement of some non-urgent procedures.


The high profile incident was “not the be all and end all,” according to Dan Taylor, a director of security at NHS Digital. Contrary to the impression left by media reports, “WannaCry affected healthcare in a small way,” he claimed, with just over 40 organisations affected.

Taylor was not seeking to downplay the effects caused by WannaCry, but rather to provide context by saying as many as 25,000 centres weren’t affected. He also spoke against complacency by arguing that still worse might be possible, so stepped up defences and preparation were crucial. Taylor praised his staff for dealing with the emergency during what he described as a seminal moment in his career.

“WannaCry was a shot across our bows. It was the idea that something could happen, it did happen, and it did affect patient care in many areas,” he said.

“It was the be all and end all incident, in healthcare. Something new will happen and… there will be another WannaCry.”

Taylor made his comments during a panel on disaster recovery, entitled In the Eye of the Storm at the National Cyber Security Centre’s CYBERUK 2018 in Manchester on Thursday.

Official reports by the National Audit Office (NAO) and others after the outbreak faulted the NHS for failures to patch against the known security vulnerabilities exploited by WannaCry. The malware spread through the EternalBlue exploit in Windows systems dumped by The Shadow Brokers hacking crew a few months prior to the attack. Western intel agencies in the UK and US both publicly blamed North Korea for the attack late last year.

Taylor said NHS Digital has developed a much more comprehensive disaster recovery plan since the WannaCry attack before embarking on a rigorous, ongoing testing regime. “The thing we’ve done since that is test, and test, and test again… when [anything] does happen, we’ll be in a much better position.”

S**t happens, deal with it

Contrary to what vendors might claim, a security panacea or silver bullet doesn’t exist, but threats can still be mitigated with layers of security. Even with those layers and extensive preparation, “things will still happen.”

Paul Chichester, director of operations at the National Cyber Security Centre, said that above all organisations need to be prepared to deal with a breach.

“Expect a breach and be prepared by putting in place things such as logging and computer forensics,” Chichester advised. “The mark of the maturity of an organisation is in how they deal with a breach when you call them,” rather than whether or not security incidents – which are nigh on inevitable – happen, Chichester added.

Yochana Henderson, head of digital identity management for the Parliamentary Digital service, gave CyberUK delegates an inside view of a high profile brute force attack against Parliament’s email system during the same panel session.

The “sustained and determined” attack began quite slowly before intensifying once its perpetrators realised it had been detected, she explained.

An estimated 90 email accounts were compromised on the Parliamentary network last June. The UK government subsequently blamed Iran.

Henderson said that lessons learned included focusing on getting key services back even if other things aren’t working; in that particular case, for example, Parliament has to be able to sit. Like her counterparts, Henderson emphasised preparation and disaster planning as the key to being ready to limit the impact of future attacks. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/04/13/nhs_wannacry/

Exposed: Lazy Android mobe makers couldn’t care less about security

Let’s nail this once and for all: Too many Android smartphone makers simply aren’t rolling out Google’s security bug fixes for the mobile operating system.

Germany-based Security Research Labs (SRL) today said that even top vendors – such as HTC, Huawei, and Motorola – leave punters vulnerable by not patching devices for known Android vulnerabilities in a timely fashion, if at all.

You’d hope manufacturers would be quick to test and push out over-the-air firmware and software updates to close down bugs that can be exploited by malicious applications, booby-trapped messages, and dodgy webpages, to hijack, control and snoop on handhelds. But, nope. Not always the case.

It turns out updates issued to some devices are incomplete, leaving unlucky punters open to attack. Now, we’re not advocating buggy and rushed code is forced onto gadgets, but it would be nice if patching was a bit more of a priority. And if manufacturers fessed up to their customers that they were behind in patching, rather than claim everything is all OK and up to date.

“Installing patches every month is an important first step, but is still insufficient unless all relevant patches are included in those updates,” the SRL team – Karsten Nohl and Jakob Lell – noted as part of their presentation to the Hack In The Box security conference in Amsterdam, the Netherlands.

“Our large study of Android phones finds that most Android vendors regularly forget to include some patches, leaving parts of the ecosystem exposed to the underlying risks.”

And, yes, that’s the same Nohl known for pointing out big holes in the world’s cellular networks.

Beyond its own smartmobes, Google leaves it to individual phone vendors to test, cryptographically sign, and distribute updates for their hardware, which includes fixes for security vulnerabilities in drivers as well as the core system software. That reliance on vendors ends up stalling, or completely blocking, the rollout of fixes to people.

The web giant did develop a neat trick, though, in which its Google Play Services code can bypass manufacturers and install some security patches by itself over the internet without any vendor intervention. This should, in theory, get stuff updated quickly. However, the services can’t dig deep into the device and replace low-level faulty software components, such as drivers and system libraries. Hence, some devices get half-complete updates each month. Some from Google, none from the manufacturer.

El Reg can vouch for this first-hand. One of our offices has an Android 7 Samsung Galaxy S8 handset that, despite being “up to date,” can’t fetch any security patches since August last year.

SRL suggests security-savvy users take a look at what is included in the monthly fixes from Google, and at least be aware of any issues that need patching.

The researchers also note that the presence of a vulnerability in and of itself does not mean a device will fall to malware or hackers. Rather, attackers will still likely have to use multiple tactics – such as convincing the user to run a malicious app from an unofficial store – or exploit several vulnerabilities in tandem to escape Android’s sandbox, defeat various defense mechanisms such as ASLR, and ultimately seize control.

“Owing to this complexity, a few missing patches are usually not enough for a hacker to remotely compromise an Android device,” the SRL duo noted.

“Instead, multiple bugs need to be chained together for a successful hack.”

SRL has provided the full slide deck [PDF] of the presentation on its blog if you’re interested in more details. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/04/13/slow_android_security_fixes/

7 Steps to a Smooth, Secure Cloud Transition

Security leaders share their top steps to keep in mind as your organization moves data and applications to the cloud.

(Image: Verticalarray via Shutterstock)

The rapid rate of cloud adoption has put the spotlight on security as businesses try to control and secure data and applications. Employees are moving to the cloud regardless of what the security team says, and their habits aren’t changing any time soon.

Cloud adoption has ramped up over the past five years, according to a new Cloud Threat Report released by Oracle and KPMG this week. The percentage of businesses using public cloud services went from 57% in 2013 to 85% in 2018. In 2013, only 21% of organizations said they used infrastructure-as-a-service (IaaS). This year, that number hit 51% – a 143% increase.

This major shift is creating a new wave of cybersecurity challenges, says Akshay Bhargava, vice president of Oracle’s cloud business group. Enterprise cloud users are realizing the complexity of threats to data in the cloud as new devices and identities access cloud environments.

“The biggest finding for us is just difficulty keeping pace at scale,” he explains. “Many organizations are facing a challenge: their cloud adoption is growing significantly faster than their ability to secure their cloud footprint.”

Ninety percent of survey respondents categorize at least half of their cloud-resident data as sensitive. It’s worth noting that “sensitive” is a subjective term but generally, this information includes CRM data, personally identifiable info, payment card data, legal documents, source code, designs, and other types of intellectual property.

Despite the increasing trust in the cloud – 83% of respondents rate cloud security as good or better than on-prem security – companies often fail to take the right steps to ensure they’re secure during the cloud transition. One of these is properly vetting a cloud service provider before doing business with them – a step that challenges many organizations.

Most (98%) of Oracle/KPMG’s respondents conduct formal security reviews of public cloud service providers before doing business with them. However, only 47% conduct these assessments on their own, and 52% use a third party. The challenge comes from the lack of an industry standard for benchmarking providers’ security programs, which creates ambiguity.

If you’re thinking with a cloud-first mindset, you should be making sure all the right boxes are checked before you make the leap. Here, security experts highlight the most important steps to keep in mind while moving to the cloud. Did they miss any? Feel free to add to our list.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/cloud/7-steps-to-a-smooth-secure-cloud-transition/d/d-id/1331535?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple