STE WILLIAMS

Police use dead man’s fingers to try to unlock his iPhone

The dead have no privacy rights.

Corpses can’t assert privacy rights in courts. But they can unlock their iPhones with fingerprint authentication, and that comes in mighty handy when police need to investigate who killed them or who convinced them to go on a stabbing spree with a butcher’s knife.

Forbes has published a report of what it says is the first known case of police using a dead man’s fingerprints in their efforts to get past the protection of Apple’s Touch ID authentication technology.

Note that a previous case from July 2016 involved police making a cast from a dead man’s prints, but not from his actual fingers. They asked for 3D prints to be made from fingerprints they already had on file from having previously booked him.

The landmark case involving actual dead fingers is that of Abdul Razak Ali Artan, an 18-year-old Somali immigrant who plowed his car into a group of people on the Ohio State University campus, attacked victims with a butcher’s knife, and was shot dead by police in November 2016.

FBI forensics specialist Bob Moledor told Forbes that about seven hours after the attacker was killed, an FBI agent pressed Artan’s index finger to the iPhone they found on his dead body. Law enforcement hoped that it would give them access to the phone so they could learn more about the attacker and his motives: namely, had he been radicalized by Islamic State?

It didn’t work. Too much time had elapsed, and the iPhone, an iPhone 5 model, had gone into sleep mode. They’d need a passcode to unlock it.

So Moledor sent the phone to a forensics lab. The lab succeeded in retrieving information from the device, which helped them determine that the failed murders may indeed have been inspired by Islamic State’s radicalization campaign.

Of course, it’s no surprise that the lab succeeded. There are now multiple outfits promising that they can hack iPhones. The most prominent name is that of Cellebrite, widely believed to be the firm that broke into the iPhone 5C belonging to dead San Bernardino terrorist and mass murderer Syed Rizwan Farook.

As Forbes reported last month, Cellebrite recently updated its marketing to claim that it can break the security of…

Apple iOS devices and operating systems, including iPhone, iPad, iPad mini, iPad Pro and iPod touch, running iOS 5 to iOS 11.

A source in police forensics also told Forbes that Cellebrite told him it could unlock the iPhone 8. The source also said that he believed the company could crack the iPhone X, given that security across Apple’s newest devices worked in much the same way. Then too, there’s US startup GrayShift selling a $15,000 device called GrayKey that promises to unlock the iPhone 8 and X.

That’s pricey. Cellebrite is pricier. As The Intercept has reported, a US Drug Enforcement Administration procurement record shows that as of September 2016, a premium unlocking subscription service cost $250,000 a year in the US. One-off hacks were selling for about $1,500 per phone.

Dead people’s fingerprints are a steal.

Marina Medvin, owner of Medvin Law, told Forbes that it’s “entirely legal” for police to try out fingerprints of corpses, if not entirely ethical. Once somebody’s dead, they lose privacy interest in their own body, she said, which takes away their standing in court to assert privacy rights.

Survivors are also likely out of luck trying to stop the police from using the deceased’s fingerprint or other biometrics, Medvin said:

Once you share information with someone, you lose control over how that information is protected and used. You cannot assert your privacy rights when your friend’s phone is searched and the police see the messages that you sent to your friend. Same goes for sharing information with the deceased – after you released information to the deceased, you have lost control of privacy.

Besides the failed attempt to use Artan’s fingerprints to unlock his iPhone, separate sources have told Forbes that it’s now a “relatively common” procedure to press dead people’s fingers to their phones. It’s been used in overdose cases, for example, as police have sought drug dealers.

What’s next up? Likely hacking Face ID with dead people’s faces.

In theory, Apple’s Face ID authentication is supposed to require eye movement to work. But Marc Rogers, researcher and head of information security at Cloudflare, told Forbes that he’s recently discovered that photos of open eyes work just fine.

A few months ago, Vietnamese researchers did the same thing. With a mask.

So much for liveness checks!


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/6le42tclhrY/

Facebook death hoax: Captain Kirk says, “I’ve not boldly gone yet!”

Samuel Clemens, better known by his pen name Mark Twain, was probably the first victim of a “dead celebrity” hoax in the global telecommunications era.

While Clemens was in London on a world speaking tour, a rumour circulated that he was unwell, a hoax that was soon upgraded to say that he had died.

Even back in 1897, the rumour boldly went all over the world, thanks to the international telegraph network, the Victorian era’s equivalent of the internet.

This prompted a letter from Clemens in which he famously quipped that “the report of my death was an exaggeration.”

Many celebrities have been falsely reported to have died since then, including punchy film stars Chuck Norris and Sylvester Stallone, and Canadian singer Justin Bieber, who didn’t die in a car crash back in 2013.

The latest member of the fake-death-rumour society is none other than Captain James Tiberius Kirk of the USS Enterprise, also known as Canadian actor William Shatner.

Shatner’s death didn’t follow the typical Facebook scam formula, where fake or hijacked accounts are used to recruit a core of believers who like and share the fake news until it reaches rumour level.

Instead, Shatner’s death notice was delivered in a purposeful, paid Facebook ad – a sponsored post from a company called Avocet Retail Sales – via Facebook Messenger:

As if Facebook didn’t have enough people wading into its reputation right now following the Cambridge Analytica data disaster, it got Captain Kirk on its videoscreens, too, as Shatner tweeted at Facebook to ask:

Hey @facebook isn’t this your messenger app? What’s up with you allowing this A[v]ocet Retail Sales ad to pass your muster? Thought you were doing something about this?

Facebook, to be fair, pulled the offending ad quickly enough, tweeting back the same day to say so, and drawing a quippy reply from Shatner:

What to do?

Most of us aren’t celebby enough to attract rumours of this sort, let alone to be featured as drawcards in ads, legitimately or otherwise.

Of course, there’s a flip side to that: most of us aren’t celebby enough to get fake posts about us removed with a single throwaway remark on Twitter.

Nevertheless, the main social networks do have “report violations” pages, so here’s where to turn to on the most popular ones:


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/hKxGB9fVu70/

UK.gov unveils cyber security export strategy – only thing missing is the strategy

The UK government has published a details-light “cyber security export strategy” intended to help local SMEs win contracts abroad – despite having struggled to boost its own spend with small businesses.

International Trade Secretary Liam Fox, who resigned in disgrace as Defence Secretary under David Cameron, strangely pointed to the ongoing cyber threats from the likes of Russia as a potential opportunity.

“Recent events show that the UK faces a diverse range of threats from hostile state actors. So in an increasingly digital world, it’s vital that we improve our cyber capabilities, which are crucial for national security and prosperity”.

He added: “The strategy I am publishing today will support UK companies to export our world-leading cyber security expertise, which will help strengthen our capabilities, and protect our country and our allies from those who wish us harm”.

The government wants to boost the prospects of Blighty’s 800 cyber online security companies.

But just how the document intends to help the plethora of infosec outfits in the UK grow overseas was not apparent. For example, it fails to mention anything about trade missions, or trade agreements.

Three main aims the Department for International Trade has for the sector are: to pursue “priority markets” and act as “a trusted advisor to support UK companies bidding for major opportunities; curate “bespoke offers” for the top buyers in these sectors worldwide; and “showcase the best of UK cyber security” around the globe “alongside new cyber security content on great.gov.uk.”

The UK government is splashing £1.9bn between 2016 and 2021 as part of an update to the UK’s National Cyber Security Strategy.

Arguably, the government’s efforts could be better spent getting its own house in order. It recently emerged that every single one of the 200 NHS trusts in the UK so far assessed for “cyber security resilience” has failed an on-site assessment, according to a Public Accounts Committee hearing.

Meanwhile, the government has threatened the stick of fining infrastructure firms £17m if they do not have adequate cybersecurity measures in place.

One thing the UK government certainly has found a roaring trade for is the publication of meaningless documents: witness digital minister Matt Hancock’s “Culture is Digital” (PDF) report, published earlier this month, and its equally useful collection of words for a “code of conduct” for IoT makers. ®

Sponsored:
Minds Mastering Machines – Call for papers now open

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/03/26/uk_gov_cyber_security_export_strategy/

8 Security Spring Cleaning Tips for the Home Office

Use these ideas to sharpen up your home office machine against potential intruders.

(Image Source: Shutterstock via Prostock-studio)


Officially, it became spring early last week, although people in the snowbound Northeast are anxiously awaiting the arrival of the actual spring weather that brings flowers, green grass, and baseball season.

So wherever you live, if you run and manage a home office, now’s as good a time as any to do some spring cleaning so your devices are less vulnerable to malware and potential threats. While this may seem to affect only a small percentage of workers, that’s really not the case anymore. A Gallup survey from last year found that 43% of employed Americans work from home at least some of the time.

T. Frank Downs, director of SME cybersecurity practices at ISACA, says home workers have to conduct themselves just as they would in the office.

“People have to be aware of their surroundings and operate the same way, being sure not to open up suspicious emails, weird attachments or install thumb drives that might come in the mail,” Downs says.

Russell Schrader, executive director of the National Cyber Security Alliance, adds that cleaning your machine is one thing – keeping it clean is yet another task.

“Once you get your machine clean you’ll want to keep it clean,” Schrader says. “It’s really important to keep on it, always asking if you really want to share that document or download the latest cool application you saw. The idea is to be mindful of security and build habits that will make it easier for you to keep it clean. It’s like your house, once you clean it well one time it’s easier to keep it clean moving forward.”

The eight tips in the slideshow are based on interviews with ISACA’s Downs and NCSA’s Schrader. They offer some practical advice on how to keep applications up-to-date, how to handle public hotspots and keep your home router up-to-date. 


Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md.

Article source: https://www.darkreading.com/8-security-spring-cleaning-tips-for-the-home-office----------/d/d-id/1331354?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

The Overlooked Problem of ‘N-Day’ Vulnerabilities

N-days — or known vulnerabilities — are a goldmine for attackers of industrial control systems. It’s time for a new defense strategy.

Security Researcher Joseph Pantoga contributed to this article.

Zero-day attacks tend to steal the spotlight when it comes to cybersecurity threats, but it is actually the known vulnerability — the “N-day” — that poses a much larger problem for many organizations and particularly those in the industrial sectors.

Whereas zero-days are a class of vulnerability that is unknown to a software developer or hardware manufacturer, an N-day is a flaw that is already publicly known but may or may not have a security patch available. There are countless known vulnerabilities in existence today, and many large commercial and governmental entities will find they have significant exposure within their broad network footprints.

However, the problem is far more acute for organizations that rely on industrial control systems (ICS) such as the energy, manufacturing, and infrastructure sectors. This is because ICS equipment can be extremely difficult to update and patch. To make matters worse, ICS firmware is often developed with insufficient built-in security controls, and product manufacturers can be slow to fix newly discovered vulnerabilities and threats.

For more than a year, our team analyzed unpatched N-day vulnerabilities in the firmware of widely used ICS devices in order to gain a better understanding of the problem. Some of these findings were recently presented at the S4x18 security conference in Miami. We found that N-days are extremely common in the ICS environment. Nearly all the operators who read this article are likely to have numerous N-days in their systems.

N-Days vs. Zero-Days
N-day vulnerabilities are a goldmine for attackers because the hard work has already been done. In certain cases, active exploits may already exist and be readily available from public disclosure documents. Compare this with zero-days, which are time-consuming and expensive to find and exploit — the reason why their use is declining among criminal groups.

While N-days pose a threat to any large network, industrial users are at an especially high risk because of specific circumstances unique to those environments:

  1. Systems must always be available. 
  2. No standardization. For example, in an ICS, as opposed to a standard computing environment, patching is often a manual proprietary process that requires unique software and knowledge for each vendor. 
  3. Patches rarely propagate between vendors that use shared code. This highlights an example we outlined at S4, where a vulnerability was reported to a vendor in the telecom sector, was patched by the software vendor (Intel/Windriver), but patches were not applied by a number of other large vendors in ICS. 
  4. Extended lifetime. Systems are typically deployed in the field for over a decade and well past their support period. Vendors who desire to sell new products are disincentivized to routinely patch and support older products with security updates, even if they are still commonly found in the field.

Real-World Cases Illustrate the Risks
The industry has already seen a number of attacks on industrial targets that have exploited N-day vulnerabilities in ICS devices and protocols. Some examples include: 

  • CrashOverride or Industroyer: This malware was used in a December 2016 attack that disrupted operations at a Ukrainian electrical transmission substation. It exploited the known CVE-2015-5374 Denial of Service condition in the Siemens SIPROTEC relays.
  • TRITON or HatMan: Discovered in 2017, the ICS malware targets Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers’ emergency shutdown capability.
  • BlackEnergy: This malware contained exploits for specific types of HMI applications, including Siemens SIMATIC, GE CIMPLICITY, and Advantech WebAccess. 

High-Risk Vulnerabilities
Many of the N-days we discovered in ICS firmware are critical in nature and could allow a hacker to gain remote access and total control over parts of an industrial operator’s network or facility. These N-days could allow attackers to replicate the effects of CrashOverride, TRITON, BlackEnergy, or even Stuxnet much more easily, and at a much wider scale.

For example, in our research into the VxWorks 5.5.1 vulnerability (discussed above), we found that every major manufacturer had a product that remains unpatched against this N-day. In no case was this vulnerability listed for the individual ICS products, so vendors may not even know these vulnerabilities exist. The vulnerabilities can be exploited for such malicious purposes as manipulating settings and controls, physically damaging or destroying equipment, disrupting key operations, and stealing sensitive information.
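The shared-code problem described in item 3 of the list above and in the VxWorks paragraph is, in practice, an inventory question: an advisory names the embedded component and the version that carries the fix, but not every product that embeds it. The check below is an added example written for this page, not code from the article's authors or from Red Balloon Security. Every device name, vendor, advisory identifier and fixed-in version in it is a constructed placeholder (the only value taken from the article is the VxWorks 5.5.1 version string); it shows the matching logic a defender would run over a component inventory to surface products an advisory never listed.

```python
"""Flag ICS devices exposed to an N-day through a shared embedded component.

Added example, not from the article. All device names, vendors, advisory ids
and the fixed-in version are constructed placeholders for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version such as '5.5.1' into a comparable tuple (5, 5, 1).

    Parsing stops at the first non-numeric fragment, so '6.9-rc1' compares as
    (6, 9). Comparing tuples avoids the classic string-compare bug where
    '5.10' sorts below '5.9'.
    """
    parts: List[int] = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


@dataclass(frozen=True)
class Advisory:
    ident: str                      # placeholder id, NOT a real CVE number
    component: str                  # the shared component the fix applies to
    fixed_in: str                   # first version of that component with the fix
    named_products: FrozenSet[str]  # products the advisory explicitly lists


@dataclass
class Device:
    name: str
    vendor: str
    components: Dict[str, str]      # embedded component name -> version


def exposed_devices(devices: List[Device], advisories: List[Advisory]) -> List[dict]:
    """Return one finding per (device, advisory) pair where the device embeds
    the affected component at a version older than the fix. The
    'named_in_advisory' flag is the point of the exercise: False means the
    product is exposed even though the advisory never mentioned it."""
    findings = []
    for adv in advisories:
        fixed = parse_version(adv.fixed_in)
        for dev in devices:
            embedded = dev.components.get(adv.component)
            if embedded is None or parse_version(embedded) >= fixed:
                continue
            findings.append({
                "device": dev.name,
                "vendor": dev.vendor,
                "advisory": adv.ident,
                "component": f"{adv.component} {embedded}",
                "fixed_in": adv.fixed_in,
                "named_in_advisory": dev.name in adv.named_products,
            })
    return findings


# Constructed sample inventory. The advisory names only the telecom gateway
# that reported the bug; the ICS products embedding the same RTOS are silent.
SAMPLE_ADVISORIES = [
    Advisory("ADV-PLACEHOLDER-0001", "VxWorks", "5.5.2",  # fixed_in is a placeholder
             frozenset({"telecom-gateway-A"})),
]
SAMPLE_DEVICES = [
    Device("telecom-gateway-A", "TelcoVendor", {"VxWorks": "5.5.3"}),   # patched
    Device("plc-model-X", "IcsVendorOne", {"VxWorks": "5.5.1"}),        # exposed, unlisted
    Device("rtu-model-Y", "IcsVendorTwo", {"VxWorks": "5.5.1", "OpenSSL": "1.0.2"}),
    Device("hmi-model-Z", "IcsVendorThree", {"Linux": "4.4"}),          # not affected
]


if __name__ == "__main__":
    for f in exposed_devices(SAMPLE_DEVICES, SAMPLE_ADVISORIES):
        tag = "" if f["named_in_advisory"] else " (not named in advisory)"
        print(f"{f['vendor']}/{f['device']}: {f['component']} < {f['fixed_in']} "
              f"[{f['advisory']}]{tag}")
```

The inventory side of this (which RTOS, crypto library or protocol stack each product embeds, at which version) is the hard part in real ICS estates; the matching itself is trivial once that inventory exists, which is the argument for maintaining it.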

Due to the large number of vulnerabilities we discovered and the long lead time on ICS patching (as well as the low patch penetration rate), we decided not to disclose individual vulnerabilities against named devices for fear of arming attackers while device operators would be unable to respond.

Patching Is Not the Answer
ICS N-days are not an easy problem to fix. Solutions are limited by technical complications and a slow-to-act supply chain. Nonetheless, there is a lot the industry can do to address the problem.

To start, the current reactive approach of patching known vulnerabilities is no longer tenable. Every component of the ICS environment should have strong security baked into the software, firmware, and hardware from the very start in order to lower the overall risk of N-days and other problems, and to mitigate or prevent damage from their exploitation.

The best solutions will combine intrusion detection and mitigation techniques to protect against known and unknown attacks without relying on continuous updates. By and large, these features do not exist, so it is incumbent upon manufacturers to develop or source this technology as quickly as possible.


Dr. Ang Cui is the founder and CEO of Red Balloon Security in New York City, and a PI on DARPA LADS, as well as various other government agency funded research efforts. Dr. Cui is the inventor of Symbiote, a firmware defense technology for embedded devices, and FRAK, a …

Article source: https://www.darkreading.com/vulnerabilities---threats/the-overlooked-problem-of-n-day-vulnerabilities/a/d-id/1331348?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

We need to go deeper: Meltdown and Spectre flaws will force security further down the stack

Around 2003, a computer security portent that had been cheerlessly simmering away for years suddenly came to the boil.

This was an era stricken by malware attacks on a scale few had prepared for, running software beset with flaws some vendors seemed disinclined to acknowledge let alone fix.

Vulnerabilities, including high-severity ones, were nothing new, of course, but on the back of the internet megatrend they seemed to be getting more dangerous, causing global trouble in a matter of hours, infamously through fast-spreading worms such as that year’s Blaster and SQL Slammer.

Blaster was a particularly ironic example because the vulnerability it targeted – a buffer overrun in Windows DCOM RPC – had ostensibly been patched a month before the attack. But having a patch and applying it were not, it turned out, the same thing.

What was going on? On the face of it, it appeared that high-rated vulnerabilities – especially ones exploiting the innovation of zero-day flaws – were supercharging malware in ways that were going to require new thinking and far better processes.

Vulnerability numbers quickly grew to thousands each year and migrated from the OS and server layer to mainstream applications. What counted now was response. If attackers could deploy an exploit over a period of hours or days, how long would it take defenders to peg it by deploying a software patch or mitigation?

As Gerhard Eschelbeck, then CTO of vulnerabilities management outfit Qualys, stood up to give a presentation at that year’s Black Hat show in Las Vegas, he thought he had come up with a way of measuring that gap.

Now Google’s vice president of security and privacy engineering (CISO), Eschelbeck had as his big idea the Laws of Vulnerabilities (PDF), a way to understand how quickly Qualys’s enterprise customers were patching flaws.

What interested him was vulnerability “half-life”, or how long it took to reduce the occurrence of a flaw by 50 per cent, which in 2003 was an average of 30 days in a world where exploits could appear within days.
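The half-life metric above is easy to state and worth seeing computed, because two different answers come out of the same scan data depending on how you define it. The block below is an added example written for this page, not Qualys's or Eschelbeck's own method; the scan snapshots in it are constructed. It computes the half-life two ways: the observed one (the first point at which the count of affected hosts crosses half its starting value, interpolated between scans) and a fitted one (assuming exponential decay, as the word "half-life" implies, and fitting it by least squares on the log of the counts so a single noisy scan does not dominate).

```python
"""Vulnerability half-life from periodic scan counts (added example).

Input: a list of (day_offset, hosts_still_affected) pairs from successive
scans for one flaw. Sample data below is constructed.
"""
import math
from typing import List, Optional, Tuple

Scan = Tuple[float, int]  # (days since the flaw was first seen, affected hosts)


def observed_half_life(scans: List[Scan]) -> Optional[float]:
    """Days until the affected-host count first drops to half its initial
    value, interpolating linearly between the two scans that bracket the
    crossing. Returns None if the series never gets that low."""
    if not scans:
        return None
    scans = sorted(scans)
    target = scans[0][1] / 2.0
    for (t0, n0), (t1, n1) in zip(scans, scans[1:]):
        if n1 <= target < n0:
            if n0 == n1:
                return t1
            return t0 + (n0 - target) / (n0 - n1) * (t1 - t0)
    return None


def decay_rate(scans: List[Scan]) -> Optional[float]:
    """Least-squares slope k of ln(count) against time, i.e. the rate in
    count(t) ~= count(0) * exp(-k t). Scans with zero hosts are skipped
    because ln(0) is undefined; at least two usable points are needed."""
    pts = [(t, math.log(n)) for t, n in scans if n > 0]
    if len(pts) < 2:
        return None
    t_mean = sum(t for t, _ in pts) / len(pts)
    y_mean = sum(y for _, y in pts) / len(pts)
    sxx = sum((t - t_mean) ** 2 for t, _ in pts)
    if sxx == 0:
        return None
    sxy = sum((t - t_mean) * (y - y_mean) for t, y in pts)
    return -sxy / sxx


def fitted_half_life(scans: List[Scan]) -> Optional[float]:
    """ln(2) / k under the exponential model; None if the series is not
    decaying (k <= 0) or cannot be fitted."""
    k = decay_rate(scans)
    if k is None or k <= 0:
        return None
    return math.log(2) / k


# Constructed sample: a flaw seen on 1,000 hosts, re-scanned every 10 days,
# with roughly 20% of the remaining hosts patched between scans.
SAMPLE_SCANS: List[Scan] = [(0, 1000), (10, 800), (20, 640), (30, 512), (40, 410)]

if __name__ == "__main__":
    print("observed half-life (days):", round(observed_half_life(SAMPLE_SCANS), 1))
    print("fitted half-life   (days):", round(fitted_half_life(SAMPLE_SCANS), 1))
```

On the sample series both methods land near 31 days, close to the 2003 average quoted above. They diverge on real data: the observed figure answers "when did we actually get to half", while the fitted one is what you would quote as a programme-wide metric, since a constant percentage patched per cycle (exponential decay) is the usual shape when patching is driven by a regular deployment cadence, and a long tail of unpatched hosts that the observed number never sees is exactly what the fit exposes.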

“It is quite interesting to look back and realise the Laws of Vulnerabilities are very much applicable more than ten years later, even though vulnerability half-life has shortened substantially,” says Eschelbeck. “What was measured in days a decade ago is now measured in hours. At the same time, vulnerability management has evolved from a tactical tool to a critical component of any sound security strategy, and Common Vulnerabilities Scoring System has become the golden standard for vulnerability prioritisation.”

This MO has at least contained the threat posed by software vulnerabilities. “While the complexity of vulnerabilities found has increased, modern computing paradigms such as cloud computing have shifted infrastructure management to a centralized model, allowing for better scale, and more rapid deployment of security updates.”

Perma-flaws

And yet despite this, vulnerabilities march on with a predictable logic. Having colonised OSes and web and PC applications, the vulnerability problem is now menacing firmware and, through side channels, the CPU microarchitecture itself, as the proof-of-concept (PoC) vulnerabilities Meltdown and Spectre have shown.

Just as in 2003, vendors today seem surprised and under-prepared – not this time by attackers armed with malware but by tiny groups of researchers who simply decided to unpick two decades of assumptions.

During 2017, the low-level theme bloomed. In March, Embedi told Intel about a serious flaw in the Active Management Technology (AMT) vPro firmware that is part of the mysterious Management Engine (ME), followed in July by a second “is it a bug or a feature?” weakness in the same interface courtesy of F-Secure.

In June, two Russian researchers at Positive Technologies had given Intel the bad news that they’d found problems in the ME proper stretching back to 2008. Alarmed, Intel ran an audit and found eight serious flaws it eventually made public in November, the same month a Google engineer let slip at a conference that the company planned to rip the ME out of its servers because the idea of a hidden remote management computer-within-a-computer (complete with its own modified MINIX OS, memory, and web browser) didn’t sound like a great idea in cloud data centres.

Popping a cherry on the turd of woe, October saw an urgent security vulnerability in the Infineon Trusted Platform Modules (TPMs) that sit at the root of security in many PCs, laptops and all Google Chromebooks, which would need a power wash to install updates.

All PoC rather than criminal exploits, but as the Meltdown and Spectre superflaws were later to show, it mattered not. None were easy to fix, and in the case of Intel the only meaningful option short of buying new hardware was a series of complex mitigations that, with novel PoC exploits popping up more regularly, will haunt endpoints for years to come.

Software patching half-life is perhaps days to a month or two at worst. On the side-channel, patching or mitigation looks as if it will stretch to years.

Hotel insomnia

The good news, notes Carsten Eiram, chief research officer at vulnerability analysis firm Risk Based Security, is that none so far involves remote code execution, which gives defenders a chance of detecting and blocking them.

Even when fixes are not easy or even possible, mitigations are. It’s messy and slow but liveable providing the industry can quickly fashion a reliable mitigation channel.

“In general, these types of vulnerabilities are very rare compared to the total number of vulnerabilities reported each year,” Eiram says. “The bar is higher than many other types of vulnerabilities.”

The question is how many will emerge this year and how easily they can be mitigated. Eiram expects to see more but not in any numbers. Which is fortunate because: “If a serious vulnerability was disclosed in a low-level component even if the researcher only provided a PoC, there should still be a fair number of actors in this space with the capabilities to potentially turn it into a working exploit.

“If a low-level remote code execution issue is discovered that for some reason cannot be properly mitigated or fixed without replacements, it would be a huge problem.”

What constrains mitigation is the number of moving parts. For Meltdown and Spectre, the hardware maker (Intel) had to push the mitigation to work with what the OS maker (Microsoft) deemed possible. The latter then had to tell antivirus vendors about this in case their products were making unsupported calls into memory that might interfere with OS Kernel Patch Protection (KPP), setting a registry key to indicate compatibility.

Tellingly, Microsoft ended up hosting Intel’s patches to speed distribution in case Intel’s own efforts fell short. Cooperation between industry tiers suddenly mattered.

Liviu Arsene, senior e-threat analyst at AV company BitDefender, reckons we will see more technologies that sit between the hardware and the software.

That will create fresh challenges. Once people run out of plasters, they’ll need something stronger, he says.

“We’ve been trying to get as low level as possible. Security is leaving the operating system to go deeper down the stack… to sit between the CPU and the software,” according to Arsene.

His company last year announced Hypervisor Introspection (HVI), a data centre security technology developed in conjunction with Citrix that protects virtualized servers from the thorny problem of malware exploiting shared memory.

At the time it looked like an interesting sledgehammer for a peanut-sized problem, less so now that people have had time to speculate as to how Meltdown and Spectre-primed malware might escape hypervisors in ways that not long ago sounded hypothetical.

This is not something the company could mash up on its own – Citrix’s involvement was essential to avoid breaking things.

In 2003, security professionals suddenly grasped the size of the challenge facing them and its long-term consequences for development and software management. In hindsight, it’s clear the hardware makers didn’t get the memo, and so the cult of performance-at-all-costs barrelled on.

Now it’s as if the brakes have been applied as the industry re-learns the same lessons all over again.

“While patching is good, that doesn’t address the core issue which is at some point you need to upgrade your hardware,” says Arsene. “If until now we thought of security as exploiting vulnerabilities in code, this goes to prove that this code can run much deeper than we thought.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/03/26/attacks_go_down_the_stack/

Tumblr troll-ban follows February indictments

A group of Russian “troll factory” operators indicted in February were tagged by Tumblr last year.

The Oath-owned microblogging site said last Friday that it identified the suspect accounts during (northern hemisphere) Autumn 2017.

The outfit’s post said “we uncovered 84 Tumblr accounts linked to the Russian government through the Internet Research Agency, or IRA. These accounts were being used as part of a disinformation campaign leading up to the 2016 U.S. Election”.

Following that discovery the company terminated the accounts, deleted their posts, and notified US authorities.

“As far as we can tell, the IRA-linked accounts were only focused on spreading disinformation in the U.S., and they only posted organic content. We didn’t find any indication that they ran ads,” Tumblr’s post said.

The company will also email “anyone who liked, reblogged, replied to, or followed an IRA-linked account with the list of usernames they engaged with.”

When the 13 Russian nationals were indicted in February 2018, special counsel Robert Mueller said the trolls would fabricate American identities like [email protected] to open PayPal accounts and purchase advertisements, presumably on platforms other than Tumblr.

“We’ve decided to leave up any reblog chains that might be on your Tumblrs — you can choose to leave them or delete them,” Tumblr’s post adds. “We’re letting you decide because the reblog chains contain posts created by real Tumblr users, often challenging or debunking the false and incendiary claims in the IRA-linked original post. Removing those authentic posts without your consent would encroach on your free speech—and there have been enough disruptions to our conversations as it is.”

If the site detects future “state-sponsored disinformation campaigns”, the company said, it will terminate accounts, notify users if they follow, repost, like or reply to a troll account, add the suspect account to the public record, and call law enforcement. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/03/26/tumblr_bans_russian_trolls/

Guccifer 2.0 outed, Kaspersky slammed, Oz radio hacker in the slammer, and more

Roundup: Here’s your easy-to-digest round-up of information security news beyond everything we’ve already covered this week.

DNC hacker outed as Russian 007

Guccifer 2.0, the hacker busy stealing and leaking emails from US Democratic Party servers amid the 2016 presidential elections, turned out, surprise, surprise, to be a Russian intelligence officer, according to a well-sourced report.

Said spy forgot to turn on their VPN to disguise their public IP address and location when visiting either Twitter or WordPress, we’re told, thus revealing to American investigators their true identity – a member of GRU, Russia’s military intelligence arm.

Guccifer 2.0 claimed he was a Romanian, but showed a troubling lack of knowledge of his professed language. Now it turns out Uncle Sam’s g-men know who is behind Guccifer 2.0 right down to the street of their Moscow government office, according to sources speaking to the Daily Beast.

This is going to make claims that the Russians weren’t involved in American election meddling much more difficult to dodge. Sadly, for some reason or other, President Trump seems unwilling or unable to accept this.

Kaspersky Ka-skewered

While we’re on the topic of all things Russian, Kaspersky Labs has apparently angered some in the Western intelligence community with its report detailing the appearance of the Slingshot software nasty in the Middle East and Africa.

Slingshot was a very advanced piece of malware that infected routers initially, and then the computers of the administrators who configured them. Kaspersky thought that the level of sophistication shown – the software was in its sixth version – and its persistence indicated that it was the work of a state-sponsored hacking team.

Turns out they were right, it seems. Apparently Slingshot was developed here in the US and used to track Daesh-bags and other medieval terror bastards. Now Uncle Sam’s snoops are furious about the Russian security outfit spilling the beans about their work.

The outing also sparked a debate among security professionals about whether Kaspersky should even have published its research into what turned out to be American government spyware, designed to snare barbaric terrorists. The overwhelming view was that the biz had every right to do so, but the kerfuffle probably means the company shouldn’t expect any lifting of the US government embargo of its products.

Dark web gets darker

Reddit decided this week to shut down its message boards devoted to discussing dark web marketplaces.

The move was largely symbolic, since there are plenty of other forums for discussing dodgy Tor-hidden souks online, and may actually be counterproductive. After all, such forums provide police with a host of useful information when it comes to crime fighting.

Last month Dutch police gave a presentation about its successful takedown of the Hansa marketplace. Gert Ras, head of the Netherlands National High Tech Crime Unit, recounted with great glee how they hung out on Reddit watching online drug buyers whining about being inconvenienced and detailing their plans to move their trade onto Hansa after Alphabay was shuttered.

Cut me some Slack

Revealing a little too much could also be a problem for Slack users. This week IRC-for-the-2010s Slack changed its terms and conditions so that people and organizations that pay for its premium services can examine all and any private chats in their workspaces without alerting users.

The takeaway from all this is to be careful how you use Slack. Conversing with the boss is all well and good, but if you’re also using it to try to set up a union or to have an affair with someone you work with, it might be a good idea to use a more secure service like Signal.

Theft and hacking

Secure and private communications are where it’s at these days, and Google-stablemate Jigsaw has produced a tool called Outline that tries to make VPNs easy to set up for the experienced nerd or mildly tech-savvy hack.

It’s a good idea – a simple-to-set-up system that allows small businesses, journalists, geeks, and other individuals to run their own VPN to encrypt and secure their internet traffic. Such a good idea, in fact, that someone else has already had it: Dan Guido of security shop Trail of Bits has accused Jigsaw of ripping off ToB’s Algo:

“So, I guess watch what you say to Google? Like the CII, Jigsaw is intended to buy good PR for @Google, pursue Eric Schmidt’s megalomaniacal regime change ambitions, and distract bored Google engineers from dreary ad sales work. They have no reason to collaborate with you,” Guido said. He added that he met Jigsaw engineers on a number of occasions. If he’s right then they were obviously impressed, maybe too much in fact.

For what it’s worth, our view on VPNs is to not trust third-party VPN providers, especially free ones. Set up one yourself on a machine you control, if you can, or use Algo or Outline to configure one for you, again on your own box that you can trust and secure.

Police pwned

An Australian man is going to be spending the next year in jail after being found guilty of hacking local police radios.

Vaughan William George, 42, pled guilty to illegally operating a radio communications transmitter, operating a transmitter to interfere with police telecommunications, and drug and car theft offences in the Australian state of Victoria.

Apparently police knew he was operating an illegal radio operation, but overlooked it as he wasn’t doing anyone any harm. But then George overrode a police radio broadcast, and told them to stop the pursuit of some thieves. This riled up the plod enough to take action.

DDoS so cheap

In other pwnage news, it appears that it has never been cheaper to launch a distributed denial-of-service (DDoS) attack. A report by security outfit Armor found marketplaces offering to DDoS a target for just $10 an hour, or $500 for the week.

Other offers included $100 WordPress exploits, hacking tutorials for $50, or selling ATM skimmers for $1,500 a pop. It seems it has never been cheaper to become an online scumbag. ®

Sponsored:
Minds Mastering Machines – Call for papers now open

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/03/24/security_roundup/

Microsoft to lock out Windows RDP clients if they are not patched against hijack bug

Black Hat Asia Microsoft will prevent Windows Server from authenticating RDP clients that have not been patched to address a security flaw that can be exploited by miscreants to hijack systems and laterally move across a network.

The bug, CVE-2018-0886, was fixed in March’s Patch Tuesday software update, and involves Microsoft’s implementation of its Credential Security Support Provider protocol (CredSSP). A miscreant-in-the-middle on a corporate network can abuse the flaw to send arbitrary commands to a server to execute while masquerading as a legit user or admin.

From there, lateral movement through an intranet becomes possible, and that’s just the sort of thing bad actors love. The flaw was discovered by security company Preempt, which explained it in the video below.

[Embedded YouTube video]

Microsoft’s documentation for the patch reads: “Mitigation consists of installing the update on all eligible client and server operating systems and then using included Group Policy settings or registry-based equivalents to manage the setting options on the client and server computers.

“We recommend that administrators apply the policy and set it to ‘Force updated clients’ or ‘Mitigated’ on client and server computers as soon as possible.”


The Microsoft advisory also mentions two planned actions to address the vulnerability. On April 17, 2018, an update to Microsoft’s RDP client “will enhance the error message that is presented when an updated client fails to connect to a server that has not been updated.” And on May 8, or perhaps later, “an update to change the default setting from vulnerable to mitigated” will arrive.

Preempt personnel told the Black Hat Asia conference in Singapore this week that the May patches will cause un-patched RDP clients to be rejected by patched Windows Server boxes, so that the vulnerability can’t be exploited.

It seems sensible to keep a close eye on April and May’s Patch Tuesday dump. It’s also worth looking for updates from vendors of third-party RDP clients, as they can also fall foul of this vulnerability. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/03/23/microsoft_rdp_patch_credential_security_support_provider_protocol/

Nine Iranians accused of cyber-swiping 30TB+ of blueprints from unis, biz on Tehran’s orders

The US Department of Justice and Department of the Treasury on Friday charged nine Iranians with carrying out a series of internet attacks on more than 300 universities and 47 companies in the US and abroad, as well as federal and state agencies and the United Nations.

The defendants were involved in various capacities with the Mabna Institute, a company based in Iran that, according to the Justice Department, has been coordinating cyberattacks to steal academic data and credentials on behalf of the government of Iran.

“The indictment alleges that the defendants worked on behalf of the Iranian government, specifically the Islamic Revolutionary Guard Corps,” said Deputy Attorney General Rod Rosenstein in prepared remarks delivered at a press conference in Washington, D.C., on Friday.

“They hacked the computer systems of approximately 320 universities in 22 countries. One-hundred forty-four of the victims are American universities. The defendants stole research that cost the universities approximately $3.4bn to procure and maintain.”

The nine defendants – Gholamreza Rafatnejad, 38; Ehsan Mohammadi, 37; Abdollah Karima, aka Vahid Karima, 39; Mostafa Sadeghi, 28; Seyed Ali Mirkarimi, 34; Mohammed Reza Sabahi, 26; Roozbeh Sabahi, 24; Abuzar Gohari Moqadam, 37; and Sajjad Tahmasebi, 30 – are all citizens and residents of Iran, which does not have an extradition agreement with the US.

As was the case with the special counsel Robert Mueller’s recent indictment of 13 Russians for 2016 US election shenanigans, it’s not clear whether or when the defendants will be brought before a judge.

Warning to others

Rosenstein suggested that the indictments have value even if the defendants may be out of reach. He said the indictments highlight the need for organizations to harden their cybersecurity defenses and send a message to others that the US will take steps to protect its interests.

“By bringing these criminal charges, we reinforce a norm that most of the civilized world accepts: nation-states should not steal intellectual property for the purpose of giving domestic industries a competitive advantage,” said Rosenstein.

Rosenstein said the defendants are now fugitives and risk arrest and extradition if they travel to any of the more than 100 countries that do have extradition agreements with the US. He also said the Treasury Department has taken action to limit the ability of the defendants to conduct financial transactions or do business outside of Iran.

In a parallel statement, the Department of the Treasury’s Office of Foreign Assets Control said it has added one Iranian entity (the Mabna Institute) and ten Iranian individuals (the nine defendants among them) to its Specially Designated Nationals List, which blocks their interest in property under US jurisdiction and prohibits US persons from doing business with them.

Timely

The charges were welcomed by officials in the UK, which was also targeted in the attacks. In a statement, Lord Tariq Ahmad, the UK’s Foreign Office Minister for Cyber, said, “The focus on universities is a timely reminder that all organisations are potential targets and need to constantly strive for the best possible cyber security.”

The US indictment, unsealed in a Manhattan federal court on Friday, describes a coordinated effort from 2013 through the end of 2017 involving online reconnaissance of university professors, to determine their research interests, followed by attempted spear phishing.

Spear phishing messages, according to the indictment, would appear to be from another professor inquiring about one of the target’s articles and would include a link. Clicking on the link would take the victim to a confusingly similar domain to the victim’s university and present a fake login page.
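The lure described above relies on a login page hosted on a domain that looks like the victim’s own. A small defensive check of the kind a mail gateway or SOC script could run over links is shown below; this is an added example, not code from the indictment, from Preempt or from The Register. The domain list, the homoglyph table and the crude registrable-domain rule are all constructed for illustration (a production tool would use the public suffix list and a fuller confusables table):

```python
"""Flag link hosts that look like, but are not, a legitimate university domain.

Added example; the legitimate domains below are constructed for this demo.
"""
from urllib.parse import urlparse

# Constructed: domains the organisation actually owns.
LEGIT_DOMAINS = ["example-university.edu", "example.ac.uk"]

# Digit-for-letter swaps that read alike in a browser address bar.
DIGIT_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Second-level labels after which the third label still belongs to the
# registrable name ("example.ac.uk").  Crude stand-in for the public suffix list.
SECOND_LEVEL = {"ac", "co", "edu", "gov", "org", "com", "net"}


def registrable_domain(host: str) -> str:
    """Return the part of the host an attacker would have had to register."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def normalize(name: str) -> str:
    """Collapse common homoglyph tricks so lookalikes compare equal."""
    name = name.lower().translate(DIGIT_MAP)
    return name.replace("rn", "m").replace("vv", "w").replace("-", "")


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; small inputs, so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str, legit=LEGIT_DOMAINS, max_distance: int = 2):
    """Return (verdict, matched_legit_domain) for the host in `url`.

    verdict is "legit" (our domain or a real subdomain of it), "lookalike"
    (our name embedded in someone else's domain, or within a small edit
    distance after normalisation), "unknown" or "invalid".
    """
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return ("invalid", None)
    for d in legit:
        if host == d or host.endswith("." + d):
            return ("legit", d)
    # Our whole name used as a leading label of an unrelated domain,
    # e.g. example-university.edu.login-portal.net
    for d in legit:
        if host.startswith(d + ".") or ("." + d + ".") in host:
            return ("lookalike", d)
    reg = registrable_domain(host)
    for d in legit:
        if levenshtein(normalize(reg), normalize(d)) <= max_distance:
            return ("lookalike", d)
    return ("unknown", None)


if __name__ == "__main__":
    for u in ["https://portal.example-university.edu/login",
              "https://example-university.edu.login-portal.net/sso",
              "https://examp1e-univer5ity.edu/",
              "https://exarnple.ac.uk/",
              "https://www.totally-unrelated.org/"]:
        print(u, "->", classify(u))
```

The embedded-name check runs before the edit-distance check because it is the cheaper and more certain signal; a distance threshold of 2 on the normalised registrable domain catches single-character swaps and one dropped hyphen while leaving genuinely unrelated names alone.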

Terabytes swiped

With credentials stolen in this manner, the attackers were able to exfiltrate 31.5 terabytes of academic data and intellectual property.

Over 100,000 professors worldwide were targeted in this manner, about half of them in the US. The attackers succeeded in compromising an estimated 7,998 accounts, a success rate of almost 8 per cent.


In 2016, security biz Cloudmark said that among companies that conduct phishing tests on their employees, the failure rate (success rate if you’re an attacker) is 16 per cent.

The indictment also describes how the defendants allegedly went after private sector companies using a technique referred to as “password spraying.” They would collect names and email addresses for employees and then try lists of commonly used passwords. The indictment does not reveal how many accounts were compromised in this way.
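Password spraying is wide and shallow (many accounts, one or two guesses each), which is exactly what per-account lockout thresholds miss. The detector below looks for that shape in failed-logon records and also reports any success from the same source inside the window. This is an added example, not code from the indictment or The Register; the log lines, field layout and thresholds are constructed for the demo:

```python
"""Detect password-spray patterns in authentication logs.

Added example; the log below is constructed ("<ISO time> <user> <source> <result>").
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """
2018-03-20T09:00:01Z alice 203.0.113.10 FAIL
2018-03-20T09:00:07Z bob 203.0.113.10 FAIL
2018-03-20T09:00:12Z carol 203.0.113.10 FAIL
2018-03-20T09:00:19Z dave 203.0.113.10 FAIL
2018-03-20T09:00:25Z erin 203.0.113.10 FAIL
2018-03-20T09:00:31Z frank 203.0.113.10 FAIL
2018-03-20T09:00:38Z grace 203.0.113.10 FAIL
2018-03-20T09:00:44Z heidi 203.0.113.10 FAIL
2018-03-20T09:00:50Z ivan 203.0.113.10 FAIL
2018-03-20T09:00:57Z judy 203.0.113.10 SUCCESS
2018-03-20T09:01:03Z mallory 203.0.113.10 FAIL
2018-03-20T09:05:10Z alice 198.51.100.7 FAIL
2018-03-20T09:05:15Z alice 198.51.100.7 FAIL
2018-03-20T09:05:20Z alice 198.51.100.7 FAIL
2018-03-20T09:05:25Z alice 198.51.100.7 FAIL
2018-03-20T09:05:30Z alice 198.51.100.7 FAIL
2018-03-20T09:05:35Z alice 198.51.100.7 FAIL
2018-03-20T09:05:40Z alice 198.51.100.7 FAIL
2018-03-20T09:05:45Z alice 198.51.100.7 FAIL
2018-03-20T09:12:00Z bob 192.0.2.44 FAIL
2018-03-20T09:12:30Z bob 192.0.2.44 SUCCESS
"""


def parse(log: str):
    """Turn the constructed log into sorted (time, user, source, result) tuples."""
    events = []
    for line in log.strip().splitlines():
        ts, user, src, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, src, result))
    return sorted(events)


def detect_spray(events, window=timedelta(minutes=10), min_users=8, max_per_user=2):
    """Return {source: {...}} for sources whose failures within any window touch
    at least `min_users` distinct accounts with no account tried more than
    `max_per_user` times.  A single account hammered many times (classic brute
    force) deliberately does not match; that is a different alert.
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[2]].append(ev)

    alerts = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e[3] == "FAIL"]
        for i, (start, _, _, _) in enumerate(fails):
            per_user = defaultdict(int)
            for t, user, _, _ in fails[i:]:
                if t - start >= window:
                    break
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                # Any success from the sprayer inside the window is the account to reset first.
                successes = [u for t, u, _, r in evs
                             if r == "SUCCESS" and start <= t < start + window]
                alerts[src] = {"users": len(per_user), "start": start, "successes": successes}
                break
    return alerts


if __name__ == "__main__":
    for src, info in detect_spray(parse(SAMPLE_LOG)).items():
        print(f"spray from {src}: {info['users']} accounts from {info['start']:%H:%M}, "
              f"successes={info['successes']}")
```

On the sample, 203.0.113.10 is flagged (ten accounts, one failure each, with judy’s successful logon inside the window), while 198.51.100.7 hammering a single account is not, and 192.0.2.44 is a user mistyping once. Keying on source address is the simplest grouping; sprayers that rotate addresses are better caught by the same test applied organisation-wide (distinct accounts failing per window regardless of source), which the function supports by passing all events under one synthetic source.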

The defendants face charges of conspiracy to commit computer intrusion, conspiracy to commit wire fraud, unauthorized access of a computer, wire fraud, and aggravated identity theft. The resulting sentence could add up to decades behind bars, if any of the defendants are actually caught, tried, and found guilty. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/03/23/iranians_charged_university_corporate_hacking/