STE WILLIAMS

World celebrates, cyber-snoops cry as TLS 1.3 internet crypto approved

A much-needed update to internet security has finally passed at the Internet Engineering Task Force (IETF), after four years and 28 drafts.

Internet engineers meeting in London, England, approved the updated TLS 1.3 protocol despite a wave of last-minute concerns that it could cause networking nightmares.

TLS 1.3 won unanimous approval (well, one “no objection” amid the yeses), paving the way for its implementation in software and products from Oracle’s Java to Google’s Chrome browser.

The new protocol aims to comprehensively thwart any attempts by the NSA and other eavesdroppers to decrypt intercepted HTTPS connections and other encrypted network packets. TLS 1.3 should also speed up secure communications thanks to its streamlined approach.

The critical nature of the protocol, however, has meant that progress has been slow and, on occasion, controversial. This time last year, Google paused its plan to support the new protocol in Chrome when an IT administrator for a school district in Maryland reported that a third of the 50,000 Chromebooks he managed had bricked themselves after being updated to use the tech.

Most recently, banks and businesses complained that, thanks to the way the new protocol does security, they will be cut off from being able to inspect and analyze TLS 1.3 encrypted traffic flowing through their networks, and so potentially be at greater risk from attack.

Unfortunately, that self-same ability to decrypt secure traffic on your own network can also be potentially used by third parties to grab and decrypt communications.

An effort to effectively insert a backdoor into the protocol was met with disdain and some anger by internet engineers, many of whom pointed out that it will still be possible to monitor and analyze internal network traffic, for instance by terminating TLS connections at a proxy the organisation controls and inspecting the plaintext there.

Nope

The backdoor proposal did not move forward, meaning the internet as a whole will become more secure and faster, while banks and similar outfits will have to do a little extra work to accommodate and inspect TLS 1.3 connections as required.

At the heart of the change – and the complaints – are two key elements: forward secrecy, and ephemeral encryption keys.

TLS – standing for Transport Layer Security – basically works by creating a secure connection between a client and a server – your laptop, for example, and a company’s website. All this is done before any real information is shared – like credit card details or personal information.

Under TLS 1.2 a full handshake needs two round trips before any data can flow, which on a slow link can add as much as half a second:

  • The client says hi to the server and lists the cipher suites it can work with
  • The server says hi back, picks a cipher suite and sends its certificate, which carries its public key (with the ephemeral Diffie-Hellman suites it also sends a freshly generated key share)
  • The client checks the certificate and sends its half of the key exchange: with the old RSA method, a random secret encrypted to the server's public key; with Diffie-Hellman, its own ephemeral key share
  • From that exchange both sides derive the same master secret, and from it the symmetric session keys that will protect the actual data (symmetric ciphers are what make bulk encryption fast)
  • The client announces it is switching to the agreed cipher and sends an encrypted Finished message proving it derived the same keys
  • The server does the same, and the two start sharing the actual information that the whole exchange is about

TLS 1.3 speeds that whole process up by bundling several steps together:

  • The client says hi, lists the cipher suites and key-exchange groups it supports, and includes its ephemeral key share up front
  • The server picks from that list, sends its own key share and, now that both sides can compute the keys, sends its certificate and Finished message already encrypted
  • The client verifies the certificate, sends its own Finished message and can start sending data straight away: one round trip instead of two

As well as being faster, TLS 1.3 is much more secure because it ditches the older algorithms that TLS 1.2 still supports and in which people have found holes over the years (RC4, 3DES, the CBC-mode suites and SHA-1 among them), along with renegotiation and compression. The most important removal is static RSA key exchange: under it, anyone who recorded traffic and later got hold of the server's private key could decrypt every past conversation, the absence of what is called "forward secrecy". TLS 1.3 only offers ephemeral Diffie-Hellman key exchange, so the keys for each session are thrown away when it ends and a stolen server key unlocks nothing that was captured earlier.

A little less conversation

For example, snoopers sitting on the path could, under TLS 1.2, tamper with the negotiation so that both sides settled on an older and weaker algorithm the attacker knew how to crack, the so-called downgrade attack behind POODLE and Logjam.


People using TLS 1.3 will only be able to use more recent cipher suites that are much harder to crack – at least for now. Any effort to force the conversation down to TLS 1.2 or lower will be detected: a TLS 1.3 server that is talked into negotiating an older version plants a fixed marker in the last eight bytes of the random value in its ServerHello, and a TLS 1.3 client that sees that marker alongside a lower version aborts the handshake.
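The downgrade check described above, as an added example (written for this page, not code from the IETF or from any TLS library): it parses a raw ServerHello record, works out the negotiated version (from the supported_versions extension when present, otherwise the legacy version field) and looks for the RFC 8446 downgrade marker in the last eight bytes of the server random. The record builder at the end is a test fixture for constructing sample handshakes and is not real server output.

```python
"""TLS 1.3 downgrade-protection check on a ServerHello (RFC 8446, section 4.1.3).

A TLS 1.3 server that ends up negotiating TLS 1.2 sets the last eight bytes of
ServerHello.random to 44 4F 57 4E 47 52 44 01; for TLS 1.1 or lower it uses
44 4F 57 4E 47 52 44 00.  A client that offered TLS 1.3 and then sees a lower
version together with either marker knows something on the path tampered with
the negotiation and must abort with an illegal_parameter alert.
"""
import struct

DOWNGRADE_TLS12 = bytes.fromhex("444f574e47524401")   # "DOWNGRD\x01"
DOWNGRADE_TLS11 = bytes.fromhex("444f574e47524400")   # "DOWNGRD\x00"
TLS13, TLS12 = 0x0304, 0x0303
HANDSHAKE, SERVER_HELLO = 22, 2
EXT_SUPPORTED_VERSIONS = 0x002B


def parse_server_hello(record: bytes) -> dict:
    """Pull version, random and cipher suite out of a raw ServerHello record."""
    content_type, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != HANDSHAKE:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if body[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hs = body[4:4 + int.from_bytes(body[1:4], "big")]
    legacy_version = int.from_bytes(hs[0:2], "big")
    random = hs[2:34]
    pos = 35 + hs[34]                       # skip legacy_session_id_echo
    cipher_suite = int.from_bytes(hs[pos:pos + 2], "big")
    pos += 3                                # cipher suite + legacy compression byte
    negotiated = legacy_version             # TLS 1.2 and below: the version is right here
    if pos + 2 <= len(hs):
        end = pos + 2 + int.from_bytes(hs[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
            if ext_type == EXT_SUPPORTED_VERSIONS and ext_len == 2:
                # TLS 1.3 keeps legacy_version at 0x0303 and puts the real version here
                negotiated = int.from_bytes(hs[pos + 4:pos + 6], "big")
            pos += 4 + ext_len
    return {"version": negotiated, "random": random, "cipher_suite": cipher_suite}


def check_downgrade(record: bytes, client_max_version: int = TLS13) -> str:
    """Client-side decision: 'abort' if the server signalled a forced downgrade."""
    hello = parse_server_hello(record)
    marker = hello["random"][-8:]
    if client_max_version >= TLS13:
        tripped = hello["version"] < TLS13 and marker in (DOWNGRADE_TLS12, DOWNGRADE_TLS11)
    elif client_max_version == TLS12:
        # a TLS 1.2-only client legitimately sees the 1.2 marker; only the 1.1 one is suspicious
        tripped = hello["version"] < TLS12 and marker == DOWNGRADE_TLS11
    else:
        tripped = False
    if tripped:
        return "abort: illegal_parameter (downgrade detected)"
    return "ok: version 0x%04x, cipher suite 0x%04x" % (hello["version"], hello["cipher_suite"])


def build_server_hello(version: int, random: bytes, cipher_suite: int) -> bytes:
    """Test fixture only: a minimal ServerHello record for the given version.
    For TLS 1.3 the legacy field says 1.2 and supported_versions carries 1.3."""
    assert len(random) == 32
    hs = struct.pack("!H", min(version, TLS12)) + random + b"\x00" + struct.pack("!HB", cipher_suite, 0)
    exts = struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, version) if version >= TLS13 else b""
    hs += struct.pack("!H", len(exts)) + exts
    body = bytes([SERVER_HELLO]) + len(hs).to_bytes(3, "big") + hs
    return struct.pack("!BHH", HANDSHAKE, TLS12, len(body)) + body


if __name__ == "__main__":
    forced = bytes(24) + DOWNGRADE_TLS12          # a 1.3-capable server pushed down to 1.2
    print(check_downgrade(build_server_hello(TLS12, forced, 0xC02F)))
    print(check_downgrade(build_server_hello(TLS13, bytes(range(32)), 0x1301)))
```

The marker only helps when the client itself knows it offered TLS 1.3; a genuine TLS 1.2-only client will see the 1.2 marker from every modern server and must treat it as normal, which is why the check branches on the client's own maximum version.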

Another very important advantage of TLS 1.3 – but also one that some security experts are concerned about – is called "0-RTT Resumption". It lets a client that has talked to a server before reuse a secret from that earlier session to send encrypted application data in its very first message, without waiting for the handshake to complete.

That makes repeat connections much faster, but the concern is that this early data is not protected against replay: someone who captures the client's first flight can send a copy of it to the server later, and the server has no way to tell the copy from the original. The early data also lacks forward secrecy, since it is protected only by a key derived from the earlier session. The standard therefore allows servers to refuse 0-RTT or to add their own replay checks, and tells applications to send only requests that are harmless if repeated. Internet engineers consider that a smaller risk than the TLS 1.2 weaknesses that let people hijack and listen in on a conversation.

In short, it’s a win-win but will require people to put in some effort to make it all work properly.

The big losers will be criminals and security services who will be shut out of secure communications – at least until they figure out a way to crack this new protocol. At which point the IETF will start on TLS 1.4. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/03/23/tls_1_3_approved_ietf/

City of Atlanta Hit with Ransomware Attack

FBI investigating computer outages in the city’s network possibly tied to Samsam-type ransomware variant.

Computer systems for the City of Atlanta were hit by an apparent ransomware attack that has caused outages and is now under investigation by the FBI.

According to Atlanta's local news channel 11Alive, the attack appears to have the earmarks of the Samsam variant of ransomware. Some of the city's customer-facing billing and court information systems have suffered outages due to the attack.

“At this time, our Atlanta Information Management team is working diligently with support from Microsoft to resolve the issue. We are confident that our team of technology professionals will be able to restore applications soon. Our city website, Atlantaga.gov, remains accessible and we will provide updates as we receive them,” the City said in a statement provided to 11Alive.

According to the report, a screenshot from one of the infected machines showed the attackers demanding ransom of $6,800 “per unit,” or $51,000 to decrypt the entire system.

For more on this developing story, read the report here.


Article source: https://www.darkreading.com/attacks-breaches/city-of-atlanta-hit-with-ransomware-attack/d/d-id/1331360?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

AMD Will Release Fixes for New Processor Flaws in a Few Weeks

Security firm that disclosed flaws accuses chipmaker of downplaying flaws; says timeline is overly optimistic.

Less than 10 days after getting blindsided by a report about purportedly severe vulnerabilities in some of its products, AMD on Wednesday confirmed the issues and said it would have fixes for them in the next several weeks.

In an alert Wednesday, AMD said it had completed an initial technical assessment of the flaws that Israeli security research firm CTS-Labs had reported to it on March 12 and then controversially released publicly just one day later.

The assessment confirmed issues associated with the firmware for the AMD Secure Processor and the Promontory chipset used in AMD's Ryzen and EPYC platforms.

However, exploiting the flaws that CTS identified requires an attacker to already have full administrative access to a system, AMD’s CTO Mark Papermaster said. An attacker would need to overcome multiple OS-level controls such as Microsoft’s Windows Credential Guard to gain the administrative access needed to exploit the flaws, he said.

AMD is working on a firmware update for the Secure Processor issue and will release it in coming weeks, Papermaster said, without offering any specific dates. AMD is also working with the third-party manufacturer of the Promontory chipset on appropriate mitigations, he said. No timeline was given for when those mitigations might become available.

AMD’s advisory is its first public update after CTS released details on the vulnerabilities March 13.

It evoked an immediate response from the Israeli firm. In a statement posted on the website describing the AMD flaws, CTS criticized the chipmaker for attempting to downplay their severity. It called AMD's promise to deliver fixes in a few weeks overly optimistic and said that some of the flaws would take months to fix. The central idea behind the Secure Processor, the company noted, is precisely to keep certain data out of reach even of an administrator.

CTS has come under considerable criticism for its decision to publicly disclose the vulnerabilities without giving AMD the opportunity to review them fully or issue any fixes for them. In a March 13 release, CTS said it had discovered 13 critical security vulnerabilities and manufacturer backdoors in AMD’s Ryzen and EPYC product sets.

The research firm grouped the vulnerabilities under four broad categories and described them as affecting millions of devices, users and organizations worldwide. Among other things, the flaws give attackers a way to permanently install malicious code in AMD Secure Processor and to steal credentials for moving laterally through compromised networks – including those protected by Microsoft’s Credential Guard.

CTS also warned that ASMedia, a Taiwanese company from which AMD sources some of its chipsets, was shipping products with exploitable manufacturer-installed backdoors in them that could allow attackers to inject malware into the chip.

Many faulted CTS for disclosing the flaws without giving AMD proper notice and also for overblowing the severity of the threat posed by them. An independent security research firm that CTS hired to validate its findings described the flaws as extremely hard to exploit even if complete exploit details were available. Others have maintained that the vulnerabilities are a threat only if a system has already been fully compromised, at which point an attacker would be able to do pretty much what they wanted on the system, anyway.

CTS’ decision to go public with its discovery just weeks after the storm over the Spectre and Meltdown vulnerabilities in Intel chips also prompted wide-ranging questions about the motives and the timing behind the vulnerability disclosure.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.

Article source: https://www.darkreading.com/endpoint/amd-will-release-fixes-for-new-processor-flaws-in-a-few-weeks/d/d-id/1331362?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Beware the fake Facebook sirens that flirt you into sextortion

Fake Facebook profiles of hot women who invite targets to join them in sexy webcam masturbation sessions – sessions that lead to image capture and extortion – are part of a “three-tiered, industrial process” that allows a sophisticated criminal network to “find, filter and defraud victims, all the while protecting itself,” according to an investigation done by Radio Canada.

We’ve covered plenty of lone-wolf sextortionists: one who targeted underaged girls until he was caught by investigators’ booby-trapped video; the guy who preyed on Miss Teen USA and 150 others; and a former US Embassy worker who sextorted, phished, broke into email accounts, stole explicit images and cyberstalked hundreds of women around the world from his London office. And there are many others.

Not to downplay the suffering caused by such operators in any way – there have been multiple suicides related to such cases – but those lone wolves are rank amateurs compared with the massive network of fraudulent accounts that catfish male victims using stolen photos of young women and adolescent girls.

To find out how the networks spin their webs, Radio Canada journalists Marie-Eve Tremblay and Jeff Yates – the latter an expert in online disinformation who has found and mapped the connections between fake profiles to learn how they support each other – conducted a months-long investigation into what Yates believes is a "massive network."

They knew that the accounts were fake because the photos had been stolen from Instagram accounts or personal Facebook profiles. Some of the fake accounts are massive: they have 100,000, 200,000, or even 500,000 followers.

Yates believes that the fake profiles are just the first layer of a massive sextortion scheme.

It starts with a friend request from a young, hot babe. Within minutes of an intended victim accepting the request, the fake account will invite the target to join her in a sexy webcam chat, such as on Skype or Google Hangouts.

What hetero man – or anybody else who likes the attention of young, hot women and is innocent enough to fall for the come-on – wouldn’t jump at the chance? Once they do, the first step into a sextortion trap has been taken. If the target can be coerced into taking off their clothes and/or masturbating, images are collected, and the ransom demands soon follow.

Yates, in the Radio-Canada web series Corde sensible, paraphrases a typical sextortion threat:

‘If you don’t give me this or that amount of money, I’m going to tell your girlfriend or your boyfriend or your friends that you’ve been chatting with sexy girls on the internet and that you’ve sent me nude pictures of yourself,’ etc.

To scam the scammers while still protecting Yates from having his photos fall into the crooks’ hands and then getting extorted himself, Radio Canada turned Tremblay into a guy. Using a facial transformation app, the journalists turned her into “William,” a 24-year-old from France who likes soccer and his BMW. They opted for France because they’d found evidence that that’s where the network is based.

To attract the network’s attention, “William” liked fake accounts’ photos and wrote a few comments. That worked quite well, Tremblay said:

Result: friend requests from sexy girls began overloading my inbox.

Private conversations soon ensued. Within an hour, one fake account asked “William” to add her on Skype. After six minutes of chatting, she asked him to turn on his camera so they could have video sex.

Radio Canada didn’t get into the steamy details, but it did talk to a real-life victim whose experience paralleled what the media outlet described.

Cédrick said that within 20 minutes, “you’re already in over your head.” “She” will have taken off her clothes, and/or done a sexy dance, and/or started touching herself, and will have asked her target to do the same. The point is to get a full-body shot, along with the victim’s face, all the better to extort.

Once they have the images they want, everything cuts, and that’s where the intense stuff begins. She starts off by showing you the video, she sends you a link on YouTube.

‘If you disconnect, if you leave, if you block me, I’m sending this videotape to everyone.’

It’s too well-organized for there to be only one person running it, Yates says. To figure out how it was structured, he analyzed around 200 Facebook posts from about 40 fake accounts. Every time one fake profile tagged another, he recorded the source and its target.

Then, using network analysis software, he mapped accounts according to their relationships. He also used a network-detecting algorithm that determines which profiles interact with each other more than with the rest of the network.

What he came up with was a structure comprising three categories: feeder accounts, bait accounts and hunter accounts.

Feeder accounts are on the front line, serving as a gateway into the network. They often have hundreds of thousands of followers, but they themselves don’t share sexy images. Instead, they publish clickbait: phony contests, dummy IQ tests and lifehacks. Radio Canada says the posts often get hundreds or thousands of likes, shares and comments.

The feeder posts, acting as advertisements, tag other fake accounts belonging to the second layer, which is where the “bait” accounts are. Given that those bait accounts appear to belong to beautiful women, the titillated will click on the bait accounts and start following them. That’s how perfect victims self-select: they’re obviously interested in following Facebook profiles of sexy young women and girls, so they venture that much further into the sextortion web.

Bait accounts often share links that purportedly lead to a pornographic video – some of which are promoted as being of underage girls – but Radio Canada says they “invariably” lead to phishing sites where visitors are asked to enter their credit card information. (Radio Canada didn’t click on links purporting to lead to illegal images of minors.)

The second tier isn’t where sextortion takes place. Given that they promote porn, the bait accounts are sometimes flagged and removed by Facebook. It doesn’t matter, though: the gateway feeder accounts stay up, given that no racy material is posted at that initial layer.

Bait accounts entice targets to write comments, either by asking questions such as “Do you think I’m hot?” or by promising to send private photos to those who post a comment. Radio Canada says that this is an important step that leads to the innermost layer where the sextortion trap is sprung: the layer of fake accounts it calls hunter accounts.

Bait accounts have created a perfect environment for sextortion to happen. The users who have commented aren’t afraid of publicly signaling their interest in young girls and, moreover, don’t have the wherewithal to realise that they’re dealing with fake accounts. They are perfect targets for the hunter accounts. These users receive, by the dozen, friend requests from the hunter accounts.

These hunter accounts often get banned, having triggered Facebook algorithms that spot fake accounts by picking out ones that amass a huge number of followers in a brief amount of time. That’s why the “women” in the hunter accounts quickly send private messages to intended victims, trying to hustle them off Facebook as soon as possible: once they’re in a web chat, they’re out of Facebook’s reach and can go after the photos they need for extortion.
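The tag-graph method described above, as an added example (code written for this page, not the Radio Canada analysis or any tool Yates used): every post in which one profile tags another becomes a directed edge, roles are inferred from the direction the tags flow, and the sub-networks appear as connected components once the shared feeder accounts are removed. The profile names and posts are constructed for the example; the role rule (feeders tag but are never tagged, bait accounts are what feeders tag, the rest are hunters) is an assumption drawn from the three-tier description, and connected components stand in for whatever community-detection algorithm the investigation actually used.

```python
"""Infer the feeder / bait / hunter layering of a fake-profile network from
who-tags-whom.  Sample data is constructed, not taken from the investigation.
"""
from collections import Counter, defaultdict

# Constructed sample posts: (profile that posted, profiles it tagged).
POSTS = [
    ("feeder_quiz", ["bait_amandine", "bait_lea"]),
    ("feeder_contest", ["bait_amandine", "bait_chloe"]),
    ("feeder_quiz", ["bait_chloe"]),
    ("bait_amandine", ["hunter_a1", "hunter_a2"]),
    ("bait_lea", ["hunter_a1"]),
    ("bait_chloe", ["hunter_c1", "hunter_c2"]),
    ("hunter_a1", ["hunter_a2"]),
    ("hunter_c1", ["hunter_c2"]),
]


def build_edges(posts):
    """One directed edge per (tagger, tagged) pair, the way the notes recorded source and target."""
    return [(src, dst) for src, targets in posts for dst in targets]


def tag_degrees(edges):
    """How often each profile tags (out) and is tagged (in)."""
    out_deg, in_deg = Counter(), Counter()
    for src, dst in edges:
        out_deg[src] += 1
        in_deg[dst] += 1
    return out_deg, in_deg


def classify_roles(edges):
    """Assumed role rule: feeders tag but are never tagged themselves; bait
    accounts are whatever the feeders tag; any other tagged profile is a hunter."""
    out_deg, in_deg = tag_degrees(edges)
    nodes = set(out_deg) | set(in_deg)
    feeders = {n for n in nodes if in_deg[n] == 0 and out_deg[n] > 0}
    bait = {dst for src, dst in edges if src in feeders}
    hunters = nodes - feeders - bait
    return {"feeder": feeders, "bait": bait, "hunter": hunters}


def clusters_without_gateways(edges, gateways):
    """Connected components of the undirected tag graph once the shared gateway
    (feeder) accounts are removed: what is left are the groups of bait and
    hunter profiles that actually work the same victims."""
    adj = defaultdict(set)
    for src, dst in edges:
        if src in gateways or dst in gateways:
            continue
        adj[src].add(dst)
        adj[dst].add(src)
    seen, components = set(), []
    for start in sorted(adj):
        if start in seen:
            continue
        stack, comp = [start], set()
        while stack:
            node = stack.pop()
            if node in seen:
                continue
            seen.add(node)
            comp.add(node)
            stack.extend(adj[node] - seen)
        components.append(frozenset(comp))
    return components


def analyse(posts=POSTS):
    """Roles per profile plus the sub-networks hiding behind the feeder layer."""
    edges = build_edges(posts)
    roles = classify_roles(edges)
    return roles, clusters_without_gateways(edges, roles["feeder"])


if __name__ == "__main__":
    roles, comps = analyse()
    for role, names in roles.items():
        print(role, sorted(names))
    for comp in comps:
        print("sub-network:", sorted(comp))
```

On real data the interesting signal is the same one the article points at: feeder accounts with large in-degree from victims (likes and comments) but zero in-degree from other fake profiles, sitting on top of clusters that only connect through them.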

Radio Canada focused on one network, but it became clear that there are most likely several interconnected networks “that co-operate to attract a mutually beneficial audience.”

The journalists caught one operator red-handed: it started with a photo of a group of Facebook friends, one of whom went by a name that had been popping up in Yates’ notes for months. The same man was tagged in a second photo, but his tagged name was listed as “Amandine Ponticaud”: the same name as “one of the biggest fake profiles in the network.” Yates noticed that the operator jumped in and out of conversations and arguments under various fake profile names, at one point admitting to publishing “porno links.”

One thing led to another, until the journalists eventually saw a screen capture of a Facebook chat window in which the operator – they referred to him as “Mehdi” – asks a friend to make him administrator of a page:

I’m gonna scam a dude and I just told him that I was admin.

They also found a screengrab of a PayPal transfer worth 500 euros.

The network’s scams are apparently multifaceted. Radio Canada found another part of the network, based in northern France and Belgium, that’s using fake profiles to attract men to certain Snapchat accounts. The accounts seem to be running a cyberprostitution ring, Yates writes…

But that’s a story for another day.

Phew. Yes. There’s plenty here for another year’s worth of days.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/uSCHUFnDmuc/

AMD announces Ryzen patch timeline as disclosure controversy rages

January’s disclosure of serious flaws in mainly Intel microprocessors – Meltdown and Spectre – put the issue of vulnerabilities in hardware microcode and firmware front and centre.

Those were, of course, serious issues the industry has been working flat out to mitigate ever since.

But has an unknown Israeli company called CTS Labs tried to exploit worries over this type of flaw for financial gain?

On 13 March, researchers working for CTS Labs published what quickly turned into one of the most contentious security disclosures ever made.

The company said it had uncovered 13 individual flaws, including backdoors, in AMD’s Ryzen chip family which “put networks that contain AMD computers at a considerable risk.”

Echoing the publicity over January’s Meltdown and Spectre proof-of-concept mega-vulnerabilities in mainly Intel designs, the Ryzen flaws were even grouped into families with dramatic-sounding names – Masterkey, Ryzenfall, Fallout and Chimera.

CTS Labs had of course…

…privately shared this information with AMD, select security companies that can develop mitigations, and the US regulators.

While this is correct, it should be noted that AMD was given only 24 hours' notice ahead of the disclosure. Responsible disclosure windows for security flaws are normally measured in months, not a single day, which invited accusations that CTS Labs was behaving unethically.

Scorn quickly followed from many experts, with Linus Torvalds of Linux fame musing about ulterior motives:

It looks more like stock manipulation than a security advisory to me.

A serious accusation, of course, prompted by CTS Labs’ report disclaimer that:

We may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports.

And there was another problem – all of the flaws CTS Labs found required admin access. As numerous experts pointed out, any attacker with this access would already have control of the system even without exploiting security flaws.

A third party hired by CTS Labs to assess the flaws confirmed it had received proof-of-concept code to exploit them, while still concluding:

There is no immediate risk of exploitation of these vulnerabilities for most users. Even if the full details were published today, attackers would need to invest significant development efforts to build attack tools that utilize these vulnerabilities.

Two weeks on, and AMD this week published its own assessment of the vulnerabilities that should reassure alarmed users.

All four classes of flaw would be fixed through BIOS updates “within the coming weeks,” none of which were expected to hurt performance, while systems running on hypervisors would afford an additional layer of protection, the company said.

It would be easy to conclude that this isn’t as big a deal as Meltdown or Spectre because it can be fixed fairly easily.

That might be too complacent. However hyped, the fact that a small research outfit was able to find serious flaws in recent microprocessors, including the Secure Processor that is supposed to carry out integrity checks, is hardly reassuring.

And the objection that an attacker must first gain admin access ignores the fact that, should that happen, an attacker wielding one of these flaws would gain another avenue to persistence (i.e. the ability to survive reboots, OS reinstallation and the security tools that run on top of the OS, by hiding in firmware).

A lot now hinges on how quickly and simply AMD mitigates these flaws. As with any security vulnerability, the clock is always ticking.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/xlVjoUpAeYU/

The bug that made free money

What would you do if you found a bug that could create money out of thin air?

Dutch web application boffins VI Company found one in popular cryptocurrency exchange Coinbase and used it to net themselves a cool $10,000.

Luckily for Coinbase, the bug finders earned their cash by reporting the issue to the exchange’s bug bounty program rather than by milking its broken code.

The trouble started when VI Company came up with the festive wheeze of giving out ether (the currency used by the Ethereum platform and the world’s second most popular cryptocurrency) as Christmas presents.

…we had some wallets which returned an error when we tried sending Ethereum there. This, in turn, stopped the execution of the smart contract and reversed all transactions as we expected it to do.

… one of our colleagues, who decided to use Coinbase as his wallet, told us he received the Ethereum.

After a bit of testing the company confirmed that it wasn’t a one-off. Every time it attempted to add ether to Coinbase wallets then the money would arrive without ever being sent.

Lo and behold we could reliably reproduce this bug and add Ethereum to our Coinbase wallets without ever sending any.

Although little information about the bug itself has been disclosed, it seems that if the Ethereum smart contract hit a snag while it was running, the network rolled back every transfer it had made up to that point, a roll-back that Coinbase's books didn't match: the exchange had credited the destination wallet as though the transfer had gone through.
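One plausible shape of the bug, as an added example (constructed for this page, not Coinbase's or VI Company's code): a deposit tracker that credits an account for every internal transfer it sees in a transaction's call trace, beside a version that first checks the receipt status, the sub-call's own result and the block depth. The receipt layout, addresses and values are invented for the example, and the assumption that the root cause was a missing status check is an inference, since the post does not say.

```python
"""Crediting exchange deposits from on-chain activity: assumed buggy form
beside a hardened one.  Receipts below are constructed sample data."""

# Constructed deposit addresses standing in for the exchange's receiving wallets.
EXCHANGE_WALLETS = {"0xcb01", "0xcb02"}
WEI = 10**18


def credit_deposits_buggy(receipt, balances):
    """Assumed vulnerable behaviour: credit every internal transfer to one of
    our addresses found in the call trace, without asking whether the
    enclosing transaction actually succeeded."""
    for call in receipt["internal_calls"]:
        if call["to"] in EXCHANGE_WALLETS:
            balances[call["to"]] = balances.get(call["to"], 0) + call["value_wei"]
    return balances


def credit_deposits_fixed(receipt, balances, min_confirmations=12):
    """Hardened version: only value that really moved is credited.  The
    transaction must have succeeded (receipt status 1; a revert undoes every
    transfer it made), the individual sub-call must not have failed on its own,
    and the block must be deep enough that a reorg is unlikely to drop it."""
    if receipt["status"] != 1:
        return balances          # the EVM rolled back every state change in this tx
    if receipt["confirmations"] < min_confirmations:
        return balances          # revisit on a later pass once the block is final
    for call in receipt["internal_calls"]:
        if call.get("error"):
            continue             # sub-call reverted; the parent caught it, nothing moved here
        if call["to"] in EXCHANGE_WALLETS:
            balances[call["to"]] = balances.get(call["to"], 0) + call["value_wei"]
    return balances


# Constructed receipt: a gift contract paying three recipients in one call.
# The third recipient rejects the payment, the contract propagates the error,
# and the whole transaction reverts: on-chain, nobody received anything.
REVERTED_GIFT_TX = {
    "tx_hash": "0xgift01",
    "status": 0,
    "confirmations": 30,
    "internal_calls": [
        {"to": "0xcb01", "value_wei": WEI // 10, "error": None},
        {"to": "0xcb02", "value_wei": WEI // 10, "error": None},
        {"to": "0xfriend", "value_wei": WEI // 10, "error": "Reverted"},
    ],
}

# Constructed receipt: the same contract when every recipient accepts.
SUCCESSFUL_GIFT_TX = {
    "tx_hash": "0xgift02",
    "status": 1,
    "confirmations": 30,
    "internal_calls": [
        {"to": "0xcb01", "value_wei": WEI // 10, "error": None},
        {"to": "0xother", "value_wei": WEI // 10, "error": None},
    ],
}


if __name__ == "__main__":
    print("buggy:", credit_deposits_buggy(REVERTED_GIFT_TX, {}))   # credits 0.1 ETH to two wallets
    print("fixed:", credit_deposits_fixed(REVERTED_GIFT_TX, {}))   # credits nothing
```

The general lesson is the one the post hints at: an off-chain ledger must treat the chain's final state as the source of truth, not the intermediate events it observes while a transaction is executing.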

The Ethereum platform is a complex beast that’s hosted its fair share of bugs-with-consequences.

Ethereum’s highlight reel includes a buggy wallet that froze $300 million, a flaw that was itself introduced by a wallet-software update designed to plug a hole that had been abused to steal another $32 million.

That happened around a year after another theft of about $55 million from Ethereum’s now infamous DAO (Decentralized Autonomous Organization) program.

The money-for-nothing bug found by VI Company didn’t exist in Ethereum or one of the buggy smart-thingamies that runs in it though, this time the bug was in the Coinbase exchange.

Surprised? Probably not.

If there’s one thing that makes the hair-raising adventures of the Ethereum platform look unexciting, it’s the febrile exchange ecosystem that supports the trading of cryptocurrencies.

Cryptocurrency trading is run through with accusations of insider trading, scams and thieving owners, and it’s punctuated by colossal thefts of surprisingly valuable digital widgets you’ve never heard of. Thefts like Coincheck’s recent loss of half a billion dollars worth of, er, NEMs.

Thankfully, and not by accident, this bug was stomped on before anyone lost their shirt.

If cryptocurrency exchanges are going to improve their image, and the chance of users holding on to their cryptocash, then they have to take security seriously, and be seen to do so.

By running a HackerOne bug bounty program Coinbase offers an incentive for people to find bugs and a clear, open channel through which it can learn about them and act.

In this case it moved to fix the flaw within a few short hours of learning about it.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/jQKwhrbvRXU/

Crooks infiltrate Google Play with malware in QR reading utilities

Thanks to Chen Yu of SophosLabs for her behind-the-scenes work on this article.

SophosLabs just alerted us to a malware family that had infiltrated Google Play by presenting itself as a bunch of handy utilities.

Sophos detects this malware as Andr/HiddnAd-AJ, and the name gives you an inkling of what the rogue apps do: blast you with ads, but only after lying low for a while to lull you into a false sense of security.

We reported the offending apps to Google, and they’ve now been pulled from the Play Store, but not before some of them attracted more than 500,000 downloads.

The subterfuge used by the developers to keep Google’s “Play Protect” app-vetting process sweet seems surprisingly simple.

First, the apps were, at least on the surface, what they claimed: six were QR code reading apps; one was a so-called “smart compass”.

In other words, if you were just trying out apps for fun, or for a one-off purpose, you’d be inclined to judge them by their own descriptions.

Second, the crooks didn’t fire up the adware part of their apps right away, lurking innocently for a few hours before unleashing a barrage of ads.

Third, the adware part of each app was embedded in what looks at first sight like a standard Android programming library that was itself embedded in the app.

By adding an innocent-looking “graphics” subcomponent to a collection of programming routines that you’d expect to find in a regular Android app, the adware engine buried in the app can effectively hide in plain sight.

For all its apparent innocence, however, this malware not only pops up advertising web pages, but can also send Android notifications, including clickable links, to lure you into generating ad revenue for the criminals.

When you run one of these infected apps for the first time, it “calls home” to a server controlled by the crooks for configuration information.

Each configuration download tells the malware what to do next:

  • The Google Ad Unit ID to use.
  • How long to wait before showing ads.
  • The URLs to open in your browser to push ads on you.
  • The messages, icons and links to use in the notifications you’ll see.
  • When to call home for the next configuration update.

This makes it easy for the crooks to adapt the behaviour of the malware remotely, changing both its ad campaigns and its aggressiveness easily, without needing to update the malware code itself.

When SophosLabs tested these samples, the first configuration settings pushed out by the crooks were very low-key.

For the first six hours, the list of ads was empty, meaning that the behaviour of the apps was unexceptionable to start with…

…before flooding the device with full screen ads, opening various ad-related webpages, and sending notifications with ad-related links in them, even when the apps’ own windows were closed.

What to do?

As mentioned, Google no longer endorses these apps, and if you install our free Sophos Mobile Security for Android product, we’ll detect and optionally remove these ad-foisting apps if you already have them on your device.

Despite Google’s failure to spot the roguery of these particular “utilities” before blessing them into the Play Store, we nevertheless recommend sticking to Google Play if you can.

Google’s app vetting process is far from perfect, but the company does at least carry out some pre-acceptance checks.

Many off-market Android app repositories have no checks at all – they’re open to anyone, which can be handy if you’re looking for unusual or highly specialised apps that wouldn’t make it onto Google Play (or trying to publish unconventional content).

But unregulated app repositories are also risky, for all the same reasons.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/PAHt3eRxqyo/

New Survey Illustrates Real-World Difficulties in Cloud Security

Depending on traditional models makes cloud security more challenging for organizations, according to a Barracuda Networks report.

Cloud security is not as simple as picking up traditional network perimeter appliances and converting them into cloud services, a new study shows. But security may ultimately be better for the change.

Barracuda Networks surveyed 608 participants from organizations around the world. A majority (57%) say that their on-premises security is superior to cloud security, with the percentage answering that way growing in lock-step with the size of their organization.

That’s a problem for many organizations when they begin planning for security in the cloud. 83% say they have concerns about deploying traditional firewalls in the cloud, with 39% naming “pricing and licensing not appropriate for the cloud,” and 34% citing “lack of integration prevents cloud automation” as their primary concerns.

The report is based on a survey conducted by Dimensional Research on behalf of Barracuda.

Tim Jefferson, vice president of public cloud at Barracuda, says these organizations have reason to be concerned. “Companies that are trying to cut and paste into the public cloud are having trouble. Security has always been around the network and a lot of appliances are built around architectures centralized in the data center,” he says. “Firewalls tend to scale vertically and that’s an anti-pattern for the cloud, where best practice is to keep everything federated and elastic. The tools don’t fit.”

The bigger issue, Jefferson says, is that many of the tools that companies struggle to place into the cloud aren’t really needed for cloud security. “In a public cloud you don’t need a lot of those functions,” he says. “A next-generation firewall isn’t required in the cloud – you don’t have to match the user to the function and filter on that because a properly architected cloud application will do that for you.”

APIs Over Firewalls

Relying on the cloud applications – and to put a finer point on it, the cloud application APIs with their controls and logging capabilities – allows forward-thinking security professionals to have better security in the cloud than they have in their traditional data center architecture, Jefferson says. According to the report, 74% of respondents cite “Integration with cloud management, monitoring, and automation capabilities” as the most beneficial cloud-specific firewall capability.

Integration is key, but organizations are finding it difficult to fully integrate cloud security into their DevOps or DevSecOps, with 93% saying they have faced challenges integrating security into those practices. Jefferson is blunt when he talks about the changes needed for organizations to move past the current difficulties: “All the visibility that’s so difficult to instrument in the data center is built in with the public cloud. It’s all done by API and that can be instrumented to police and monitor security.”

He says it all depends on perspective. “It’s really the lens you look through,” he says. “The traditional enterprise architect has thought of visibility as the instrumentation to see into ports and packets.”

But the problem is that public cloud “can’t provide span ports and access to layer 2. So they see public cloud and say there’s no visibility,” he says.

The public cloud, however, provides a better management tool. The management plane of the cloud can allow a security professional to track every interface and every record – every query, every response. The hard part is that the security professionals must re-think the means to the end of infrastructure security.

Security Hurdles

There are two huge hurdles standing between organizations and security in the cloud. The first is a human component that lies between security professionals’ ears. “It makes the professional uncomfortable,” Jefferson says, referring to security using APIs. “They want the tools they’ve always used.”

The second hurdle may be higher because it involves money. Jefferson says that the traditional licensing model for firewalls and other network security appliances just doesn’t work in a cloud environment where best practice is to spin up many federated instances rather than a handful of highly vertical compute centers.

“Now that things are federated and people may want to deploy hundreds of firewalls, vendors can’t charge vast sums per license,” Jefferson says. If they do, they “end up deploying bad things because they feel they can’t afford the licenses.”

Ultimately, in order to move security to a point where companies feel that cloud security is on a par with or better than on-premises security, both the deployment model and the licensing structure must be based on what works best for the application – not just what the licenses force a company to do.

Following genuine best practices in the cloud provides better security for an organization than pure on-premise environments, he says.

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the security track here.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/cloud/new-survey-illustrates-real-world-difficulties-in-cloud-security/d/d-id/1331352?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Looking Back and Thinking Ahead on Cyberwar, Nation-State Attacks

In the domain of cyber warfare, the effective strategies for fighting yesterday’s cyberattacks will not work against tomorrow’s, experts said.

BLACK HAT ASIA – Singapore – Nation-state threats dominated the themes of this week’s keynotes at Black Hat Asia, where experts dug into past and current cyberattacks, efforts to mitigate nation-state attacks, and the broad and evolving realm of cyber warfare.

Bill Woodcock, executive director at Packet Clearing House, took attendees back to the 1980s and 1990s, when the Internet was a closed community of interests and hadn’t yet gained popularity. At the time, cyberattacks were few and far between, he said in his day one keynote.

“We were doing it because it was fascinating,” he said. “Nobody thought there was any money in it … and because there weren’t a lot of security incidents back then, we had time to investigate.” By the mid-1990s, he continued, nation-state attacks on Internet service providers started to appear, coming from the US and Russian military.

Over time, incidents continued to escalate with Russia attacking Estonia in 2007, for example, and the United States’ 2009 Stuxnet attack against Iran. Cyber offensive military personnel adopted the strategy of buying zero-days and getting their lawyers to say nothing would go wrong. Their idea was to focus on offensive strategies at the expense of ignoring defense.

“We see it play out over and over,” Woodcock explained: militaries thinking they’re the smartest people in the room, believing they’ll be able to use the attacks they purchased and nobody will ever pin it on them. “But none of that works out the way they think,” he added.

Nation-state attacks escalated, often with players targeting private-sector trust in tech vendors and the relationship between businesses and consumers. In the 2010 Flame attack, the US government impersonated a Microsoft certificate to claim a fake Windows update was legitimate. China’s 2011 attack on RSA stole SecurID two-factor authentication tokens, he noted.

Woodcock pointed to the grave implications of cyberthreats in the physical world with the 2015-2016 power grid attacks targeting Ukraine’s critical infrastructure.

“It’s the kind of thing that causes lives to be lost, through accident or poor preparation,” he said. “As a modern society we’re not prepared to live without power for extended periods of time … saying cyber has no consequence – it’s a little late for that.”

The rapid growth of back-and-forth cyber events drove efforts to curtail attacks. In 1998, Russia proposed a treaty on cyber conflict, which made people skeptical because Russia had been the principal instigator for the problem, Woodcock pointed out. Between 2004 and 2017, there were five efforts to come up with a consensus about how cyberattacks should be addressed. By 2017 it was recognized that nothing was working, and a handful of countries were to blame.

The problem, he explained, was there were three nations, maybe four or five with the additions of Israel and Iran, which value their ability to attack other parts of the Internet more highly than the safety and economic stability of the Internet in their home countries.

“The US, Russia, and China don’t want to agree to any treaty that will limit their ability to conduct offensive cyber operations … because they would do it anyway, and then look bad for violating the treaty they signed,” Woodcock said. It’s tough to get countries to agree to a treaty, he continued, because they have to turn it into local law, which will be different in each place.

Changing the Game in Cyber Warfare

A reflection on past cyber operation efforts is interesting but does little to help build effective strategies for future attacks, said The Grugq, vice president of threat intelligence at Comae. “You can’t expect that what worked last time is going to work the next time,” he explained.

In his keynote on day two of Black Hat, the Grugq dug into the realm of cyber warfare, breaking several misconceptions people often have about fighting in cyberspace – for example, the idea that cyberwar is about skill. He compared cyber warfare with air warfare, noting how planes were created with maneuverability so skilled pilots could beat less-skilled pilots.

That’s not the way you win, he said. The way you win is showing up with more adversaries and overwhelming the target. “It’s not about skill. That doesn’t actually matter,” he emphasized.

Fighting cyberattacks is a team effort, said The Grugq, and teams should prioritize adaptability, agility, speed, creativity, and cohesion. It’s more effective to operate in small teams than in large “megateams.” Small teams provide a “range of capacity,” from elite operators to those who rely on simple offensive attacks such as large-scale phishing campaigns.

“Adaptability is the ability to take a new technology and exploit it for cyber conflict,” he explained, pointing to the example of Facebook as a weapon. “The US has proven itself as very good at developing new technologies, but they have been fairly poor at adapting those technologies for offensive purposes.”

Agility is the ability to take your current situation and make it where you want to be. With respect to speed, the teams with fewer meetings will be the teams who get ahead. Creativity is the ability to create new attacks based on those that exist, and cohesion is the ability to collaborate. The Grugq framed these traits in the context of different nation-states.

The DPRK, for example, has low agility and adaptability; they typically use attacks used by others in the past. They’re cohesive because they all do what their leader wants but they fall short on creativity by reusing the same attacks and copying others’ attacks.

China is “complicated and changing,” he continued. It has loose cohesion for security and deniability reasons, with low adaptability, medium speed, and mixed creativity.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/vulnerabilities---threats/looking-back-and-thinking-ahead-on-cyberwar-nation-state-attacks/d/d-id/1331355?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Looking Back to Look Ahead: Cyber Threat Trends to Watch

Data from the fourth quarter of last year shows the state of application exploits, malicious software, and botnets.

Organizations today face an unprecedented volume of increasingly sophisticated threats as they conduct online operations. As the potential attack surface expands and attack volumes increase, it is imperative to track the most popular and successful strategies of cybercriminals to stay ahead of their malicious intentions.

The quarterly Fortinet Global Threat Landscape Report gathers the collective intelligence drawn from FortiGuard Labs’ large array of sensors deployed in live production environments. The research data in the most recent report focuses on three aspects of the threat landscape: application exploits, malicious software, and botnets. It also examines important zero-day vulnerabilities and infrastructure trends to add context about the trajectory of cyberattacks affecting organizations over time.

What the Data Reveals
Below are the key findings from the latest “Threat Landscape Report” that organizations need to know about in order to prepare for what’s ahead.

Application exploits, malicious software, and botnets:

  • Historic Volume: The number of malware families detected in the fourth quarter of 2017 increased by 25% over the third quarter, to 3,317, and unique variants grew 19%, to 17,671. An average of 274 attacks per firm were also detected, a staggering increase of 82% over the previous quarter.
  • Mining for Cryptocurrency: Cryptomining malware increased in the fourth quarter, which seems to be intertwined with the changing price of bitcoin. Cybercriminals recognize the growth in digital currencies and are using a trick called cryptojacking to mine cryptocurrencies on computers using CPU resources in the background without a user knowing. Cryptojacking involves loading a script into a web browser; nothing is installed or stored on the computer.
  • Everything Old Is New Again: Steganography is a technique for hiding data, in this case malicious code, inside images. The Sundown exploit kit uses steganography to steal information, and while it has been around for some time, it was reported by more organizations than any other exploit kit in the fourth quarter. It was found dropping multiple ransomware variants.
  • A Ransomware Explosion: Ransomware continues to grow in both volume and sophistication. Several strains of ransomware topped the list of malware variants. Locky was the most prevalent malware variant, and GlobeImposter was second. A new strain of Locky emerged, tricking recipients with spam before requesting a ransom. In addition, there was a shift on the darknet from only accepting bitcoin for payment to other forms of digital currency.
  • Swarm-Based Cyberattacks: The sophistication of attacks targeting organizations is accelerating at an unprecedented rate. For example, attackers are developing new Internet of Things (IoT)-based botnets with swarm-like capabilities that simultaneously target multiple vulnerabilities, devices, and access points.
  • An Increase in IoT Attacks: Three of the top 20 attacks identified in the quarter targeted IoT devices. New IoT botnets such as Reaper and Hajime target multiple vulnerabilities simultaneously. This multivector approach is much harder to combat. In addition, Reaper’s new flexible framework, built around a Lua engine and scripts, means that Reaper’s code can be easily updated to swarm faster by running new and more malicious attacks as they become available. Exploit volumes associated with Reaper exhibited an early October jump from 50,000 to 2.7 million over just a few days, before dropping back to normal.
  • Sophisticated Industrial Malware: An uptick in exploit activity against industrial control systems and safety instrumented systems suggests these under-the-radar attacks might be climbing higher on attackers’ agendas. An example is an attack code-named Triton. It is sophisticated in nature and has the ability to cover its tracks by overwriting the malware itself with garbage data to thwart forensic analysis. Because these platforms underpin vital critical infrastructure, they are enticing for threat actors. Successful attacks can cause significant damage with far-reaching impact.

Infrastructure trends:
When it comes to the cyber threat landscape, infrastructure statistics offer a powerful overview because strong correlations exist between infrastructure usage and threat frequency. For example, firms that use a lot of peer-to-peer and proxy apps report seven to nine times as many botnets and malware as those that don’t use them.

In the fourth quarter of 2017, firms also appear to have used more bandwidth and encrypted more web traffic than ever before, but they are actually visiting fewer sites and using fewer applications. There is also a special interest in keeping tabs on the ratio of HTTPS traffic in the network. It’s continuing to trend up.

While helpful for maintaining privacy, higher encryption rates also present challenges to threat monitoring and detection. Inspecting Secure Sockets Layer traffic has a significant impact on the performance of firewalls, which means it can affect the amount of network traffic that is actually being inspected. And organizations — especially those with higher HTTPS ratios — cannot afford to ignore threats that might be lurking within encrypted communications.

Best Practices for Stronger Security
With the volume, velocity, and variety of modern threats increasing, standalone point devices and platforms are rapidly becoming inadequate and ineffective. Organizations need a more unified approach that makes it practical for security teams, large or small, to achieve and maintain a competent security posture.

To protect the network against application exploits, malicious software, botnets, and zero-day vulnerabilities, organizations need to stay abreast of and track popular and successful threats. In addition, automated security measures can help pit swarm against swarm in order to effectively counter and repel an attack.

A unified defense posture can also help companies by detecting known and unknown threats at multiple layers throughout the environment. Growing your capability to detect and sever botnet communications at key choke points in your network is another solid strategy. Additionally, an internal network segmentation strategy will help detect and automatically contain all kinds of threats.

Looking back at data from 2017 reveals that to effectively combat today’s ever-evolving threats, you need to break down silos and bring many security tools together in a collaborative approach that can help you see everything that’s coming at your network.

Derek Manky formulates security strategy with more than 15 years of cyber security experience behind him. His ultimate goal is to make a positive impact in the global war on cybercrime. Manky provides thought leadership to industry, and has presented research and strategy …

Article source: https://www.darkreading.com/endpoint/looking-back-to-look-ahead-cyber-threat-trends-to-watch-/a/d-id/1331286?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple