STE WILLIAMS

Disappearing Act: Dark Reading Caption Contest Winners

A standout field with hysterical puns about security policies, Meltdown, Amazon Web Services, and the right to be forgotten. And the winner is …

Joe Stanganelli, principal at Beacon Hill Law in Boston, took top honors and a $25 Amazon gift card for his apt caption poking fun at AWS cloud services vulnerabilities. The caption is penned below by cartoonist John Klossner.

Joe faced stiff competition from our runners up: “About that Meltdown patch …” by ianrod and “I told him not to print out the security policies …” from DavidRandolph, both of whom will receive a $10 Amazon gift card.

Many thanks to everyone who entered the contest and to our loyal readers who cheered on the contestants. Also a shout-out to our judges, John Klossner and the Dark Reading editorial team: Tim Wilson, Kelly Jackson Higgins, Sara Peters, Kelly Sheridan, Curt Franklin, Jim Donahue, and yours truly. If you haven’t had a chance to read all the entries, be sure to check them out today.

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop ITX 2018 agenda here.

Marilyn has been covering technology for business, government, and consumer audiences for over 20 years. Prior to joining UBM, Marilyn worked for nine years as editorial director at TechTarget Inc., where she launched six Websites for IT managers and administrators supporting …

Article source: https://www.darkreading.com/cloud/disappearing-act-dark-reading-caption-contest-winners/a/d-id/1331228?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

FlawedAmmyy RAT Campaign Puts New Spin on Old Threat

A remote access Trojan, in use since 2016, has a new tactic: combining zip files with the SMB protocol to infect target systems.

A previously undocumented remote access Trojan (RAT) has been detected in both narrowly targeted email attacks and massive campaigns. The latest puts a new spin on old cybercrime methods as threat actors explore new ways to make money without using ransomware.

Researchers at Proofpoint most recently detected the FlawedAmmyy RAT as the payload in email campaigns from early March 2018, but they say it has been used in attacks as far back as January 2016. Both the emails and delivery of FlawedAmmyy imply this is the work of TA505, a threat group known for the Dridex, Locky, and GlobeImposter campaigns.

The FlawedAmmyy malware was built on top of leaked source code for version 3 of Ammyy Admin, a legitimate form of remote desktop software used among millions of consumers and businesses to handle remote control and diagnosis on Windows machines. This isn’t the first time Ammyy Admin has been abused; a July 2016 attack also used it to conceal malware.

FlawedAmmyy has the same functionality as the software’s leaked source code, which includes remote desktop protocol, file system manager, proxy support, and audio chat. A successfully compromised machine gives the attacker full system access. They can view different services, steal sensitive files and credentials, and spy on audio and keystrokes.

Messages in the early March campaigns were sent from addresses spoofing the recipients’ domain and contained zipped .url attachments. The .url files are interpreted by Windows as Internet Shortcut files, which were designed by the attackers to be “file://” network shares instead of “http://” links. Because of this, when the user clicks “Open,” the system downloads and executes a JavaScript file over the SMB protocol rather than opening the browser.

The JavaScript downloads Quant Loader, which calls FlawedAmmyy as the final payload. Researchers say this is the first time they’ve ever seen the combination of .url files and SMB protocol downloads. “That which is old is new again,” says Kevin Epstein, vice president of Threat Operations at Proofpoint. This attack leverages old technology with a new, slightly tweaked distribution mechanism.

Attachments and URLs have long been used in cybercrime, he says. The combination of zipping a URL as an attachment so it doesn’t look like a link, and using that to obtain a file over SMB instead of http, is an “intricate and new approach” to delivering a Trojan. The scale of distribution is significant here, he says. FlawedAmmyy was seen in targeted attacks on the auto industry and quickly scaled to campaigns including millions of messages.
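The delivery chain described above (a zipped .url attachment whose Internet Shortcut points at a file:// network share instead of an http:// link) is something a mail gateway can check for before the user ever sees the "Open" prompt. The following is an added example, not code from the article, from Proofpoint or from any product: it unpacks a zip attachment in memory, parses each .url member with configparser (Internet Shortcut files are INI-style, with a URL= key under [InternetShortcut]) and flags targets that would be fetched over SMB. The attachments and the 203.0.113.10 address are constructed sample data from documentation address space, not indicators from the campaign.

```python
import configparser
import io
import zipfile
from urllib.parse import urlparse

# Constructed sample attachments (not samples from the campaign): one benign shortcut
# and one built the way the article describes, with a file:// target instead of http://.
BENIGN_SHORTCUT = "[InternetShortcut]\r\nURL=https://www.example.com/\r\n"
SMB_SHORTCUT = (
    "[InternetShortcut]\r\n"
    "URL=file://203.0.113.10/share/invoice.js\r\n"  # 203.0.113.0/24 is documentation space
    "IconIndex=0\r\n"
)


def build_zip(entries):
    """Build an in-memory zip from {filename: text}; used only to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, text in entries.items():
            zf.writestr(name, text)
    return buf.getvalue()


def parse_url_file(text):
    """Return the URL= target of an Internet Shortcut (.url) file, or None if malformed."""
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(text.replace("\r\n", "\n"))
    except configparser.Error:
        return None
    # option names are case-insensitive in configparser; the section name is not
    return parser.get("InternetShortcut", "URL", fallback=None)


def classify_target(url):
    """Classify a shortcut target; a file:// URL with a host part is a UNC (SMB) fetch."""
    parsed = urlparse(url)
    scheme = parsed.scheme.lower()
    if scheme == "file" and parsed.netloc:
        return "suspicious: file:// target on a remote host (SMB fetch)"
    if url.startswith("\\\\"):
        return "suspicious: bare UNC path"
    if scheme not in ("http", "https"):
        return "review: unusual scheme '%s'" % scheme
    return "ok"


def scan_zip_attachment(zip_bytes):
    """Scan a zipped attachment for .url members; return (member, target, verdict) tuples."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".url"):
                continue
            # .url files written by Windows may carry a UTF-8 BOM; utf-8-sig strips it
            text = zf.read(info).decode("utf-8-sig", errors="replace")
            target = parse_url_file(text)
            if target is None:
                findings.append((info.filename, None, "review: unparseable .url member"))
                continue
            findings.append((info.filename, target, classify_target(target)))
    return findings


if __name__ == "__main__":
    sample = build_zip({"invoice_3391.url": SMB_SHORTCUT, "readme.url": BENIGN_SHORTCUT})
    for member, target, verdict in scan_zip_attachment(sample):
        print(f"{member}: {target} -> {verdict}")
```

The check deliberately treats any file:// URL with a host component as suspicious rather than looking for a particular host or filename, since the point of the technique is the scheme, not the specific share; local file:/// targets and non-web schemes are surfaced for review rather than blocked outright.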

Epstein says this attack was financially motivated and the new method is a sign that attackers are thinking beyond ransomware for their money-making schemes.

“The use of this approach, to use Trojans vs. malware, is a reflection of the decreasing return-on-investment and profitability of ransomware,” he continues. “When you’re not getting paid as much, you seek other sources of revenue.”

Over the past two quarters, ransomware has declined as cryptocurrency miners and Trojans take its place, Epstein says. Once an effective means of generating funds, ransomware has become too popular to work. Consumers and businesses are wary of it and less likely to pay.

“We see more mechanisms like this, with effectively intricate social engineering,” he explains. “None of the FlawedAmmyy attacks work without a human taking action.” Further, unless they remember opening the malicious email and clicking the link, there’s virtually nothing a user would see that would give the Trojan away once it’s on the target machines.

For users, the best defense is to be suspicious, he says. Human instinct tells us to be helpful and most people don’t think twice about opening documents disguised as bills or invoices, which these often are. If you weren’t expecting it, think twice about opening it.

“‘Enable’ is a dangerous word,” Epstein notes. “No bill or invoice you’re receiving should require you to enable anything.”

The vast majority of cyberattacks are financially motivated and based on the ROI for criminals. “Think like a business and put yourself in the shoes of the attacker,” says Epstein. “The best defense is anything that increases their cost of doing business.”

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/endpoint/flawedammyy-rat-campaign-puts-new-spin-on-old-threat/d/d-id/1331248?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Chinese APT Backdoor Found in CCleaner Supply Chain Attack

Avast discovers ShadowPad tool for use in apparent planned third stage of the targeted attack campaign.

Researchers uncovered another piece of the puzzle in the compromise of the popular Windows utility CCleaner last fall that further points to a targeted cyber espionage campaign: a backdoor that had been deployed in a previous software supply chain attack last year.

Security firm Avast – which acquired CCleaner vendor Piriform on July 18 of last year – recently found that the attackers appear to have had a third stage of their attack planned that used the ShadowPad backdoor for capturing keystrokes and stealing information from infected networks.

ShadowPad traditionally has been the calling card of the so-called Axiom, aka APT17, nation-state group out of China. “ShadowPad is a remote cyber attack platform that cybercriminals deploy in victims’ networks to gain remote control capabilities, and it is known to be used by the Axiom group, which gives us further proof that this group likely are the actors behind the CCleaner attack,” says Martin Hron, a security researcher at Avast.

The compromise of Piriform’s network remained under the radar and unknown until Sept. 12, when researchers from Morphisec alerted Avast of their discovery: that version 5.33 of CCleaner had been hacked to deliver malware, affecting some 2.27 million users in the first stage of the attack, and then just 40 PCs in the second, more targeted stage. When users downloaded that version of the utility, they unknowingly also got malware.

Among the victim organizations in the second stage were Akamai, D-Link, Google, HTC, Linksys, Microsoft, Samsung, Sony, VMware, and Cisco.

That first stage of the attack, between Aug. 12 and Sept. 12, 2017, was all about collecting data on the machines, including system information and running processes. Once the attackers had filtered out their juicy prey, they hit the tech companies and other victims with a second-stage loader that gathered more intel, including IP addresses, hostnames, domain names, and other specific parameters.

“What happened is the attacker was using this giant net,” Craig Williams, senior technical lead at Cisco Talos, told Dark Reading last fall. “In the four days the command and control server had data for, 700,000 victims connected with it … but [the attackers] only wanted a tiny fraction of them.”

Avast’s Hron said he and his team found signs of ShadowPad on four Piriform computers during their inspection of Piriform’s software build environment: the tool had been installed on those machines on April 12, 2017, one month after the stage two infections on March 12.

Kaspersky Lab’s Costin Raiu also had seen Axiom Group ties to the malware injected into CCleaner’s software. According to Avast, Raiu was the first to make the connection between Axiom and the CCleaner malware.

Hron and his team found ShadowPad log files with encrypted keystrokes lifted from a keylogger on one of the infected Piriform machines, and were able to decrypt the log, which included keylogs and showed that the ShadowPad tool had been custom-built.

“By installing a tool like ShadowPad, the cybercriminals were able to fully control the system remotely while collecting credentials and insights into the operations on the targeted computer. Besides the keylogger tool, other tools were installed on the four computers, including a password stealer, and tools with the capacity to install further software and plugins on the targeted computer remotely,” according to a new Avast blog post on the findings. 

ShadowPad Deja Vu

This isn’t the first time ShadowPad was found embedded in software. In August of last year, a ShadowPad backdoor was found in the source code of a Windows-based server management product used by hundreds of organizations worldwide to manage their Linux, Windows, and Unix systems. The victim then was NetSarang Computer’s Xmanager Enterprise 5.0 Build 1232, Xmanager 5.0 Build 1045, Xshell 5.0 Build 1322, Xftp 5.0 Build 1218, and Xlpd 5.0 Build 1220. 

Kaspersky Lab spotted the backdoor during an incident response investigation for a financial institution partner.

The good news about the ShadowPad discovery by Avast is that the backdoor was only in the Piriform’s network and hadn’t yet been deployed to any CCleaner PC victims, according to Hron, who presented Avast’s latest findings on the breach at the Kaspersky Security Analyst Summit (SAS) in Cancun last week.

“We still don’t know how the attackers got onto the Piriform servers. We are still investigating and hope to find out more details soon,” Hron told Dark Reading.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/endpoint/privacy/chinese-apt-backdoor-found-in-ccleaner-supply-chain-attack/d/d-id/1331250?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

FBI: we don’t want a backdoor; we just want you to break encryption

“We’re not looking for a ‘back door’” that breaks encryption, the FBI said on Wednesday. Don’t even know what that is, really, said director Christopher Wray: He thinks it’s some type of “secret, insecure means of access” – is that right?

No, that’s not what the FBI is after, he said during a speech (here are his prepared remarks) at the Boston College/FBI Boston Conference on Cyber Security.

Rather, what law enforcement wants is a secure means to access evidence on devices once they’ve shown probable cause and have a warrant, he said. How that gets done is up to you smart people in technology, the “brightest minds doing and creating fantastic things.”

I’m open to all kinds of ideas. But I reject this notion that there could be such a place that no matter what kind of lawful authority you have, it’s utterly beyond reach to protect innocent citizens.

You’ve got to hand it to Wray: his tone was far more flattering – “brightest minds?” nice! – than when FBI forensic expert Stephen Flatley called Apple a bunch of “jerks” and “evil geniuses” for encrypting iPhones.

But Wray’s tempered remarks can be read as a velvet glove slipped over an iron fist, and that iron fist has been banging at this door for quite a while. The FBI has been battling encryption ever since Apple made it a default on the iPhone in September 2014.

Apple’s encryption is so strong that even Apple can’t break it. That’s made it all the harder to catch criminals and terrorists, the FBI has stressed both inside and outside of courtrooms.

In his speech, Wray picked up from where he left off in January, when he called unbreakable encryption a “public safety issue,” citing 7,775 devices that the FBI couldn’t crack in 2017 – more than half of those that the agency sought to lawfully access…

…which in turn picked up from where his predecessor, James Comey, left off… which also followed Assistant Attorney General Rod Rosenstein having made the same arguments multiple times last year.

From Wednesday’s speech:

Each one of those nearly 7,800 devices is tied to a specific subject, a specific defendant, a specific victim, a specific threat. Last fall I spoke to a group of CISOs and someone asked about that number. He basically said, ‘What’s the big deal with 7,800? There are millions of devices out there.’

We’re not interested in the millions of devices used by everyday citizens. We’re only interested in those devices that have been used to plan or execute criminal or terrorist activities.

Of course you can give us access to encrypted devices without breaking encryption, Wray said. After all, look what’s been done with cloud platforms that users can access from anywhere:

For one thing, many of us in this room use cloud-based services. You’re able to safely and securely access your email, your files, and your music on your home computer, on your smartphone, or at an internet café in Tokyo… That didn’t happen by accident. It’s only possible because tech companies took seriously the real need for both flexible customer access to data and cybersecurity.

Just as the FBI director has again argued the same thing that the bureau has been arguing for years – the same arguments about somehow being able to get past encryption without breaking it, in some way that the FBI doesn’t know because that’s up to the people who build things – the same logic holds on the other side: unbreakable encryption that doesn’t break encryption is not a thing.

Apple CEO Tim Cook has said that a backdoor wouldn’t be such an issue if it were to be used only for catching “bad people,” but he doubts that crooks would fail to figure out how to exploit a backdoor even if it were only meant to help law enforcement.

Naked Security still says #nobackdoors

Paul Ducklin put it pretty bluntly: “Tim Cook is right: if you put in cryptographic backdoors, the good guys lose for sure, while the bad guys only lose if they’re careless.”

It’s not as if the US hasn’t tried it. It didn’t turn out well.

In the 1990s, the US required American software companies to use deliberately weakened encryption algorithms in software for export, in an attempt to make it safe to sell cryptographic software even to potential enemies because their traffic would always be crackable.

The results:

  • International customers simply bought non-US products instead, hurting US encryption vendors.
  • EXPORT_GRADE ciphers lived on long after they were no longer legally required, leaving behind backdoors such as FREAK and LOGJAM that potentially put all of us at risk.

As Naked Security and other encryption vendors have repeatedly pointed out, backdoors have a way of being forgotten about, soon end up widely known, often live much longer than anyone imagined, and can be widely misused: all good reasons to avoid them.

SOPHOS STATEMENT ON ENCRYPTION

Our ethos and development practices prohibit “backdoors” or any other means of compromising the strength of our products for any purpose, and we vigorously oppose any law that would compel Sophos (or any other technology supplier) to weaken the security of our products.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/I7QjtBcnuZ0/

Fake news travels faster than truth on Twitter, and we can’t blame bots

People would rather spread juicy lies rather than the truth, according to new research from the Massachusetts Institute of Technology (MIT).

Last week, in a writeup of the research, Science reported that claims that are demonstrably false – as in, tweets related to news that had been investigated by six independent fact-checking organizations, including PolitiFact, Snopes and FactCheck.org – are 70% more likely to be retweeted. Bogus claims about politics spread further than any other category of news included in their analysis.

Must be those meddlesome bots, eh? That’s what the researchers preliminarily assumed. But it turned out that it was humans, relishing new (false) information that they hadn’t seen before. The team arrived at its conclusion by using bot-detection technology to weed out social media shares generated by bots.

Even without the busybody bots, fake news still spread at about the same rate and to the same number of people. Specifically, the researchers had found that truth rarely reached more than 1000 Twitter users. The most outlandish fake news, on the other hand, routinely reached well over 10,000 people.

One example was the false reports about the boxer Floyd Mayweather wearing a Muslim headscarf and challenging people to fight him at a Donald Trump rally during the 2016 US presidential election. It originated on a sports comedy website, catching fire as people took it seriously. Fairy tales such as the Mayweather concoction routinely reach over 10,000 Twitter users.

Soroush Vosoughi, a data scientist at MIT, told Science that it was the viral posts after the Boston Marathon bombings – posts that spread rumors about a missing Brown University student thought to be a bombing suspect (he later turned out to have committed suicide for reasons unrelated to the bombing) – that really brought home to him what an effect fake news can have on real lives.

[That’s when I realized] that these rumors aren’t just fun things on Twitter, they really can have effects on people’s lives and hurt them really badly.

If we can’t blame bots for fake news going viral, his team thought, perhaps it has to do with how many followers a disseminating account has?

Nope: people who spread fake news actually have fewer followers, not more.

That left the content of the tweets themselves. What the researchers found was that tweets with false information were refreshingly novel: they had new information that a Twitter user hadn’t seen before, making them feel fresher than true news stories. The fake news tweets were also far more emotionally provocative, eliciting more surprise and disgust in their comments.

Science quotes Alex Kasprak, a fact-checking journalist at Snopes:

If something sounds crazy stupid you wouldn’t think it would get that much traction. But those are the ones that go massively viral.

Unfortunately, crazy stupid can become crazy dangerous. In June 2017, a 29-year-old man who fired a military-style assault rifle inside a popular Washington pizzeria, wrongly believing he was saving children trapped in a sex-slave ring, was sentenced to four years in prison.

The judge said at the time that it was “sheer luck” that Edgar Maddison Welch didn’t kill anybody.

That was a case study in how fake news gets onto Twitter in the first place. It started with hacked emails on WikiLeaks… which got scoured for political wrongdoing in the Clinton campaign staff by a popular Reddit forum dedicated to Donald Trump and 4chan’s far-right fringe message board… and which wound up confabulated into “PizzaGate” by somebody on 4chan who connected the phrase “cheese pizza” to pedophiles, who use the initials “c.p.” to denote child pornography on chat boards.

Thanks to a recent study from the University of Alabama at Birmingham, Cyprus University of Technology, University College London and Telefonica Research, we have a better understanding of how tightly knit, highly active fringe communities on sites such as 4chan and Reddit are an important part of our current news ecosystem and often succeed in spreading alternative news to mainstream social networks such as Twitter and on out to the greater web.

One takeaway from these studies: if we’re getting our news from Twitter, we should bring a healthy dose of skepticism to the table. At the rate it’s going, fake news is elbowing out the truth, and we don’t even have bots to blame: just our own, very human hunger for something new.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/mYXSoQzNJ7Q/

With 4 months to switch on HTTPS, are web hosting companies ready?

Like it or not, if your website isn’t using HTTPS (the encrypted version of the web’s HTTP protocol) by July then you’re likely to lose traffic.

That’s because in July 2018 Google Chrome, the world’s most popular browser, will start warning users that web pages served over HTTP are not secure (they aren’t).

This isn’t an empty threat, Chrome has been turning the screw on HTTP for a number of years and Google Search already gives sites with HTTPS a boost in its search rankings. You should expect other browsers to follow Chrome’s lead.

In other words, if you’re buying web hosting you’re going to want HTTPS. I wondered if the major web hosting companies were standing by, ready to help.

TLS/SSL

Turning on HTTPS means installing an SSL certificate. (These days they’re actually TLS certificates but the old term, SSL, has stuck and it’s the one the hosting industry uses, so I’ll be using it for the rest of this article.)

With four months to go before Google starts warning users about HTTP being insecure, I wanted to see if the big web hosting companies are making it easy for new customers to dodge this bullet.

I wanted to know what a new, non-technical customer would be faced with: are the hosting companies using terms that buyers spooked by Chrome’s deadline might have seen – terms like SSL, TLS or HTTPS; is SSL now mandatory or opt-out by default in their hosting packages; and what, in a world where free SSL certificates are easily obtained, are the hosting companies charging for SSL?

In short – does the path of least resistance lead non-technical customers to a site protected by HTTPS?

Shared hosting

Web hosting is the place you put your website – if your website were a building then hosting would be the land it’s built on (and your domain would be a signpost telling people where to find it).

In this article I focus on what new customers see when they buy shared hosting, the simplest and cheapest kind of web hosting. Straightforward and popular, shared hosting packages are the kind of thing that somebody might buy for their small business website.

I looked at SSL support in shared hosting packages offered by five of the top US hosting companies by market share, according to HostAdvice. (Amazon Web Services, RackSpace and SoftLayer are not included because they don’t offer products in the entry-level, shared hosting space.)

The results

The table below displays the following information:

  • Host – the company selling the hosting
  • Plan – the hosting product
  • Offered – is SSL offered as part of the product?
  • Opt-out – is SSL mandatory or selected by default?
  • Named – are recognisable terms like SSL, TLS or HTTPS used?
  • Free – Is the price of SSL included?
  • Plan – The cost of 12 months hosting, billed annually after any introductory offers have expired
  • SSL – The annual cost of an SSL certificate from this host
  • Total – The total annual cost of both hosting and SSL

SSL is widely supported across the shared hosting packages I looked at, although the cost varies enormously and makes a significant difference to the total annual cost of hosting.

For example, 1&1 and GoDaddy both offer packages costing $95.88 without introductory offers. 1&1’s SSL is included in the price while GoDaddy’s domain validated SSL certificates – the same kind of validation you get with a free Let’s Encrypt SSL certificate – are an eye-watering $75.

In some cases the design of the sign-up process or the language used seems likely to cause confusion.

When I first looked at Bluehost I noticed its selected-by-default “SiteLock Security – Find” option included a “Site Verification Certificate”, which I assumed was an SSL certificate. I later found a separate option for SSL and despite a good look at the SiteLock and Bluehost websites I still don’t know what a “Site Verification Certificate” is.

Bluehost’s SSL option, Comodo PositiveSSL Bundle, is hidden when the default term of 36 months is selected. It only appears if you select 12 months of hosting, and is offered as an extra at $39.99.

Its disappearance for longer terms isn’t explained anywhere and it took Bluehost support about 15 minutes to tell me that it’s because SSL is not available for the longer terms:

Online chat with Bluehost support

Looks like it is only for 12 months. My suggestion would be to go for a PRO plan in which you get a free dedicated IP and SSL

So SSL isn’t available if I buy 36 months?

Yes

OK, thanks

This seems unlikely but at least one Bluehost representative thinks it’s true. Either way, the path of least resistance for a new customer isn’t exactly a path of low resistance.

Who’s ready?

Twelve of the thirteen shared hosting plans I reviewed offered SSL and six plans included it in the price of twelve months hosting: DreamHost’s Shared Hosting; 1&1’s Basic, Unlimited Plus and Unlimited Pro; GoDaddy’s Ultimate plan and HostGator’s Business Plan.

If you have details of SSL support for companies not listed here, feel free to add them to the comments below (no ads please – just address the questions in my chart).

LEARN MORE ABOUT HTTPS

Listen to Naked Security Podcast Episode 2 (HTTPS segment starts at 08’45”):

Intro music: http://www.purple-planet.com

Closing music: https://thespacelords1.bandcamp.com

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/2718Uoc2g84/

Cavalry riding to the rescue of DDoS-deluged memcached users

DDoS attacks taking advantage of ill-advised use of memcached have begun to decline, either because sysadmins are securing the process, or because people are using a potentially-troublesome “kill switch”.

Memcached is a handy caching tool that can improve database performance but has no security controls because it was never intended to be used on internet-exposed systems. In late February attackers started to take advantage of the fact that memcached is a very effective amplifier of UDP messages, since a 15-byte query returns answers that could be hundreds of kilobytes. Attacks on the cache briefly gave GitHub the honour of the biggest ever DDoS attack at 1.7 Tbps, but within days a US service provider took an even bigger hosing.

Last Wednesday, the risks posed by internet-facing memcached processes took on a new colour, when security vendor Corero explained that a debug command could let a remote attacker retrieve, modify, or insert data into a system.

Corero said that there is a kill-switch it is deploying for clients. The flush_all command does exactly what it says: the process drops all the objects in memory, and the attack ends.

Cloudflare and Arbor Networks warned eWeek they’re worried about the ethics and legality of someone firing flush_all at someone else’s machine, because changing the contents of a computer you don’t own is illegal in many or most jurisdictions.

The attack volumes kept increasing for most of last week. Qihoo 360 last Wednesday said it had logged 10,000 attack events in the previous week, and identified 7,131 victim IP addresses.

Those included Qihoo, Google, and Amazon, various smut sites, games, security vendors, various National Rifle Association sites, and Brian Krebs’ page.

It seems the slow business of getting memcached hidden behind firewalls is happening at last, however, with no new attacks reported over the weekend. ®
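Two defender-side checks follow from the story: spotting reflection traffic (a tiny UDP query to port 11211 answered with a reply thousands of times larger, as the article describes) and confirming that a memcached instance is not listening for UDP on a public interface in the first place. The block below is an added example, not code from The Register, Corero, Cloudflare or the memcached project. The flow records are constructed sample data in documentation address space, with the column layout assumed for illustration; the command-line audit relies on memcached's long-standing -U (UDP port, 0 disables) and -l (listen address) options, and the note about versions before 1.5.6 enabling UDP by default reflects the memcached changelog as the author of this example understands it.

```python
from collections import defaultdict

# Constructed flow records as a memcached host's perimeter might export them (not real telemetry):
# (proto, remote_ip, remote_port, local_port, bytes_received, bytes_sent)
SAMPLE_FLOWS = [
    ("udp", "203.0.113.5", 443, 11211, 15, 450_000),   # 15-byte query, ~450 KB reply: reflection
    ("udp", "203.0.113.5", 443, 11211, 15, 450_000),
    ("udp", "203.0.113.5", 80, 11211, 15, 300_000),
    ("tcp", "192.0.2.44", 52311, 11211, 120, 4_096),   # ordinary TCP client traffic
    ("udp", "192.0.2.44", 52312, 11211, 40, 1_200),    # small UDP reply, ratio 30: not flagged
]

MEMCACHED_PORT = 11211


def amplification_ratio(bytes_received, bytes_sent):
    """Bytes sent per byte received; guards against zero-length requests."""
    return bytes_sent / max(bytes_received, 1)


def is_reflection(flow, min_ratio=1000):
    """A UDP flow to memcached answered with at least min_ratio times the request size."""
    proto, _ip, _port, local_port, received, sent = flow
    return (proto == "udp" and local_port == MEMCACHED_PORT
            and amplification_ratio(received, sent) >= min_ratio)


def summarize_reflection(flows, min_ratio=1000):
    """Aggregate flagged flows by remote address; with spoofed sources that is the DDoS victim."""
    summary = defaultdict(lambda: {"flows": 0, "reflected_bytes": 0, "max_ratio": 0.0})
    for flow in flows:
        if not is_reflection(flow, min_ratio):
            continue
        entry = summary[flow[1]]
        entry["flows"] += 1
        entry["reflected_bytes"] += flow[5]
        entry["max_ratio"] = max(entry["max_ratio"], amplification_ratio(flow[4], flow[5]))
    return dict(summary)


def audit_memcached_args(argv):
    """Check a memcached command line for the two settings that matter here:
    the UDP listener (-U, 0 disables it) and the bind address (-l).
    Assumption: versions before 1.5.6 enabled UDP by default when -U is absent."""
    udp_port = None
    listen = []
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg == "-U" and i + 1 < len(argv):
            udp_port = int(argv[i + 1])
            i += 2
            continue
        if arg.startswith("-U") and len(arg) > 2:      # concatenated form, e.g. -U0
            udp_port = int(arg[2:])
            i += 1
            continue
        if arg == "-l" and i + 1 < len(argv):          # -l may be repeated or comma-separated
            listen.extend(a.strip() for a in argv[i + 1].split(","))
            i += 2
            continue
        if arg.startswith("-l") and len(arg) > 2:
            listen.extend(a.strip() for a in arg[2:].split(","))
            i += 1
            continue
        i += 1
    problems = []
    if udp_port is None:
        problems.append("UDP not explicitly disabled (-U 0); the default depends on the version")
    elif udp_port != 0:
        problems.append(f"UDP listener enabled on port {udp_port}")
    if not listen or any(addr in ("0.0.0.0", "::") for addr in listen):
        problems.append("bound to all interfaces; use -l with a loopback or internal address")
    return problems


if __name__ == "__main__":
    for victim, stats in summarize_reflection(SAMPLE_FLOWS).items():
        print(f"{victim}: {stats['flows']} flows, {stats['reflected_bytes']} bytes, "
              f"max ratio {stats['max_ratio']:.0f}x")
    weak = ["memcached", "-m", "64", "-p", "11211", "-U", "11211", "-l", "0.0.0.0"]
    fixed = ["memcached", "-m", "64", "-p", "11211", "-U", "0", "-l", "127.0.0.1"]
    print("weak:", audit_memcached_args(weak))
    print("fixed:", audit_memcached_args(fixed))
```

The ratio threshold of 1000 is deliberately coarse: legitimate UDP clients fetching large values could exceed it, so the summary is meant to prioritise which remote addresses to look at, and the command-line audit (disable UDP, bind to a non-public address) is the fix that removes the problem regardless of what the flows show. A perimeter firewall rule dropping inbound UDP 11211 is the other half of "hidden behind firewalls".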

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/03/12/memcached_cavalry_spotted_on_the_horizon/

UK’s air accident cops are slurping data from pilots’ fondleslabs

A British government agency has been downloading data from iPads and similar devices used by pilots of crashed aircraft, it has emerged.

The Air Accident Investigation Branch routinely recovers data from tablets found in the wreckage of aircraft crashes. Such tablets are normally used by pilots of light aircraft with navigational apps open.

One of the AAIB’s recent investigations was into a fatal helicopter crash in March 2017 where the aircraft flew into the Snowdonia mountain in Wales while in low cloud. The accident report, published a few days ago, reveals how the AAIB’s investigators recovered screenshots from the device of the apps that were in use immediately prior to impact.

“The logic board (containing the memory) and battery were still attached to the base of the iPad, which was slightly bent and dented,” said the report (PDF, 27 pages). “The logic board was removed from the iPad base and slaved into a similar iPad mini whose own logic board had been removed. The memory was downloaded using a commercially available data extraction and analysis software tool.”

An AAIB spokesman told The Register: “While larger commercial aircraft are required to carry flight data and cockpit voice recorders, most smaller private aircraft do not carry these. Many pilots use mapping and other flight applications on personal devices, including phones and tablets. Following an accident, data stored in these can help build a picture of what happened in the runup to an accident, particularly where the occupants of the aircraft did not survive.”

The branch has been downloading data from digital devices over the past few years, as a glance over its reports reveals. A report from November 2016 (PDF, 114 pages long, page 11 onwards) reveals how a pilot’s iPad Mini was interrogated to reveal details of the navigation apps he was using after a fatal crash.

Similarly, a December 2015 report into a botched takeoff (PDF, 18 pages) of a Gulfstream commercial jet also revealed how three iPads and their GPS functionality were used to corroborate the aircraft’s track across the runway edge.

“We need the families’ assistance – such as recalling passwords and PINs – in order to try and access this information,” added the AAIB spokesman. “It often helps answer questions from bereaved family members who need to understand what happened, and is important for improving flight safety.”


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/03/12/aaib_ipad_data_downloads/

IoT Product Safety: If It Appears Too Good to Be True, It Probably Is

Proposed new connected-product repair laws will provide hackers with more tools to make our lives less secure.

There are times when you see or read something for the first time and it makes sense. But later, after you have had some time to think about it, the idea or proposal might not be as straightforward as you originally thought. This is where I am on connected-product repair legislation that has been introduced in more than 17 states.

At first blush, the proposed bills seem to make sense, both for consumers and for small businesses that service embedded systems or personal electronics. The bills aim to give consumers more options for having their Internet-connected products fixed. To do so, they seek to mandate that original equipment manufacturers (OEMs) share all source code, operating system, and security schematic information with any product owner.

Wait, what?

While looking at the proposed legislation, I started thinking about products and systems with embedded software. There is much more to today’s connected products than physical parts. For many people, all of their personal and banking data are on their smartphones. Our contacts, emails, texts, pictures, and other information are stored on our phones, and many devices hold our biometric information as well. How does this data get protected?

The proposed legislation in many states requires the OEM to provide the operating system, security, and other patches to anyone. But access to the operating system and other microcode could also allow malware to be introduced into the system without the owner knowing. Some legislation goes further, allowing for the reset of security-related electronic functions, such as passwords, fingerprints, and encrypted data, which could circumvent protections the owner already has in place. This could lead to sensitive data being exposed or lost through mishandling.

Requirements for OEMs to provide remote diagnostics, including the ability to set controls and identify the device’s location, could likewise be abused by hackers to wreak havoc.

For example, universal access to the settings makes it possible for hackers to add their own fingerprint, face image, or iris scan to any smartphone, thus allowing access to:

  • Wallet or other payment apps on the device;
  • Location settings for tracking;
  • Geotagging to allow location tracking even if it had been turned off by the smartphone owner;
  • Backup storage location changes; and
  • Mobile hotspot information along with the location information to track an individual and then connect to a smartphone without the user’s knowledge.

If a company has a bring-your-own-device policy and an employee uses a device that has been altered in this way, hackers will have an open door to corporate networks and the ability to steal employee Social Security numbers, trade secrets, and critical customer data. The same applies to any Internet of Things (IoT) device, printer, camera, or wireless access point (WAP) that was repaired by a malicious independent repair person.

We know that in the world of the IoT, we are only as strong as the weakest link. In the past, if someone stole your radio, your phone, your car, or your company-issued laptop, the damage was minimal, and the result was mostly a nuisance. But today the ramifications of a security breach are monumental and can put companies out of business. For the IoT to fulfill its promise, the secure and private sharing of treasure troves of data must be built into the foundation of all products. As a result, policymakers need to ensure that all technology legislation, at its core, is focused on security and privacy protections.

When people have a coat altered or a purse repaired, they will first empty all the contents out, especially their ID, credit cards, checkbook, and other private information. Yet all of this data is stored on many Internet-connected products. And now, some legislators are proposing laws that could substantially increase access to this sensitive and valuable information.

At its face, it may appear that these repair bills will protect consumers. But, in reality, such bills may provide hackers with the tools they need to make our lives even less secure.


Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.

Pat Osborne is a Certified Information Systems Security Professional (CISSP) with over 30 years in the IT field. He is the principal – executive consultant at Outhaul Consulting, LLC, and a cybersecurity advisor for the Security Innovation Center. He has experience in … View Full Bio

Article source: https://www.darkreading.com/endpoint/iot-product-safety-if-it-appears-too-good-to-be-true-it-probably-is-/a/d-id/1331227?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

CyberArk Buys Vaultive for Privileged Account Security Technology

The account security firm will use Vaultive’s tech to protect privileged users at heightened risk for cyberattacks.

CyberArk today confirmed it has acquired certain assets of Vaultive, a privately held cloud security provider. The account security firm plans to build on Vaultive’s technology to protect highly privileged account holders, who are frequent targets of cybercrime.

Specifically, CyberArk is building on its Privileged Account Security Solution, which already defends against privileged account exploitation on-premises and in hybrid cloud environments. Vaultive’s technology will add visibility and control over privileged users and SaaS, IaaS, and PaaS administrators, and brings a cloud-native and mobile experience to CyberArk’s tool.

Both privileged users and SaaS, IaaS, and PaaS administrators use a range of software and services that must be monitored. The idea behind the acquisition, terms of which were not disclosed, is to provide that monitoring in greater detail both on-premises and in the cloud.

Read more details here.


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/cloud/cyberark-buys-vaultive-for-privileged-account-security-technology/d/d-id/1331241?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple