STE WILLIAMS

Putting the S in SDLC: Do You Know Where Your Data Is?

Data represents the ultimate attack surface. Avoid major data breaches (and splashy headlines) by keeping track of where your data is.

Companies don’t often wind up in the headlines for having their networks or endpoints stolen. Those things get infected or broken into, but they don’t get stolen. Headlines are made — and reputations are destroyed — for stolen data.

You don’t want that to happen to you. So, to protect your business and help it thrive, you must be able to see, track, and analyze every query, modification, deletion, or other data transaction.

That’s not hard, but it may be painful. To achieve this, holistically, you have to understand the organization’s secure development life cycle (SDLC) — at which point, you may find out that the “secure” part is just wishful thinking.

Top-Down Data Hygiene
To find out one way or the other, you start with the organization’s most mission-critical app or apps. (If you’re dealing with a Fortune 500 company with tens of thousands of databases, this may not be entirely practical, but you could at least consider an appropriate sampling.) From there, it’s about understanding how your organization deals with data from beginning to end: starting at the development process and development servers, and proceeding to the test servers, to the quality assurance servers, to production — and so forth from there, presumably all the way back around to the beginning. What data do you have at each stage?

Now take all of that data and categorize it by risk and type, to rate the priority, severity, and criticality of each data point. And then ask whether the data changes as it moves from stage to stage, from server to server.

And what you should almost never find, but may well find, is that production data — the most critical data your company has — goes unchanged from stage to stage. That’s a big red flag. Next, you need to talk to stakeholders about why production data is being exposed outside of production — and they had better have a darned good reason. Developers don’t need to know Customer A’s phone number. The business analytics team probably doesn’t need Customer B’s credit card number. And all a business-to-consumer marketing team probably cares about is how many 18- to 25-year-old males in Houston or how many 35- to 44-year-old females in New York City are buying the company’s product. Occasionally, someone will need genuine production data, but you are usually better served by masking it.

Data Masking to Avoid Disaster
Data masking is a process by which copies of data are obfuscated (usually irreversibly) such that they still look realistic enough to remain workable and useful for whoever needs to play with them. “Sally Smith” becomes “Jessica Jones.” Credit card number “4444-3333-2222-1111” becomes “4321-5555-6666-7777.” And so forth. Data masking is essential not just for security; its inherent pseudonymization also helps with compliance with data-protection rubrics like the EU’s General Data Protection Regulation.
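The masking step described above, as an added example that is not from the article or any Imperva product: a keyed, one-way masker that keeps each field’s shape (card grouping, phone separators) and stays consistent across copies, so the same customer masks to the same value in every non-production environment. The key, name pools and sample record are constructed for the demonstration.

```python
import hashlib
import hmac
import re

# Constructed secret for the masking run. In practice it lives in a vault and is
# never shipped to the dev/test/QA environments that receive the masked copy.
MASKING_KEY = b"example-masking-key-not-for-real-use"

# Constructed replacement pools: masked names look real but belong to nobody.
FIRST_NAMES = ["Jessica", "Marcus", "Priya", "Daniel", "Aisha", "Tomas", "Mei", "Oliver"]
LAST_NAMES = ["Jones", "Okafor", "Nguyen", "Schmidt", "Rossi", "Patel", "Kowalski", "Hansen"]


def _prf(value: str, context: str) -> int:
    """Keyed one-way function of a field value.

    Same input always gives the same output, so a value that appears in several
    tables still joins correctly after masking. Without the key the output cannot
    be mapped back; low-entropy fields (names) are replaced from a pool rather
    than hashed, so the mapping cannot be rebuilt by brute force either.
    """
    digest = hmac.new(MASKING_KEY, f"{context}:{value}".encode(), hashlib.sha256).digest()
    return int.from_bytes(digest, "big")


def luhn_check_digit(payload: str) -> str:
    """Check digit that makes payload + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        n = int(ch)
        if i % 2 == 0:          # these positions are doubled once the check digit is appended
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    digits = re.sub(r"\D", "", number)
    return len(digits) > 1 and luhn_check_digit(digits[:-1]) == digits[-1]


def _redigit(original: str, new_digits: str) -> str:
    """Put new digits into the original's separator layout (dashes, spaces, brackets)."""
    it = iter(new_digits)
    return "".join(next(it) if ch.isdigit() else ch for ch in original)


def mask_name(full_name: str) -> str:
    r = _prf(full_name, "name")
    return f"{FIRST_NAMES[r % len(FIRST_NAMES)]} {LAST_NAMES[(r >> 16) % len(LAST_NAMES)]}"


def mask_card(card: str) -> str:
    """Replace every digit but keep the grouping and a valid Luhn check digit,
    so downstream validation in test systems still accepts the masked value."""
    digits = re.sub(r"\D", "", card)
    r = _prf(digits, "card")
    body = "".join(str((r >> (4 * i)) % 10) for i in range(len(digits) - 1))
    return _redigit(card, body + luhn_check_digit(body))


def mask_phone(phone: str) -> str:
    digits = re.sub(r"\D", "", phone)
    r = _prf(digits, "phone")
    return _redigit(phone, "".join(str((r >> (4 * i)) % 10) for i in range(len(digits))))


# Field classification drives what gets masked; unclassified fields pass through.
MASKERS = {"name": mask_name, "card": mask_card, "phone": mask_phone}


def mask_record(record: dict) -> dict:
    return {k: (MASKERS[k](v) if k in MASKERS else v) for k, v in record.items()}


# Constructed sample row of the kind a developer might otherwise copy from production.
SAMPLE_RECORD = {"id": 1017, "name": "Sally Smith", "card": "4444-3333-2222-1111",
                 "phone": "(713) 555-0142", "city": "Houston"}

if __name__ == "__main__":
    print(mask_record(SAMPLE_RECORD))
```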

If your most mission-critical apps are needlessly exposing your production data, you can stop right there because it’s a given that the problem is systemic and that the rest of your apps are also a data liability. There is no “S” in your “SDLC.” Time to roll up your sleeves and get to work.

If your mission-critical apps get a pass, however, then you may want to examine some of the so-called “lesser” apps that still have private data — and see if they are following the same processes. Sometimes, companies will appropriately prioritize around their perceived mission-critical apps by buying technology and implementing it around those apps and their data — but around nothing else. This creates a situation where the front door is bolted shut, but the back door is wide open; just think about how the data used by your “lesser” apps ends up getting copied dozens or hundreds of times across other apps. This is what happened in the Adobe mega-breach of 2013, in which attackers compromised more than 130 million customer accounts by gaining access to a poorly protected, set-to-be-decommissioned backup authentication system.

More recently, Uber confessed to covering up a 2016 breach affecting more than 57 million users. The breach happened after hackers compromised the GitHub credentials of a developer or two — indicating that Uber’s attack surface was needlessly broad; the company allowed its developers to access and copy sensitive data that they likely didn’t need.

Had Uber instead masked its production data accordingly, the hack could potentially have turned into a PR win — wherein the company announces that it had been hacked, but, because of the safeguards it places on user data, it was able to prevent exposure while working with authorities to catch the bad guys.

That’s the ride-hailing app I’d rather do business with. Even if they charge a bit more money, at least I would know that they treat my data like their crown jewels. Because that’s what data is.


Terry Ray has global responsibility for Imperva’s technology strategy. He was the first US-based Imperva employee, and has been with the company for 14 years. He works with organizations around the world to help them discover and protect sensitive data, minimize risk for …

Article source: https://www.darkreading.com/putting-the-s-in-sdlc-do-you-know-where-your-data-is/a/d-id/1331185?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

McAfee Closes Acquisition of VPN Provider TunnelBear

This marks McAfee’s second acquisition since its spinoff from Intel last year.

McAfee has confirmed its acquisition of TunnelBear, a virtual private network (VPN) provider based in Toronto. Neither company disclosed the value of the deal.

TunnelBear is a consumer-focused company founded in 2011 with the idea of making online privacy more accessible to the public. Its cross-platform VPN app, available for both mobile and desktop, reportedly has about 20 million users. Consumers are growing wary of privacy concerns, according to McAfee data: 58% know how to check whether a Wi-Fi network is secure, but less than 50% take the time to do it. Only 19% own a personal VPN solution.

It seems McAfee plans to leverage TunnelBear’s “hardened network” for its own VPN service called Safe Connect, says CEO Chris Young in a statement, noting that the VPN service had built “an engaging profitable direct-to-consumer brand.” McAfee will keep the TunnelBear brand and standalone apps active, reports VentureBeat.

This is the second acquisition McAfee has made since its spinoff from Intel last year. In November 2017 the company bought CASB provider Skyhigh Networks, a move intended to expand its security architecture to include both endpoint and cloud control points.

Read more details here.


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/perimeter/mcafee-closes-acquisition-of-vpn-provider-tunnelbear/d/d-id/1331217?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Yahoo Agrees to $80 Million Settlement with Investors

Investors alleged that Yahoo intentionally misled them about its cybersecurity practices.

Yahoo has agreed to pay $80 million to settle a class action securities litigation brought against it by shareholders who alleged that the company intentionally misled them about its cybersecurity practices in the wake of massive data breaches in 2013 and 2014 that compromised the personal information of all 3 billion of Yahoo’s customers.

The 2013 breach was not reported until 2016, and the full extent of the damage was not known until October 2017, months after the investors’ lawsuit was filed. The listed defendants are the company and its CEO and CFO at the time of the events, Marissa Mayer and Kenneth Goldman, respectively. The settlement class includes all those who purchased or acquired Yahoo securities on the open market between April 30, 2013, and Dec. 14, 2016.

The settlement must now be accepted by the court. 

A separate class action suit against Yahoo is also being brought by the victims of the breach whose personal data was exposed in the 2013 breach. The incidents forced Yahoo to trim $350 million off the original $4.83 billion asking price when it sold its main assets to Verizon in 2017. 

For more information, see here and here.


Article source: https://www.darkreading.com/risk/yahoo-agrees-to-$80-million-settlement-with-investors/d/d-id/1331219?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

CIGslip Lets Attackers Bypass Microsoft Code Integrity Guard

The new technique would enable attackers to inject malicious content into Microsoft Edge and other protected processes.

A new attack method lets attackers bypass Microsoft’s Code Integrity Guard (CIG) and inject malicious code into protected processes, including Microsoft Edge. Researchers at Morphisec this week disclosed the details of the technique and proof-of-concept code.

CIG is a mitigation that was first introduced in Windows 10 in 2015, and later became part of Device Guard. It restricts loaded images to those signed by Microsoft, WHQL, and in some cases, the Microsoft Store. The biggest benefit of CIG, researchers report, is that it stops unauthorized code loading by adware and malware that has already infected the system. If an app is protected with CIG, it’s protected from other compromised parts of the same machine.

This technique, dubbed CIGslip, was discovered by researchers learning how to protect the Edge browser, explains Michael Gorelik, CTO and vice president of R&D at Morphisec. The team wanted to see how they could test their protection by loading a DLL without going through the signing process. Edge is protected by CIG, as are several processes in the latest version of Windows 10.

CIGslip bypasses CIG’s security mechanisms while mimicking normal Windows DLL loading from disk. The technique abuses a non-CIG-enabled process, the most common kind of process on Windows, to inject code into a CIG-protected target process. This serves as an entry point for an attacker to load any kind of code, malicious or benign, into Microsoft Edge.

“We found this very easy technique … I’m really surprised no one uses it,” Gorelik says. “This technique allowed us to load any DLL we wanted, any model we wanted, into any protected CIG process without triggering any alert notification.”

CIGslip could have “serious destructive potential” if it gains popularity among cybercriminals, Gorelik writes in a blog post. Windows users are vulnerable in several ways, he reports, and businesses running Windows machines should understand the potential damage.

“We do see CIG as a very important concept that blocked a major amount of adversaries and malware that tried to inject into the Edge browser,” says Gorelik. Attackers could bypass CIG to steal passwords or browser history, or affect processes running outside Edge.

“With this technique I can download the same adware and malware and load it into the Edge browser, or any other process,” he explains.

The CIGslip method is sneaky. “You don’t know you’re attacked unless you’re monitoring and okaying every single process in the system,” Gorelik continues. “You definitely need to do strict detection for this.”

Morphisec approached Microsoft with its findings because “we considered it a very critical and serious vulnerability,” says Gorelik. Microsoft claims CIGslip is “outside the scope of CIG,” he explains, and the company explains its reasoning for this in its bounty terms. While this doesn’t mean Microsoft will never address the problem, it also won’t prioritize it.

The biggest implication is attackers could use CIGslip to inject browser malware or adware. However, there is also potential for vendors to manipulate this method. CIG makes it harder for third-party security vendors to protect Edge because they need a DLL signed by Microsoft for each protective process. Some might inject protective code outside Microsoft’s signing process.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/vulnerabilities---threats/cigslip-lets-attackers-bypass-microsoft-code-integrity-guard/d/d-id/1331221?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

How women are helping to fight cybercrime

Today is International Women’s Day. And, in celebration of just some of the women working to fight cybercrime, we asked a number of professionals at Sophos about their roles in cybersecurity and what this day means to them.

1. A new problem to solve

Software Engineer, Daphne Allamenou

I work on the Virtualisation team which is responsible for the development and testing of our Sophos for Virtual Environments product. While that may sound like a repetitive cycle, each piece of work is a new problem to solve which challenges me in different ways. The love for my job comes from the satisfaction I get when I overcome these tasks, particularly the more difficult ones.

International Women’s Day for me is about recognising the merits of women, past and present, and emphasising them as role models for younger and future generations. With this exposure, young girls may be inspired enough to venture down paths they would perhaps not have considered.

This day may not be enough to solve the gender balance problem we are facing in the tech sector but I think celebrating and highlighting the strength and ability of women in all areas is a step in the right direction for forging a better world where gender does not define your place or treatment in the world.

2. Technical decisions and strategies

Senior Development Manager, Chloe Acebes

I run a team of 13 software developers and quality assurance engineers to deliver security software for Windows Servers. There are three main aspects to my job: making technical decisions and strategising about the products that the team owns, developing the people in the team, and managing the team projects. Each one of these is challenging and rewarding in its own way, and finding a balance between the three can be particularly difficult – there is no point ensuring we deliver a new project on time if the new feature doesn’t work as expected and the team are unhappy!

I joined Sophos directly from university and decided that a career in cybersecurity was for me when I interviewed for a graduate engineer role. The overriding message I took from that day was how working in cybersecurity allows you to help people. That feeling hasn’t changed in the 16 years I’ve been working at Sophos. I still get a great sense of satisfaction from doing a job that gives me interesting technical challenges whilst delivering software that genuinely benefits people.

For me, International Women’s Day is a great opportunity to try to encourage more females into STEM career paths. I am definitely in the minority in terms of male/female balance in the Engineering team, and in cybersecurity, or even software development, in general. However, this is a great industry to get into – there are loads of opportunities for anyone who likes solving problems. Gone are the days of coders sitting in a corner bashing away at their keyboards and speaking to no one. Being a software engineer nowadays requires a good analytical mind, plenty of collaboration and a thirst to continually learn new things.

3. Ensuring quality

Senior QA Engineer, Manimala Rajeti

I am a senior quality assurance engineer in SophosLabs. This means I have to make sure the quality of VirusData (IDEs) does not break any product’s scan functionality. I am also a technical lead in the QA team, so I’m there to support my team when they need any technical help.

Working in Labs is very challenging, but it gives me a lot of opportunities to work on various things, which I love. And being in this environment allows me to constantly learn and develop my skills and interests.

It’s funny, I never made the decision that I wanted a career in cybersecurity, but somewhere along the line I realised how much I enjoy it, because my contribution to the work helps people stay protected against cybercrime. It gives me a lot of satisfaction when I see that a piece of malware has been identified by the data we provide through Sophos products.

I actually don’t believe that the software industry is male-dominated; there are plenty of women contributing to the work. For me, International Women’s Day means that everybody should celebrate and recognize women for their contribution everywhere – at work, in the family and in society. Women are not weak, either physically or mentally, but we are often treated as if we were. It would be great to live in a world where women are seen and treated as equal in every sector.

4. Bringing a system to life

Senior Software Engineer, Lily Conlan

International Women’s Day is an opportunity to highlight that women are more than just homemakers and the producers of the next generations – we can choose to have a career as well. It’s also a chance to highlight that the tech industry isn’t just “boys with toys” and that women can play a big part too.

At Sophos I am a Systems Engineer, which means that my job is to architect and implement tools, processes and systems. On a day-to-day basis that translates into getting requirements, designing a system or tool that will do those things and then implementing it. My favourite part is bringing a system to life and seeing it deliver what’s expected. I get excited about seeing code I’ve written doing the job it’s supposed to do.

But how did I get here? My interest in computers started from the age of 5, so when I got the opportunity in university to take the computing stream during my degree I jumped at the chance. This led me to get the job doing what I do now.

I have to admit that cybersecurity wasn’t something that I was aware of until I joined Sophos, but having worked in SophosLabs for some of my time here, I understand the importance of it and the relevance it has in today’s world. It’s an exciting time to work in this industry and to be part of the “good guys” trying to combat cybercrime.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/hWnnqzUPpuk/

Spyware maker shuts down surveillance services after hacks

Here’s one of the many problems with spyware: if hackers decide to gang up on the company behind it, both the spyware users and their targets are vulnerable to having their personal data – private photos, messages, GPS locations and more – compromised.

That includes the data of whomever users are legally surveilling – children or employees – or illegally surveilling, including ex-lovers, victims of domestic abuse or stalking victims.

That’s what happened with Retina-X Studios, the company behind PhoneSheriff, TeenShield, SniperSpy and Mobile Spy. It’s been repeatedly hacked, first in April 2017 and again last month.

Retina-X has had it with the hacking. On Monday, it threw in the towel on all of the aforementioned tools. The company put an announcement at the top of its site saying that while no personal data was accessed during the year of attacks, some “photographic material” of TeenShield and PhoneSheriff customers had been exposed.

That’s it, the company said, we’re out of here:

As a result [of the hacks], and to protect our valued customers, Retina-X Studios is immediately and indefinitely halting its PhoneSheriff, TeenShield, SniperSpy and Mobile Spy products.

The company’s going to offer pro-rated refunds to customers with a current contract for the services. Emails with instructions on how to get the refund and how to get at data during the shutdown are on the way to customers.

In its announcement, Retina-X said it was working with authorities as they investigate the breaches, which were done by hacktivists who explained to Motherboard that they want to expose what they consider to be an immoral trade.

The first time it was hit, Retina-X denied there’d been a breach. Now, it’s admitted to losing material in the attacks, but contrary to the hacker’s goal, the company isn’t doing any soul-searching about the morality of its products. Retina-X was none too happy about how the media has been used to bring attention to the hacks, either.

From the company’s notice on Monday:

The perpetrators of these illegal acts have been motivated by their unfounded opposition to the private activities of parents and employers on devices they own and with the consent of users of the devices. The perpetrators, who will likely never be identified or brought to justice, have shared their actions with online publications to gain attention. They are cowards who work in the dark and use the media to promote their agenda.

Like we said after news of this most recent attack surfaced, even if you find spyware repugnant, it’s still illegal to hack the companies that make it, for good reason. The hacker wasn’t helping anybody, let alone surveillance victims. By telling others how he did it, putting out blueprints and encouraging them to do the same, he and other spyware-focused hackers are putting those victims at that much greater risk of having their personal data accessed.

Besides, he might well have helped push one company out of this line of work – and for all we know, the company could be exiting for other reasons besides being plagued by hackers – but there are plenty more such software companies out there that will fill the Retina-X void.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/FLBAinGLkdI/

Smart traffic lights cause jams when fed spoofed data

We’ve got smart cars (that would be connected vehicles, or CVs, in smart-transportation lingo). We’ve got a US Department of Transportation (USDOT) pilot program that, since 2016, has been testing traffic lights that rely on data sent wirelessly from those cars.

If it all were to play nicely together, eventually, a smart car helped out by smart traffic lights could encounter a smooth sequence of green lights, driving through intersections without getting stuck in traffic jams or wasting fuel as drivers idle, waiting for the light to change.

But no, we can’t have nice things like smooth, smart, algorithmically timed sailing through intersections – at least, not with the current state of traffic technology. A team of five researchers from the University of Michigan has found that the DOT’s I-SIG (Intelligent Traffic Signal System) is way too easy to spoof with bad data.

In fact, the researchers said in a paper recently published on Internet Society that the current signal control algorithm has been designed and implemented to be “highly vulnerable” to data spoofing attacks from even one, single, solitary attack vehicle.

By constructing practical exploits and evaluating them in real-world intersection settings, the researchers found that data-spoofing attacks can even cause a blocking effect to jam an entire approach to an intersection.

I-SIG, the CV-based traffic control system they were attacking, was developed in the DOT’s Dynamic Mobility Applications (DMA) research program and takes in real-time vehicle trajectory data to best control traffic lights.

I-SIG has been tested in real intersections in Anthem, Arizona and Palo Alto, California, where it’s managed to cut vehicle delays by 26.6%. Well, kiss those time savings goodbye: the research team’s spoofed-data attack was so severe, they found that 22% of vehicles would need to spend over seven minutes for what would normally be a half-minute trip – a jam-up that makes the trip 14 times longer.

In other words, the vulnerabilities in I-SIG can be exploited to completely erase any benefit it attains, by slowing down traffic to make it 23.4% worse than if no such system had been adopted in the first place.

All they needed to turn smart into stalled: a device in a CV that’s been compromised so an attacker can send malicious messages to the I-SIG system. From the paper:

The only attack requirement in our study is that attackers can compromise the vehicle-side devices on their own vehicles or other people’s vehicles, and send malicious CV messages to the I-SIG system to influence the traffic control decisions.

They didn’t set out to crack the I-SIG’s messaging system; rather, they chose to generate the fake messages from a real vehicle. They also assumed that only one attack vehicle would need to be at an intersection. The attack car could be parked elsewhere: one of the team’s illustrations shows the attacker parked at a nearby gas station.

Vehicles can request a green light for their arrival, and I-SIG decides whether this will be granted based on the queue it’s created of all incoming requests. The data-spoofing attack’s focus was to manipulate the values in an “arrival table” that I-SIG uses to manage queues, spoofing the attack vehicle’s predicted arrival time and the requested phase of the traffic lights.

From the paper:

The attacker can change the speed and location in its BSM [Basic Safety Message] message to set the arrival time and the requested phase of her choice and thus increase the corresponding arrival table element by one [second].

On average, the attack success rate is 94%, and it causes delays to increase by 38.2%, the team found.

The best way to harden I-SIG’s defense is to boost the robustness of the signal control algorithm, the researchers said. Another step would be to employ data-spoofing detection, with sensors controlled by the infrastructure that can detect and filter spoofed messages. As it is now, the I-SIG system relies only on car-trajectory messages sent by the smart cars themselves – as in, messages that attackers can control.

To ensure high effectiveness, data spoofing detection on the infrastructure side needs to rely on data sources that attackers cannot easily control, e.g., infrastructure-controlled sensors, to cross validate the data in BSM messages.
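The cross-validation the researchers recommend, as an added illustrative model that is not the paper’s code nor I-SIG’s actual algorithm: each BSM’s claimed position is checked against counts from infrastructure-controlled detectors before it may increment the arrival table, so a message whose speed and location were altered to claim a phase and arrival time no detector can corroborate is filtered out. The BSM and detector structures, phase layout and sample messages are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Simplified stand-in for the arrival table in the article: one row per signal
# phase, one column per one-second arrival slot. Illustrative model only.
NUM_PHASES = 8
HORIZON_S = 60


@dataclass(frozen=True)
class BSM:
    """The Basic Safety Message fields the article says the sender controls."""
    vehicle_id: str
    phase: int          # requested signal phase, implied by the approach lane
    distance_m: float   # claimed distance to the stop bar
    speed_mps: float    # claimed speed


@dataclass(frozen=True)
class DetectorReading:
    """Vehicle count from an infrastructure-controlled loop/camera zone on one approach."""
    phase: int
    zone_start_m: float
    zone_end_m: float
    vehicles_seen: int


def predicted_arrival_slot(msg: BSM) -> Optional[int]:
    """Arrival slot the BSM implies (distance / speed); None if outside the horizon."""
    if msg.speed_mps <= 0:
        return None
    slot = int(msg.distance_m / msg.speed_mps)
    return slot if 0 <= slot < HORIZON_S else None


def cross_validate(msgs: List[BSM], detectors: List[DetectorReading]) -> Tuple[List[BSM], List[str]]:
    """Accept only BSMs whose claimed position an infrastructure detector corroborates.

    For each detector zone, BSMs claiming to be inside it may not outnumber the
    vehicles the detector saw; surplus claims are rejected. A BSM for a spot no
    detector covers is also rejected (a conservative policy chosen for this
    example), because nothing independent of the sender can vouch for it.
    """
    accepted: List[BSM] = []
    rejected: List[str] = []
    for det in detectors:
        claimed = [m for m in msgs
                   if m.phase == det.phase and det.zone_start_m <= m.distance_m < det.zone_end_m]
        claimed.sort(key=lambda m: m.vehicle_id)   # deterministic choice of which claims survive
        accepted.extend(claimed[:det.vehicles_seen])
        rejected.extend(m.vehicle_id for m in claimed[det.vehicles_seen:])
    covered = {m.vehicle_id for m in accepted} | set(rejected)
    rejected.extend(m.vehicle_id for m in msgs if m.vehicle_id not in covered)
    return accepted, rejected


def build_arrival_table(msgs: List[BSM]) -> List[List[int]]:
    """Each message adds one vehicle to its (phase, arrival slot) cell, as the paper describes."""
    table = [[0] * HORIZON_S for _ in range(NUM_PHASES)]
    for m in msgs:
        slot = predicted_arrival_slot(m)
        if slot is not None:
            table[m.phase - 1][slot] += 1
    return table


# Constructed sample: three genuine vehicles queued on phase 2, and one message
# claiming a vehicle on phase 6 about to arrive, which no detector has seen.
SAMPLE_BSMS = [
    BSM("veh-a", phase=2, distance_m=40.0, speed_mps=10.0),
    BSM("veh-b", phase=2, distance_m=60.0, speed_mps=10.0),
    BSM("veh-c", phase=2, distance_m=80.0, speed_mps=10.0),
    BSM("spoof-1", phase=6, distance_m=5.0, speed_mps=1.0),
]
SAMPLE_DETECTORS = [
    DetectorReading(phase=2, zone_start_m=0.0, zone_end_m=100.0, vehicles_seen=3),
    DetectorReading(phase=6, zone_start_m=0.0, zone_end_m=100.0, vehicles_seen=0),
]

if __name__ == "__main__":
    ok, bad = cross_validate(SAMPLE_BSMS, SAMPLE_DETECTORS)
    print("rejected:", bad)
    print("phase 6 arrivals, unvalidated:", sum(build_arrival_table(SAMPLE_BSMS)[5]))
    print("phase 6 arrivals, validated:  ", sum(build_arrival_table(ok)[5]))
```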


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/yA8UAsAk9EU/

Your entire ID is worth £820 to crooks on dark web black market

Fraudsters operating on the dark web could buy a person’s entire identity (“fullz” in the cybercrook lingo) for just £820.

Bank account details, Airbnb profiles and even Match.com logins are worth money to bidders that reside on the murkier side of the internet, a study by virtual private network comparison site Top10VPN.com found.

While online bank details are currently worth around £168 to dark web bidders, and PayPal logins a higher price of about £280, passport details fetch as little as £40. Hacked web accounts – such as access to your Match.com profile, Facebook and even Deliveroo – give criminals a backdoor into identity theft for less than a fiver.

Even eBay accounts with their broad scope for fraud fetch just £26 on the dark web. Compromised PayPal accounts are among the most widely traded items.

The average person has dozens of accounts that make up their online identity – all of which can be hacked and most of which can be sold on. Top10VPN.com reviewed tens of thousands of listings on three of the most popular dark web markets – Dream, Point and Wall Street Market – in putting together its Dark Web Market Price Index.


Communications services, such as Skype logins, are worth less than £10 despite their utility as a way of sending links to phishing sites or attempting other cons against the contacts of users of compromised accounts.

Even logins to dating sites like Match.com have some value, and tend to earn dark web sellers on average £2.24, because they offer criminals the opportunity to “catfish” potential matches, sparking up relationships to manipulate people for financial gain.

Despite the importance that some attach to social media, compromised Twitter and Instagram logins are among the least valuable on the dark web – even though they offer a useful backdoor to fraudsters planning to commit identity theft.

Simon Migliano, head of research at Top10VPN.com, said: “Some of the accounts we found for sale open the door to even more ingenious scams. A hacked Airbnb account, for example, could allow a scammer to pocket hundreds in booking fees or even stay at high-end properties as a guest and burgle the hosts. At less than £6 initial outlay, that’s very appealing to a cybercriminal.

“Our research is a stark reminder of just how easy it is to get hold of personal info on the dark web and the sheer variety of routes that fraudsters can take to get hold of your money. This really underlines the importance of two-factor authentication and more generally secure use of websites and apps,” he added.

Top10VPN.com doesn’t offer a view of whether dark market personal info prices are going up or down but security experts who keep tabs on assorted deep web malfeasance suspect the latter.

Raj Samani, chief scientist at McAfee, commented: “It seems like the prices are a little lower than when we wrote our paper in 2015. However, there are certainly more services on offer than before.

“Validity rates are not included so like-for-like comparisons are challenging.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/03/08/dark_web_market_price_index/

How Guccifer 2.0 Got ‘Punk’d’ by a Security Researcher

Security expert and former Illinois state senate candidate John Bambenek details his two months of online interaction with the ‘unsupervised cutout’ who shared with him more stolen DCCC documents.

KASPERSKY SECURITY ANALYST SUMMIT 2018 – Cancun, Mexico – Veteran security researcher John Bambenek purposely broke one of the first rules of OPSEC when he decided to reach out to Guccifer 2.0 in order to gather intel on the 2016 presidential campaign hacks: never expose your true identity to the adversary.

For a two-month period in late 2016 – not long after the infamous Guccifer 2.0 online persona first appeared and began leaking, to the media and via Twitter, documents stolen in the Russian hacks of the Democratic National Committee (DNC) and Democratic Congressional Campaign Committee (DCCC) – Bambenek reached out to Guccifer 2.0 via a Twitter direct message (DM), using his real name and actual party affiliation as an Illinois Republican.

“I didn’t think it would work,” says Bambenek, who contacted the mysterious online persona with the premise of requesting access to other stolen DCCC documents Guccifer 2.0 had in his possession. Bambenek at the time was working for Fidelis Cybersecurity and investigating the Russian hacks of the DNC and the DCCC, and had hoped to gather more intelligence and insight on the Russian state hacking and election influence operation via interactions with Guccifer 2.0. He is also a former Illinois state senate candidate and currently serves on the state’s board of higher education as well as its community college board.

Using his real name was a calculated risk that Bambenek knew at worst could halt his communications with Guccifer 2.0 if the Kremlin were to discover that he was a security researcher, but at best the ruse would provide him quicker online access to Guccifer 2.0. Surprisingly, it apparently took Guccifer 2.0 nearly two months to realize he had been duped even though Bambenek’s job information was included in his Twitter profile, according to the researcher.

Whether Guccifer 2.0 was truly fooled or playing along with the ruse remains unclear, but Bambenek observed that he mostly appeared to be eager to share with and show off the stolen data he requested. “It would be odd that he played dumb that long, but deception is the primary tool in the intel tool belt,” Bambenek notes.

From Aug. 12 to mid-Oct. 2016, Guccifer 2.0 fed Bambenek stolen DCCC documents that included background on the 17th District and 8th District races in Illinois, call logs from the DCCC chair, “path to victory” documents, and other data points about various races in the state. One such stolen file was a call sheet addressed to then vice-president Joe Biden from the DCCC chair about contacting a possible Democratic candidate for the Illinois 10th District race. Bambenek in turn handed each message and document he obtained to the FBI.

But it was obvious to Bambenek that Guccifer 2.0 didn’t understand or have any knowledge of the relevance of the stolen data, which included unremarkable documents on unopposed primaries, for example. “He never had anything overly useful,” he says. “They probably had some stuff and didn’t know how to make hay with it.”

Guccifer 2.0 in online blog posts and leaks during the campaign took credit for the DNC hack and denied any link to Russia. In an interview with Motherboard in June of 2016, Guccifer claimed to be a hacker from Romania who had exploited a security flaw in a software-as-a-service provider platform that the DNC uses, which ultimately gave him access to its servers. Security experts at the time, including Fidelis and CrowdStrike, had identified Russian nation-state groups Cozy Bear and Fancy Bear as the attackers.

No ‘Adult Supervision’

In his initial DM to Guccifer on Aug. 12 of last year, Bambenek said: “I am interested in any other docs you may have” and, noting that he was a “Republican operative,” asked for “emails that can affect an election, well, they’d be used for maximum impact.”

Bambenek, now vice president of security research at ThreatSTOP, says his interactions with Guccifer 2.0 over Twitter DMs and email revealed that this was a low-level operative not closely supervised by the Russian government. “He was an unsophisticated cutout without adult supervision and any media savvy,” he says. Guccifer 2.0’s main goal was to leak to media and Republican officials.

“If we were to pick him up at the airport, we would not be excited about the intel we would get” from him, Bambenek says.

Bambenek couldn’t determine definitively just who Guccifer 2.0 was, nor whether the online persona was actually multiple people posing as one individual. Guccifer 2.0 lacked insight into and knowledge of the content of the DCCC documents, and never actually provided the leaks in any “narrative form” indicating their usefulness: it was up to researchers and reporters to connect any dots, Bambenek observed.

Most likely, Bambenek says, Guccifer 2.0 is a young person (or persons) who doesn’t speak fluent English, based on some linguistic clues he culled. “It looked like the same person [the whole time], but I don’t know if I can make a strong conclusion one way or the other,” he says, adding that Guccifer 2.0’s errors in the verb “to be” are indicative of a non-native speaker. He was not able to determine a physical location for Guccifer 2.0, but believes he operated on behalf of Russian state actors.

Guccifer 2.0 was basically given the documents to dump “and go forth and troll,” he says.

But Guccifer 2.0 did remain well-masked during Bambenek’s interactions with him. He used Proton email, a privacy-conscious email protocol, for example. “One of the things we were doing as researchers was giving him real-time feedback on his tradecraft mistakes … then he stopped making metadata mistakes” in his document dumps, Bambenek says.

On Oct. 4, 2016, Guccifer 2.0 DM’ed Bambenek with a message that indicated he was on to the ruse: “r ur company gonna make a story about me?”

“He had realized I was playing him,” says Bambenek.

Guccifer 2.0 for the most part appeared to be under pressure to generate online controversy and news articles about the dumped documents. At one point, Bambenek asked if he had any Democratic Governors Association documents or documents on Democratic senators. “Either he didn’t take the bait, or he didn’t have it,” he says.

“For the most part, the influence operation by the Russians was more lucky than smart. They had a lot of information that they didn’t know how to package or what to do with,” he says. “My takeaway is that [in] 2016 they were not fully invested. They threw out cutouts and told them to go and have fun.”

In a presentation here today, Bambenek will share takeaways from his interactions with Guccifer 2.0.

He expects Russia to employ more Guccifer 2.0-type activity in this year’s and the 2019 campaigns. “This was about undermining institutions and getting us to war with ourselves as a country. And it was radically successful.”

Meanwhile, Bambenek reached out to Guccifer 2.0 via email to give him (or them) a heads up about today’s talk at SAS. “Just to see if he’d click a link and show signs of life and to see if he’s paying attention,” Bambenek says. As of this posting, there has been no response from Guccifer 2.0.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/threat-intelligence/how-guccifer-20-got-punkd-by-a-security-researcher/d/d-id/1331213?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

IBM’s homomorphic encryption accelerated to run 75 times faster

IBM has rewritten its C++ homomorphic encryption library and claims it now goes up to 75 times faster.

Homomorphic encryption is a technique used to operate on encrypted data without decrypting it. This would make sensitive operations much more secure: for example, companies could encrypt their cloud-hosted databases, and work on them without converting records back to plaintext.

IBM has worked on homomorphic encryption for some time, and released the first version of its HElib C++ library three years ago, but as we reported in 2016, the technology has always suffered huge performance penalties.

IBM’s first attempts at homomorphic encryption, under the hand of its inventor Craig Gentry, ran “100 trillion times” slower than plaintext operations. It later accelerated by a factor of two million times, running on a 16-core server.


Hence Big Blue’s ongoing work on HElib. Released on GitHub, the latest version gets its performance kick from a “re-implementation of homomorphic linear transformations”, making it between 15 and 75 times faster.

In this paper, published through the International Association for Cryptologic Research, IBM’s Shai Halevi and Victor Shoup (the latter also with New York University) explain how they improved speed.

“In the linear transformation algorithms currently implemented in HElib, the bulk of the time is spent moving data among the slots in the encrypted vector,” they wrote.

This is done with “special automorphisms” (a mathematical operation that maps an object to itself), and the computational cost comes from how many times the automorphisms have to loop around.

“The main cost of applying such an automorphism to a ciphertext is actually that of “key switching”: after applying the automorphism to each ring element in the ciphertext (which is actually a very cheap operation), we end up with an encryption relative to the “wrong” secret key; by using data in the public key specific to this particular automorphism — a so-called “key switching matrix” — we can convert the ciphertext back to one that is an encryption relative to the “right” secret key,” the paper said.

“So the main goals in improving performance are to reduce the number of automorphisms, and to reduce the cost of each automorphism.”

In more accessible English, the new library implements a new strategy for calculating those automorphisms (achieving a 15- to 20-times speedup); the researchers refactored many of the necessary computations; and some of the calculations are shifted out of the library’s main loop (a 6- to 8-times speedup).
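To make the cost argument concrete, here is an added toy model, not code from HElib or from the Halevi–Shoup paper. It treats a ciphertext as a vector of slots, models each rotation of that vector as one "automorphism" (the expensive, key-switched operation the paper describes), and compares two ways of applying an n×n linear transformation: the plain diagonal method, which needs n−1 rotations, and a baby-step/giant-step arrangement, which needs roughly 2√n. The page does not name the exact strategy HElib adopted, so the baby-step/giant-step layout is an assumption used for illustration; rotations of plaintext diagonals are counted as free because they touch no ciphertext. Arithmetic is done on plain integers purely so the rotation count and correctness can be checked offline.

```python
"""Toy model: how many slot rotations ("automorphisms") a homomorphic
matrix-vector product needs. Illustration only; not HElib code."""
from math import isqrt


def rotate(vec, k):
    """Cyclic rotation: result[j] = vec[(j + k) mod n]. Negative k allowed."""
    n = len(vec)
    return [vec[(j + k) % n] for j in range(n)]


def diagonals(matrix):
    """Generalized diagonals d_i with d_i[j] = M[j][(j + i) mod n].
    Then M*v = sum_i d_i (elementwise*) rotate(v, i)."""
    n = len(matrix)
    return [[matrix[j][(j + i) % n] for j in range(n)] for i in range(n)]


def matvec_plain(matrix, vec):
    """Reference: ordinary matrix-vector product on the clear values."""
    return [sum(m * x for m, x in zip(row, vec)) for row in matrix]


class RotationCounter:
    """Counts rotations applied to the (simulated) ciphertext vector.
    A rotation by 0 is the identity automorphism and costs nothing."""

    def __init__(self):
        self.count = 0

    def rotate_ct(self, vec, k):
        if k % len(vec) != 0:
            self.count += 1
        return rotate(vec, k)


def matvec_naive(matrix, vec, counter):
    """Diagonal method: one ciphertext rotation per non-zero diagonal index,
    i.e. n-1 rotations for an n x n matrix."""
    n = len(vec)
    diags = diagonals(matrix)
    acc = [0] * n
    for i in range(n):
        r = counter.rotate_ct(vec, i)
        acc = [a + d * x for a, d, x in zip(acc, diags[i], r)]
    return acc


def matvec_bsgs(matrix, vec, counter, g=None):
    """Baby-step/giant-step (assumed layout for illustration):
    write i = g*k + j; precompute rotate(v, j) for j < g (baby steps),
    then for each k accumulate sum_j rotate(d_i, -g*k) * rotate(v, j)
    and rotate that partial sum once by g*k (giant step).
    Uses rot(a*b, k) = rot(a, k) * rot(b, k), so d_i * rot(w, g*k)
    equals rot(rot(d_i, -g*k) * w, g*k). Ciphertext rotations: (g-1)+(h-1)."""
    n = len(vec)
    g = g or isqrt(n)
    h = -(-n // g)  # ceil(n / g) giant steps
    diags = diagonals(matrix)
    baby = [counter.rotate_ct(vec, j) for j in range(g)]
    acc = [0] * n
    for k in range(h):
        inner = [0] * n
        for j in range(g):
            i = g * k + j
            if i >= n:
                break
            d = rotate(diags[i], -g * k)  # plaintext diagonal: free to rotate
            inner = [a + dd * x for a, dd, x in zip(inner, d, baby[j])]
        acc = [a + x for a, x in zip(acc, counter.rotate_ct(inner, g * k))]
    return acc


def sample_inputs(n):
    """Constructed, deterministic test data (not from the page)."""
    matrix = [[(3 * j + 5 * i) % 7 + 1 for i in range(n)] for j in range(n)]
    vec = [2 * j + 1 for j in range(n)]
    return matrix, vec


def compare(n=16, g=4):
    """Return (naive rotation count, bsgs rotation count, both results correct)."""
    matrix, vec = sample_inputs(n)
    expected = matvec_plain(matrix, vec)
    c1, c2 = RotationCounter(), RotationCounter()
    ok = (matvec_naive(matrix, vec, c1) == expected
          and matvec_bsgs(matrix, vec, c2, g) == expected)
    return c1.count, c2.count, ok


if __name__ == "__main__":
    print(compare())  # for n=16, g=4: naive 15 rotations, bsgs 6 rotations
```

Every counted rotation stands for one key switching in a real scheme, which is why the paper's two goals, fewer automorphisms and cheaper automorphisms, both translate directly into wall-clock time. The same counting exercise also shows why the shifted-out-of-the-loop ("hoisted") work matters: the baby-step rotations all apply to the same input ciphertext, so any per-ciphertext preprocessing can be done once rather than once per rotation.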

The way public keys are constructed for homomorphic encryption is also expensive because of the aforementioned key-switching matrix. Each matrix adds several megabytes to the public key, and in HElib there could be several hundred such matrices in a public key. The researchers say for common operations, they were able to cut the size of the matrix by 33-50 per cent.

HElib is still a research-level project. As stated on the GitHub page: “At its present state, this library is mostly meant for researchers working on HE and its uses. Also currently it is fairly low-level, and is best thought of as ‘assembly language for HE’. That is, it provides low-level routines (set, add, multiply, shift, etc.), with as much access to optimisations as we can give. Hopefully in time we will be able to provide higher-level routines.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/03/08/ibm_faster_homomorphic_encryption/