STE WILLIAMS

Bill Gates: Cryptocurrencies killing people in “fairly direct way”

Cryptocurrencies are killing people in a “fairly direct way” because of how they’re used to fund terrorism and to buy fentanyl and other dangerous drugs, Bill Gates said in a Reddit Ask Me Anything session last week.

Asked by one user for his opinion on the currencies, Gates said that what he called their main feature – anonymity – is the main problem:

The main feature of crypto currencies is their anonymity. I don’t think this is a good thing. The government’s ability to find money laundering and tax evasion and terrorist funding is a good thing.

Right now crypto currencies are used for buying fentanyl and other drugs so it is a rare technology that has caused deaths in a fairly direct way. I think the speculative wave around ICOs [initial coin offerings] and crypto currencies is super risky for those who go long.

Gates isn’t the only insanely rich guy who’s bearish on the currencies. In January, Warren Buffett, CEO of Berkshire Hathaway and an investor who’s renowned for his acumen, said he didn’t understand Bitcoin, can’t fathom other blockchain-based digital assets, and swears he’ll never invest in any of it.

Many Reddit users were, predictably enough, not impressed by Gates’ leeriness about cryptocurrencies.

One, Suuperdad, said sure, you know what else is used to fund terrorism, buy fentanyl and other drugs? The US dollar.

Other users piled on:

Always_Question: Terrorists breathe air too, so we should ban that. Tennis shoes as well.

They also suggested that Gates doesn’t fundamentally understand how the technology works. One, RemingtonSnatch, replied that it’s “fairly difficult” to maintain anonymity, given the blocks – which are groups of transactions that function like digital ledgers – that track transactions:

One would have to make their initial transaction in person to avoid signing up with an exchange (and the requisite very-unanonymous bank transfer). And if at any point your person is tied to your address, your entire transaction history and the flow of every “penny” you ever spent is easily and immediately known. It’s easier than traditional currency to trace at that point, because the ledgers are public to the world…there are no institutional barriers.

While I would wager that a lot of illegal transactions are made using the likes of Bitcoin because people THINK it protects their identity, I would also wager that in the coming years, as law enforcement becomes more versed in crypto, a lot of those people will find themselves in prison. Remember, the trail they’ve left behind is permanent.

As the MIT Technology Review reported last year, some researchers agree with that assessment. Steven Goldfeder, at Princeton University, and others on his team have found that ordinary Bitcoin purchases leak information that makes it straightforward to link individuals with their transactions, even when purchasers use additional privacy protections such as CoinJoin.

From the writeup:

The main culprits are web trackers and cookies – small pieces of code deliberately embedded into websites that send information to third parties about the way people use the site. Common web trackers send information to Google, Facebook, and others to track page usage, purchase amounts, browsing habits, and so on. Some trackers even send personally identifiable information such as your name, address, and email.

In this way, information about a transaction leaks onto the web, where governments, law enforcement agencies, and malicious users can readily collect and analyze it.

In fact, researchers recently managed to exploit the careless ways people use social media and specialist forums to unmask people who bought or sold goods on the dark web, via their Bitcoin transactions.

Other Reddit users said that it’s “absolutely not true” that you can’t stay anonymous while using cryptocurrencies. One, Profetu, pointed out that it’s the slip-ups that strip anonymity, including how Silk Road captain Ross W. Ulbricht was caught through (what the FBI claimed to be) misconfiguration or (what others have claimed was) misuse of the site’s server address.

At any rate, back to Bill Gates. As the BBC notes, the founder of Microsoft may not like cryptocurrency now, but he sure liked it in the past: in 2014, he told Bloomberg TV that Bitcoin “was better than currency” because it’s “cheap.”

What’s more, both Gates’ foundation and his former workplace are cozy with it.

The Bill and Melinda Gates Foundation has sponsored the development of blockchain (the technology that underpins cryptocurrencies) for merchants in Kenya, while Microsoft is also working on blockchain technology that will verify digital identity.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/wA-z_R6GRtQ/

World’s largest DDoS attack thwarted in minutes

What has been tagged the largest DDoS attack ever disclosed slammed into the servers of software development site GitHub at 17:21 UTC last Wednesday.

Large DDoS attacks have become occasional events in recent years but the statistics on this one were memorable, hitting a peak of 1350 gigabits per second with a follow-up reaching 400 gigabits per second.

The previous record attack was on DNS provider Dyn in 2016, whose estimated 1000 gigabits per second peak blast caused visible disruption to services such as Netflix, Twitter and, funnily enough, GitHub.

According to GitHub Engineering, last week’s disruption lasted nine minutes.

At 17:21 UTC our network monitoring system detected an anomaly in the ratio of ingress to egress traffic and notified the on-call engineer and others in our chat system. … Given the increase in inbound transit bandwidth to over 100Gbps in one of our facilities, the decision was made to move traffic to Akamai.

Good news – DDoS mitigation defence worked as designed – but the interesting theme of the attack has turned out not to be its size at all, but what fuelled its extraordinary size.

The attack exploited amplification, a technique we’ve seen before in previous mega DDoS incidents, this time hitting a target called Memcached.

Memcached is a popular technology designed to speed access to sites running big web application databases by caching data in RAM for rapid access.

By default, it allows unauthenticated external connections on UDP port 11211, which means the attackers were able to generate large amounts of traffic simply by sending servers left in this weak state a simple “stats” command from a spoofed IP address.

Memcached stats responses turn out to be huge, said GitHub:

The amplification factor is up to 51,000, meaning that for each byte sent by the attacker, up to 51KB is sent toward the target.

This compares favourably with previous amplification attacks such as the 2013 DNS-themed assault on Spamhaus, which boosted responses 50 times to 300 gigabits per second peak.

A year later it was the NTP protocol’s turn to be abused in a 400 gigabits per second attack on French hosting company OVH that exploited an amplification rate of 500 times.

The mitigation companies seem to have suspected something unpleasant was brewing, which might explain why Akamai’s Prolexic division shut it down so rapidly.

Luckily, it’s not that hard to stop: use perimeter firewalls to block UDP on port 11211, or disable UDP on Memcached servers altogether.

And yet, as with previous amplification attacks, the underlying problem is once again poorly-secured infrastructure – estimates of the number of vulnerable Memcached servers range up to around 100,000, with almost all being in the US and China.
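GitHub’s own signal, as quoted above, was an anomaly in the ratio of ingress to egress traffic. The following Python is an added example (not GitHub’s, Akamai’s or the memcached project’s code) of running that check, plus a second check for the reflection pattern itself, over a handful of constructed flow records. The record format, the 192.0.2.0/24 and 203.0.113.0/24 addresses, the 3:1 ratio threshold and the 50 per cent reflection-share threshold are all assumptions made for the example.

```python
"""Flag memcached reflection traffic in flow records (added example).

Two checks from the article: (1) the ratio of ingress to egress bytes
leaving its normal band, which is what GitHub's monitoring alerted on, and
(2) a large share of inbound bytes arriving as UDP from source port 11211,
i.e. memcached 'stats' responses reflected off open servers. The record
format and all addresses below are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

MEMCACHED_UDP_PORT = 11211  # port named in the article


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int
    npackets: int


def parse_flow(line: str) -> Flow:
    """Parse 'PROTO src:sport -> dst:dport bytes packets' (constructed format)."""
    proto, src, _arrow, dst, nbytes, npackets = line.split()
    src_ip, sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return Flow(proto.upper(), src_ip, int(sport), dst_ip, int(dport),
                int(nbytes), int(npackets))


def analyse(lines, our_prefix, ratio_threshold=3.0, share_threshold=0.5):
    """Return ingress/egress totals and the two alert decisions.

    ratio_threshold and share_threshold are assumed values; a real deployment
    would derive the ratio band from its own traffic baseline.
    """
    net = ip_network(our_prefix)
    ingress = egress = 0
    reflected_bytes = reflected_pkts = 0
    per_reflector = defaultdict(int)  # reflector IP -> bytes it sent us
    for line in lines:
        f = parse_flow(line)
        if ip_address(f.dst) in net:          # inbound to our prefix
            ingress += f.nbytes
            if f.proto == "UDP" and f.sport == MEMCACHED_UDP_PORT:
                reflected_bytes += f.nbytes
                reflected_pkts += f.npackets
                per_reflector[f.src] += f.nbytes
        else:                                  # outbound from our prefix
            egress += f.nbytes
    ratio = ingress / egress if egress else float("inf")
    share = reflected_bytes / ingress if ingress else 0.0
    return {
        "ingress_bytes": ingress,
        "egress_bytes": egress,
        "ratio": ratio,
        "ratio_alert": ratio > ratio_threshold,
        "reflection_share": share,
        "reflection_alert": share > share_threshold,
        # large, uniform UDP payloads from port 11211 are the reflection signature
        "avg_reflected_packet": reflected_bytes / reflected_pkts if reflected_pkts else 0.0,
        "top_reflectors": sorted(per_reflector.items(), key=lambda kv: -kv[1])[:3],
    }


# Constructed records: 192.0.2.0/24 is "our" network, 198.51.100.0/24 a
# normal peer and 203.0.113.0/24 the open memcached servers used as reflectors.
SAMPLE_NORMAL = [
    "TCP 198.51.100.10:44321 -> 192.0.2.5:443 1200 12",
    "TCP 192.0.2.5:443 -> 198.51.100.10:44321 9000 15",
    "UDP 192.0.2.9:53000 -> 198.51.100.53:53 80 1",
    "UDP 198.51.100.53:53 -> 192.0.2.9:53000 240 1",
]
SAMPLE_ATTACK = [
    "UDP 203.0.113.7:11211 -> 192.0.2.5:80 71000 50",
    "UDP 203.0.113.8:11211 -> 192.0.2.5:80 56800 40",
    "UDP 203.0.113.9:11211 -> 192.0.2.5:80 28400 20",
]

if __name__ == "__main__":
    for label, lines in (("baseline", SAMPLE_NORMAL),
                         ("attack", SAMPLE_NORMAL + SAMPLE_ATTACK)):
        r = analyse(lines, "192.0.2.0/24")
        print(label, f"ratio={r['ratio']:.2f}", "alerts:",
              r["ratio_alert"], r["reflection_alert"], r["top_reflectors"])
```

The per-reflector totals are the actionable output: they are the open Memcached servers whose owners (or upstream ISPs) need to be told, which is the persuasion problem the article raises further down. The average reflected datagram size is reported because reflected stats responses arrive as full-size UDP payloads, which distinguishes them from ordinary small UDP replies.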

Akamai warned:

Akamai has seen a marked increase in scanning for open Memcached servers since the initial disclosure.

And:

Because of Memcached reflection capabilities, it is highly likely that this record attack will not be the biggest for long.

Someone will now have to persuade the owners of all those vulnerable Memcached servers to close the vulnerability or risk intervention by large ISPs.

Perhaps this time the attackers were testing out a new idea. It has even been suggested it was a ransom attack because there appeared to be an embedded demand for the Monero virtual currency.

The best hope is probably that the speed with which the attack was quelled will put the bad guys off a sequel.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/DbAW_LJMcbw/

Terrorist social media posts should be removed within an hour, says EC

The European Commission (EC) on Thursday suggested what it called the one-hour rule: as in, that’s the timeframe within which social media companies and European Union (EU) member states should remove terrorist content.

It’s not a new law. Rather, it’s just a recommendation at this point – and it’s just a “general rule,” at that. The one-hour rule is one of a set of operational measures the EC suggested.

Those recommendations come in the wake of the commission having promised, in September, to monitor progress in tackling illegal content online and to assess whether additional measures are needed to ensure such content gets detected and removed quickly. Besides terrorist posts, illegal content includes hate speech, material inciting violence, child sexual abuse material, counterfeit products and copyright infringement.

Voluntary industry measures to deal with terrorist content, hate speech and counterfeit goods have already achieved results, the EC said. But when it comes to “the most urgent issue of terrorist content,” which “presents serious security risks”, the EC said procedures for getting it offline could be stronger.

Rules for flagging content should be easy to follow and faster, for example. There could be fast-tracking for “trusted flaggers,” for one. To avoid false flags, content providers should be told about decisions and given the chance to contest content removal.

As far as the one-hour rule goes, the EC says that the brevity of the takedown window is necessary given that “terrorist content is most harmful in the first hours of its appearance online.”

While it’s just a recommendation at this point, it could someday become law.

German lawmakers last year okayed huge fines on social media companies if they don’t take down “obviously illegal” content in a timely fashion. The new German law gives them 24 hours to take down hate speech or other illegal content and imposes a fine of €50m ($61.6 million) if they don’t.

The UK has been talking about shortening takedown time for a while. In September, during a summit with the French president and the Italian prime minister, Prime Minister Theresa May urged internet companies to get terrorist content taken down within two hours, down from the average 36 hours it takes to get illegal content taken down.

Although the one-hour rule is only a recommendation, companies and member states still have requirements: they’ll need to submit data on terrorist content within three months and on other illegal content within six months.

As you might imagine, the affected companies and member states aren’t thrilled with the EC’s recommendations.

EdiMA, a European trade association whose members include internet bigwigs such as Google, Twitter, Facebook, Apple, and Microsoft, acknowledged the importance of the issues raised by the EC but said it was “dismayed” by its recommendations.

They could do more harm than good, EdiMA said, describing this as “a missed opportunity for evidence-based policy making”.

Our sector accepts the urgency but needs to balance the responsibility to protect users while upholding fundamental rights – a one-hour turn-around time in such cases could harm the effectiveness of service providers’ take-down systems rather than help.

The trade group also pointed out that it’s already shown leadership through the Global Internet Forum to Counter Terrorism and that collaboration is underway via the Hash Sharing Database.

Here’s what Facebook told TechCrunch:

We share the goal of the European Commission to fight all forms of illegal content. There is no place for hate speech or content that promotes violence or terrorism on Facebook.

As the latest figures show, we have already made good progress removing various forms of illegal content. We continue to work hard to remove hate speech and terrorist content while making sure that Facebook remains a platform for all ideas.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/tSxTk1JUmDo/

Spring break! Critical vuln in Pivotal framework’s Data parts plugged

Pivotal’s Spring Data REST project has a serious security hole that needs patching.

Pivotal’s Spring Framework is a popular platform for building web apps. Spring Data REST is a collection of additional components for devs to build Java applications that offer RESTful APIs to underlying Spring Data repositories. These interfaces are widely used.

The critically rated remote code execution vulnerability (CVE-2017-8046) was discovered by security researchers at Semmle, who went public with their findings last week. Pivotal issued a patch for a flaw it refers to as DATAREST-1127 as part of its Spring Boot 2.0 update.

Pivotal’s advisory crediting Semmle/lgtm for uncovering the vulnerability came out in late September.

In response to queries from El Reg, lgtm.com chief exec Oege de Moor explained why researchers had delayed for months before going public with details of the vulnerability.

“We worked closely with Pivotal on the timeline for publishing the blog post. Due to the severity of the issue, Brian Dussault (the director of engineering for Pivotal) wanted to make sure all users of Spring Data REST had sufficient time to update. So the delay is due to the Semmle/lgtm team taking its responsibilities extremely seriously.”

The fix is a candidate for early triage not least because the remote code execution vulnerability it addresses is similar to the weaknesses found in Apache Struts, which was determined as the root cause of the infamous Equifax breach.

The critical flaw affects various projects in Pivotal Spring. Left unresolved, it allows attackers to execute arbitrary commands on any machine that runs an application built using Spring Data REST.

RESTful APIs are commonly publicly accessible, creating a mechanism for hackers to easily gain control over production servers and obtain sensitive user data.

The vuln was found by security researcher Man Yue Mo at Semmle — the team behind the QL code inspection tool lgtm.

This vulnerability is caused by the way Spring’s own expression language (SpEL) is used in the Data REST component. Unvalidated user input leads to an attacker being able to execute arbitrary commands on any machine that runs an application built using Spring Data REST. This vulnerability has been assigned CVE-2017-8046, and is referred to by Pivotal in their release notes as DATAREST-1127.

“Virtually every modern web application will contain components that communicate through REST interfaces, ranging from online travel booking systems, mobile applications and internet banking services,” Semmle said.

The following Spring products and components are affected:

  • Spring Data REST components, versions prior to 2.5.12, 2.6.7, 3.0RC3
    • (Maven artifacts: spring-data-rest-core, spring-data-rest-webmvc, spring-data-rest-distribution, spring-data-rest-hal-browser)
  • Spring Boot, versions prior to 2.0.0M4
    • (when using the included Spring Data REST component: spring-boot-starter-data-rest)
  • Spring Data, versions prior to Kay-RC3

Users are strongly advised to upgrade to the latest versions of those components. ®
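The affected-version list above is what a practitioner actually needs to act on. The following Python is an added example (not Pivotal’s or Semmle’s code) that turns it into a dependency check: it compares a Spring artifact version against the fixed versions named in the advisory, handling both the bare form used above (3.0RC3, 2.0.0M4) and the dotted Spring artifact form (3.0.0.RC3, 2.6.7.RELEASE), and scans a pom.xml for the listed artifactIds. The pom fragment is constructed; the rule that an unlisted branch is treated as vulnerable when it sits below the highest fixed version is this example’s conservative reading of “versions prior to”, and the Kay-RC3 release train is not handled because it is a name rather than a number.

```python
"""Check Spring Data REST / Spring Boot dependency versions against the
fixed versions listed in the advisory above (added example, not Pivotal's
or Semmle's code)."""
import re
import xml.etree.ElementTree as ET

# Fixed versions per the advisory: Spring Data REST 2.5.12, 2.6.7 and 3.0RC3;
# Spring Boot 2.0.0M4 for spring-boot-starter-data-rest. The "Kay-RC3"
# release train is a named train rather than a number and is not handled here.
DATA_REST_FIXED = ("2.5.12", "2.6.7", "3.0RC3")
FIXED = {
    "spring-data-rest-core": DATA_REST_FIXED,
    "spring-data-rest-webmvc": DATA_REST_FIXED,
    "spring-data-rest-distribution": DATA_REST_FIXED,
    "spring-data-rest-hal-browser": DATA_REST_FIXED,
    "spring-boot-starter-data-rest": ("2.0.0M4",),
}

# Accepts "2.5.12", "2.6.7.RELEASE", "3.0RC3", "3.0.0.RC3", "2.0.0M4", "2.0.0.M4".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?\.?(?:(M|RC)(\d+)|RELEASE)?$")
QUALIFIER_RANK = {"M": 0, "RC": 1, None: 2}  # milestone < release candidate < GA


def parse_version(text):
    """Return a sortable tuple (major, minor, patch, qualifier rank, qualifier number)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, qual, qnum = m.groups()
    return (int(major), int(minor), int(patch or 0), QUALIFIER_RANK[qual], int(qnum or 0))


def is_vulnerable(artifact, version):
    """True when `version` of `artifact` predates the fix.

    Within a branch (major.minor) that has a fixed release, anything below it is
    vulnerable. A branch with no fixed release of its own is treated
    conservatively: vulnerable if it is below the highest fixed version.
    """
    v = parse_version(version)
    fixed = sorted(parse_version(f) for f in FIXED[artifact])
    same_branch = [f for f in fixed if f[:2] == v[:2]]
    if same_branch:
        return v < same_branch[0]
    return v < fixed[-1]


def audit_pom(pom_xml):
    """Scan a pom.xml string for the affected artifacts.

    Returns (artifactId, version, vulnerable) tuples. Dependencies whose version
    is inherited from a parent or BOM carry no <version> element here and are
    skipped, so check the resolved tree (mvn dependency:tree) for those.
    """
    root = ET.fromstring(pom_xml)
    findings = []
    for el in root.iter():
        if el.tag.split("}")[-1] != "dependency":   # strip the POM namespace
            continue
        fields = {c.tag.split("}")[-1]: (c.text or "").strip() for c in el}
        artifact, version = fields.get("artifactId"), fields.get("version")
        if artifact in FIXED and version:
            try:
                findings.append((artifact, version, is_vulnerable(artifact, version)))
            except ValueError:          # e.g. a "${spring.version}" property reference
                findings.append((artifact, version, None))
    return findings


# Constructed pom fragment for the example.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.springframework.data</groupId>
      <artifactId>spring-data-rest-webmvc</artifactId>
      <version>2.6.6.RELEASE</version>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-data-rest</artifactId>
      <version>2.0.0.RELEASE</version>
    </dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for artifact, version, vulnerable in audit_pom(SAMPLE_POM):
        print(f"{artifact} {version}: {'VULNERABLE' if vulnerable else 'ok'}")
```

A pom scan only sees versions declared in that file; in a Spring Boot project the Data REST version is usually managed by the Boot parent, so the effective version has to be read from the resolved dependency tree rather than from the pom text.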


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/03/05/rest_vuln/

Hacking Back & the Digital Wild West

Far from helping organizations defend themselves, hacking back will escalate an already chaotic situation.

The Internet is a modern day Wild West.

It is a largely lawless territory with still-uncharted potential.

We all find ourselves confronting modern and often elusive thugs — like the famous outlaws of the American West in the 19th century, such as Jesse James, Billy the Kid, Butch Cassidy, etc. — waging digital stagecoach robberies and worse (usually after the fact). 


The past two years specifically have been a cornucopia of accelerating malice and resulting chaos: attempted Olympic disruption, American election interference, global ransomware worms, central bank heists, credit bureau pillaging, global business losses, cryptocurrency exchange thefts; and these are only the highlights of what has been publicly reported. 

Individuals, businesses, and governments face extraordinary challenges protecting themselves in the digital Wild West, and history has shown that law enforcement is under-resourced to tackle all but the most pressing criminal cases. What’s the answer?

U.S. Congressional Representatives Tom Graves and Kyrsten Sinema are proposing legislation — the Active Cyber Defense Certainty Act — with good intentions, aimed at reforming the Computer Fraud and Abuse Act (CFAA) – 18 U.S. Code § 1030. The CFAA is outdated (signed in 1986) and doesn’t provide an adequate disincentive to cybercrime.

However, hacking back is not the answer. The Internet crosses national boundaries in milliseconds, and attackers routinely encrypt and disguise their traffic between compromised servers and victim machines in multiple geographies. Adversaries reuse existing code and tools to plant false flags and confuse attribution efforts.

For example, the origins of the recent Olympic Destroyer malware are still the subject of debate within the security community. Should the Olympics organization have engaged in a “hack back” campaign? The malware used hard-coded credentials from a major IT and telecommunications company. Does that present a green light to “hack back” against the IT company?

Similarly, India’s City Union Bank was recently the victim of an unauthorized SWIFT transfer, resulting in a $2 million loss, two years after the Bangladesh Central Bank heist. The two attacks bear the same hallmarks. If the victim bank was American, should they employ offensive investigative techniques against the DPRK (Lazarus Group)? The answer should be a resounding “no.” If the US is going to allow businesses to hack back, it won’t take international businesses long to follow suit.

If Congress opens the hacking-back Pandora’s Box, defenders’ jobs become even harder. It will become impossible to differentiate malicious activity. Far from helping organizations defend themselves, hacking back will escalate an already chaotic situation. Companies should not be initiating even basic fact-finding missions if unauthorized access is required.

There is too much nuance and potential for error when committing unauthorized access of Internet-connected information systems. Allowing — and even going so far as to encourage — “hacking back” will result in vast unintended outcomes, the consequences of which cannot be fully anticipated.

Congress should reform CFAA, but including a “hacking-back” provision is misguided and will only prolong the digital Wild West era.


Levi Gundert is the vice president of intelligence at Recorded Future, where he leads the continuous effort to measurably decrease operational risk for customers. Levi has helped position Recorded Future as the international leader in universal threat intelligence. Levi has …

Article source: https://www.darkreading.com/threat-intelligence/hacking-back-and-the-digital-wild-west-/a/d-id/1331153?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Cryptocurrency miners go nuclear, RSA blunder, Winner back in court, and plenty more

Roundup Here’s a quick summary of infosec news from this week, beyond what we’ve already covered.

Cloud security shop Cyren surveyed 500,000 websites over the past four months, and said it saw a 725 per cent increase in the use of surreptitious crypto-coin mining code. The bulk of that code has shown up in the past two months, and it’s clear the rising price of Monero and the ease of installation of JavaScript mining code on pages is proving an attractive combination.

We’re still only talking about 1.4 per cent of the websites surveyed actually running coin-crafting scripts, but in some areas the use of coin mining software is becoming very popular. Based on numerous reports, if you’re visiting illegal streaming sites or pornography channels, it’s likely that your PC will be running on overdrive making coin for others.

But that’s not enough for some. The Qihoo 360 Netlab team has found an advertising network that is also bundling currency mining code in adverts – it’s not enough to bombard you with pitches it seems, now these people want more.

The sneaky scumbags at this ad network use an algorithm to obtain and use randomly generated web domains, evading ad blockers that filter out adverts and mining code by domain name.

It’s clear crypto-mining code isn’t a fad anymore, and the easy availability of the software to do it from Coin Hive (who despite their protestations are making bank from its customers) is making it very easy indeed.

All change on the job front

There has been a crushing lack of good security staff around, which has had companies complaining and cybersec professionals grinning as salaries and bonuses rise.

This week (ISC)² published the details [PDF] of its latest survey of IT security staff and the results aren’t looking good for their employers. 84 per cent of those surveyed said that they were open to new job opportunities and 14 per cent of those said they were actively on the hunt for pastures new, with only 15 per cent saying they were happy where they were.

The former group certainly has temptations, since recruitment consultants are hunting hard for them. Of those security gurus not looking for jobs, 18 per cent reported getting multiple recruitment calls a day from headhunters looking to see if they’d jump ship and about a third of all staff get at least a couple of calls a week.

One slightly surprising finding came in the choice of future employers. 54 per cent said they would be fine working for a firm that had suffered a data breach in the past, but this rose to 64 per cent if the company in question publicly disclosed the breach. People like forthright employers it seems.

Furthermore, a whopping 85 per cent of those surveyed said that they would do an in-depth scan of a potential employer’s networks before considering working there. The message is clear – pay recruits well, be honest, and make sure you have your house in order before pitching for new staff.

Red faces at RSA

Another year, another RSA conference and the city of San Francisco is about to get flooded out by security salesfolks, grandstanding CEOs, and the occasional person who knows what they are talking about when it comes to locking down networks and catching crooks.

Speaking as someone who has been going to RSA conferences for nearly 20 years, I can say the show has been fairly useless for years from a security news standpoint. The keynotes are largely self-serving drivel, the few interesting talks are drowned out in a sea of crap, and the exhibition floor is a zoo.

The conference has had its problems in the past. Back in 2014, after it came out that RSA may have been paid $10m by the NSA to push a backdoored encryption engine, an alternative conference was organized.

But this year the organizers blundered into a tone-deaf cockup. After a year where more and more attention has been focused on diversity, opportunities for women in the industry, and the #metoo movement, the conference organizers only managed to find and book one woman headliner. And that woman was none other than Monica Lewinsky.

Now Lewinsky is an excellent speaker in her area – namely online harassment. She was one of the first people in the internet age to be monstered online, and has gained considerable knowledge on tackling cyber-abuse, as well as a firm understanding of never trusting your friends and the importance of using a dry cleaner once in a while.

But at a computer security conference it was a tad disappointing that this was the best RSA could come up with. Facebook’s chief security officer Alex Stamos wasn’t alone in pointing out that RSA had missed out on some serious talent and even Lewinsky expressed her surprise at being the only one at the show’s main presentations.

The outcry caused a fast reverse ferret from the organizers, who said the keynote list wasn’t final and it had other women on the shortlist, notably US Homeland Security Secretary Kirstjen Nielsen. It then went on to blame the industry.

“A diverse speaking program starts with increasing diversity within the technology sector, which needs to be addressed by the industry as a whole,” spokesman Ben Waring told USA Today.

If that’s the best the organizers could come up with then this year’s conference looks to be even more awkward and stunted than usual. Thankfully BSides is also running, so we’ll have some good security news that week as well.

Reality not a Winner over court smears

Meanwhile, Reality Winner was also in court this week fighting her prosecution under America’s Espionage Act.

Winner is accused of smuggling a classified NSA memo out of her job which detailed election machine hacking. She leaked it to The Intercept, which gave a copy to the authorities to verify, making it easy for agents to apparently identify her.

On Tuesday Winner was back in court and – extraordinarily – was led in clad in an orange jumpsuit and manacled at the hands and feet. As national security journalist Kevin Gosztola noted, that’s highly unusual – even Chelsea Manning didn’t get that kind of treatment, and it looked like a ploy to make her seem guilty in the judge’s eyes.

Winner’s lawyers argued that when 11 FBI agents turned up at Winner’s house to interview her, she wasn’t read her Miranda rights – and her confession to the g-men at the time, that she stole and leaked the document, is inadmissible.

The FBI admitted that she wasn’t read her rights: for example, she was not told she was “free to leave.” The agents felt it wasn’t necessary.

In any case, the judge refused to grant Winner bail, and with her trial being pushed into early 2019, it means Winner will likely spend another year behind bars before her fate is even decided.

Memcachers take to ransoms

Finally this week has seen the largest-ever distributed denial of service attack, with GitHub the unlucky recipient of 1.35 terabits per second of network traffic. But on Friday, hackers went nuclear.

The attack exploits unsecured internet-facing memcached database servers, tricking them into amplifying small network packets into a tsunami against a victim. This hands criminals massive denial of service capabilities.

As the day progressed it became clear that lots of people had got the wrong sort of message from the GitHub attack, and decided to get in the game, blasting sites and servers using commandeered memcached databases. To add insult to injury, ransom demands were also included in the attack payloads.

The demand, for over $17,000 in Monero to end the attacks, is very steep and there’s no reason why you should pay it. Simply block off traffic on UDP port 11211 at the border, or upstream, and watch the assault die. ®
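The fix named here and in the GitHub write-up earlier on this page is the same: disable UDP on the Memcached servers, or filter UDP port 11211 at the border or upstream. As an added example (not code from the memcached project or from either article), this Python audits a memcached launch command line for the weak default and rewrites it to the hardened form. The -U (UDP port, 0 disables UDP), -l (listen address) and -p (TCP port) options are real memcached flags; the sample command lines, and the assumption that UDP is on by default (true of memcached releases before 1.5.6), are the example’s own.

```python
"""Audit a memcached launch command line for the reflector-friendly default
and produce the hardened form (added example; not memcached project code).

Real memcached options used: -U <port> (UDP port, 0 disables UDP),
-l <addr[,addr]> (interfaces to listen on) and -p <port> (TCP port). Before
memcached 1.5.6 UDP was on by default at 11211, which is the weak state the
article describes; the sample command lines are constructed.
"""
from ipaddress import ip_address

DEFAULT_PORT = 11211
VALUE_FLAGS = {"-U", "-p", "-l", "-u", "-m", "-c", "-t"}   # options that take a value


def parse_opts(cmdline):
    """Minimal getopt-style parser: handles '-U 0' and the attached '-U0' form."""
    argv = cmdline.split()[1:]          # drop the program name
    opts, i = {}, 0
    while i < len(argv):
        tok = argv[i]
        if tok[:2] in VALUE_FLAGS:
            if len(tok) > 2:            # attached value, e.g. -U0
                opts[tok[:2]] = tok[2:]
                i += 1
            else:
                opts[tok] = argv[i + 1] if i + 1 < len(argv) else ""
                i += 2
        else:                           # boolean flag such as -d or -v
            opts[tok] = True
            i += 1
    return opts


def listen_addrs(opts):
    """-l may list several addresses; no -l means every interface."""
    return [a.strip() for a in opts["-l"].split(",")] if "-l" in opts else ["0.0.0.0"]


def internet_reachable(addr):
    """Unspecified (0.0.0.0 / ::) or globally routable addresses can be hit from outside."""
    try:
        ip = ip_address(addr)
    except ValueError:                  # a hostname: assume the worst
        return True
    return ip.is_unspecified or ip.is_global


def audit_memcached(cmdline, udp_default_enabled=True):
    """Report how the server is exposed. udp_default_enabled models the
    pre-1.5.6 default; pass False for releases where UDP is off unless -U is given."""
    opts = parse_opts(cmdline)
    udp_port = int(opts.get("-U", DEFAULT_PORT if udp_default_enabled else 0))
    tcp_port = int(opts.get("-p", DEFAULT_PORT))
    exposed = [a for a in listen_addrs(opts) if internet_reachable(a)]
    findings = []
    if udp_port and exposed:
        findings.append(f"UDP/{udp_port} reachable on {','.join(exposed)}: "
                        "usable as an amplification reflector")
    if exposed:
        findings.append(f"TCP/{tcp_port} reachable on {','.join(exposed)}: "
                        "unauthenticated cache access")
    return {"udp_port": udp_port, "tcp_port": tcp_port,
            "exposed": exposed, "findings": findings}


def harden(cmdline):
    """Rewrite the command line: UDP off, and listen only on non-public addresses."""
    opts = parse_opts(cmdline)
    keep = [a for a in listen_addrs(opts) if not internet_reachable(a)] or ["127.0.0.1"]
    argv = cmdline.split()
    out, i = [argv[0]], 1
    while i < len(argv):
        tok = argv[i]
        if tok[:2] in ("-U", "-l"):     # strip the old UDP/listen settings
            i += 1 if len(tok) > 2 else 2
            continue
        out.append(tok)
        i += 1
    return " ".join(out + ["-U", "0", "-l", ",".join(keep)])


# Constructed sample command lines.
WEAK = "memcached -d -m 64 -p 11211 -u memcache"
MIXED_LISTEN = "memcached -d -l 10.0.0.5,0.0.0.0 -U11211"
HARDENED = "memcached -d -m 64 -p 11211 -u memcache -l 127.0.0.1 -U 0"

if __name__ == "__main__":
    for cmd in (WEAK, MIXED_LISTEN, HARDENED):
        result = audit_memcached(cmd)
        print(cmd, "->", result["findings"] or "no findings")
        if result["findings"]:
            print("  hardened:", harden(cmd))
```

The border filter on UDP 11211 that the roundup recommends is complementary rather than an alternative: the command-line audit covers the servers you administer, while the upstream filter covers traffic reflected at you from servers you do not. After hardening, verify from outside the network that port 11211/UDP no longer answers.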


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/03/04/security_roundup/

US Navy gives Lockheed Martin $150m big frickin’ laser cannon contract

Lockheed Martin, makers of the F-35 and various other bits of defence hardware, has been handed a $150m contract by the US Navy to build two bloody great laser cannons.

The laser weapons will be delivered along with a long-range intelligence, surveillance and reconnaissance “capability” and are specified to be capable of dazzling drones (“counter-UAS capabilities”, in the military argot).

“The HELIOS program is the first of its kind, and brings together laser weapon, long-range ISR and counter-UAS capabilities, dramatically increasing the situational awareness and layered defense options available to the US Navy,” said Michele Evans, vice president and general manager of LM’s Integrated Warfare Systems and Sensors division, in a canned quote. HELIOS is one of those endearingly American backronyms – it stands for High Energy Laser and Integrated Optical-dazzler with Surveillance.

Exactly how the “high energy fibre laser” cannon will bring intelligence-gathering abilities to naval battles of the future is not specified, though Lockheed says data from the weapon will be displayed on the company’s proprietary Aegis warship operating system.

One laser will be strapped to an Arleigh Burke-class destroyer for seaborne trials, with the other used for land testing at the White Sands Missile Range in New Mexico.

The drone-dazzling capability is a bit behind what the UK has specified for its rival Dragonfire zapper, which is being delivered by EU defence conglomerate MBDA’s British subsidiary. The Dragonfire zapper is explicitly specified to be capable of destroying drones, building on work by MBDA’s German arm which used proof-of-concept weapons to destroy drones at distances of 2.5km (1.6 miles).

No information was given about sharks accompanying the Lockheed Martin weapons.

The company has also recently been awarded a contract by BAE Systems to install Mk.41 missile silos into the Royal Navy’s new Type 26 frigates. Those Vertical Launch System silos will consist of three cells with each housing up to eight missiles. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/03/02/lockheed_martin_laser_us_navy/

RedDrop nasty infects Androids via adult links, records sound, and fires off premium-rate texts

A newly discovered strain of Android malware makes live recordings of ambient audio around an infected device.

The RedDrop nasty also harvests and uploads files, photos, contacts, application data, config files and Wi-Fi information from infected kit. Both Dropbox and Google Drive are being used as temporary storage by the attackers.

Infected devices submit expensive SMS messages to a premium service, enriching crooks in the process. Hundreds of infections related to the malware have been spotted by security firms, with Chinese users among the most heavily affected.

Enterprise mobile security firm Wandera discovered the malware when an employee from a US-based “Big Four” consulting firm used their mobile web browser to click on a link displayed on Chinese search engine Baidu. The user was then directed to a site displaying adult content, which was detected as suspicious and blocked.

Upon further investigation, Wandera discovered 53+ innocent-looking apps that front-end the malware, as well as an intricate distribution network of 3,000+ hosting locations, used to maximise reach to end-user devices. “We believe that the multiple distribution URLs, the distinct web properties used to host the APKs and the countless versions of each bit of added functionality all point to the attacker’s attempt to keep the malware from becoming stale and subject to signature-based blocks,” Wandera said.

Apps ranging from business tools to games have been contaminated to carry the malware, according to Wandera. Chinese search giant Baidu.com and the Sky Mobi Android app store are both being abused to distribute the nasty.

RedDrop Android malware infection cycle [Source: Wandera]

The threat is one of the most advanced examples of Android malware Wandera has seen. “From the download sites and referrers to the C&C and data exfiltration, the attackers who built this malware planned it well,” the firm concludes. “On the device itself, the malware was designed to be resilient and to persist across system changes and updates.”

Security watchers at Kaspersky Lab are less impressed by the threat, which they reckon has largely been a problem for Chinese smartphone users searching for smut.

“Kaspersky Lab has been aware of this threat since September 2017,” said security research staffer Victor Chebyshev. “RedDrop is malware capable of spying on its victims (it can collect data about a victim’s device, including data from the memory card and contacts list) and discreetly making a device buy paid-for subscriptions, which can result in users facing financial risk.

“We have seen hundreds of unique RedDrop detections across the world, mostly from Chinese users. The malware is spreading via third-party platforms that disguise the software as adult applications. Kaspersky Lab products have successfully detected and blocked RedDrop from September 2017.” ®
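The capabilities the two vendors describe (ambient audio capture, premium-rate SMS, harvesting of contacts, files and Wi-Fi details, persistence across reboots) show up in an APK's manifest as a permission mix that a game or business tool has no reason to request. The following triage script is an added example, not code from Wandera or Kaspersky Lab: it parses an AndroidManifest.xml and scores the declared permissions against those capability buckets. The two manifests embedded in it are constructed for illustration; the permission strings themselves are real Android permission names.

```python
"""Triage an AndroidManifest.xml for the capability mix reported for RedDrop:
audio capture, SMS sending, data harvesting, and boot persistence.
Added example; the manifests below are constructed, not real samples."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability buckets drawn from the behaviours reported in the article.
CAPABILITIES = {
    "audio_capture": {"android.permission.RECORD_AUDIO"},
    "premium_sms": {"android.permission.SEND_SMS"},
    "data_harvest": {
        "android.permission.READ_CONTACTS",
        "android.permission.READ_EXTERNAL_STORAGE",
        "android.permission.ACCESS_WIFI_STATE",
    },
}
BOOT_PERSISTENCE = "android.permission.RECEIVE_BOOT_COMPLETED"

# Constructed sample: a "puzzle game" that asks for far more than a game needs.
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.puzzlegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
</manifest>
"""

# Constructed sample: a game that only needs network access.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.othergame">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> set:
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml.strip())
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }


def triage(manifest_xml: str) -> dict:
    """Map declared permissions onto capability buckets and give a verdict.

    verdict: "ok"     - at most one bucket touched
             "review" - two buckets touched
             "flag"   - all three buckets touched (spy + fraud + harvest)
    """
    perms = declared_permissions(manifest_xml)
    hits = {}
    for cap, needed in CAPABILITIES.items():
        matched = sorted(perms & needed)
        if matched:
            hits[cap] = matched
    if len(hits) == 3:
        verdict = "flag"
    elif len(hits) == 2:
        verdict = "review"
    else:
        verdict = "ok"
    return {
        "capabilities": hits,
        "persistent": BOOT_PERSISTENCE in perms,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, manifest in (("suspicious", SUSPICIOUS_MANIFEST),
                           ("benign", BENIGN_MANIFEST)):
        print(name, triage(manifest))
```

Permission analysis is a first-pass filter, not a detection on its own: a legitimate messaging app will legitimately hold SEND_SMS and READ_CONTACTS. The point of the bucket scoring is to surface apps whose stated purpose does not explain the combination, so an analyst can look at the network behaviour the article describes (cloud-storage uploads, premium SMS) before the app reaches managed devices.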


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/03/02/reddrop_android_malware/

A Secure Development Approach Pays Off

Software security shouldn’t be an afterthought. That’s why the secure software development life cycle deserves a fresh look.

News headlines abound with stories of well-known companies falling victim to cyberattacks and data breaches. Some attacks — such as 2017’s WannaCry ransomware — cause global mayhem and an immediate reaction from businesses, which scramble to issue and install patches. But there’s a far bigger problem than the headlines would lead you to believe. It’s a problem that is part of the approach that has, so far, been taken to software development, and one that is leaving tiny imperfections deep inside the infrastructure of organizations across the world.

Typically, software development follows a set process: the software development life cycle (SDLC). It’s a best-practice plan that’s been adapted over the years and dictates how software should be developed, maintained, and updated. Historically, security was an afterthought throughout the process until a few years ago, when an additional “S” for “secure” was added, and those in DevOps found themselves with a new buzzword — secure software development life cycle, or SSDLC — and adopted manual security processes as part of the life cycle. But simply adding the S, without making any changes to the process, meant that code testing remained the priority instead of building in a specific security review of the code.

Although the distinction might sound minor, it’s the difference between building software that is inherently secure from the start and building software that contains flaws that are discovered too late — or, in some cases, not at all.

So, although SSDLC isn’t a new concept, we need to change the mindset on how it’s implemented. Many businesses developing software believe that they’re doing so securely. They’re using tools like Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST), which can be useful at the implementation stage and testing phase, respectively, and have the benefit of ensuring that security is in the process at all (which is better than the traditional SDLC process). But by this point, it may well be too late — flaws can easily be missed, and those that are caught may not be easily fixable without time and expense.

The New Wave of SSDLC
The answer is to bring security into the development process from the very beginning — but DevOps and security have not, historically, been comfortable bedfellows. There’s often a belief that security slows down the development process, which ultimately affects time to delivery. But by avoiding security until the end of the process, there’s a huge risk that vulnerable products will be released. Clearly, neither option is ideal.

This is where automation comes in. Ideally, you need transparent integration and full automation of the security solution at all stages of the development process. Unlike a manual process, an automated one provides findings and feedback continuously, analyzing every change to the code without human intervention. The code can then either be returned to developers or virtually fixed, and a patch issued for the source code — all automatically.

Automation solves a number of the old problems associated with traditional SSDLC processes — it means security is a core element throughout and doesn’t slow down DevOps. However, it also needs a level of oversight. Once the code is built and DevOps integrates testing tools and development tools, security metrics have to be defined — with no build approved unless it complies. During the requirements phase, security metrics will be drawn up, which match to the organization’s high-level confidentiality, availability, and integrity objectives. This may include reference to regulations such as the EU’s General Data Protection Regulation and the Payment Card Industry Data Security Standard, and security experts have to be involved to assist with threat modeling and review during the design and requirements phase.

What’s more, true software security isn’t only about ensuring the software itself is secure, but also securing the systems on which software runs. Software security needs to be part of an application security program that takes into account any concerns at the beginning of the development life cycle in a holistic way. Although a lot of the security requirements and processes are often relatively simple, and, to security specialists, fairly obvious, software developers often don’t have the knowledge of security processes in as much depth as is required to meet the rigorous standards. Such metrics need to be overseen by a head of application security or security expert to add a layer of checks and balances.
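The gate the last few paragraphs describe (metrics defined up front, every build's scanner output evaluated against them, no build approved unless it complies) is small enough to show in full. The script below is an added example and not code from the article's author or from any particular SAST/DAST product: the policy mirrors the objectives and regulations the article names, and the findings list is a constructed stand-in for the merged output a real pipeline would load from its scanners.

```python
"""Automated security gate for a CI pipeline.  Added example: the policy
and the findings below are constructed; a real pipeline would load the
policy from version control and the findings from the SAST/DAST tools."""
import json

# Policy agreed during the requirements phase.  "max_open" is the number of
# open findings tolerated per severity; "blocking_tags" names the regulated
# scopes (from the article: GDPR, PCI DSS) where any open finding blocks;
# "require_tools" ensures a build cannot pass simply because a scanner
# failed to run.
POLICY = {
    "max_open": {"critical": 0, "high": 0, "medium": 5},
    "blocking_tags": {"pci-dss", "gdpr"},
    "require_tools": {"sast", "dast"},
}

# Constructed scanner output, merged from one SAST run and one DAST run.
FINDINGS_JSON = """
[
  {"id": "F-1", "tool": "sast", "severity": "high", "rule": "sql-injection",
   "file": "app/db.py", "tags": ["pci-dss"], "status": "open"},
  {"id": "F-2", "tool": "sast", "severity": "medium", "rule": "weak-random",
   "file": "app/token.py", "tags": [], "status": "open"},
  {"id": "F-3", "tool": "dast", "severity": "low", "rule": "missing-hsts",
   "file": null, "tags": [], "status": "open"},
  {"id": "F-4", "tool": "sast", "severity": "critical", "rule": "hardcoded-secret",
   "file": "app/config.py", "tags": ["gdpr"], "status": "fixed"}
]
"""


def evaluate(findings, policy=POLICY):
    """Return (approved, reasons).  Only open findings count against the
    build; fixed ones are kept in the input because they show the feedback
    loop closed, but they never block."""
    reasons = []
    open_findings = [f for f in findings if f["status"] == "open"]

    # Gate 1: every required scanner must have contributed results.
    missing = policy["require_tools"] - {f["tool"] for f in findings}
    if missing:
        reasons.append("required scanners did not run: %s" % sorted(missing))

    # Gate 2: per-severity ceilings.
    counts = {}
    for f in open_findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    for sev, limit in policy["max_open"].items():
        if counts.get(sev, 0) > limit:
            reasons.append("%d open %s finding(s) exceeds limit of %d"
                           % (counts[sev], sev, limit))

    # Gate 3: anything open that touches a regulated scope blocks outright.
    for f in open_findings:
        blocked = policy["blocking_tags"] & set(f["tags"])
        if blocked:
            reasons.append("%s (%s) touches regulated scope %s"
                           % (f["id"], f["rule"], sorted(blocked)))

    return (not reasons, reasons)


def gate(findings_json, policy=POLICY):
    """Entry point for the pipeline step: parse JSON and return a verdict."""
    approved, reasons = evaluate(json.loads(findings_json), policy)
    return {"approved": approved, "reasons": reasons}


if __name__ == "__main__":
    verdict = gate(FINDINGS_JSON)
    print("build approved" if verdict["approved"] else "build rejected")
    for reason in verdict["reasons"]:
        print(" -", reason)
```

On the constructed input the build is rejected for two reasons: one open high-severity finding against a ceiling of zero, and the same finding sitting in PCI DSS scope. The medium and low findings pass because the policy tolerates them, and the fixed critical finding does not count. Keeping the policy in a data structure rather than scattered across scanner configurations is what lets the head of application security the article calls for review and change the thresholds in one place.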

Software security shouldn’t be an afterthought. With ever-increasing instances of criminals taking advantage of flaws and vulnerabilities, bringing security into the development life cycle at the very beginning will ensure a far more robust end product. It might take slightly longer to deliver the software, but, in the long run, it will pay off.


Leigh-Anne Galloway started her career leading investigations into payment card breaches, where she discovered her passion for security advisory. Her keen eye for new technology has led her to work with companies such as SilverTail Systems (acquired by EMC) and vArmour where she …

Article source: https://www.darkreading.com/application-security/a-secure-development-approach-pays-off/a/d-id/1331154?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Mueller May Indict Russians Who Hacked DNC

Special counsel is compiling a case against the hackers who breached the DNC and John Podesta’s email account, NBC News reports.

Another shoe could soon drop: special counsel Robert Mueller reportedly is putting together a criminal case against Russian hackers behind the breach and leak of emails of the Democratic National Committee (DNC) and Clinton campaign chair John Podesta during the 2016 presidential campaign, according to an NBC News report.

That means a potential indictment or multiple indictments that could provide some of the first public details of the people and methods used by Russian state actors to hack the DNC email system and Podesta’s account, as well as how they then leaked information via WikiLeaks. Last month, Mueller dropped an indictment on 13 people involved with The Internet Research Agency, a Russian organization that “had a strategic goal to sow discord in the U.S. political system, including the 2016 U.S. presidential election,” according to that indictment.

A source told NBC News that if Mueller issues this second indictment, it could include information on any Americans who assisted or were duped into assisting the Russian hacking operation. Most likely, the indictment would refer to those Americans as “unnamed” individuals, however.


Article source: https://www.darkreading.com/attacks-breaches/mueller-may-indict-russians-who-hacked-dnc/d/d-id/1331179?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple