
Irish eyes are sighing: Data protection office notes olagoanin’* up 79%

The Irish Data Protection Commissioner received 79 per cent more complaints last year than in 2016, while data breach notifications rose 26 per cent.

The figures, released in the commissioner’s annual report for 2017 (PDF), show that the DPC’s office received a record 2,642 complaints in 2017.

That’s a 79 per cent increase on the 1,479 received the previous year, and much greater than in 2013, 2014 or 2015, when there were on average 930 complaints each year.

Some 52 per cent (1,372) of the complaints in 2017 were about access rights, while 312 were about unfair processing of data, 77 about the use of CCTV footage, and 21 were related to the right to be forgotten.

The office received 215 complaints about electronic direct marketing, and 146 were investigated – of these 80 were related to email marketing, 58 to SMS and just eight to phone.

Overall, the office concluded some 2,594 complaints, meaning there were 556 outstanding at the end of the year. At the moment, the office has 40 days to resolve a complaint; this drops to one month under the European Union’s General Data Protection Regulation, which comes into effect in May.

Meanwhile, some 2,973 data security breaches were reported in 2017, of which 178 were classified as non-breaches. The 2,795 valid breach reports represented a 26 per cent increase on 2016’s figure.

Most breaches – about 59 per cent – were related to unauthorised disclosures, and the majority of these were in the financial sector, the commissioner said.

Some 6 per cent of all reported cases were in the telecommunications sector, which was 25 per cent more than in 2016; there was also an increase in the number of network security compromises – these rose from 23 to 49, and usually included ransomware and malware attacks.

The report said that the commissioner’s multinationals team had investigated 19 data breaches in 2017, noting that its investigation into the Yahoo! data breach was “largely concluded” in 2017 and would be finalised in the first half of this year.

A central part of that work will assess the extent to which the EMEA controller – Yahoo! EMEA in Dublin – had complied with its obligations to ensure that the processing of EU users’ personal data by its processor, Yahoo! Inc., was sufficiently secure in terms of technical and organisational measures to safeguard the data.

Elsewhere, the report set out the main issues it had faced in 2017 and plans for 2018.

Among these, it noted the ongoing litigation between Facebook and Max Schrems, which the Irish High Court agreed to refer up to the Court of Justice of the EU but has yet to finalise the specific questions.

The report also noted the extra cash the government has promised the body, which rose to €7.5m in 2017 and will increase again to €11.7m this year, allowing it to recruit an extra 55 staff on top of the existing 85.

However, it was – rather unsurprisingly – GDPR that topped commissioner Helen Dixon’s agenda.

“The phrase ‘game-changer’ is so frequently used that it has to some extent lost its potency,” she wrote in the foreword.

“I truly believe that May 2018 will be a seminal milestone in ensuring that the rapid technological change and importance of data in our daily lives is now backed by a transparent and flexible but robust regime for the protection of individuals.” ®

* Grumbling and complaining – from the Gaelic olagón (lament).

Sponsored:
Minds Mastering Machines – Call for papers now open

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/02/28/irish_data_protection_watchdog_annual_report/

Virtual Private Networks: Why Their Days Are Numbered


As companies move to the cloud and depend less on physical servers and network connections, their reliance on VPNs for security will eventually evolve, if not disappear altogether.

Virtual private networks (VPNs) have for a generation been viewed as the connectivity solution for the distributed enterprise, enabling secure remote access for mobile workers and branch offices back to the business-critical data at headquarters. While these connections are viewed as far more secure than the public Internet, VPNs are no longer the only solution for securely vetting enterprise traffic – let alone the most efficient one.

In reality, the days of ubiquitous VPNs may be numbered. These and other backhaul configurations make network management unnecessarily cumbersome as more and more remote workers and mobile devices flood enterprise networks, requiring their own dedicated VPN tunnels. The drawbacks of such complicated configurations are innumerable, and only get compounded every time a new device joins the network.

Security Left to the User
VPNs are designed to increase network security, but their functionality does little more than act as a standard web proxy. This means that advanced threat protection capabilities still need to be deployed on top of VPNs to assure traffic entering the network is secure.

Often, for instance, remote users will access the network using unsecured devices – like a personal laptop – that may already be infected with malicious software. Once the user has authenticated their access request and successfully logged into the servers at headquarters, the malware could compromise network data.

This threat is difficult for network administrators to manage because they are forced to rely on responsible users to ensure that the network remains secure. This also illustrates one of the limitations of the VPN: most don’t differentiate traffic based on origin or device, but simply grant access to users who enter the right credentials. In addition, if an employee is given a device to be used exclusively for the company’s business, there can be no guarantee that the employee will do so.

Performance Lags
By nature, VPNs can slow down performance since they require proper authentication to be completed before users can access the network. But it’s trickier when the connectivity of remote users doesn’t move at the same speed as others on the network. In truth, VPNs are only as fast as the slowest Internet connection between two endpoints.

Adding to the performance lag is the fact that most IP applications were designed for low-latency and high reliability network environments. This means that network performance issues will only become more apparent as more real-time and interactive applications begin leveraging the enterprise network.

Complexity Breeds Budget Busters
VPNs require an array of equipment, protocols, service providers and topologies to be successfully implemented across an enterprise network – and the complexity is only perpetuated as networks grow. Purchasing the excess capacity and new Multiprotocol Label Switching (MPLS) connections needed to support effective VPNs can weigh heavily on IT budgets, while managing these networks will require greater reliance on personnel.

Rather than limit the number of devices on their networks, organizations need to seek out solutions that simplify network management as companies continue embracing mobile and remote workforces. Even businesses that continue to rely on VPN or backhaul networks to protect their data need to employ a defense-in-depth approach to security, since VPNs, on their own, only offer the baseline protections of a standard web proxy.  

As more solutions move to the cloud and enterprises rely less and less on physical servers and network connections, the need for VPNs will eventually evolve, if not disappear altogether.

Chris Park brings more than 13 years of experience in corporate network security to his position as CIO at iboss, where he is responsible for creating and driving the company’s IT strategy. As resident expert in all aspects of iboss solutions and infrastructure, Chris is …

Article source: https://www.darkreading.com/cloud/virtual-private-networks-why-their-days-are-numbered/a/d-id/1331138?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Nearly Half of Cybersecurity Pros Solicited Weekly by Recruiters

More than 80% say they are ‘open’ to new job offers, while 15% are actively on the search, a new (ISC)2 survey shows.

It’s still a seller’s market in cybersecurity, where recruiters are aggressively contacting prospects and the majority of workers are keeping their options open for a better job offer.

A new global survey of security professionals by (ISC)2 shows that while just 14% are actively on the job hunt, 84% say they would consider a new position this year. Some 46% say recruiters contact them weekly, and around 18% get daily calls even though they are not actively seeking new employment. Nearly 40% of those who are on the hunt get multiple pings from recruiters daily.

“It’s a great place to be if you’re an experienced cybersecurity pro. You can write your own ticket these days,” says Wes Simpson, COO at (ISC)2. The talent gap in the industry remains unfilled, and that makes security professionals even more valuable and in hot demand – especially those with five or more years’ worth of experience, he says.

There will be some 1.8 million unfilled security positions worldwide by 2020, according to Frost & Sullivan.

Overall, one in five pros get a minimum of one recruiting call or email each day, the (ISC)2 survey found, and most of these workers have three to 10 years’ experience. C-level executives make up nearly one-fourth of those who get multiple recruiter contacts per day.

Meanwhile, salary was not the top-ranked requirement for taking a job. Some 68% say they want a position at an organization where their opinion is valued; 54% say their current jobs fit that bill. Some 62% say they want a job where they can protect people and their data; 58% say their current jobs provide that. Next in the rankings is working at a place with a “code of ethics” (59%), with 54% saying their organization satisfies that requirement.

Nearly 50% say they want the “best salary,” and 39% say they are satisfied with their current pay. That doesn’t mean salary is not a factor, the report says, since 55% of security pros with no job-hunting plans are happy with their salaries.

“Job seekers in cybersecurity are just so mission-oriented. They care about really fighting back, being the professional, and being able to help and protect an organization and their data. They just want to have a sense of ownership and belonging … and that they are being listened to and consulted,” Simpson says.

Security pros also are discerning about job descriptions: some 52% say a vague and unclear job description indicates to them that the organization does not understand the industry. “Vague language and descriptions that don’t seem to accurately reflect the job are definite turnoffs,” the report says. 

Job position descriptions typically are written by the HR department, which often employs a template for the wording. “These job descriptions are written by the HR folks and not the hiring manager,” says (ISC)2’s Simpson. “The problem is a lot of great candidates probably never even get a chance because the job description is written so poorly.”

There’s also a lack of consistency among different companies’ descriptions and names of various job titles in security, too, he says. “As a profession we can be more standardized around job descriptions or lexicon,” he says.

A recent Jane Bond Project study, commissioned by security talent recruiting firm CyberSN, found that organizations know their HR generalists are not equipped to recruit and hire cybersecurity talent, and that flawed salary data complicates their ability to issue the best job offers. Half of the organizations in the study had to raise the compensation offers from the job description in order to finalize an offer to a candidate because the original salary offer used by HR was inadequate.

(ISC)2’s report, which polled 250 cybersecurity professionals within the US and Canada, also asked security pros what they value in an employer. They say it’s “very important” for them to work for companies that: invest in training and certification (88%); train their employees in security (75%); use clear and concise job descriptions (63%); and invest in the latest security technologies (50%). It’s very or somewhat important that the company have clearly defined responsibilities among cybersecurity staff (100%); a large dedicated staff (88%), and a CISO on board (88%).



Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/vulnerabilities---threats/nearly-half-of-cybersecurity-pros-solicited-weekly-by-recruiters/d/d-id/1331151?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Popular cache utility exploited for massive reflected DoS attacks

Attackers have discovered a new amplified denial-of-service attack vector, and have launched attacks reaching hundreds of gigabits per second in Asia, North America and Europe.

Former Internet Systems Consortium CEO and now Akamai principal architect Barry Raveendran Greene has detailed the reflected DoS attack on his blog, explaining that it can make the incoming traffic look as though it comes from a service provider’s router.

The attack abuses the memcached distributed in-memory caching utility, used to speed up dynamic Web applications by sharing around the database load.

The utility isn’t meant to be installed on Internet-facing systems, because it has no security mechanism, but as SANS, Cloudflare, Arbor Networks and Akamai have all observed, there are a lot of exposed memcached instances out there.

As SANS’ Johannes Ullrich wrote: “Apparently people are exposing memcached to the internet. For many other services, I would qualify that statement: ‘without access control’. But for memcached there is no access control. This is by design.”

The mechanism attackers used was to send memcached instances a request for statistics over UDP, with the source address spoofed to that of the victim. The stats request is 15 bytes long, but the reply is anywhere between 1,500 bytes and hundreds of kilobytes.

There’s the amplification factor: 15-byte requests sent to a bunch of memcached instances, and the target is hosed.
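To make the amplification factor concrete from the defender’s side, here is an added Python example (my construction, not code from the article or any vendor named in it) that pairs UDP traffic into port 11211 with the UDP traffic coming back out of it in a set of constructed flow records and reports any memcached host whose replies dwarf the requests. The flow line layout, the documentation-range IP addresses and the 50x reporting threshold are all assumptions for this example.

```python
"""Added example (not from the article or any vendor named in it): spotting a
memcached instance being used as a UDP reflector from flow records.

The flow lines below are constructed, in a simplified "proto src:port dst:port
bytes packets" layout; the IP addresses come from the documentation ranges.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

MEMCACHED_PORT = 11211
# Reply-to-request byte ratio above which a UDP exchange on 11211 is reported.
# A 15-byte stats request answered with 1,500 bytes is already a factor of 100;
# the threshold here is a choice for this example, not a published figure.
MIN_AMPLIFICATION = 50.0

# Constructed sample: a 15-byte request "from" 203.0.113.7 (the spoofed
# victim) drawing 750,000 bytes out of 198.51.100.20, a second smaller
# reflection from 198.51.100.21, plus benign TCP memcached and DNS traffic.
SAMPLE_FLOWS = """\
UDP 203.0.113.7:53211 198.51.100.20:11211 15 1
UDP 198.51.100.20:11211 203.0.113.7:53211 750000 520
UDP 203.0.113.7:53211 198.51.100.21:11211 30 2
UDP 198.51.100.21:11211 203.0.113.7:53211 1500 1
TCP 192.0.2.10:41000 198.51.100.20:11211 240 6
TCP 198.51.100.20:11211 192.0.2.10:41000 3000 8
UDP 192.0.2.55:5353 198.51.100.20:53 60 1
UDP 198.51.100.20:53 192.0.2.55:5353 512 1
"""


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int
    packets: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record; raises ValueError on a malformed line."""
    proto, src, dst, nbytes, packets = line.split()
    src_ip, sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return Flow(proto.upper(), src_ip, int(sport), dst_ip, int(dport),
                int(nbytes), int(packets))


def memcached_reflections(flows: List[Flow]) -> List[Tuple[str, str, float]]:
    """Pair UDP traffic into port 11211 with UDP traffic out of it, per
    (apparent client, server), and report pairs whose reply volume exceeds the
    request volume by MIN_AMPLIFICATION or more.

    Returns (reflector, apparent_source, factor) tuples, largest factor first.
    The apparent source is usually the spoofed victim, not a real client.
    """
    requests: Dict[Tuple[str, str], int] = defaultdict(int)
    replies: Dict[Tuple[str, str], int] = defaultdict(int)
    for f in flows:
        if f.proto != "UDP":
            continue  # TCP memcached cannot be spoofed this way; ignore it
        if f.dport == MEMCACHED_PORT:
            requests[(f.src, f.dst)] += f.nbytes
        elif f.sport == MEMCACHED_PORT:
            replies[(f.dst, f.src)] += f.nbytes

    findings = []
    for key, reply_bytes in replies.items():
        request_bytes = requests.get(key, 0)
        if request_bytes == 0:
            continue  # one-directional capture; no ratio can be computed
        factor = reply_bytes / request_bytes
        if factor >= MIN_AMPLIFICATION:
            client, server = key
            findings.append((server, client, round(factor, 1)))
    return sorted(findings, key=lambda item: item[2], reverse=True)


def analyse(flow_text: str) -> List[Tuple[str, str, float]]:
    """Convenience wrapper: parse a block of flow lines and run the check."""
    flows = [parse_flow(line) for line in flow_text.splitlines() if line.strip()]
    return memcached_reflections(flows)


if __name__ == "__main__":
    for reflector, victim, factor in analyse(SAMPLE_FLOWS):
        print(f"{reflector} amplified UDP/11211 traffic toward {victim} by {factor}x")
```

A host that shows up as a reflector here is one that is listening on UDP/11211 from the Internet, which is the configuration the rest of the article tells operators to remove.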

Qrator Labs reckons it’s seen attacks reach 500 Gbps.

If you’re under attack, there are two things to do: block all traffic from port 11211, and if you can, get help from your ISP to block the traffic.

Operators are being asked to help block the attacks as well. A note to Australian Network Operators’ Group (AUSNOG) suggests implementing Exploitable Port Filters as per these instructions.

And if you’re a sysadmin whose memcached server is outside the firewall, get it inside, configure it so it doesn’t listen on UDP, and strap yourself to the butt-kicking machine, because as Ullrich pointed out, the utility’s config file told you not to put it on the Internet. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/02/28/memcached_reflected_dos_attacks/

Dutch name authority: DNSSEC validation errors can be eliminated

DNSSEC, which secures the ancient domain name system, is important to Internet security and privacy, but as APNIC luminary Geoff Huston wrote last week, there’s evidence that its use could be declining. “From the validation perspective, the use of DNSSEC appeared to have peaked in early 2016 and has been declining since then”, his post stated.

Now SIDN, the domain registration foundation for The Netherlands, which has spent four years on the issue, believes one key to improving DNSSEC uptake is to eliminate validation errors.

Validation errors occur when information in the authoritative nameserver doesn’t match what’s held by a registrar. When that happens users are told the lookup has failed (that is, they can’t reach the site), and that’s a bad look. They might believe someone’s blocked a site, or they might blame the service provider’s infrastructure.
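The mismatch described above is checkable: the registry publishes DS records for a domain, and each must correspond to a DNSKEY the domain’s authoritative servers actually serve. The following added Python example (mine, not SIDN’s or APNIC’s tooling) derives DS records from DNSKEYs per RFC 4034 and lists any registered DS that no served key matches, which is the state that produces a validation error after a key rollover that was not pushed to the registry. The key bytes are constructed filler and the domain name is hypothetical.

```python
"""Added example (not SIDN's or APNIC's tooling): checking that the DS records
a registry publishes for a domain match the DNSKEYs its authoritative servers
actually serve. A DS that matches no served DNSKEY is exactly the mismatch
that makes validating resolvers fail the lookup.

Key material below is constructed filler, not a real key; the domain name is
hypothetical.
"""
from __future__ import annotations

import hashlib
import struct
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class DNSKEY:
    flags: int          # 257 = zone key with the SEP bit set (a KSK)
    protocol: int       # always 3 for DNSSEC
    algorithm: int      # 13 = ECDSAP256SHA256
    public_key: bytes

    def rdata(self) -> bytes:
        """Wire-format RDATA: flags, protocol, algorithm, then the key bytes."""
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int    # 2 = SHA-256
    digest: str         # lower-case hex


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (valid for every algorithm except the
    long-obsolete RSA/MD5): 16-bit word sum of the RDATA with carry folded in."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name: str) -> bytes:
    """Canonical wire-format owner name: labels lower-cased, length-prefixed,
    terminated by the root label, as RFC 4034 requires for DS digests."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"invalid label {label!r} in {name!r}")
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def ds_from_dnskey(owner: str, key: DNSKEY, digest_type: int = 2) -> DS:
    """Derive the DS the parent zone should hold for this DNSKEY:
    digest = SHA-256(owner name | DNSKEY RDATA)."""
    if digest_type != 2:
        raise ValueError("only digest type 2 (SHA-256) is implemented here")
    rdata = key.rdata()
    digest = hashlib.sha256(owner_wire(owner) + rdata).hexdigest()
    return DS(key_tag(rdata), key.algorithm, digest_type, digest)


def unmatched_ds(owner: str, registry_ds: List[DS], zone_keys: List[DNSKEY]) -> List[DS]:
    """Return every registry DS that corresponds to none of the DNSKEYs the
    zone serves. An empty list means the delegation validates (or the domain
    is simply unsigned at the parent); anything else is a validation error."""
    derived: Set[Tuple[int, int, int, str]] = set()
    for key in zone_keys:
        d = ds_from_dnskey(owner, key)
        derived.add((d.key_tag, d.algorithm, d.digest_type, d.digest))
    return [ds for ds in registry_ds
            if (ds.key_tag, ds.algorithm, ds.digest_type, ds.digest.lower()) not in derived]


# Constructed keys: the KSK the registry knows about, and the replacement KSK
# an operator rolled to without updating the DS at the registry.
OLD_KSK = DNSKEY(flags=257, protocol=3, algorithm=13, public_key=bytes(range(64)))
NEW_KSK = DNSKEY(flags=257, protocol=3, algorithm=13, public_key=bytes(range(1, 65)))
DOMAIN = "voorbeeld.nl"  # hypothetical


if __name__ == "__main__":
    registered = [ds_from_dnskey(DOMAIN, OLD_KSK)]
    print("before rollover:", unmatched_ds(DOMAIN, registered, [OLD_KSK]))  # []
    print("after rollover: ", unmatched_ds(DOMAIN, registered, [NEW_KSK]))  # the stale DS
```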

According to a 2017 study (PDF) by the Asia-Pacific Network Information Centre (APNIC), only one per cent of .com, .net, and .org domains were signed, and even those had a 30 per cent misconfiguration rate. Those misconfigurations would return validation errors.

SIDN’s approach, implemented over the last two years, was to document validation errors in the .nl namespace, to decide whether that country’s ISPs could use a validation service.

As the country’s DNSSEC partnership wrote: “In the period 2013-2014, validation errors were an important obstacle to the further development of DNSSEC in the Netherlands. The pioneering role that the .nl domain had (and has) in the signing of domain names has been at the expense of validation. The result is a strong imbalance between these two complementary components of DNSSEC.”

Too many domains, the post said, had registered information with SIDN that didn’t match the information held on DNSSEC authoritative servers.

After contacting the registrars that generated the most errors, SIDN then launched a validation monitor in 2015 – yet, it complained, access providers were still citing validation problems as their reason for not supporting DNSSEC.

Which leads to the authority’s final project, a two-year pilot of its own DNS resolver in partnership with broadband outfit OpenFibre, to collect hard data about validation errors.

Its conclusion: “The most important outcome of this pilot is that validation errors almost no longer occur,” SIDN’s Sebastiaan Assink says in the post. The rate of validation errors is now 30 per million DNSSEC lookups.

Alas, even if validation errors no longer stand in the way of DNSSEC, SIDN claimed The Netherlands’ biggest ISPs – KPN and Ziggo among them – still resist deployment. Assink said this is “a brake on innovation. New applications on DNS / DNSSEC – think of DANE, DKIM, DMARC and SPF – therefore do not come into their own”.

As APNIC noted in last year’s study, registrars also remain another roadblock. As of December, among 20 major registrars only three – GoDaddy, NameCheap and OVH – supported DNSSEC for domains they manage. Only 11 registrars (including the three already named) will let an external nameserver run DNSSEC.

Huston wrote that browser vendors are another roadblock, because they’re “obsessed by wanting to shave off the few milliseconds that need to be spent in validating the name against the name’s public key when using DNS”.

Apart from the applications identified by Assink, DNSSEC also gives users an important protection against DNS spoofing (also known as DNS cache poisoning). It seems, however, that more incentives will be needed to get service providers to play along. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/02/28/dutch_name_authority_dnssec_validation_errors_can_be_eliminated/

XM-hell strikes single-sign-on systems: Bugs allow miscreants to masquerade as others

Various single-sign-on systems can be hoodwinked to allow miscreants to log in as strangers without their password, all thanks to bungled programming.

Specifically, the vulnerable authentication suites mishandle information submitted in the XML-like Security Assertion Markup Language (SAML). These weaknesses can be potentially exploited by hackers to log into systems, masquerade as other users, and access their accounts.

Single-sign-on systems (SSOs), for those who don’t know, are typically used by enterprises, and large websites, to allow users and customers to log into lots of different services using one username and password pair – plus any two-factor authentication methods, of course. It means folks can sign into apps on phones, webpages on their desktop PCs, and so on, using one set of credentials.

According to the US Homeland Security-backed CERT, the Duo Network Gateway, OneLogin’s python-saml and ruby-saml, Clever’s saml2-js, the OmniAuth-SAML, and the Shibboleth openSAML C++ SSO toolkits are vulnerable to authentication bypass attacks. Vendors of similar technology are potentially affected, too.

The security shortcomings were first discovered by Duo in its own product, and follow-up work revealed that other makers of SSO software were also affected. This is therefore a new class of bug, lying within the processing of SAML data.

Duo worked closely with US-CERT and the aforementioned developers since December to patch the bugs, and went public with its findings on Tuesday now that all the fixes are, we’re told, available.

Cryptographic

According to CERT: “A remote attacker can modify SAML content for a SAML service provider without invalidating the cryptographic signature, which may allow attackers to bypass primary authentication for the affected SAML service provider.”

That sounds as though any unauthenticated scumbag can gain control of any account. However, Duo’s Kelby Ludwig noted that to practically exploit this class of security hole, an attacker has to be logged in. Thus, the flaws allow a rogue user or customer to impersonate another person on the system, which still isn’t very nice.

“This vulnerability can allow an attacker with authenticated access to trick SAML systems into authenticating as a different user without knowledge of the victim user’s password,” explained Ludwig.

Ludwig’s advisory has the full technical details, but to briefly summarize: when signing in, the system that performs the identity check produces a SAML response, which is sent to the system providing the service. This response contains, among other things, the account ID of the user logging in, and a digital signature of the data. That signature is supposed to ensure the information is tamper-proof: a tweaked response will not match its signature, and thus will be discarded.

It is, however, possible to log into an identity system, and carefully alter the valid SAML response so that it has a stranger’s account ID instead of your own, all while keeping the signature valid. This modified access key is then presented to the service provider, and it appears to be legitimately generated by the identity checking system, due to the valid signature. Thus, you can log in as the stranger using this forged SAML response.

The trick is to exploit the fact that XML comments are skipped when generating the signature, but are not fully skipped when extracting the user account ID string. Oops.
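To see that parsing divergence in working code, here is an added Python example (my construction, not code from Duo’s advisory or from any of the libraries named above). A namespace-free stand-in for a SAML assertion is canonicalised without comments, as XML-DSig does before hashing, and its NameID is then read the vulnerable way (first text node only) and two hardened ways; the assertion text is constructed and Python 3.8 or later is assumed for `ET.canonicalize`.

```python
"""Added example (not from the advisory or any of the named libraries): why an
XML comment can change the extracted user ID without changing the signature.

The documents below are constructed, namespace-free stand-ins for a SAML
response; real SAML uses namespaces and a full XML-DSig <Signature> element.
"""
import hashlib
import xml.etree.ElementTree as ET
from xml.dom import minidom

# What the identity provider signed ...
SIGNED = ("<Response><Assertion><Subject>"
          "<NameID>user@example.com.test</NameID>"
          "</Subject></Assertion></Response>")
# ... and the same document with a comment spliced into the NameID text.
COMMENTED = ("<Response><Assertion><Subject>"
             "<NameID>user@example.com<!--x-->.test</NameID>"
             "</Subject></Assertion></Response>")


def canonical_digest(xml_text: str) -> str:
    """Stand-in for the XML-DSig reference step: canonicalise (C14N) with
    comments excluded, then hash. Both documents yield identical bytes, so a
    signature computed this way stays valid after the comment is inserted."""
    canonical = ET.canonicalize(xml_text, with_comments=False)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def _name_id_node(xml_text: str):
    # minidom keeps comments as child nodes, which is what makes the bug visible.
    return minidom.parseString(xml_text).getElementsByTagName("NameID")[0]


def name_id_first_text_node(xml_text: str) -> str:
    """The vulnerable pattern: read only the first text node of <NameID>.
    A comment splits the text into two nodes, so everything after it is
    silently dropped and the service provider sees a different account ID."""
    return _name_id_node(xml_text).firstChild.nodeValue


def name_id_all_text(xml_text: str) -> str:
    """Hardened: concatenate every text node, so a comment cannot truncate
    the value and the extracted ID matches what was actually signed."""
    node = _name_id_node(xml_text)
    return "".join(c.data for c in node.childNodes if c.nodeType == c.TEXT_NODE)


def name_id_strict(xml_text: str) -> str:
    """Stricter still: refuse a <NameID> that contains anything but text,
    since an identity provider has no reason to emit comments there."""
    node = _name_id_node(xml_text)
    if any(c.nodeType != c.TEXT_NODE for c in node.childNodes):
        raise ValueError("NameID contains non-text content; rejecting assertion")
    return name_id_all_text(xml_text)


if __name__ == "__main__":
    print("digests equal:", canonical_digest(SIGNED) == canonical_digest(COMMENTED))
    print("vulnerable read:", name_id_first_text_node(COMMENTED))
    print("hardened read:  ", name_id_all_text(COMMENTED))
```

The practical check for a defender is whether the SSO library in use reads the subject identifier through a path that stops at the first text node; the fixed releases described in the advisory replaced that behaviour.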

Coordinated

Steve Manzuik, director of security research at Duo Security, told El Reg that the advisory is in “no way an attempt to criticize competitors’ products. In fact, the coordinated disclosure alongside our own customer notification is intended to do the exact opposite.”

“This vulnerability was identified during an internal review to vet possible software dependencies,” he explained. “It was after we identified that issue, that we felt other SAML libraries could be affected by the same or similar issues. That hypothesis turned out to be correct. We found a vulnerability that affects multiple SAML libraries. These libraries can be used by organizations to enable, for example, Single-Sign-On between websites in their organization.”

So: check your SSO library or provider for any security updates, and apply them when you can, ideally before miscreants start to exploit this class of bug. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/02/28/sso_sys_flaw/

NSA boss: Trump won’t pull trigger for Russia election hack retaliation

NSA boss Mike Rogers told a US congressional panel today that Russia’s online mischief-making in America’s elections is not going to stop – because Uncle Sam isn’t hitting back.

“I believe that President Putin has clearly come to the conclusion there’s little price to pay here, and that therefore I can continue this activity,” Admiral Rogers told the Senate Armed Services Committee.

“Everything, both as the [NSA] director and what I see on the US Cyber Command side, leads me to believe that if we don’t change the dynamic here, this is going to continue, and [the 2016 elections] won’t be viewed as something isolated. This is something that will be sustained over time.”

Despite repeated testimony from US intelligence officials stating that Russia has waged a years-long campaign to destabilize the US by spreading disinformation, discord and divisive messaging online, very little action has been taken as President Trump maintains the issue is overblown. Congress voted for a serious crackdown on Russia with the Countering America’s Adversaries Through Sanctions Act, but so far the White House has chosen not to follow through and take punitive action.

Admiral Rogers said his cyber-warriors had taken some steps to “begin some specific work” on tackling the Kremlin’s interference, but that more offensive action would need a direct order from the President or the Secretary of Defense. He said so far no orders had been forthcoming.

Rogers has a point. Any non-trivial actions taken by US Cyber Command, overseen by the NSA, could be considered an act of war, and as such would require some serious authorization. The agency needs the President’s approval to attack, knacker, or shut down a foreign government’s computer systems. Not that we’re advocating a full-blown cyber-war or anything; just letting you know the admiral’s thinking.

“Rogers requires an order from Trump to conduct computer network operations,” explained New York Times cybersecurity guru Nicole Perlroth. “Without that order, NSA cannot proactively address Russian cyber threats.”

White House press secretary Sarah Huckabee Sanders disagreed with Admiral Rogers’ views. In a briefing, Sanders claimed Rogers had all the authority he needed.

“Nobody is denying him the authority” to take action, the spinner suggested. “We are focused on looking at a variety of different ways. Department of Homeland Security [Secretary] Kirstjen Nielsen met with a number of state, local and federal officials on all the ways we can best prevent things. We are looking at a number of different options.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/02/27/nsa_russia_election_hacking/

Intel gives Broadwells and Haswells their Meltdown medicine

Intel slipped out a new Microcode Update Guidance on Monday, revealing that lots of Haswell and Broadwell Xeons can now receive inoculations against the Meltdown and Spectre CPU design flaws.

The new document (PDF) says Broadwell processors with CPUIDs 50662, 50663, 50664, 40671, 406F1, 306D4 and 40671 are ready for their reaming.

Updates for Haswells numbered 306C3, 4066, 306F2, 40651 and 306C3 have also hit production.

The CPUs mentioned above include Xeon and Core silicon.

Broadwell debuted in 2014 and Haswell the year before, so these updates show Intel is working backwards through its catalog. The Update Guidance also lists 16 processor types for which Intel is still in the planning stage, meaning Intel has no schedule for delivering a fix. The affected CPUs are mostly oldies. A further 9 CPU types are listed as “Pre-beta”, meaning microcode is being tested by partners under non-disclosure agreements.

Oracle’s also visited its past in the pursuit of Meltdown/Spectre patches: late last week it offered patches for version 5.x of its Linux. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/02/28/new_intel_meltdown_spectre_microcode_releases_haswell_broadwell/

Nation-State Hackers Adopt Russian ‘Maskirovka’ Strategy

New CrowdStrike report shows blurring of state-sponsored and cybercrime hacking methods.

A wave of surprising twists in both nation-state and cybercrime-related cyberattacks in the past year along with increasing overlap in their tools and tactics has ushered in a new era where all is not what it seems.

Positively identifying the actual threat group behind a cyberattack as well as its true intentions is getting harder than ever as nation-state hacker groups out of North Korea and Russia, for example, in 2017 employed tactics typically used by their cybercriminal counterparts, and vice versa. In May of last year, North Korea’s massive ransomware campaign WannaCry at first appeared to be the handiwork of traditional financially motivated hackers, while Russia’s data-destruction attack via NotPetya initially presented itself as a pure ransomware attack.

The cloak-and-dagger character of NotPetya, for example, reflects a Russian military doctrine called “maskirovka,” which is all about deceiving and confusing the victim while also hiding the actual intent of the operation, according to CrowdStrike. “Although NotPetya was eventually revealed to be a wiper, the veneer of ransomware delayed this initial assessment,” the security firm wrote in its new Global Threat Report published this week, which analyzes findings and trends from its incident response investigations and data from its cloud-based Falcon endpoint detection system in 2017.

The destructive NotPetya attack was a data-wiping campaign against Ukraine that also hit companies in the US (Merck and Federal Express), Russia’s top oil company Rosneft, Danish shipping giant A.P. Moller-Maersk, Russian metals manufacturer Evraz, as well as Ukraine’s Boryspyl Airport. In rare public attack attribution statements, the US, UK, Canada, New Zealand and Australia, this month all pointed the finger at Russia as the culprit.

The security research community for some time had suspected Russia was behind the attacks, but the “Five Eyes” nations all calling out Russia comes with potentially wide political and diplomatic ramifications. “When we were in the heat of investigating NotPetya, a lot of people were talking: ‘is this an act of war?’ NATO talked about Article 5. We are in uncharted territory,” says Adam Meyers, vice president of intelligence at CrowdStrike. “We don’t know what the next steps are,” he says, given both the identification of Russia and the ongoing Mueller investigation into the Trump campaign and administration’s dealings with Russia.

According to reporting this week by The Washington Post, US intelligence officials said Russia’s GRU military hacking unit was behind cyberattacks on the 2018 Winter Olympics network, attempting to appear as attackers out of North Korea, using North Korean IP addresses and other false flags. The GRU hackers had infiltrated some 300 computers tied to the Olympics, according to the report. Some researchers initially ID’ed North Korea as the culprit, while others dismissed that theory.

“We concur with the assessment that Russia likely conducted these attacks, and were most likely motivated by retaliation against the Olympics for the banning of Russian athletes,” says John Hultquist, director of intelligence analysis at FireEye, which earlier this year predicted a Russian attack on the Games that would be staged to appear as the handiwork of another nation, such as North Korea. “Similarly, we attribute a number of recent compromises against Olympic and other international sporting entities to the Russia-nexus APT28.”

Destruction

NotPetya was a game-changer: Russian threat actors posed as ransomware attackers looking to make some cash, but the malware ultimately had no decryption key and destroyed the files it had taken hostage.

“The fact they’re doing it using ransomware as a cover … effectively gives nation-states the ability to create destructive attacks that are not attributable,” CrowdStrike’s Meyers says.

The Russian attackers behind NotPetya made a serious attempt to hide their origins and intent, he says. “There was a ransom note, but no way to recover the data,” he says. Their actual targets became clearer when the infections were traced to a popular Ukrainian accounting software program. The non-Ukrainian victims were basically collateral damage, but with a catch: “Any organization doing business with Ukraine that may have been impacted would be thinking twice about” that relationship after the attacks, he says.

Russia of course is not the only nation-state waging destructive attacks under the guise of cybercrime: North Korea long has employed that tactic, first with the Dark Seoul and other DDoS attacks on South Korea and the US that camouflaged actual data theft, and then with its brutal hack, doxing, and data-wiping attack on Sony in 2015. Its WannaCry ransomware campaign had the look-and-feel of a cybercriminal campaign until researchers started connecting the dots to known North Korean code. There was no data destruction element, however. “North Korea was actually trying to generate revenue with WannaCry,” and not to destroy data, Meyers notes.

WannaCry, of course, weaponized EternalBlue, an NSA-built exploit that was stolen and leaked online, to spread wormlike among Windows machines around the world. “The result of trickle-down in the field of cybersecurity has been a proliferation of military-grade weaponry for cyber warfare being pushed down into the masses and commoditized” such as EternalBlue, CrowdStrike’s report says.

Nearly 40% of all attacks spotted by CrowdStrike last year didn’t use malware. And CrowdStrike’s incident response data shows that now it takes hackers less than two hours to move from patient zero to other machines in the victim’s network.

“Based on observed incidents, CrowdStrike established that the average ‘breakout time’ in 2017 was one hour and 58 minutes. Breakout time indicates how long it takes for an intruder to jump off the initial system they had compromised and move laterally to other machines within the network,” the report says.
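As an added illustration of that metric (this is not code from the CrowdStrike report or the article), the Python below computes breakout time from constructed endpoint telemetry: it measures from the initial compromise event on patient zero to the first intruder activity on a different host, averages across incidents, and flags incidents where the intruder broke out faster than a containment threshold. The incident ids, host names and timestamps are made up; they are chosen so the average comes out to the one hour and 58 minutes cited above.

```python
from datetime import datetime

# Constructed endpoint telemetry for two incidents (sample data, not real).
# Each record: (incident_id, ISO-8601 timestamp, host, event_type).
# "initial_compromise" marks patient zero; any later event on a different
# host in the same incident is the intruder's first lateral hop.
SAMPLE_EVENTS = [
    ("INC-1", "2017-06-27T09:00:00", "ws-accounting-07", "initial_compromise"),
    ("INC-1", "2017-06-27T09:45:00", "ws-accounting-07", "credential_dump"),
    ("INC-1", "2017-06-27T10:40:00", "srv-file-01", "remote_logon"),
    ("INC-1", "2017-06-27T11:10:00", "dc-01", "remote_logon"),
    ("INC-2", "2017-08-03T22:15:00", "laptop-sales-12", "initial_compromise"),
    ("INC-2", "2017-08-04T00:31:00", "srv-app-03", "remote_logon"),
]


def _ts(record):
    """Timestamp of a telemetry record as a datetime."""
    return datetime.fromisoformat(record[1])


def breakout_time_minutes(events, incident_id):
    """Minutes from the initial compromise to the first activity on another
    host in the same incident. Returns None if the incident is unknown or
    the intruder never left patient zero."""
    rows = sorted((r for r in events if r[0] == incident_id), key=_ts)
    patient_zero = next((r for r in rows if r[3] == "initial_compromise"), None)
    if patient_zero is None:
        return None
    for r in rows:
        if r[2] != patient_zero[2] and _ts(r) > _ts(patient_zero):
            return int((_ts(r) - _ts(patient_zero)).total_seconds() // 60)
    return None


def average_breakout_minutes(events):
    """Mean breakout time over all incidents that show lateral movement."""
    ids = sorted({r[0] for r in events})
    times = [t for t in (breakout_time_minutes(events, i) for i in ids) if t is not None]
    return sum(times) / len(times) if times else None


def incidents_under(events, threshold_minutes):
    """Incident ids whose intruder broke out faster than the threshold;
    a triage cue for how quickly detection and containment must happen."""
    fast = []
    for i in sorted({r[0] for r in events}):
        t = breakout_time_minutes(events, i)
        if t is not None and t < threshold_minutes:
            fast.append(i)
    return fast


if __name__ == "__main__":
    for inc in ("INC-1", "INC-2"):
        print(inc, breakout_time_minutes(SAMPLE_EVENTS, inc), "minutes")
    print("average:", average_breakout_minutes(SAMPLE_EVENTS), "minutes")
    print("faster than 2h:", incidents_under(SAMPLE_EVENTS, 120))
```

In real telemetry the "first activity on another host" would come from authentication logs or EDR process events rather than a hand-labelled event type; the measurement itself stays the same, and the useful output for a defender is the gap between this number and the time the SOC needs to detect and respond.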


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/threat-intelligence/nation-state-hackers-adopt-russian-maskirovka-strategy/d/d-id/1331150?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Can the FBI really unlock ANY iPhone in existence?

US media giant Forbes is making a bold claim: the FBI can now unlock every iPhone in existence.

Actually, that’s not exactly what Forbes said – the headline used the slang term “Feds”, referring not just to the FBI, but to law enforcement in general and, by obvious association, to the world’s various intelligence services, too.

And, to be precise, Forbes put the word “probably” in the headline, too, neatly wrapped in brackets in a way that probably made the Forbes lawyers much happier.

So, according to Forbes, law enforcement agencies may be able to unlock many or most iPhones in use out there.

Is it true?

The company that caused Forbes to make this dramatic claim is one we’ve mentioned before on Naked Security: Cellebrite.

Cellebrite is headquartered in Israel, but owned by Suncorporation, a Japanese company broadly associated with video gaming and the pachinko industry. (A pachinko machine is a type of slot machine popular in Japan.)

You may recall that the FBI famously (or infamously, depending on where you stand in the phone unlocking debate) broke into the iPhone 5C of the dead San Bernardino terrorist and mass murderer Syed Rizwan Farook.

At first, no one quite knew how the FBI did it.

We speculated that there were several approaches the cops might have used:

  • Perhaps the passcode was 0000 or 2580, and the FBI got lucky?
  • Perhaps autowipe after 10 wrong guesses was off, so the FBI had more than 10 goes?
  • Perhaps the iPhone had enough unencrypted data left in RAM to help the investigation?
  • Perhaps the FBI could re-write RAM and flash storage to allow repeated guesses?
  • Perhaps the FBI purchased a zero-day vulnerability in iOS?
  • Perhaps the FBI recovered the code using fingerprint marks on the screen?

In the end, it seems that Cellebrite helped out in the San Bernardino case, in a phone hack that was claimed to have cost close to $1,000,000 in total, and that involved a system that worked only on a “narrow slice of phones,” apparently including the iPhone 5C but not the iPhone 5s or later.

What now?

Now, if Forbes is to be believed, Cellebrite has extended the range of phones it can successfully unlock, according to the company’s own marketing material:

Devices supported for Advanced Unlocking and Extraction Services include:

Apple iOS devices and operating systems, including iPhone, iPad, iPad mini, iPad Pro and iPod touch, running iOS 5 to iOS 11.

Google Android devices, including Samsung Galaxy and Galaxy Note devices; and other popular devices from Alcatel, Google Nexus, HTC, Huawei, LG, Motorola, ZTE, and more.

Of course, Cellebrite isn’t openly promising that it can always get everything off the systems listed above, merely that those devices “are supported”.

And Cellebrite isn’t saying which sorts of device it’s willing to take a go at – newer ones generally have more secure hardware to enforce the security coded into the software.

You have to send the device to a Cellebrite office; it’s sent back unlocked, if possible – obviously, Cellebrite can’t guarantee to unlock any phone out there, not least because a confiscated device could, in fact, already be irreparably damaged.

But would Cellebrite go to the trouble of inviting law enforcement agencies to send “devices of interest” to a Cellebrite lab if it didn’t think it had a fair chance of getting in?

Does Cellebrite have an exploitable vulnerability up its sleeve that neither Apple nor the jailbreaking community has yet discovered?

Despite Forbes’s bullish (or bearish, depending on where you stand in the phone unlocking debate) claims, we simply can’t say.

What to do?

Let’s assume the worst – namely that Cellebrite does have a pair of iPhone and Android zero-day aces in the hole.

In a way, there’s some good news in that scenario: you can bet your boots (and your trendy phone case) that Cellebrite will go many miles out of its way not to let those zero-days become known, because they’re the geese that lay the golden purchase orders.

So, even if Cellebrite is willing to have a go at cracking phones, for a fee, your device still isn’t wide open to just anyone.

In other words, the following simple precautions are well worth taking:

  • Patch early, patch often. This can be tricky in the divided and inconsistent Android ecosystem, but it’s pretty easy in the iPhone world: when there’s an iOS update, install it right away. You’ll be protecting against plenty of new security holes that have recently been reported – and, who knows, if Cellebrite really does have a secret security hole of its own, sooner or later you’ll neutralise that one, too.
  • Use the longest phone lock code you can manage. A 10-digit lock code is a mild irritation for a while, but soon starts to feel like a virtuous and more secure choice than 4 or 6 digits – because it is.
  • Set the shortest lock period you can tolerate. A phone that automatically locks itself after a minute will annoy you from time to time, but it will annoy any prospective “hit and run” crooks (or mischievous friends and colleagues) a whole lot more.
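To put numbers on the passcode advice above, and on the earlier speculation about lucky guesses like 0000 or 2580 and about the 10-guess autowipe, here is an added Python illustration (not code from the article or from any vendor). It models the two things a defender controls: the size of the code space versus the number of guesses permitted before the device wipes, and a policy screen that rejects guessable codes. The list of commonly guessed codes, the keypad line patterns and the guess rates are assumptions for the example.

```python
# Constructed list of guessable codes; the article itself names 0000 and 2580.
COMMONLY_GUESSED = {"0000", "1111", "1234", "2580", "1212", "0852",
                    "123456", "000000", "111111"}

# Straight lines on a phone keypad (rows, columns, diagonals), read either way.
KEYPAD_LINES = ("123", "456", "789", "147", "2580", "369", "159", "357")


def keyspace(digits):
    """Number of distinct numeric codes of the given length."""
    return 10 ** digits


def guess_success_probability(digits, attempts_before_wipe):
    """Chance that an attacker limited to `attempts_before_wipe` tries (the
    autowipe setting) lands on a uniformly random code of this length."""
    return min(1.0, attempts_before_wipe / keyspace(digits))


def exhaustive_search_days(digits, guesses_per_second):
    """Days needed to try every code at an assumed sustained guess rate, i.e.
    if the attempt counter and escalating delays were somehow bypassed."""
    return keyspace(digits) / guesses_per_second / 86_400


def check_pin(pin, min_length=6):
    """Policy screen: return the reasons a numeric code is weak
    (an empty list means the code passes)."""
    reasons = []
    if not pin.isdigit():
        return ["not numeric"]
    if len(pin) < min_length:
        reasons.append("shorter than %d digits" % min_length)
    if pin in COMMONLY_GUESSED:
        reasons.append("commonly guessed code")
    if len(set(pin)) == 1:
        reasons.append("single repeated digit")
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {-1}):
        reasons.append("ascending or descending run")
    # A short block repeated to fill the length, e.g. 1212 or 123123.
    for k in range(2, len(pin) // 2 + 1):
        if len(pin) % k == 0 and pin == pin[:k] * (len(pin) // k):
            reasons.append("repeating block")
            break
    for line in KEYPAD_LINES:
        if pin in line or pin in line[::-1]:
            reasons.append("straight line on the keypad")
            break
    return reasons


if __name__ == "__main__":
    for d in (4, 6, 10):
        print("%2d digits: P(found in 10 tries) = %.1e, exhaustive at 1 guess/s = %.0f days"
              % (d, guess_success_probability(d, 10), exhaustive_search_days(d, 1.0)))
    for candidate in ("0000", "2580", "8371", "4827519360"):
        print(candidate, check_pin(candidate, min_length=4) or "ok")
```

The probability figure is the one that matters while the autowipe limit holds: ten guesses against a 4-digit code is a one-in-a-thousand shot, against a 10-digit code one in a billion. The exhaustive-search figure only becomes relevant if a tool such as the one the article speculates about can bypass the counter, which is exactly the scenario in which a longer code buys the most.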


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/GnPQDeKbQYI/