Security Articles - H 2020 1 2 3 4 5 6 7 8 9 10 Security List - H 2021 2020 2019 2018 1 Security blog Security blog
US Judge Ordered Google to Hand Over Emails Stored On Foreign Servers to FBI
7.2.2017 thehackernews Security
In this world of global mass surveillance by not the only US, but also intelligence agencies across the world, every other country wants tech companies including Google, Apple, and Microsoft to set-up and maintain their servers in their country to keep their citizen data within boundaries.
Last year, Microsoft won a case which ruled that the US government cannot force tech companies to hand over their non-US customers' data stored on servers located in other countries to the FBI or any other federal authorities.
However, a new notable ruling just goes against the court judgment last year, raising concerns regarding people's privacy.
A US magistrate reportedly ruled Friday that Google has to comply with FBI search warrants seeking customer emails stored on servers outside of the United States, according to Reuters.
U.S. Magistrate Judge Thomas Rueter in Philadelphia noted that transferring emails from outside servers so FBI could read them locally as part of a domestic fraud probe didn't qualify as a seizure because there's "no meaningful interference" with the account holder's "possessory interest" in the data sought.
Here's what Judge Rueter says:
"Google regularly transfers user data from one data center to another without the customer's knowledge. Such transfers do not interfere with the customer’s access or possessory interest in the user data. Even if the transfer interferes with the account owner's control over his information, this interference is de minimis [minimal] and temporary."
In August 2016, the search engine giant was ordered to comply with two FBI search warrants related to criminal investigations, but Google provided only the data stored on its US servers.
So, the government filed a motion to compel Google to hand over the rest of the information to the FBI.
When the company referred to the last year's ruling in favor of Microsoft by the US Court of Appeals for the Second Circuit in a similar case, the judge said Google was found processing its foreign-stored data in a way that made it impossible for the US government to ask a foreign state for legal assistance.
However, Google made it clear that a search warrant, if granted, can give the government access to email content, while subpoenas and court orders only let them access non-content data, like an account creation number, phone number, and sign-in IP address.
According to the new ruling, the search engine giant receives over 25,000 requests every year from United States authorities for disclosures of user data in criminal matters.
Google is obviously unhappy with the result and intends to fight it back.
Darknet Marketplace Hansa Launches Bug Bounty Program
6.2.2017 securityweek Security
The darknet marketplace Hansa announced last week the launch of a bug bounty program with rewards of up to 10 bitcoins, currently worth more than $10,000.
Hansa allows users to buy and sell various types of items, including drugs, fraud-related services, jewelry, counterfeit products, electronics, and IT services. The marketplace is designed to minimize the risk of scams operated by vendors and Hansa administrators, and claims to guarantee that users will not lose their funds in case of a hack or law enforcement operation.
In an effort to minimize the chances of the website getting hacked, Hansa’s owners have decided to launch a bug bounty program. The highest rewards, up to 10 bitcoins, will be paid out for vulnerabilities that could “severely disrupt Hansa’s integrity,” such as flaws that expose IP addresses or user information.
Hansa has promised 1 bitcoin, worth roughly $1,000, for bugs and vulnerabilities that are not critical. Users can also earn 0.05 bitcoins ($50) for reporting simple display bugs or unintended behavior.
“To be eligible, you must demonstrate a security compromise on our market using a reproducible exploit. Should you encounter a bug please open a ticket and inform us about your findings,” Hansa administrators wrote in a Reddit post announcing the bug bounty program.
Users who submit vulnerability or bug reports must not make their findings public before the issue has been fixed, and they must refrain from conducting any tests that could have a negative impact on the website or its users. Hansa has advised users to provide detailed proof-of-concepts (PoCs) to increase their chances of receiving a reward.
Hansa has promised to respond to vulnerability and bug reports as quickly as it can, and provide updates while it works to address the problem.
In the Reddit post announcing the launch of the bug bounty program, two users said they had already submitted reports describing vulnerabilities that could have serious consequences if exploited.
Last month, someone reported finding a vulnerability that exposed the private messages exchanged by users of the popular darknet marketplace AlphaBay. The individual who discovered the security hole claimed to have created a bot that collected more than 200,000 private messages.
The same individual also said he had identified a flaw in the Hansa marketplace, which allegedly allowed him to obtain 240,000 Hansa usernames.
Security Intelligence Automation Startup LogicHub Emerges from Stealth
3.2.2017 securityweek Security
Machine learning and artificial intelligence seem to be the way forward in cyber security; nearly all new companies and products boast that capability. But one new company, emerging from stealth on Wednesday, is a little different. Most current security systems seek to automate knowledge; this one seeks to automate intelligence -- the 'how' over and above the 'what'.
LogicHub announced its arrival with news of an $8.4 million Series A funding round led by Storm Ventures and Nexus Venture Partners. Its purpose is to build a new type of threat detection system based on human security intelligence rather than simply big data analysis. This is based on one primary observation: a top grade human analyst is better at detecting threats than the current generation of threat detection systems.
"We have done what we call cyberhunt challenges with 75 companies," CEO and co-founder Kumar Saurabh told SecurityWeek. "We provided a volume of data containing a threat, and asked each company if its automated system would find it. In only two out of the 75 challenges did the organization say its systems had more than a 50% chance of doing so. But they also said their in-house expert analyst would find it with 90+% confidence."
But when he next asked if they could find the threat in two minutes, the response was resounding: it would take more like two hours. "This is what I hear again and again," he said: "the systems are not clever enough, and the analysts are not fast enough." His solution is to develop a system that can combine the intelligence of analysts with the speed of machines.
"At the end of the day," says Saurabh, "experienced cyber analysts are much better at detecting threats and triaging false alarms than the security tools available, but given the magnitude of the challenge, most teams can only inspect a tiny fraction of all security events collected in-depth. To combat this, LogicHub has found a way to capture and automate the knowledge and expertise of the most skilled cyber analysts, which results in much deeper threat detection."
This is the conundrum that LogicHub has set itself to solve: automating the human expert analyst's threat hunting process rather than just generating and maintaining more and more rules on recognizing known threat indicators. By capturing expertise into a security intelligence 'brain', that expertise can then be used by lower grade analysts in the future. Furthermore, if the expert analyst is tempted away by a higher salary elsewhere, his or her expertise does not entirely leave at the same time.
It requires a different type of architecture, and Saurabh points to Google Search as an example. It is fast, clever, and able to 'predict' user requirements. "One of the key things Google did a couple of years ago," he explained, "was they built a knowledge graph. And that knowledge graph has tens of millions of entities and relationships. They use that knowledge graph to link entities by relationships so that it understands the data it contains."
In fact, in October 2016, City University of New York professor Jeff Jarvis tweeted, "Google knowledge graph has more than 70 billion facts about people, places, things. + language, image, voice translation."
"The difference between Knowledge Graph and the security solutions available today is that they don't understand the data," said Saurabh. "They do nothing to tell the user how to navigate the data." It's like the difference between modern GPS and a road atlas, he continued. "With the atlas, you have the data, but you have to figure out what that data means by yourself."
In threat analysis, there are very few people who really understand what the data means. "Since that understanding is trapped in their heads, it can only be leveraged in a very limited way. With automation, we can take the expertise that is trapped in their heads and turn it into a system so that what one analyst knows and applies can be shared with ten other people on the security team. Over time you can build a system that is more available as a service, and can be used by hundreds of companies -- it becomes a security brain."
Developing that security brain is what LogicHub is doing. It has an augmentation tool that automates that capture of analyst methods, so that different analytical method from different analysts can be combined into the intelligence automation tool. "A security analyst with our security intelligence automation platform can become equal to ten analysts. You have to use the augmentation tool to get there; but it has that potential."
This system will be offered as an on-premise solution for those companies not yet comfortable with the cloud and sharing data, and as a cloud service that combines and shares analytical expertise with all cloud customers.
How much trust do you put into your Gmail inbox messages?
3.2.2017 securityaffeirs Security
Given the high trust we have on Gmail we tend to believe that all messages that fall into our inbox are legit and safe, but there is something to know …
1. Introduction
Taking good care of e-mail messages is certainly among the first recommendations of any information security policy and user awareness program. The involved risks range from SPAM to Spear Phishing attacks, generally aimed to steal information or infect the victim’s computer. Most malicious messages are filtered by anti-“everything” engines before ever being delivered to the user’s mailbox, although some bypass those filters and require the user’s perspicacity to be detected.
Generally, our trust on the technology security filters is proportional to the reputation of the service provider. The higher our belief on the provider, the lower tends to be our attention to the risks. Given the high trust we have on Gmail we tend to believe that all messages that fall into our inbox are legit and safe.
It turns out that, based on our findings this week at Morphus Labs, this “trust” logic should be revisited. We realized that a message that appears in your Gmail inbox folder even with an important sign, coming from one of your Gmail contacts with no spoof or security alert, may have been forged and impersonated by a fraudster or a cybercriminal. As few people may be aware of this possibility, we decided to shed light on this problem with this article.
This document is divided into four parts. First, it presents a contextualization on e-mail spoofing. Then, it passes through to our e-mail spoofing experiment scenarios involving Gmail and Yahoo. Next, it presents an extra Gmail behavior and finally, it presents advices on how users could identify Gmail spoofed messages and final words.
2. E-mail Spoofing
In this section, we will pass through some SMTP concepts and how e-mail sender spoofing occurs. If you are familiar with those concepts, you can skip to the next section.
The Simple Mail Transfer Protocol (SMTP) is the standard protocol used for email transmission over the Internet. Considering the technology evolution rate and today’s security requirements, we may say that this protocol is, at least, anachronistic. Its first version was defined in 1982 by the RFC 821 [1] and has not evolved much since – mainly in security aspects.
As stated in the previous paragraph, the SMTP protocol defines the message transport, not the message content. It defines, therefore, the mail envelop and its parameters, such as the message sender and recipient. The message content (body) and headers are defined by the standard STD 11 (RFC 5322) [2].
Basically, a SMTP transaction consists of three commands:
Mail From: establish the message return address in case of delivery failure;
Rcpt to: establish the message recipient. In case of multiple recipients, this command may be repeated for each one;
Data: this command sign the SMTP server to receive the content of the message which consists of the message headers and body.
To make it clear, let’s look at a very basic sample of a SMTP transaction in the Figure 1.
Figure 1: Simple SMTP transaction sample
Note that the directive “From:” is part of the message content and is normally equivalent to the value used in the SMTP command “mail from:”, but not necessarily. Its value can be freely specified by the system or person issuing commands to the SMTP server. Using the same sample, but now spoofing the message sender, it would be enough to change the “From: “ to the desired value, as seen in Figure 2.
Figure 2: A sample SMTP transaction with a spoofed sender
In this case, the message delivered to recipient@domain.com will look like it has been sent by SpoofedSender@anydomain.com rather than sender@domain.com. This open space for message impersonation or sender spoofing. And this is exactly the way it is done by cybercriminals or fraudsters to trick its victims to click on malicious links, for example.
Note that by using this kind of impersonation, if the recipient replies the message, it will be delivered to the spoofed address. For the example above, it would be delivered to SpoofedSener@anydomain.com.
It turns out that changing the “From:” to the desired value will almost certainly trig the recipient’s mail server anti-spam or anti-phishing to reject or quarantine the sent. If the message bypasses those filters, it will depend on the recipient to detect that the message was forged by analyzing the message headers.
Trying to avoid those filters, some spammers configure ad-hoc mail servers in a way to send spoofed messages on behalf of a certain domain by changing the “Mail from:” SMTP command and “From:” header to the desired value. This spoof strategy can be combated by the owners of the Internet domain by applying spoofing protection mechanisms, like SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail) and DMARC (Domain Message Authentication Reporting & Conformance). By using SPF, for example, you can specify the IP addresses of the mail servers that are allowed to send e-mail messages on behalf of your domain. Once this policy is stablished, it will be up to the recipient’s mail server to check the policy and reject messages coming from non-authorized servers.
3. Experiments
After some basic concepts on SMTP protocol and how e-mail spoofing occurs, it’s time to check the resilience of Gmail and Yahoo against mail spoofing. We are going impersonate the “From:“ message header value. The “Mail from:” SMTP command will be issued using an address of a generic domain owned by us.
For the experiments, we created a very simple scenario:
For the source of the spoofed messages, we used a generic “.com” domain owned by us and registered roughly a year ago that has not been used to host content nor to send e-mail;
For the mail server, we hired and configured a Linux server at Amazon EC2 with minimum resources running a Postfix default installation with the address *.*.123.26;
The accounts in Gmail and Yahoo we are going to use as recipients and senders of the spoofed messages were created for the experiments. They are: temporaryrecipient@gmail.com, temporaryrecipient@yahoo.com, temporarysender@gmail.com and temporarysender@yahoo.com.;
All the tests were done by connecting directly to our SMTP server (port 25) and issuing SMTP commands manually to make it easy to collect the evidence to this report.
Let’s get started.
3.1. Trying to spoof without SPF
In this experiment, we are going to try this scenario:
Try to impersonate Gmail and Yahoo accounts sending spoofed messages to the respective provider’s recipients. I.e.: temporarysender@gmail.com to temporaryrecipient@gmail.com and temporarysender@yahoo.com to temporaryrecipient@yahoo.com.
The SMTP server’s IP address is not allowed in SPF policy of our generic “.com” domain to send e-mails on behalf of it, as seen on Figure 3.
Figure 3: No SPF policy associated to the experiment domain
3.1.1. Trying to spoof a Gmail to Gmail message
This experiment itself consisted in sending an e-mail message to temporaryrecipient@gmail.com pretending to be from temporarysender@gmail.com. It is to be observed that email@our-generic-domain.com was set as the “Mail from:” SMTP parameter while the “From:” header was set to the forged value temporarysender@gmail.com, as seen in Figure 4.
Figure 4 – Trying to spoof Gmail to Gmail message with no SPF policy
As the result of this experiment (Figure 5), the Gmail servers rejected our spoofed message (ID: 7A14D2452C) with the error code 421-4.7.0 followed by the message “To protect our users from spam, mail sent from your IP address has been temporarily rate limited.” We can also see the error 421-4.7.0 and the message “Our system has detected that this message is suspicious due to the very low reputation of the sending IP address.”.
Figure 5 – Gmail servers rejecting the spoofed message
3.1.2. Trying to spoof a Yahoo to Yahoo message
Now, let’s see what happened in the Yahoo spoofing scenario. Similarly to Gmail scenario, we tried to send a message to temporaryrecipient@yahoo.com pretending it to be from temporarysender@yahoo.com, as seen in Figure 6.
Figure 6 – Trying to spoof Gmail to Gmail message with no SPF policy
As the result for this experiment, we verified that our Postfix mail server couldn’t deliver the message (ID 4259245CE). The error 421-4.7.0 followed by the message “suspicious due to the very low reputation of the sending IP address” was triggered as seen in Figure 7.
Figure 7: Mail rejected by Yahoo servers during the spoofed message delivery
3.2. Trying to spoof with SPF
In this experiment, we are going to try this scenario:
Try to impersonate Gmail and Yahoo accounts sending spoofed messages to the respective provider’s recipients. The same as the previous experiment.
Configure our domain’s SPF policy to allow our SMTP server to pass e-mail on behalf of it, as seen in the Figure 8. Our intention is to verify if this configuration, besides being a kind of self-authorization, could interfere in the Gmail and Yahoo anti-spoofing filters.
Figure 8: SPF policy allowing our SMTP Server
3.2.1. Trying to spoof a Gmail to Gmail message
As the previous experiment, we try to send an e-mail message to temporaryrecipient@gmail.com pretending to be from temporarysender@gmail.com. In the Figure 9, you can see the commands issued to our SMTP server in order to send the spoofed message.
Figure 9: Spoofing Gmail to Gmail with SPF policy allowing our SMTP server
In Figure 10, you can see the logs from our SMTP server while delivering the message (ID EBE852452C) to Gmail servers.
Figure 10 – SMTP logs
Unlike what happened when the SPF policy wasn’t authorizing our SMTP server, this time Gmail servers accepted our message delivery. Remains to know if the message was tagged as SPAM or something like that. To our surprise, the message was delivered to the recipient’s inbox folder, as seen in Figure 11. We got really surprised about that.
Figure 11 – Spoofed message in the recipient’s inbox folder
As you can see in Figure 12, by opening the message, the only detail that may draw the user’s attention to a suspicious “non-Gmail” message is the “via our-generic-domain.com” near the sender’s address. As it’s not an alert and it doesn’t have any warn sign, users may not pay enough attention to this detail and believe the message is legit. It’s important to note that if the user receives this message on iOS mobile app, this detail does not even appears as shown in Figure 13. The Gmail app for Android offers user the option to see the security details of the message.
Figure 12 – Spoofed message in the Gmail Web app
Figure 13 – The spoofed message seen from the Gmail iPhone mobile app
By observing the message headers, in Figure 14, we can see that the SPF check PASS and besides the unsuccessful DMARC check, the e-mail was properly delivered to the inbox folder of the recipient. Technically speaking, the DMARC test depends on SPF and DKIM tests. If both tests return Ok, DMARC will PASS. [3]
Similarly to SPF, DMARC is a configuration done at DNS zone level that informs what the recipient’s e-mail server should do with a message that does not comply to its policy. If it should be “rejected” to drop the message, “quarantine” to isolate the message or “none” if you want to inform that the message should be delivered.
Figure 15: Spoofing Yahoo to Yahoo with SPF polity SMTP transaction
Unlike Gmail, Yahoo rejected our spoofed message during the SMTP transaction with the error 554 5.7.9 followed by the message “Message not accepted for policy reasons.”. It is not clear, but the message was probably blocked because of the @yahoo.com e-mail address in “From:” message header sent from a non-Yahoo server.
Figure 16 – Spoofed message rejected by Yahoo servers
3.3. Trying to spoof message between corporative domains hosted by Google Apps
Given we had success spoofing messages between @gmail.com accounts, we became curious if the same strategy would work for corporative domains hosted by Google. For this scenario we had help from two companies that host their e-mails with Google and tried to send a spoofed message between user accounts.
The same steps from section 3.2.1 (spoofing Gmail to Gmail with SPF) were used. The results in this more sensitive scenario showed us concerning results. Not only the message was delivered without security warnings to the recipient’s inbox folder, but also the spoofed account profile picture.
3.4. Extra findings
During our experiments, we’ve found a curious scenario in which Gmail detects the spoofed message. It happened when we tried to spoof an address that apparently does not exists on Gmail user base.
In this situation, unlike the successful scenarios, Gmail forwarded the message to Spam folder and adds a special security alert informing that they could not verify if the message was really sent by gmail.com, as seen in Figure 17.
Figure 17 – Behavior when the spoofed sender is a non-existing Gmail account
Take a look at the same message at the Gmail app for iOS on Figure 18. Beyond the alert, it shows a fish hook icon as an allusion to a phishing attack.
Figure 18 – Spoofed message on Google mobile app for iOS
Another interesting finding is related the spoofed email avatar. Google loads the real spoofed email associated profile image, which increases the legitimacy perception by the message recipient, as seem in the Figure below.
Figure 19 – Spoofed sender profile picture
4. How to identify Gmail spoofed messages
Given the spoofed message is delivered to your inbox, without security warning, may have been flagged as important, shows the picture associated with the spoofed email and may not show that the message was sent through a non-google server, what can an user do to protect itself?
In this section, we give advices on how users may identify Gmail spoofed messages and avoid risks.
4.1. Examine message details on Gmail
Be aware of messages in your inbox coming from “@gmail.com” via another servers or domains. Normally, @gmail.com messages are delivered directly from the Gmail servers. Unfortunately, the “via” tag is available only in Gmail Web Application. In the mobile (Android and iOS) apps this information is not present making it harder to identify fake messages.
Additionally, you may take a look at the message details. This feature is available at Gmail Web application by clicking on the “down-arrow” near “to me”, as in Figure 20
Figure 20 – Examining message details
4.2. Examine message source
By examining the message details, you may notice the first signs of a spoofed message, but, only by examining the full message headers you can make sure about that.
You can access the message source by clicking on the drop down button near the “reply” button on Gmail Web application and choosing the “Show original” option as seen in the Figure 21.
Figure 21 – Opening message source/original
Note that the value of the field “Return-Path” in the message headers is an address of a non-Gmail domain. The value in this field is exactly the same used in the “Mail from: “ SMTP command when we forged this message.
So, suspect Gmail messages you receive with improper address on this field, as seen in Figure 22.
Figure 22 – Observing the message source
It is worth noting that, as Gmail marks messages with the “via” tag, obviously there are situations in which the message was sent by another mail server and yet is legit. Thus, not all messages marked with the “via” tag are malicious.
4.3. Report malicious or spam messages to Gmail
Finally, as you identify malicious or spoofed messages, report it to Gmail. By doing this, you will help Gmail improve its message filters. The report spam/phishing functions are available on the drop down button near the “reply” button on the Gmail Web application.
5. Final considerations
As we can see, if you have a “self-authorized-email-server” by your own domain SPF policy, you can deliver spoofed messages pretending to be any existing @gmail.com address to the inbox folder of any other @gmail.com account with no security warning.
As per the results of section 3.3, it was also possible to spoof messages between corporative domains hosted by Google Apps. Beyond the malicious actions that may target a regular Gmail account, this possibility may put at risk entire businesses.
We’ve privately contacted Google Security team informing the possibilities that we have found and the potential impact to users. They gave us a rapid feedback informing that our submission won’t be tracked as a security bug.
Although it has not been considered a security bug, in our opinion, it would be better if Gmail could at least adopt the same behavior we saw when trying to spoof a non-existing Gmail account. The alerts used in this case could prevent users from a variety of malicious actions. Additionally, we suggest to add the possibility to view message security details within the Gmail IOS app, as today users have no options to verify if they are being spoofed.
It’s worth to mention that, as per our experiments, Yahoo rejected spoofed messages in both cases. We didn’t document Outlook.com tests, but the spoofed messages we tried to send were forwarded to recipient’s SPAM folder.
As it can be used by cybercriminals or fraudsters to make victims among Gmail users, we decided to publish this article to make people aware of this possibility and protect themselves.
Passwords Are Not Dead; There Are 90 Billion of Them, Report Says
2.2.2017 securityweek Security
The Total Number of Passwords Will Likely Grow from Approximately 90 Billion Today to 300 Billion by 2020, Report Says
There are 90 billion instances of something-you-know (that is, some flavor of the password mechanism) being used around the globe as the primary form of protecting cyber secrets today. This is a huge attack landscape that is frequently broken; but despite repeated claims that the password is dead -- for example, by Bill Gates in 2004, by IBM in 2011 and by Google in 2013 -- passwords show no sign of going away.
This is the conclusion of a new research report (PDF) from Cybersecurity Ventures and Thycotic. Not only is the password here to stay for the foreseeable future, its use will increase by threefold to around 300 billion instances by 2020. "Passwords are absolutely not dead -- they are not even declining -- and there is currently no technology that is replacing them," explains Thycotic's Joseph Carson, co-author of the report. "The current rate of growth is significant and the threat landscape for passwords will, by 2020, be three times what it currently is."
That growth will be fueled by more people coming online, by more people using social media logons and generating 'hidden' passwords in the process, and perhaps above all by the internet of things.
Part of the study included examining alternative technology that could replace passwords, such as biometrics. "We could find nowhere that biometrics have ever replaced passwords," said Carson. "They have complemented passwords, but have never replaced them. And they bring their own problems: processing power, storage costs, potential data protection issues (because they identify an individual rather than the possessor of an item of knowledge), and because they cannot be changed once compromised."
Carson is not a supporter of biometric authentication. "Once my fingerprint is disclosed, I can no longer use it. For example, the DHS collects all fingerprints during immigration. If they were ever breached and the fingerprints were disclosed, you would never be able to use any of your fingers again as a method of authentication." The same problem, he added, exists with retina and facial biometrics. "Many facials can be broken by using videos or recordings. So biometrics are good; but once they're compromised you can never use them again." Some are simply unreliable. "Heart rate and pulse, voice and others, can be impacted by the environment -- such as altitude, current health etc. Or you could injure an eye or finger and you always get back to the back-up -- the password."
Carson's argument is that if passwords are here to stay and there is no technology currently capable of replacing them, they need to be better supported. "Passwords are good," he said. Provided they are done correctly, "they work and are effective." But they can always, eventually, be broken by brute force computing power, "so depending on the sensitivity of what you are protecting, you will need to consider additional protections on top of the password."
So there are two ways forward: to improve the use of passwords at the user level, and to support the operation of passwords at the system level. He advocates the use of password managers to offset user password fatigue, and he believes that where multi-factor authentication is used, it should be mandated, not simply recommended. "We found in a separate study that in 2016 less than 10% of people and companies are actually managing their passwords, so this needs to be done more effectively and more efficiently."
One increasing option that Carson rejects is the use of social media logons to simplify user effort. Counter-intuitively, it increases the number of passwords in play, increases the threat level, and can have privacy implications for the user. "When we visit an airport or hotel or anywhere else that offers wifi that asks 'would you like to login using your Facebook account?' and we say yes, then it creates an application password in the background. Whenever this happens," he warns, "all those sites and applications can continuously profile the information in our social media account. Most people don't realize or know about that. But now we're creating this continuous growth of application passwords that don't expire, that don't change, but have continuous access to our data -- and there is no easy way to revoke them. Single sign on and social media is a convenience, but from a security perspective it is a major security risk. Those application passwords can be obtained by attackers and used against us."
One of the problems is that there is little consistency in either recommendations or options. For example, in September 2015 the UK's GCHQ issued password guidance that included, "Regular password changing harms rather than improves security, so avoid placing this burden on users."
"GCHQ's recommendations are good in one sense," said Carson, "but they differ from Australia's recommendations, they differ from security researchers' recommendations, and in the end, they just add to the global inconsistency. We really need a global collective approach. Right now there is too much inconsistency regarding policies, and multi-national companies end up having to deal with multiple national password policies. Personally, I'm more of a mandate person. Recommendations are good, but unless they are mandated, nobody really takes it seriously."
At the system level, he believes that we will begin to see behavioral analytics increasingly being used to support passwords. "I'm not a big fan of things that use my physical ability as a measure of behavior," he said, "but I do like things based on predictability. Humans are by nature repetitive -- we tend to do the same things many times. For example, when we access an application or service we typically use the same browser from mostly the same location and we generally open applications in the same order -- so we tend to have a repetitive behavioral pattern. If this pattern changes, then that means there should be a challenge to verify that we really are who we say we are." Identity systems could be used for this, and Carson is a firm believer in government controlled identities.
"If the challenge comes back with a valid response then the new behavior can be added to the behavioral pattern. Behavioral analytics will become a major and important part of complementing passwords in organizations' future security posture."
Weaponizing of the insider in the Dark Web, a dangerous phenomenon
1.2.2017 securityaffairs Security
A study revealed how hackers in the dark web are arming insiders with the tools and knowledge necessary to help steal corporate secrets.
The dark web is the right place where to buy and sell corporate secrets, experts at the risk management firm RedOwl and Israeli threat intelligence firm IntSights made an interesting research titled “Monetizing the Insider: The Growing Symbiosis of Insiders and the Dark Web.”
The research is disconcerting, hackers are operating services in the dark web to arm insiders with the tools and knowledge necessary to help steal corporate secrets, commit fraud, and conduct other illegal activities without leaving any tracks.
The researchers accessed the hidden service Kick Ass Marketplace (http://kickassugvgoftuk.onion/) and collected evidence of staff offering for sale internal corporate secrets to hackers, in some the unfaithful staff offered its support to attackers to compromise the network of their company.
The research revealed that at least in one case, someone at an unnamed bank was helping crooks to remain hidden in the corporate networks by using a malicious code.
The subscription for the service is of up to one bitcoin a month for access to corporate information offered in various threads.
The administrator of the service who goes with online moniker “h3x,” claimed that Kick Ass Marketplace has seven administrators, three hackers and two trading analysts that check the integrity of stolen data.
Months ago, the administrator claimed that its service boasted 15 investment firm members and 25 subscribers.
According to the researchers, the Kick Ass Marketplace is posting about five high confidence insider trading reports a week that allows the hidden service to pulls roughly US$35,800 a week. The analysis of the associated bitcoin wallet confirmed a total of 184 bitcoins that accounts for US$179,814.
The researchers also analyzed another hidden service dubbed The Stock Insiders (http://b34xhb2kjf3nbuyk.onion.to/) that allows its clients to recruit retail staff as mules to help cash out stolen credit cards for reliably-resellable goods like Apple iPhones.
” Another forum (see Figure 3), called “The Stock Insiders,” is also dedicated solely to insider trading. The forum was opened in April 2016. Its objective was to “…create a long-term and well-selected community of gentlemen who confidently exchange insider information about publicly traded companies.”
The report is very interesting, it includes posts used by crooks to recruits money mule in charge of cashing out the stolen card data buy goods.
Below key findings of the report:
“By studying dark web forums focused on recruiting and collaborating with insiders, we found:
The recruitment of insiders within the dark web is active and growing. We saw forum discussions and insider outreach nearly double from 2015 to 2016.
The dark web has created a market for employees to easily monetize insider access. Currently, the dark web serves as a vehicle insiders use to “cash out” on their services through insider trading and payment for stolen credit cards.
Sophisticated threat actors use the dark web to find and engage insiders to help place malware behind an organization’s perimeter security. As a result, any insider with access to the internal network, regardless of technical capability or seniority, presents a risk.”
Insider illegal activities are devastating for the victims, they can fully compromise entire organizations due to the disclosure of company secrets, the weaponizing of the insider is a criminal phenomenon that must carefully monitor.
Google Paid Out $9 Million in Bug Bounties Since 2010
31.1.2017 securityweek Security
Google has awarded researchers more than $9 million since the launch of its bug bounty program in 2010, including over $3 million paid out last year.
According to the company, more than 1,000 payments were made last year to roughly 350 researchers from 59 countries. The biggest single reward was $100,000 and over $130,000 were donated by the search giant to charity.
Google also said it had paid out nearly $1 million each for vulnerabilities affecting the Android operating system and the Chrome web browser. In June, one year after the launch of its Android bug bounty program, the company decided to increase rewards for Android flaws.
In 2016, the company opened its Chrome Fuzzer Program to the public. The program allows experts to run fuzzers at large scale and they receive rewards automatically.
Google also highlighted the stories of an expert who donated his rewards to a Special Olympics team in the U.S., and an Indian researcher who funds his startup with bug bounty rewards.
The “2016 year in review” report also shows a proof-of-concept (PoC) video submitted by Frans Rosén, in which the researcher’s actions are synchronized to the background music. The video demonstrates a cross-site scripting (XSS) vulnerability in the payments.google.com domain.
Google has been involved in third-party hacking competitions such as Pwn2Own and Pwnfest, but it also runs its own events. A contest that will run until March 14, named The Project Zero Prize, offers significant rewards to anyone who can achieve remote code execution on Nexus 6P and Nexus 5X smartphones by knowing only their email address and phone number.
Google Launches Its Own Root Certificate Authority
29.1.2017 securityweek Security
Google announced on Thursday the expansion of its certificate authority (CA) efforts with the launch of a root CA that will allow the company to independently handle its certificate needs.
The company has been on the frontline of efforts to make the Internet safer by getting all web services to use HTTPS, including by boosting secure pages in search results and by tracking the use of HTTPS on the world’s top 100 websites.
Google has been operating the subordinate certificate authority GIAG2, signed by the GeoTrust Global CA, and the next step is to gain the ability to issue root certificates for products on its own. The new entity responsible for operating the CAs on behalf of Google and Alphabet is Google Trust Services.
Google Trust Services
In an effort to start issuing certificates as soon as possible, Google has decided to acquire two existing root CAs, namely GlobalSign R2 and R4. The company will also continue to use its GIAG2 certificate authority as it transitions to an independent infrastructure.
“If you are building products that intend to connect to a Google property moving forward you need to at minimum include the above Root Certificates. With that said even though we now operate our own roots, we may still choose to operate subordinate CAs under third-party operated roots,” Ryan Hurst, security and privacy engineer at Google, said in a blog post. “For this reason if you are developing code intended to connect to a Google property, we still recommend you include a wide set of trustworthy roots.”
Commenting on Hacker News, some applauded Google’s decision, while others pointed out that the search giant is gaining more and more control over the Internet.
Over the past years, Google has identified several CAs that had issued unauthorized certificates for its domains. The list includes the China Internet Network Information Center (CNNIC), India's National Informatics Center (NIC), Turkish firm TURKTRUST, and Symantec.
Last year, the company announced the introduction of a new Certificate Transparency (CT) log for CAs that have been removed from trusted root programs.
Google becomes its own Root Certificate Authority
28.1.2017 thehackernews Security
Google Root Certificate Authority
In an effort to expand its certificate authority capabilities and build the "foundation of a more secure web," Google has finally launched its root certificate authority.
In past few years, we have seen Google taking many steps to show its strong support for sites using HTTPS, like:
Giving more preference to HTTPS websites in its search rankings than others.
Warning users that all HTTP pages are not secure.
Starting an industry-wide initiative, Certificate Transparency − an open framework to log, audit, and monitor certificates that CAs have issued.
However, Google has been relying on an intermediate Certificate Authority (Google Internet Authority G2 - GIAG2) issued by a third party, with the latest suppliers being GlobalSign and GeoTrust, which manages and deploys certificates to Google's products and services.
Google announced Thursday the creation of its own certified, and independent Root Certificate Authority called Google Trust Services, allowing the company to issue its own TLS/SSL certificates for securing its web traffic via HTTPS, instead of relying on third party certs.
"As we look forward to the evolution of both the web and our own products it is clear HTTPS will continue to be a foundational technology," writes Ryan Hurst, product manager at Google, in a blog post. "This is why we have made the decision to expand our current Certificate Authority efforts to include the operation of our own Root Certificate Authority."
The newly established Google Trust Services (GTS) will issue certificates on behalf of Google and parent company Alphabet.
Like others, Google Trust Services can now be used to sign other subordinate certificates to authenticate the identity of other websites.
However, the process of embedding root CAs into products can take time, so Google acquired two existing Root Certificate Authorities from GlobalSign: R2 and R4.
The acquisitions will allow independent certificate issuance from the company "sooner rather than later."
Developers, who will have to include the new Root Certificates into their services, can head to the Google's official announcement for more details about the newly established Google Trust Services (GTS).
Business Driven Security: The Case of Building an Advanced Security Operations Centre
28.1.2017 SecurityAffeirs Security
In the journey towards business-driven security one of the niche weapon is the roadmap to Advanced Security Operations Centre (ASOC).
Now that we have gotten over from new year’s greetings– let’s get to the basics to refresh as what is required in terms of achieving maturity within your organisations. There is no doubt that this year will bring more sophisticated & coordinated attacks aimed specifically towards the supply chain. Organisations must integrate the concept of business-driven security where security is seen as business enabler rather than operational hindrance. The investment from preventive measures need to move swiftly towards pre-empted and intelligence driven response.
In the journey towards business-driven security one of the niche weapon (if we are allowed to say this) is the roadmap to Advanced Security Operations Centre (ASOC).
Most large organisations nowadays have some level of security monitoring for their networks; even SME’s have security staff although, they tend to be IT Operations staff wearing two hats. If you are managing a Security Operations Centre or are a board member considering their security organisation, there are a few fundamental questions that you must ask yourself.
What have we done to Detect and Respond to advanced integrated attacks?
Do I know how we address Processes and Procedures relating to Incident Management?
Actually do we have any Processes and Procedures???
What do we do if we are breached?
What do we need to do to reduce the Breach Exposure Time?
Is our security program aligned against the threats we face?
Do we have a plan in place for the security of our data over the next few years?
These are the sort of questions which will generate some of the answers you are looking to drive the Advanced Security Operations Centre program.
So just what is an ASOC? Is it just a marketing term to get organisations to buy more equipment or is it more of a shift in the way we do our day to day business and Incident Response? I guess for us it is one’s understanding of the difference between a SOC and an ASOC.
A SOC is designed to detect and respond to threats against a network. Put a couple of IDS boxes and Logging/SIEM in place with staff to monitor it and you have a SOC. An Advanced Security Operations Centre is more of a program where every piece of the defence of the organisations networks is reviewed, understood and proactive appropriate controls, procedures, training (hunting capability) and management are put in place to protect an organisation. In fact it is a whole operational security life cycle for an organisation.
Another term which has been labeled against an ‘ASOC’ is that of an Intelligence Driven SOC. This is mainly because of the interpretation of Intelligence Analysts and use of the information gained to assist with their SOC program. Another popular interpretation is that all their Security Infrastructure is integrated and the SOC is taking a proactive approach to their security. These statements are partially correct, but they don’t form the whole picture. This blog aims to pull all of the pieces together into one (hopefully) holistic view (bed time story book for the new year )
So let’s take a look at an ASOC program which will give us our new build.
The key to an ASOC is understanding both the Business Requirements (which include regulatory considerations), and the Business Risk. These two elements drive everything else within an ASOC program. Once the Business issues have been identified, the Mission for the ASOC can be drafted which will frame all of the other activities which will drive the program.
Next we have to identify the assets we are looking to protect. Whilst a portion of this will have been identified in the Business Risk assessment we are now looking at exactly where we have to place our detection capability. In most cases this is going to involve some level of IDS/IPS or Full Packet Capture (FPC) at the network Gateway(s) (preferably on the inside of the network – although an additional feed from the outside is desirable to identify what threats are “knocking on the door”) and at pinch points within our Enterprise network. We should also identify the log sources and Netflow required for detection Use Cases.
Having identified the technical detection capabilities which are required to initialise a monitoring capability the next step is putting the “Advanced” into the Advanced Security Operations Centre. This is done by taking our Business Risk and Requirements and using them to define a Threat Centric approach to our Business Security Monitoring. To do so we must:
Identify attack vectors and TTP’s (Tools, Techniques and Procedures) to build out Attack Scenarios
Use these Attack Scenarios to enable us to create individual Use Cases and ultimately build a Use Case Library
Whilst we covered off Use Cases in an earlier blog post (which gave the individual requirements to build your Use Case) we will focus here on the Library itself.
Building Use Case Library enables us to identify the required data sources. This may sound trivial and be viewed as a typical requirement for building any SOC however, in taking a view of the entire library we are building, it enables us to identify where we have weaknesses in our detection capability (and as such where we should invest in new equipment or controls). In the example below we can see that Use Case 4 is capable of being deployed with all required data sources available, however to deploy Use Case 3 we require DHCP and VPN logs neither of which is available to the Security Operations Centre at this time. Use Cases 1 and 2 also have a requirement for DHCP and VPN logs but have additional detection capabilities and whilst not ideal can be deployed without DHCP and VPN Logs. Mapping out all of the Use Cases in this way will identify to Management just where our detection capability is compromised and what must be implemented/purchased to resolve these issues.
Advanced Security Operations Centre
Having built the Library and now having alerts flow into the ASOC we must turn to our staffing and this is by far the most important differentiator between a SOC and an ASOC. Typically SOC’s are reactive in their posture whereas ASOC’s are actively looking to develop their detection and hunting capability at all times. To do this a number of traditional SOC roles are utilised but with an addition set of staff and hunters:
Traditional
L1 & L2 Analysts
Platforms Engineers
SOC Management
Advanced Security Operations Centre Requirement
L3 Analysts
Malware Analyst
Forensic Analyst
Content (Use Cases, Signatures & Rules) Engineer
Threat Intelligence Analysts
Data Scientist
Hunters
Whilst all of these roles do not have to be deployed to give us a greater increase in our detection and response capability, the more that are, the better the Advanced Security Operations Centre service will be. For instance Malware and Forensic Analysis could be outsourced whilst keeping the Content Engineers and Threat Intelligence analysts as an internal resource (focused on the specific threats to our organisation). As to when to hire these individuals that would be established in the Target Operating Model (TOM).
The TOM acts as a visual representation of an organisations ASOC and its continuing design decisions. The focus of the TOM is upon the day to day structure of the Advanced Security Operations Centre, how it is managed and governed. It acts as a roadmap for the development of the services as it is gapped at (typically) 6 months, 12 months, 18 months and 24 months with key development aims mapped out over the months and years. Portions of the TOM include:
SOC Structure and Roles
Staffing
Shift Cycles
Resource Skills
Training
Performance Management
Processes
Incident Response Plan
Technology is a defining factor in any Security Operations Centre but to take this all together and deliver an Advanced package we must look at working smarter, and by that delivering all our tools into “One Single Pane of Glass”. To do so we would use an Incident Management tool which will pull all of our Alert and Incident Information into one centralised location (allowing a global view of the ASOC program (depending on the User Access rights)). Using a centralised tool also allows us to create Incident Response Procedures aligned against the detection rules (as part of our defined Use Cases) which will automatically be added to a new Incident for our analysts to follow. The other advantages of a centralised IM tool are:
Ease of Incident Escalation
Metrics for the entire ASOC Program
Secure Information store of Incident Information (No more e-mails!)
Enrichment of Incident data from external sources such as CMDB
Automated Integration with other ticketing systems for teams external to ASOC i.e. IT Ops
Bespoke Dashboards per User Roll
A word of warning though; No IM is disastrous, but a badly managed IM is even worse! Make sure that when planning your Use Cases that you identify just how many “typical” Incidents are expected. Implementing an IM which replicates every single alert you have is a recipe for failure (and an expensive one at that). Plan your ASOC and hire new staff as is required for your Use Cases and TOM.
However no single tool is ever going to be our “Silver Bullet” and even if it was we still have to make sure that our staff will utilise it in the manner that we as managers are expecting. Which brings us onto our Policies and Procedures. Now just asking one of your technical staff to write a procedure will make their face go ashen “ OH Paperwork!!!!”. To enable our ASOC to work in a standard and repeatable fashion we must lay out our Standard Operating Procedures which cover everything from turning on the lights in the morning to procedures for Malware Analysis and Forensics. Having these documents pre-produced will allow the ASOC staff to function more effectively and in a targeted fashion to the perceived threats to the organisation. This will also allow smooth on-boarding of new team members and harmonisation among staff with different skillsets and experience. The requirement date for production of these documents can also be aligned in the TOM.
Next we have to look into constantly improving our ASOC and the results that are being given to the company. Metrics play a large part in an ASOC (which any manager or C Level executive will be glad to hear!). Peter Drucker once wrote “What’s measured improves” and this is entirely true of an ASOC. In an age where the one metric everyone wants to know “Have my systems been compromised? Yes/No” you can bet that there are going to be a lot more requests for data if the answer is yes! And rest assured that the answer is always yes!
Just before we get into the sort of things we would look to add to any ASOC Metrics program lets have a look at why we need good metrics:
Situation Overview
Analyse where the attacks are coming from
Regional Trends
Where our organisation is most vulnerable
Increased visibility of the Security Program (which is a GOOD thing)
Performance
Identifies which security devices are giving us our best value for detection
Identifies analysts which are struggling and require additional training
Measures the effectiveness of our Controls
Improvements in Patch Management
Decrease in Threat Landscape
Identifies the Business Units being targeted the most and which reacts better to attacks.
Resource Allocation
Allow staff planning in line with attack patterns
Identify new rolls for recruitments
Identify which security devices are no longer adequate for a given throughput of traffic.
Target the correct detection capabilities for future purchases.
And the best bit about all of this……. When you require investment for future enhancements in your Security Program you have all of your historical evidence to back it up.
Below are the main subsections for a Metrics program you would require with a few of the typical metric types included:
Incidents Metrics
Source of Incidents Created
Incident % False Positive
Incident % Escalated from L1 to L2
Incidents Created & Closed
Incident Count by Monitored Company/Organisation
Heat Maps
…
Categorization and Classification Metrics
Actors: Origin
Actors: Motive
Actions: Vector
Actions: Malware.Variety
…
Performance Metrics
Incidents Remediated Count by Analyst ID
Longest Open Tasks
…
Information from Logs and Packets
EPS Rates
Top 10 Source Addresses of Alerts
Top 10 Alerts
Top 20 Denied Inbound by Address
…..
Tool Efficacy
Number of Incidents detected with # Tool
Number of Incidents missed with # Tool
…
The above are just a little introduction to what Metrics would be required as part of an ASOC program (we will delve further into this in a later blog post).
And that is your basic introduction to an ASOC (or at least what we can fit into a Blog post!). We will dig into this subject in greater depth over our forthcoming book. https://www.amazon.co.uk/d/Books/Advanced-Cyber-Security-Intelligence-Corporate/1118997646 ( Dave Gray is the contributing author around threat intelligence and use cases framework). Please remember that Planning out your ASOC build is crucial. To quote an old RAF phrase “Prior Planning Prevents P*ss Poor Performance”.
Does Trump Executive Order Threaten EU/US Business? Probably Not.
27.1.2017 SecurityWeek Security
U.S. President Donald Trump's executive order titled 'Enhancing Public Safety in the Interior of the United States' appears to threaten the future of the EU/US Privacy Shield, but that may not be the case.
Privacy Shield is the agreement that allows US organizations to store personal data of EU citizens on servers in the US. Without it, US companies trading with Europe will almost certainly and automatically be in breach of the General Data Protection Regulation (GDPR).
Sec 14 of the executive order states "Privacy Act. Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information."
Privacy Shield does not directly rely on the US Privacy Act, but rather on the Judicial Redress Act which extends benefits of the Privacy Act to Europeans and gives them access to US courts. The executive order phrase, 'to the extent consistent with applicable law', consequently provides some wiggle room but remains ambiguous. If 'applicable law' implies that European PII is still protected, then all might still be well.
The European Commission seems to be optimistic. In a statement, it says, "The US Privacy Act has never offered data protection rights to Europeans... [We] are following closely any changes in the U.S. that might have an effect on European's data protection rights."
But other European politicians are more concerned. Sophie in ‘t Veld Veld, an MEP, has written to the Commission saying, "It is therefore urgent that the Commission provides clear answers with regards to the exemptions to the US Privacy Act and their impact on the legality of transatlantic transfer of personal data."
Jan Philipp Albrecht, the European Parliament's rapporteur for the GDPR, is more forthright, tweeting, "If this is true @EU_Commission has to immediately suspend #PrivacyShield & sanction the US for breaking EU-US umbrella agreement."
The stakes are high. If Privacy Shield is revoked, then any US organization using it to allow the removal of European PII to the US will immediately be contravening European law. In the most extreme interpretation, this would mean that Facebook, Google, Microsoft and a host of commercial enterprises, around 1500, would have to cease European operations or risk GDPR fines.
"The Privacy Shield agreement," wrote the WSJ this morning, "which replaced the Safe Harbor data-sharing pact that was struck down in October 2015 by Europe's top court, may no longer apply since the executive order was signed on Monday."
"Moreover," writes Michael Geist, "the order will raise major concerns in the European Union, creating the possibility of restrictions on data transfers as it seemingly kills the Privacy Shield compromise."
It is more than possible, however, many that people are making a rapid emotional judgment on the executive order rather than a considered legal judgment.
Dr. Brian Bandey, a Doctor of Law specializing in Computer Law and the International application of Intellectual Property Law, suggests that Section 14 needs to be considered in the context of the full executive order. Executive orders are specifically designed to aid the management of existing legislation. The first paragraph of this order specifies that it is designed "to ensure that our Nation's immigration laws are faithfully executed."
Dr. Bandey also points out that Section 1 of the order specifies, "The purpose of this order is to direct executive departments and agencies (agencies) to employ all lawful means to enforce the immigration laws of the United States."
He also notes that Section 18 repeats 'applicable law' condition. Sec. 18 (b) states, "This order shall be implemented consistent with applicable law and subject to the availability of appropriations."
"I suspect strongly," Dr. Bandey told SecurityWeek, "that it can be argued that the Executive Order is a creature of Immigration Law and is directed to illegal (and other) aliens present in the US." If he is correct, and if it is interpreted within US law to be so, then Section 14 has nothing to do with European personal information stored within the US under Privacy Shield. But he added, "I also strongly suspect that nobody, right now, really knows one way or the other."
The Application Security Testing Conundrum
27.1.2017 Securityweek Security
It is my humble opinion that we have allowed our daily rush into an increasingly digital world to negatively affect our ability to address challenges. We look at the world in the sharp, square and discreet lens of digital and ignore the smooth and contiguous thinking of analog.
This phenomenon can be readily seen in the world of software security, where there is a preponderance of binary sounding decisions that may have an analog solution. Static application security testing or dynamic application security testing? On premises or managed services? The answer may simply be “yes” with lots of shading based on each organization’s needs.
The funny thing about the rush to apply digital thinking to software security is that at its heart, software security is fighting a very analog pursuit. Yes, software is a digital manifestation, but identifying and exploiting flaws and bugs in software is a highly creative and largely human endeavor. In other words, it is a very analog exercise. Logic would say that to stop an analog exercise, analog thinking might be in order.
Code AnalysisLet me take the managed service versus on premises deployment question for example. My experience, validated by my discussions with industry analysts, is that organizations with a mature software security initiative (SSI) tend to use both methods. For high profile, high risk applications, they likely will do testing on premises with their own team and a set of tools. For the other applications in their portfolio, they use managed services to provide them full breadth of portfolio coverage without the need to invest in staff and additional products.
The analog answer in not just for mature organizations - An organization getting started with a testing program may have on premises as their goal. However, installing a new product, ramping up staff, establishing expertise, and building processes and procedures take time and push back the benefits of testing the software. The organization can use managed services to offload some of the initial testing while they ramp up the on premises testing machine, and slowly transition off managed services over time.
Back to the static versus dynamic question - It is well known that static and dynamic find very different vulnerabilities, and even when combined leave some vulnerabilities un-identified. Savvy organizations have learned how to use a mix of the two testing types to increase their coverage and lower their risk. They go even more analog by varying what test is applied to what application based on factors like risk.
How did we get to this digital thinking? As the software security market emerged and evolved, vendors appeared with solutions to the problem of testing applications, each taking a unique angle to the problem. Some were SAST, some DAST. Some on premises, some managed services. Then the marketing machines kicked in employing a derivation of Maslow’s Law of the Instrument - If your only tool is a hammer then every problem looks like a nail. The vendors set out to convince the market that their problem – the nail – could only be driven by a very specific hammer, which was of course their product or service. I often refer to the RSA Conference as a hammer salesperson convention.
In my previous article, “Make a New Year's Resolution to Get Serious About Software Security”, I threw out several challenges. One was to challenge your application security testing vendor portfolio to ensure you have not been lulled into a status quo. Look for partners that take a more smooth and contiguous approach that blends multiple products and services so you are not artificially locked into digital thinking.
I also warned against the Box Checker mentality, which can also breed a highly digital mindset. This is because many organizations limit themselves to running tests simply to satisfy a regulatory mandate or another compelling event and are happy just to check the box. Such an approach naturally puts you on the path of least resistance where you seek the easy button product that will get the box checked. It lulls you into digital thinking.
My challenge for those involved in software security is to step away from a digital mindset and embrace some analog thinking. Walk away from the sharp edges and embrace a more open minded approach. Blend multiple products, offerings and approaches to what best fits the needs of your organization. Use the flexibility of this mindset to enable agility so the organization can quickly adapt to market conditions, emerging threats, and the evolution of the business. Eschew a cookie cutter approach for the right stuff for the job outlook. Don’t be afraid to engage new technologies to see what value they can bring your organization.
Take it to the next level - Consider how to break out of the traditional testing cycles and push testing deeper into the development cycle. Or get really analog and build security into every application by starting with secure architecture and design. You may find that some smooth, contiguous thinking puts you and your organization in a much better place to reduce risk and eliminate many of the common bugs and flaws found in software.
Hiding in Plain Sight: Why Your Organization Can't Rely on Security by Obscurity
27.1.2017 Securityweek Security
Attackers Don't Examine Market Size When Deciding Whether or Not to Target an Organization or a Person
Recently, on a trip to visit potential customers in one of Europe’s smaller markets, I ran into a recurring theme. When I speak to any audience about security, including potential customers of course, I tend to focus on concepts and ideas, rather than specific products and services. Choosing the components of a solution is important, but can only be done once an approach is well understood. This comes much later in the discussion. Not surprisingly, most people prefer this approach, particularly when they are able to map between the concepts and ideas and the specific problems and challenges they face.
As you can imagine, one of the concepts I often discuss is the identification, prioritization, and mitigation of risk. As I’ve discussed previously, this is one of the most critical components of a mature and successful security program. This particular trip was no different from most others in that I broached this particular topic with nearly everyone I met with. What was different on this trip, however, was one response I received repeatedly: “We are in a small market. No one will attack us.” This surprised me quite a bit.
Cybercrime Indeed, I have heard this line of reasoning many times in the past. What surprised me was not that people would be inclined to think this way, but that they would be inclined to think this way in 2017. It is surprising given how interconnected the world is, how we’ve repeatedly seen that no target is too small or too remote for the motivated attacker, and how organizations that do not come to terms with this reality ultimately pay for it, sometimes dearly.
Sadly, market size isn’t the only way in which people lure themselves into a false sense of security. Let’s take a look at a few of the different ways in which people convince themselves that they do not need to understand the threat landscape they face and mitigate the risk it presents them with.
Organizational Size
Some people, organizations, and boards seem to think that if their organization is under a certain threshold (either employee-wise or revenue-wise), then the organization can simply fly under the attacker radar. This line of reasoning is reminiscent of the old “security by obscurity” way of thinking. As experienced security professionals know, this is a dangerous way of thinking that generally winds up producing disastrous results.
Attackers have shown time and time again that they care about one thing and one thing only: the location of the prize they are after. It doesn’t matter if that prize is money, information, disruption, or any of the other ends that motivate attackers. If an organization has what the attackers are after, they will go after it. It doesn’t matter if the organization has 10 employees or 10,000 employees.
Geographic Isolation
There is a somewhat natural tendency to feel safe and secure due to geographic isolation. If we look at the history of kinetic wars and the kinetic battlefield, it is easy to understand why this is the case. But this sense of security does not and should not translate to the virtual world.
Whereas to commit a physical crime in a given city, I generally need to be in that city, this is obviously not the case in the virtual world. I can sit on one side of the world and commit cybercrime on the other side of the world. Similarly, I can just as easily attack targets in places that may be geographically isolated as I can attack places that may be just around the corner from me. Unfortunately, there is really nowhere to hide in the virtual world.
Language Barriers
There are many languages that a relatively small number of people speak. In the countries that speak these languages, people may be inclined to think that they are not at risk. For example, people may think that because all intellectual property, customer data, employee data, or other sensitive data is written in a language that is not widely spoken, then no one will ever be able to target, navigate to, and exfiltrate that data. This is another type of “security by obscurity” that is a dangerous way of thinking. Unfortunately for those native speakers, this could not be farther from the truth. Attackers have shown tremendous creativity and resourcefulness when it comes to gaining access to the information they are after, regardless of the language it is written in and how many people speak that language.
Market Size
As I mentioned above, being in a smaller market does not protect an organization from attack. No matter how small the market, there will still be people, organizations, and information that attackers will want to target. To be quite frank, it doesn’t much matter where information resides nowadays. The fact that it exists in an interconnected world puts it at risk. Attackers do not examine market size when deciding whether or not to target an organization or a person that has a specific piece of information they are after. They simply go after it.
My purpose in this piece isn’t to cause panic or present a doom and gloom scenario. Rather, I’m hoping that the clever reader will see in this piece an opportunity to help educate management, executives, the board, and others of the need to approach security strategically, regardless of organization size, geographic location, spoken language, or market size. Any of the points I’ve raised above can be countered and mitigated by approaching security as a risk mitigation exercise complete with a robust security operations and incident response capability. No one should rely on security by obscurity and expect to fly under the radar of the modern attacker. It’s just too risky.
Microsoft Unveils Windows Defender Security Center
24.1.2017 Securityweek Security
The upcoming Windows 10 Creators Update was designed to make available security protections easily accessible via a new experience called the Windows Defender Security Center, Microsoft says.
Last month, the tech giant shared some information on the security enhancements that the upcoming platform upgrade will bring. Microsoft is now providing more details on Windows Defender Security Center, a core feature of the operating system.
Since announcing Windows 10, Microsoft claimed that it was the most secure Windows version ever, but already proved that there was room for improvement with the release of Windows 10 Anniversary Update. One of the most important enhancements included mitigation techniques to stop the exploitation of new or undisclosed vulnerabilities.
The Windows Defender Security Center in Windows 10 Creators Update should make it easier for users to view and control the security protections the platform has to offer. The main functionality, Microsoft says, is to help users better understand and use the security features protecting them and their Windows 10 devices, even if they lack advanced knowledge on the matter.
As Rob Lefferts, Partner Director, Windows & Devices Group, Security & Enterprise, notes in a blog post, Windows Defender Security Center includes five “pillars” that users can take advantage of for controlling and keeping track of their device’s security, health and online safety experiences.
The first of these pillars is Virus & threat protection, where users can view information on their anti-virus protection, regardless of whether it is Windows Defender Antivirus or another application. For those who use Windows Defender Antivirus, scan results and threat history are available there. Those using a different anti-virus application will be able to launch it from there.
The second pillar is Device performance & health, where users can access a single view of Windows updates, drivers, battery life, and storage capacity. It also provides a Refresh Windows feature for those who want to get started with a clean install of Windows. The option maintains personal files and some Windows settings intact, but removes most apps for a fresh start that can offer performance improvements.
By going to Firewall & network protection, users can view information on the network connections and active Windows Firewall settings and can access links to network troubleshooting information. For those interested in adjusting SmartScreen settings for apps and browsers, App & browser control is the option to go to. It should prove useful to those looking to stay more informed and to remain safe online, as it warns them of potential malicious sites, downloads and unrecognized apps and files on the web.
Finally, there will be Family options, to link users to information about parental controls and to provide them with options for setting up good screen time habits and activity reports of kids’ online activity. It will also be useful for the management of controls for purchasing apps and games, as well as to view the health and safety of other family devices.
“Our goal with the new Windows Defender Security Center is to help you become more informed and make safety simple. It is equally important to us that you are protected by default and continuously protected – never giving the bad guys an opportunity to harm you. This new experience naturally supports customer choice in selecting an AV product,” Lefferts notes.
Since the upcoming experience is also meant to ensure that users are always protected, it will keep track of antivirus subscriptions and expiration dates and will automatically launch Windows Defender Antivirus when that happens. According to Lefferts, the new option should provide users with increased control over their PC, allowing them to choose the protection software and services that they like best.
“We believe the new Windows Defender Security Center lives up to these principles and we are committed to working with you, as well as security experts and organizations throughout the technology industry to create safer experiences for everyone with Windows 10,” Lefferts concluded.
China makes VPNs illegal to tighten its Great Firewall
24.1.2017 thehackernews Security
China is long known for its strict Internet censorship laws through the Great Firewall of China – China's Golden Shield project that employs a variety of tricks to censor Internet and block access to various foreign websites in the country by its government.
The Great Firewall has blocked some 171 out of the world's 1,000 top websites, including Google, Facebook, Twitter, Tumblr, Dropbox, and The Pirate Bay. Therefore, to thwart these restrictions and access these sites, hundreds of millions of Chinese citizens use virtual private networks (VPNs).
But now, the Chinese government has announced the mass shutdown of VPNs in the country, making it harder for internet users to bypass its Great Firewall, according to a report published by the South China Morning Post.
'Clean-Up' of China's Internet Connections
Calling it a "clean-up" of China's Internet connections, the Ministry of Industry and Information Technology said on Sunday that it had launched a 14-month-long crackdown on the use of unsupervised internet connections, including VPNs.
VPN services encrypt your Internet traffic and route that traffic through a distant connection so that web surfers in China can hide their location data and access websites that are usually restricted or censored by the country's so-called Great Firewall.
The new rules make it illegal to use or operate a local VPN service without government approval, and require all VPNs and leased cable lines operating in China have a license from the government.
According to the ministry, "all special cable and VPN services on the mainland needed to obtain prior government approval—a move making most VPN service providers in the country of 730 million Internet users illegal."
Moreover, every internet service provider (ISP), cloud services provider and VPN reseller are also required to carry out "self-inspections" for any illegal activity taking place on their servers.
VPN Ban will Remain until March 31, 2018
In a statement, the ministry said that the country's VPN and cloud computing market "has signs of disordered development that require urgent regulation and governance" and that the crackdown is designed to "strengthen cyberspace information security management."
The ban on VPNs and cable connections would begin immediately and will remain in place until March 31, 2018.
Besides the VPNs ban, China's IT ministry also said the government would be investigating ISPs, content delivery networks and internet data centers for failing to receive the right business permits and operating in areas that exceed their intended scope.
The move is the latest in a long series of attempts by the Chinese government to stop its citizens using VPNs and other filter-busting systems, which made them unable to have a tight grip on their people.
Mozilla Internet Health Report calls for more security and privacy
23.1.2017 securityaffairs Security
The Mozilla foundation has published its first Internet Health Report to analyze the dangers of the Internet that we can consider as a global commodity.
The Mozilla foundation has published its first Internet Health Report to analyze the dangers of the Internet that we can consider as a global commodity.
The oligarchy of internet companies. internet monitoring, censorship and new threats posed by Internet of Things devices every day menace our privacy.
Mozilla aims to track the health of the Internet focusing on aspects such as the Open Innovation, Digital Inclusion, Decentralization, Privacy and Security and Web literacy.
“We want to work with people and organizations that care about a healthy internet to engage the general public in caring more deeply about ‘internet health,’ in the way that the environmental movement was able to grow mainstream using terms like ‘global warming’ that no one previously had heard of,” explained the editor Solana Larsen.
Positive news from the security and privacy perspective, communications over the Internet is more secure thanks to the efforts of organizations and private companies.
The Internet Health Report appreciates the adoption of end-to-end encryption by messaging apps and other web services and welcomes the upcoming new version of the Transport Layer Security (TLS 1.3) cryptographic protocol that will make the web more secure and fast.
“More messaging apps, including WhatsApp, now offer end-to-end encryption, meaning that conversations are protected from eavesdroppers, including the service provider.” states the report.
“Web traffic encryption is rising too. One factor is the launch of Let’s Encrypt, a new certificate authority that makes it easy and free to add HTTPS to any website. This helps protect the privacy of users, and offers some guarantee they are not looking at spoof pages. Also driving adoption, search engines and browsers are now subtly rewarding HTTPS websites.
Unknown to most, Internet communication will be more private, and possibly also faster, due to an upcoming new version of the cryptographic protocol called Transport Layer Security (TLS 1.3) that is used to secure all communications between Web browsers and servers.”
Unfortunately, snooping powers continues to grow, several states continues to spend a significant effort in surveillance activities threatening users’ privacy.
“There is more public scrutiny of surveillance laws than before, but it hasn’t stopped greater snooping powers from being proposed in Britain, Pakistan, France and several other countries,” states the report.
The report also warns of the risks related to a rapid and uncontrolled diffusion of unsecured IoT device. The lax of security is the root cause for the success of botnet like Mirai and open the door to surveillance and hacking activities.
“In November 2016, a malware program called Mirai mobilized 100,000 connected devices, including webcams and baby monitors, in a distributed denial-of-service attack (DDOS) that briefly took down parts of the internet,” states the report.
“The owners of those compromised devices may never know (or care) what happened, and cheap and insecure devices will continue to be manufactured, unless safety standards, rules and accountability measures take hold,” they said.
Mozilla Foundation is calling to action everyone to improve and ensure security and privacy.
“Above all, we should be more critical about what information we share voluntarily. Will the online dating profile you posted 6 years ago ever get deleted? How long do the online ads you view track you? Even if you’d like to know the privacy conditions of online platforms, they are usually not written in English,” closes the report.
Lavabit, the Snowden recommended encrypted email service, is back
21.1.2017 securityaffairs Security
Lavabit, the Snowden recommended encrypted email service, is back. Its CEO Ladar Levison announced new privacy-enhancing features.
Do you remember Lavabit? It was the US Encrypted Email Service used by the popular whistleblower Edward Snowden.
Lavabit was an encrypted webmail service founded in 2004 by Ladar Levison, it closed on August 8, 2013 after the US authorities ordered it to turn over its Secure Sockets Layer (SSL) private keys to order government surveillance activities. The US Government was interested in spying on the Edward Snowden‘s emails.
In March 2016, a redaction error in the court-ordered release of Lavabit case files confirmed that Edward Snowden was the target of the FBI that caused the termination of the secure email service.
Snowden was using the Lavabit encrypted email service and that FBI drove the company into closure because it refused to serve the US Government’s requests.
The US Government ordered to install a surveillance implant on the Lavabit servers and later to turn over Lavabit’s encryption keys allowing the Feds to access Snowden’s messages. The court order also revealed that the US Government ordered not to disclose the surveillance activity to third-party entities.
After a few weeks of legal dispute, Levison shuttered Lavabit refusing to become not become complicit in criminal surveillance operated by the US Government.
“After 38 days of legal fighting, a court appearance, subpoena, appeals and being found in contempt of court, Levison abruptly shuttered Lavabit citing government interference and stating that he would not become “complicit in crimes against the American people”.” reported the Guardian.
US authorities revealed the mysterious circumstances behind the Lavabit shut down by publishing a collection of case files that were not correctly redacted allowing to discover the target of the FBI activity, the email address Ed_Snowden@lavabit.com.
The document was integrally published by Cryptome, it is visible the Snowden’s email address was left unredacted.
The documents were publicly disclosed in the result of Levison’s battle against the US Government, he filed a motion in December 2015 that prompted the court to order the release of files related the Lavabit case.
Now, Levison has announced that he is reviving the Lavabit service fixing the SSL issue and implementing new privacy-enhancing features.
The Lavabit CEO is releasing the source code for an open-source end-to-end encrypted global email standard, dubbed Dark Internet Mail Environment (DIME). The code aims to avoid government surveillance and hides the metadata.
“Developed by Lavabit, DIME is an open source secure end-to-end communications platform for asynchronous messaging across the Internet. DIME follows in the footsteps of innovative email protocols, but takes advantage of the lessons learned during the 20-year history of PGP based encrypted communication. DIME is the technological evolution over current standards, OpenPGP and S/MIME, which are both difficult to deploy and only narrowly adopted. Recent revelations regarding surveillance have pushed OpenPGP and S/MIME to the forefront, but these standards simply can’t address the current privacy crisis because they don’t provide automatic encryption or protect metadata. By encrypting all facets of an email transmission (body, metadata and transport layer), DIME guarantees the security of users and the least amount of information leakage possible. A security first design, DIME solves problems that plague legacy standards and combines the best of current technologies into a complete system that gives users the greatest protection possible without sacrificing functionality.” states the description of the standard published by Lavabit.
The Dark Internet Mail Environment (DIME) the standard will be available on Github along with a mail server application dubbed Magma that was designed to allow users with existing email clients to easily use Lavabit service.
“To learn more about DIME & Magma we invite you to join the Dark Mail Technical Alliance https://darkmail.info/ where you can find the latest code & specifications, provide feedback, and contribute to the development effort.”
DIME: https://darkmail.info/spec
DMAP: https://tools.ietf.org/id/draft-melnikov-dmap-00.txt
STACIE: https://tools.ietf.org/id/draft-ladar-stacie-00.txt
MAGMA: https://github.com/lavabit/magma
LIBDIME: https://github.com/lavabit/libdime
The DIME standard implements the ‘Trustful’ encryption mode that requires users to trust the server to manage the encryption and their keys.
“The server performs the encryption on your behalf, and as such, you must trust that the server will not be rewritten in such a way that it captures your password, or peeks at your messages during processing,” Levison said.
The DIME standard also implements a more strictly control over their encryption keys, it allows the users to choose the Cautious Mode and Paranoid Mode, for example, Paranoid means Lavabit will never store a user’s private keys on its server.
Lavabit service will only be accessible to existing customers in Trustful mode, others can pre-register and wait for it.
Security1
Report Examines State of Security Operations Centers
20.1.2017 Securityweek Security
Security Operations Centers
Security Operations Centers (SOCs) are failing to meet the maturity level necessary to provide optimum security and efficiency. The 2017 State of Security Operations report finds that 82% of SOCs worldwide fail to achieve optimum maturity (a score of 3 on the Security Operations Maturity Model).
Worldwide, there has been a 3% improvement over last year; but no geographical region yet meets an average score of 2. To put this in context, North America scores 1.52 while different parts of Europe range between 1.26 and 1.47 (Benelux stands out at 1.79). Clearly there is considerable room for improvement in many SOCs; and without that improvement enterprises will remain vulnerable in the event of an attack.
The State of Security Operations report is an annual study compiled by Hewlett Packard Enterprise (HPE). It comes from the study of 137 discreet SOCs and 183 in-depth assessments. It analyzes why organizations' SOCs fall below optimum maturity, and what can be done to improve matters. Sometimes cause and remedy seem counter-intuitive -- but one difficulty keeps emerging: the difficulty in recruiting and retaining adequate security talent. Lack of qualified staff frequently leads to less than optimum solutions.
One example is in the use of a managed service provider. The immediate effect could be improved security, a reduction in costs, and reduced strain on staff recruitment. But this will decline over time without continuous management of the MSP. The use of an MSP -- which is no bad thing -- should be an active choice to improve security rather than a defensive response to reduce costs.
HPE suggests that where companies need to augment security but cannot afford the additional staff to do so, they should consider a hybrid MSP/internal integrated solution. Internal operational capability can more appropriately manage risk; will be better able to coordinate incident response; and can better align security with the organization's business objectives. In all cases the organization needs to go beyond the MSP's standard SLA to ensure that security can be or remain integrated with business objectives.
The staffing issue resurfaces with automation. The difficulty in finding and keeping quality analysts persuades some organizations to consider replacing front line analysts with automation -- but while this is good in theory, it is not always good in practice. Effective automation requires a high degree of confidence in configuration management, and organizations often have a lack of maturity in information about the applications, users, systems, and data residing in disparate repositories.
The risk of breaking something that has not been well documented then persuades some organizations to turn to an alternative but equally ineffective method: automated ticket generation. This isn't always bad, suggests HPE, but "when dealing with the behavior of an advanced threat actor and coordinated campaigns that span time, this approach usually turns the analyst into a myopic responder." In short, SOCs should think hard before eliminating front-line analysts in favor of automation.
A variant of the staffing issue returns in the growing tendency for SOCs to rely on open source tools. As with MSPs, this can provide an immediate increase in security and a reduction in costs -- but once again it usually doesn't last. OSS rarely comes with the support, documentation or metrics that can ensure compliance and security objectives remain sustainable.
Furthermore, OSS solutions frequently require customization and ongoing maintenance. Staff, however, tend not to stay as long as the software. HPE claims that security leadership usually turns over every 18 months -- and key staff can move on even sooner. Staff churn has a negative effect on the OSS maintenance, and this in turn can reduce the effectiveness and maturity of the SOC. This doesn't mean that OSS should be abandoned, but that organizations need to be aware of the ongoing commitment.
Overall SOC maturity remains well below optimal levels. HPE can find no direct correlation between high maturity and enterprise size: while some large enterprises have good maturity, other multinationals remain poor. Here the difference seems to be in management attitude and willingness to spend (which itself is linked to risk perception).
In terms of verticals, service organizations have replaced technology organizations as the more mature. The telecom industry continues to have poor maturity, partly because its primary concern is service availability. HPE expects this to improve over the next few years with the emergence of a new breed of telecommunication company. Government, however, continues to struggle -- and again it is partly the staffing issue. Rigid structures slow down implementations, while rapid staff turnover stops them even being started. As a result, for example, Government metrics tend to be based on staffing rather than maturity and effectiveness.
The whole problem is, of course, exacerbated by the rapidly changing threat landscape. The emergence of destructive malware and ransomware has demanded closer ties between SOCs and DRBC teams. New General Data Protection Regulation (GDPR) will also present new issues. Although organizations are aware of the implications, the necessary changes have not yet been implemented. The requirement to detect and inform EU citizens of personal data compromises within 72 hours will drive new SOC detection and response use cases and investment for compliance around the globe.
Given these problems, the 3% overall improvement in SOC maturity over last year is an achievement.
ProtonMail announced that its Tor Hidden Service is online
20.1.2017 securityaffairs Security
The popular encrypted email provider ProtonMail has launched the Tor Hidden Service to provide further protection to its users.
ProtonMail is the world’s largest encrypted email provider with over 2 million users worldwide. Its popularity exploded just after the US presidential election, its users include journalists, activists, businesses, and normal people that want to protect their security and privacy. The service is a free and open source, featuring strong end-to-end encryption and protected by Swiss privacy laws.
Implementing a Tor hidden service for ProtonMail Tor has numerous advantages for end-users, communications are protected by supplementary layers of encryption, user’ IP address is masqueraded by the anonymizing network, and such kind of service is able to bypass government censorship.
“There are several reasons why you might want to use ProtonMail over Tor. First, routing your traffic to ProtonMail through the Tor network makes it difficult for an adversary wiretapping your internet connection to know that you are using ProtonMail. Tor applies extra encryption layers on top of your connection, making it more difficult for an advanced attacker to perform a man-in-the-middle attack on your connection to us. Tor also makes your connections to ProtonMail anonymous as we will not be able to see the true IP address of your connection to ProtonMail.” a onion site,” ProtonMail explained in a blog post.
“Tor can also help with ProtonMail accessibility. If ProtonMail becomes blocked in your country, it may be possible to reach ProtonMail by going to our onion site. Furthermore, onion sites are “hidden” services in the sense that an adversary cannot easily determine their physical location. Thus, while protonmail.com could be attacked by DDoS attacks, protonirockerxow.onion cannot be attacked in the same way because an attacker will not be able to find a public IP address.”
The onion address for the ProtonMail Tor service:
https://protonirockerxow.onion
Just for curiosity, the above address was generated by the company used spare CPU capacity to generate millions of encryption keys and then hashed them aiming to generate a more human readable hash. The address it can be easily remembered as:
proton i rocker xow
ProtonMail published detailed instructions on how to setup Tor and how to access the service over Tor. For example, in order to use the ProtonMail hidden service is it necessary to enable Javascript.Tor Browser disables Javascript by default, but you will need it for our onion site. You can do this by clicking the “NoScript” button and selecting “Temporarily allow all this page”:
“Tor Browser disables Javascript by default, but you will need it for our onion site. You can do this by clicking the “NoScript” button and selecting “Temporarily allow all this page”” reads the ProtonMail page.
The ProtonMail hidden service only accepts HTTPS connections, it uses a digital certificate issued by Digicert, the same CA used by Facebook for its Tor hidden service.
The ProtonMail hidden service could be reached via a desktop web browser and both iOS and Android apps.
DHS Publishes National Cyber Incident Response Plan
20.1.2017 Securityweek Security
The U.S. Department of Homeland Security has published the National Cyber Incident Response Plan (NCIRP), which aims to describe the government’s approach in dealing with cyber incidents involving public or private sector entities.
The DHS started working on the NCIRP shortly after President Barack Obama released the Presidential Policy Directive on Cyber Incident Coordination (PPD-41) in July last year. After making available a draft in September, the DHS has now announced the release of the final version.
The NCIRP has three main goals: define the responsibilities and roles of government agencies, the private sector and international stakeholders; identify the capabilities required to respond to a significant incident; and describe how the government will coordinate its activities with the affected entity.
“The National Cyber Incident Response Plan is not a tactical or operational plan for responding to cyber incidents,” explained Homeland Security Secretary Jeh Johnson. “However, it serves as the primary strategic framework for stakeholders when developing agency, sector, and organization-specific operational and coordination plans. This common doctrine will foster unity of effort for emergency operations planning and will help those affected by cyber incidents understand how Federal departments and agencies and other national-level partners provide resources to support mitigation and recovery efforts.”
The NCIRP focuses on four main lines of effort: threat response, asset response, intelligence support, and affected entity response.
The lead federal agency for threat response is the Department of Justice through the FBI and the National Cyber Investigative Joint Task Force (NCIJTF). Threat response includes mitigating the immediate threat, investigative activity at the affected organization’s site, collecting evidence and intelligence, attribution, finding links between incidents and identifying other affected entities, and finding opportunities for threat pursuit and disruption.
Asset response is handled by the DHS through the National Cybersecurity and Communications Integration Center (NCCIC). Activities in this line of effort include providing technical assistance to help affected entities protect their assets, reducing the impact of the incident, mitigating vulnerabilities, identifying other entities that may be at risk, and assessing potential risks to the affected sector or region.
Threat and asset response teams have some shared responsibilities, including the facilitation of information sharing and operational coordination, and providing guidance on the use of federal resources and capabilities.
The lead agency for intelligence support is the Office of the Director of National Intelligence (ODNI) through the Cyber Threat Intelligence Integration Center (CTIIC). The agency is tasked with providing support to asset and threat response teams, analyzing trends and events, identifying knowledge gaps, and mitigating the adversary’s capabilities.
If a significant cyber incident involves a federal agency, that agency is responsible for managing the impact of the incident. This can include maintaining business or operational continuity, protecting privacy, addressing adverse financial impact, breach disclosure and notification, and handling media and congressional inquiries.
If the incident affects a private entity, the role of the government is to be aware of that entity’s response activities and assess the potential impact on private sector critical infrastructure.
Critical Infrastructure Security: Risks Posed by IT Network Breaches
19.1.2017 Securityweek Security
Critical infrastructure security
There have been several incidents recently where a critical infrastructure organization’s IT systems were breached or became infected with malware. SecurityWeek has reached out to several ICS security experts to find out if these types of attacks are an indicator of a weak security posture, which could lead to control systems also getting hacked.
Security incidents involving critical infrastructure organizations
There are only a few publicly known examples of cyberattacks targeting an organization’s industrial control systems (ICS), including the recent Ukraine energy sector incidents and the 2010 Stuxnet attacks. However, there are several known incidents involving the IT networks of critical infrastructure organizations.
One recent report comes from Japan, where attackers last year stole the details (report in Japanese) of more than 10,000 employees of Taiyo Nippon, the country’s largest industrial gas producer and one of the world’s top gas suppliers. The breach, which took place in March 2016, did not affect any control systems, the company said.
In April, we learned that two widely used pieces of malware, namely Conficker and Ramnit, had been found on systems belonging to a German nuclear energy plant in Gundremmingen. Experts believe these systems were likely infected by accident rather than as a result of targeted attacks.
Also in April, the Board of Water and Light (BWL) in Lansing, Michigan, was hit by a piece of ransomware, but the organization said the malware only affected the corporate network, with no disruption to water or energy supplies.
The Grizzly Steppe report published recently by the U.S. government in an effort to help organizations detect attacks launched by Russia-linked threat actors has led to the discovery of suspicious traffic at two organizations: the Burlington Electric Department in Vermont, and the Hydro One electricity distributor in Canada. Both organizations said the electric grid was never at risk.
Experts comment on the risks posed by such incidents
SecurityWeek has reached out to several industrial cybersecurity companies to find out if more damaging attacks may be possible given the holes in these organizations’ security.
Robert M. Lee, CEO and founder of Dragos, Inc., believes poor security practices and poor network segmentation can lead to a number of control system issues.
“Often if the pathways into the IT side of the network are easily taken advantage of, you will find that pathways into the ICS are also easily taken advantage of; however this is not the case in every site and we have seen a significant increase in security by many organizations out there,” Lee said.
Lane Thames, software development engineer and security researcher at Tripwire, also believes that a weak security posture on the IT side can lead to breaches on the OT side, particularly in the case of organizations that have started migrating OT systems to communication technologies (e.g. Ethernet, IP networking, Wi-Fi).
“For example, I have seen a single advanced manufacturing system with over 50 Ethernet ports, each one assigned its own IP address, that was controlled through a web based interface. If an attacker can penetrate the web server hosting the interface, then it is possible to penetrate the physical manufacturing device,” Thames said.
However, Lee and Thames agree that a security incident does not necessarily imply a poor security posture – even organizations with good security practices can get breached.
Opportunistic vs. targeted attacks
While critical infrastructure organizations may be breached by opportunistic threat actors that launch attacks indiscriminately for financial gain, experts believe some of these incidents could represent the reconnaissance phase of a targeted operation; although they have pointed out that targeting ICS is not the same as targeting IT networks.
“The sophistication of some of the attacks on certain industrial facilities points to actors far more capable than your opportunistic hacker,” said Eddie Habibi, CEO of PAS. “If cybersecurity is going to be the new WMD (weapons of mass destruction) in the future, which we believe it has the proclivity to be, you have to also believe that every nation is right now trying to build both their offensive and defensive cyber capabilities. That includes reconnaissance, spyware, Trojan horse and more.”
SAVE THE DATE: ICS Cyber Security Conference | Singapore - April 25-27, 2017
Thames explained, “Reconnaissance is really always in the picture. Further, mainstream attacks are also always in the mix. However, on the industrial side you will also see attacks that are more tailored to the target industry with very specific objectives driving the attack. For example, manufacturing organizations will often be targeted with a goal of stealing sensitive information and intellectual property.”
Despite the differences, experts believe industrial networks are not necessarily more difficult to attack.
“Cyber attacks on industrial control networks are very different from attacks on IT networks because the infrastructures are inherently different. ICS networks contain specialized technologies that operate the different processes. Therefore reconnaissance is always an important phase in which the attacker carefully learns which technologies are in place and how they are operated,” explained Barak Perelman, CEO of Indegy. “This doesn’t make industrial networks more difficult to attack. On the contrary - it is quite easy to attack them.”
Lee has pointed out that the only targeted attacks covered by the mainstream media in 2016 were the ones aimed at Thyssenkrupp and Ukraine’s energy sector. However, the expert said there were a number of targeted threat incidents last year that were not made public.
Securing ICS systems vs. securing corporate networks
SecurityWeek has asked experts about the differences between an organization’s approach when securing their business network versus securing their OT network.
Stephen Ward, Claroty: “The OT domain was not purposely built with security in mind - it was built with reliability, safety and up-time at the core. It is a very complex environment that is sensitive to any potential disruption. When looking at security solutions for the OT domain, organizations have to ensure that no potential harm is introduced into the OT network - they're incredibly concerned with this and in the past this has resulted in IT security people introducing potential controls but OT network personnel disqualifying those approaches. OT security solutions need to be just that - purpose built with an understanding of the complexities of these networks. Passive security solutions - such as real-time monitoring and detection - are on the top of the list for OT security improvements as a result.”
Lane Thames, Tripwire: “Often, there are differences within the organizations themselves (at least that has been the case historically). OT focuses on “mission assurance” whereas IT focuses on “information assurance”. These two objectives are vastly different, and, based on my discussions with practitioners in the industry, it creates communication breakdowns and barriers when an organization with IT and OT approaches security operations. For example, a control engineer could care less about data loss whereas an IT system administrator could care less about air-gapping the battery backup units (UPSs).”
Eddie Habibi, PAS: “The difference is stark. Folks who are focused on protecting business networks concern themselves with protecting information. OT cybersecurity personnel are singularly focused on protecting the physical process plant and safety. These approaches lead to very different cybersecurity decisions. An OT system, for instance, may never have a patch applied if there is a perceived risk it will disrupt production. Instead, they will add security controls in front of that system to mitigate risk. A zero day vulnerability can become a forever day vulnerability. In an IT approach, the patch is applied in real-time. Policies are in fact in place to make sure patches are kept up to date.”
Robert Lee, Dragos: “There must be largely different approaches and processes for securing the OT networks than the IT networks. Simply put, these networks have more serious consequences that can occur from bad practices and they often cannot be secured in the same way. As an example, simply deploying antivirus to the ICS would not significantly contribute to security, and may actually detract from it, whereas that is a common practice in IT security. There need to be tailored methodologies, processes for authorization and ownership of problems, and a different view of the risk management.”
Barak Perelman, Indegy: “There is a huge difference in approaches. OT networks involve different technologies and have different security gaps that should be addressed. Even the network activity is different and uses different protocols. In addition, process stability, safety and continuity is a top priority in these environments. Therefore, any modifications that could impact operations are indefinitely postponed. This means that patches, upgrades and other changes are rarely made.
[...] Implementing network security in ICS environments poses unique challenges since it requires in-depth understanding of the intricacies of OT network activity.”
In 2017: Cool New Tech, Ominous Cyber Threats & Increased Terrorism in the West
31.12.2016 securityaffairs Security
A lot of new and exciting technology will emerge or become more prominent in 2017 and the following is just a glimpse of what is anticipated.
IoT & Smart Home Tech
Smart home technology had been in the works for years before finally getting off to a relatively slow start. But, now that large companies like Apple, Amazon and Google have jumped onboard, smart home tech is expected to significantly pick up the pace in 2017.
VR & AR
In 2016, Oculus Rift was released, following which thousands of virtual reality (VR) games and apps were released on the market. And, augmented reality (AR) game, Pokémon Go, exploded on the market with over 100 million downloads. In 2017, however, VR and AR are expected to really take off.
Machine Learning
Machine learning will advance in 2017, paving the way for it to become a fixture in the workplace. This type of artificial intelligence (AI) is expected to become a component of every type of technology. For instance, robotic journalists have been in circulation for a couple of years now and this trend is expected to expand exponentially in the white collar arena. It will have a lot of impact on the job market because some positions will no longer be needed. But, the combination of automation and machine learning will usher in groundbreaking efficiency in the workplace.
Autonomous driving
More advances from makers of self-driving cars are expected. For example, since initially introducing its ‘Autopilot‘ feature in 2015, Tesla has been continuously tweaking the autonomous capabilities of its vehicles. This highlights the far-reaching capabilities self-driving technologies hold for the future. Additionally, Uber recently acquired self-driving hardware developer Otto and has subsequently put its first fleet of self-driving trucks on the road. In Pittsburgh, Uber has also conducted some real world self-driving tests with its cabs.
Chinese Technology Will Make More Significant Inroads Into the West
As an increasing number of Chinese companies are focused on European and US markets, they will continue to maintain their customer base in China. “Huawei, already a fairly well-known brand in the west, is pushing its Honor brand as a way to drop the budget image for a new demographic. And software firms are getting in the game too. Tencent, makers of WeChat (that’s ‘China’s WhatsApp’, for those playing along at home), is pushing hard into the west, taking on Facebook at its own game.”
And, what cyber threats are coming down the line in 2017?
* Old breaches surfacing – A more dangerous trend than the malware that emerged in 2016 is that of past breaches surfacing. The information in historical breaches has often been sold on the darknet for some time before the breach’s existence comes to light. That is essentially what happened to Yahoo and it happened twice in one year, when the data breaches from 2013 and 2014 resurfaced. The breaches impacted a billion and half a billion accounts respectively. As The Guardian aptly explains it: “Because data breaches can happen undetected, fixing your cybersecurity in 2016 isn’t just locking the stable door after the horse has bolted; it’s locking the stable door without even realizing the horse made its escape years ago.”
* Cyberwar – As was the case with the Stuxnet virus which destroyed Iranian nuclear centrifuges and the US Office of Personnel Management hack, the thing that makes launching a cyberwar attack appealing is that attribution is difficult. The incidents are usually explained away with hunches as opposed to being able to provide conclusive evidence. “Rock-solid attribution to not just a nation but a chain of command is almost impossible,” The Guardian’s Alex Hern has noted. And, according to security expert Hitesh Sheth, head of cybersecurity firm Vectra, “US businesses and the US government should expect an increase in the number and severity of cyber-attacks, led by select nation states and organised political and criminal entities.”
* More innovative hackers – According to Adam Meyer, chief security strategist at SurfWatch Labs, “2017 will be the year of increasingly creative [hacks].”
* Step aside single-target ransomware. Make way for the self-propagating worms of the past, such as Conficker, Nimda, and Code Red, which will return to prominence—but this time around they will carry ransomware payloads capable of infecting hundreds of machines in an astoundingly short period of time.
* DDoS attacks on IoT devices – Hackers will target all types of internet-connected endpoints and employ them in DDoS attacks, but at a higher rate than before. Network World reports that, “in the rush to roll out all manner of IoT devices, security has taken a back seat. That means more serious incidents such as the denial of service attack on domain lookup service Dyn, are highly likely. The Mirai botnet was cited as the culprit, exploiting 50 to 100 thousand IoT devices.”
* DDoS will also bourgeon into a “weapon of mass obstruction” – DDoS attack firepower in 2016 catapulted to frightening levels – rising from 400Gbps bandwidth to 1Tbps or more. This was due to millions of IoT devices lacking even the most basic security. That same firepower can be utilized to take down critical infrastructure and even the internet infrastructure of whole countries. This may be done in conjunction with a physical military attack.
* Inexperienced, albeit dangerous hackers who will not need a skill set – There are now tools that are relatively easy to access, for those who are willing to pay for them. CSO Online predicts, “this trend will continue to spark the rapid growth of cybercriminals in the wild. Whether someone is politically motivated, disgruntled about something, or a career criminal, off-the-shelf hacking tools make it easier for them to make their mark and will cost companies millions in 2017.”
* Malware via third-party vendors – Third-party vendors are a potential gateway to their connected customers. So, no matter how great a business’s security system is, if that business doesn’t hold all of their third-party partners to the same level of scrutiny, their customers will always be at risk. Consider the situation involving Wendy’s in which over 1,000 franchised locations were compromised by a Point-of-Sale (PoS) malware attack. You can count on more, similar activity in 2017 and that will be the case until companies address third-party risk management.
* Shortage of IT security professionals – This is not a new issue, of course, but with more than a million vacant positions worldwide, there have never been more jobs available in cybersecurity.
* State-sponsored hackers – A concern for both organizations and governments now is the steadily growing cadres of state-sponsored hackers, who have an endless array of resources.
* The cloud & mobile computing – Applications and data are moving to the cloud. This, no doubt, will create a new aggregation of vulnerabilities. It stands to reason, though, since “the ‘cloud’ is just someone else’s computer, and by moving and sharing information across more devices and people, the attack surface grows—and so does the opportunity for attackers.”
* Drones will be used not only for attacks, but for espionage, too – Threat actors will be moving in the direction of leveraging capabilities that will allow hacking into drone signals and “dronejacking.”
* An onslaught of attacks on open source – Hackers have come to the realization that applications are an easily exploited weak spot in most organizations. Couple that with the lax job most companies are doing with securing and managing their code–even when patches are available! Hence, these types of exploits will increase in 2017–against sites, applications, and IoT devices.
* Phishing expeditions – Employees are the weakest link in security. Almost all enterprise hacks begin with phishing. However, as noted by Taylor Armerding, writing for CSO Online, “they will need to pay closer attention to the rise in popularity of free SSL certifications paired with Google’s recent initiative to label HTTP-only sites as unsafe. That will weaken security standards, driving potential spear-phishing or malware programs.”
* Hacking Cars – Automobile manufacturers don’t really know much about the software installed in the cars they make because it comes from third parties. In addition to that, this will most likely include open-source components with security vulnerabilities–a hacker’s paradise. This will also likely lead to a large-scale automobile hack, which could include “cars held for ransom, self-driving cars being hacked to obtain their location for hijacking, unauthorized surveillance and intelligence gathering, or other threats.”
* Potential for cyber attacks on grids and nuclear facilities – Again, emphasis should be placed on the human element. The Stuxnet incident demonstrated how a tenacious hacker can overcome cyber protection efforts simply by targeting vulnerable employees. This applies to both grids and nuclear facilities. And, the cybersecurity of both has been abysmally lacking.
Terrorism Trends in the West
According to a report by IHS Jane’s Terrorism and Insurgency Centre (JTIC), recent attacks by ISIS illustrate its use of returned foreign fighters to launch attacks, called for by the terror group’s central leadership. “Western members of the group in Iraq or Syria would communicate with supporters back in their home countries in order to directly encourage, support, and direct attacks therein.”
Moreover, the recent escalation in terror attacks in the West will likely continue in 2017. And, the trends contributing to the current level of terror, that have been building up for years, have not yet peaked. ISIS has exhibited a clear operational presence in Europe and it will take years to come to eliminate the threat posed by these terror groups and the individuals they recruit.
The new year will bring with it fascinating innovations in technology, which in turn will provide hackers and terrorists a multitude of new ways to launch attacks.
Police Ask for Amazon Echo Data to Help Solve a Murder Case
28.12.2016 thehackernews Security
Police seek Amazon Echo Data to solve a Murder Case
Hey, Alexa! Who did this murder?
Arkansas police are seeking help from e-commerce giant Amazon for data that may have been recorded on its Echo device belonging to a suspect in a murder case, bringing the conflict into the realm of the Internet of Things.
Amazon Echo is a voice-activated smart home speaker capable of controlling several smart devices by integrating it with a variety of home automation hubs. It can do tasks like play music, make to-do lists, set alarms, and also provide real-time information such as weather and traffic.
As first reported by The Information, authorities in Bentonville have issued a warrant for Amazon to hand over audio or records from an Echo device belonging to James Andrew Bates in the hope that they'll aid in uncovering additional details about the murder of Victor Collins.
Just like Apple refused the FBI to help them unlock iPhone belonging to one of the San Bernardino terrorists, Amazon also declined to give police any of the information that the Echo logged on its servers.
Collins died on November 21 last year while visiting the house of Bates, his friend from work, in Bentonville, Arkansas. The next morning, Collins' dead body was discovered in a hot tub, and Bates was charged with first-degree murder.
As part of the investigation, authorities seized an Amazon Echo device belonging to Bates, among other internet-connected devices in his home, including a water meter, a Nest thermostat, and a Honeywell alarm system.
Always-ON Listening Feature
Echo typically sits in an idle state with its microphones constantly listening for the "wake" command like "Alexa" or "Amazon" before it begins recording and sending data to Amazon's servers.
However, due to its always-on feature, it's usual for the Echo to activate by mistake and grab snippets of audio that users may not have known was being recorded.
Some of those voice commands are not stored locally on Echo but are instead logged onto Amazon's servers.
Presumably, the authorities believe that those audio records that the Echo device might have picked up the night of the incident and uploaded to Amazon servers could contain evidence related to the case under investigation.
Amazon Refused (Twice) to Hand over its User's Data
Amazon, however, denied providing any data that the authorities need. Here's what a spokesperson for the company told CNBC:
"Amazon will not release customer information without a valid and binding legal demand properly served on us. Amazon objects to overbroad or otherwise inappropriate demands as a matter of course."
While the online retail giant has twice refused to serve police the Echo data logged on its servers, Amazon did provide Bates' account information and purchase history.
The police said they were able to extract data from Echo, though it's uncertain what they were able to uncover and how useful that data would be in their investigation.
According to court records, Bates' smart water meter shows that his home ran 140 gallons of water between 1 AM and 3 AM the night Collins was found dead in Bates' hot tub. The prosecution claims that the water was used to wash away evidence after he killed Collins.
Should Amazon Share the Data or Not?
The authorities in the Collins murder case are asking for data on Amazon's servers that could help bring a criminal to justice. If so, authorities should get access to it.
In the case of Apple vs. FBI, Apple was forced to write a backdoor software that could bypass the security mechanism built into its iPhone, while the company already handed over the data stored on its server.
The broader takeaway: IoT devices automating your habits at home could be used for or against you, legally.
The Collins murder case appears to be a first-of-its-kind, and we are very much sure to see more such cases in the future.
It will be interesting to see how the companies that make smart home devices would serve its customers while maintaining a balance between keeping their customers' privacy safe and aiding the process of justice.
Nintendo announced its bug bounty program for 3DS Consoles. Rewards up to $20,000
6.12.2016 securityaffairs Security
Nintendo presented its bug bounty program for 3DS consoles, the company is willing to pay between $100 and $20,000 for vulnerabilities found in the product.
Good news, Nintendo joins the club of the “bug bounty program,” companies that decide to exploit this mechanism to involve ethical hacking communities.
The company is the last in order of time to adopt a similar strategy, HackerOne already hosts bug bounty program launched by Kaspersky, Qualcomm, Uber, and also the “Hack the Army” promoted by the U.S. Army.
The bug bounty program has been hosted on the HackerOne platform, in this phase is it limited to 3DS consoles as explained by the giant.
“Nintendo’s goal is to provide a secure environment for our customers so that they can enjoy our games and services. In order to achieve this goal, Nintendo is interested in receiving vulnerability information that researchers may discover regarding Nintendo’s platforms.” reads the announcement published on HackerOne. “Currently, in the context of the HackerOne program, Nintendo is only interested in vulnerability information regarding the Nintendo 3DS™ family of systems and is not seeking vulnerability information regarding other Nintendo platforms, network service, or server-related information.”
The company will pay for 3DS vulnerabilities that allow to take over the console or a privilege escalation on ARM11 and ARM 9 processors.
Nintendo aims to prevent illegal activities such as piracy, cheating, and dissemination of inappropriate content to children.
The giant is willing to pay also hardware vulnerabilities regarding the Nintendo 3DS family of systems, including low-cost cloning and security key detection via information leaks.
Nintendo will pay rewards from $100 USD to $20,000 USD, of course, it will determine at its discretion whether a flaw has to be rewarded. The company doesn’t provide details on the process of evaluation for each flaw.
“A report is evaluated to be high quality if you show that the vulnerability is exploitable by providing a proof of concept (functional exploit code is even better),” continues Nintendo. “If you don’t yet have a proof of concept, or functional exploit code, we still encourage you to report to us sooner rather than later such that you do not to lose the opportunity to become the first reporter; you can then submit a proof of concept or functional exploit code later (within three weeks of the initial report) and it will be considered to be a part of the report.”
Nintendo intends to prohibit hackers from disclosing vulnerability information even after a patch becomes available.
Nintendo announced its bug bounty program for 3DS Consoles. Rewards up to $20,000
6.12.2016 securityaffairs Security
Nintendo presented its bug bounty program for 3DS consoles, the company is willing to pay between $100 and $20,000 for vulnerabilities found in the product.
Good news, Nintendo joins the club of the “bug bounty program,” companies that decide to exploit this mechanism to involve ethical hacking communities.
The company is the last in order of time to adopt a similar strategy, HackerOne already hosts bug bounty program launched by Kaspersky, Qualcomm, Uber, and also the “Hack the Army” promoted by the U.S. Army.
The bug bounty program has been hosted on the HackerOne platform, in this phase is it limited to 3DS consoles as explained by the giant.
“Nintendo’s goal is to provide a secure environment for our customers so that they can enjoy our games and services. In order to achieve this goal, Nintendo is interested in receiving vulnerability information that researchers may discover regarding Nintendo’s platforms.” reads the announcement published on HackerOne. “Currently, in the context of the HackerOne program, Nintendo is only interested in vulnerability information regarding the Nintendo 3DS™ family of systems and is not seeking vulnerability information regarding other Nintendo platforms, network service, or server-related information.”
The company will pay for 3DS vulnerabilities that allow to take over the console or a privilege escalation on ARM11 and ARM 9 processors.
Nintendo aims to prevent illegal activities such as piracy, cheating, and dissemination of inappropriate content to children.
The giant is willing to pay also hardware vulnerabilities regarding the Nintendo 3DS family of systems, including low-cost cloning and security key detection via information leaks.
Nintendo will pay rewards from $100 USD to $20,000 USD, of course, it will determine at its discretion whether a flaw has to be rewarded. The company doesn’t provide details on the process of evaluation for each flaw.
“A report is evaluated to be high quality if you show that the vulnerability is exploitable by providing a proof of concept (functional exploit code is even better),” continues Nintendo. “If you don’t yet have a proof of concept, or functional exploit code, we still encourage you to report to us sooner rather than later such that you do not to lose the opportunity to become the first reporter; you can then submit a proof of concept or functional exploit code later (within three weeks of the initial report) and it will be considered to be a part of the report.”
Nintendo intends to prohibit hackers from disclosing vulnerability information even after a patch becomes available.
Caribbean scuba diving with IT-security in mind
25.11.2016 Kaspersky Security
Dare to submit your research proposal before December 1, 2016 to dive into undiscovered and uncharted cybercrimes, hacks, espionage and much more at the Security Analyst Summit – April 2-6, 2017 on the Caribbean island of St. Maarten.
There are four months left before Kaspersky Lab’s Security Analyst Summit on the Caribbean Island of St Maarten, an invitation-only conference. If you still haven’t submitted your individual proposal, you’d better hurry up. There’s only one week left before the SAS17 program committee will start evaluating the abstracts. The summit will welcome those with new studies and tools, vulnerability reports, creative ideas, concepts or their results; insights into nation state cyber-espionage and government surveillance; research into attacks against financial institutions and critical infrastructure; mobile systems the IoT cyber risk landscape observations.
You’ll join the leading voices in the IT security industry – the chosen few – for knowledge and information sharing: senior executives from business organizations, global law enforcement agencies and CERTs, independent researchers and journalists. Previous events were joined by members of leading global companies, such as Samsung, Adobe, Microsoft, BlackBerry, CISCO, Boeing, Interpol, the World Bank, Team Cymru, The ShadowServer Foundation, ICSA Labs and Fidelis Cybersecurity Solutions. And every year SAS proves that IT security has no borders.
Requirements for submissions:
Individual proposals should be no more than 350 words in length. SAS has a ground rule: nobody gets to speak from the stage for more than 30 minutes — this is the longest duration allowed for a keynote presentation — while everyone else gets 20 minutes maximum.
Proposals should include the title of the paper and should clearly spell out the focus and goal of the presentation.
The deadline for submissions is December 1, 2016.
You can send your abstract directly to sasCFP@kaspersky.com. The Program committee consists of six independent members, who evaluate the papers separately. They are Kaspersky Lab and external experts who share the SAS core value: uncompromising research. Have you been good this year? Santa The program committee will check soon.
Submit your abstract, find SPF20+ sunscreen, join the SAS family, follow @KasperskySAS and see how much fun it is — SAS2014, SAS2015 and SAS2016!
WordPress Plugins could expose online shoppers on Black Friday and Cyber Monday
23.11.2016 securityaffairs Security
Black Friday and Cyber Monday are upon us, Checkmarx published a report analyzing the security of some of the top WordPress plugins.
The Black Friday and the Cyber Monday are upon us and security experts from Checkmarx are questioning the security of some of the top WordPress e-commerce plugins that are currently used in more than 100,000 commercial websites.
Checkmarx analyzed the top 12 WordPress e-commerce plugins discovering that four of them are affected by severe vulnerabilities, including reflected cross-site scripting, SQL injection, and file manipulation flaws.
“Out of the 12 plugins we are scanning we have detected high-risk vulnerabilities in at least four of them. One plugin contained three vulnerabilities while the other three each contained one. Of the found vulnerabilities so far, Reflected XSS was found on three plugins, an SQL injection was found on one plugin, Second Order SQL Injection found on one plugin with File Manipulation also being detected on one plugin.” reported the analysis published by Checkmarx. “Of the vulnerabilities that we have detected so far, if they were exploited, the users of over 135,000 websites could find their personal data threatened by malicious parties or cyber criminals.”
The document includes an explanation for most popular flaws affecting WordPress based websites such as reflected cross-site scripting, SQL injection, and file manipulation flaws.
The report doesn’t refer specific e-commerce plugins used by WordPress sites and doesn’t provide information about the commercial platform using it.
Businesses powering e-commerce platform based on WordPress should download plugins only from trusted sources (WordPress.org).
The researchers also suggest scanning the source code of the plugins with a static source code analysis solutions to discover if they are affected by the above vulnerabilities.
Patch management assumes a crucial importance to secure e-commerce websites running on the WordPress CMS, administrators have to constantly maintain plugins up to date.
The report provides useful suggestions to cyber Monday and black Friday shoppers such as:
Use simple passwords.
Never use passwords on more than one site or platform.
Enable two-factor authentication.
Check the validity of the SSL Certificate exposed by the e-commerce platform.
Be aware phishing emails.
'Web Of Trust' Browser Add-On Caught Selling Users' Data — Uninstall It Now
8.11.2016 thehackernews Security
Browser extensions have become a standard part of the most popular browsers and essential part of our lives for surfing the Internet.
But not all extensions can be trusted.
One such innocent looking browser add-on has been caught collecting browsing history of millions of users and selling them to third-parties for making money.
An investigation by German television channel NDR (Norddeutscher Rundfunk) has discovered a series of privacy breaches by Web Of Trust (WOT) – one of the top privacy and security browser extensions used by more than 140 Million online users to help keep them safe online.
Web of Trust has been offering a "Safe Web Search & Browsing" service since 2007. The WOT browser extension, which is available for both Firefox and Chrome, uses crowdsourcing to rate websites based on trustworthiness and child safety.
However, it turns out that the Web of Trust service collects extensive data about netizens' web browsing habits via its browser add-on and then sells them off to various third party companies.
What's extremely worrying? Web of Trust did not properly anonymize the data it collects on its users, which means it is easy to expose your real identity and every detail about you.
The WOT Privacy Policy states that your IP address, geo-location, the type of device, operating system, and browser you use, the date and time, Web addresses, and browser usage are all collected, but they are in "non-identifiable" format.
However, NDR found that it was very easy to link the anonymized data to its individual users.
The reporters focused on just a small data sample of around 50 WOT users, and were able to retrieve a lot of data, which included:
Account name
Mailing address
Shopping habits
Travel plans
Possible illnesses
Sexual preferences
Drug consumption
Confidential company information
Ongoing police investigations
Browser surfing activity including all sites visited
This data belonged to just 50 users, and WOT has more than 140 Million users. From here, you can imagine why the whole matter is of huge concern.
Mozilla has already removed the WOT extension from Firefox Add-ons page, and WoT, in turn, removed the extension from the Chrome Web Store as well.
In a statement, WOT said "we take our obligations to you very seriously. While we deployed great effort to remove any data that could be used to identify individual users, it appears that in some cases such identification remained possible, albeit for what may be a very small number of WOT users," claiming that they are taking these steps:
Reviewing our privacy policy to determine which changes need to be made to enhance and ensure that our users' privacy rights are properly addressed.
For the user browsing data used to enable WOT website reputation service, we intend to provide users the ability to opt-out of having such data saved in our database or shared. This opt-out will be available from the settings menu, as we want to provide each user with a clear choice at all times.
For people who agree to let us use their browsing data to support WOT, we will implement a complete overhaul of our data 'cleaning' process, to optimize our data anonymization and aggregation objectives to minimize any risk of exposure for our users.
For now, anyone using the WOT extension is strongly recommended to immediately uninstall the extension right now. WOT also has a mobile app that will not be immune to this data collection.
Databases of Indian embassies leaked online. Too easy hack them
6.11.2016 securityaffairs Security
The databases of the Indian Embassies in Switzerland, Mali, Romania, Italy, Malawi, and Libya were leaked online by two grey hat hackers.
Today I was contacted by a security pentester who goes online with the moniker Kapustkiy who revealed me to have breached the Indian Embassies in Switzerland, Mali, Romania, Italy, Malawi, and Libya. Kapustkiy and his friend Kasimierz (@Kasimierz_) told me that they were initially white hats in the past, but decided to change to grey hats to get the media attention and force many administrators of websites online to seriously consider cyber security.
The duo exploited SQli injection flaws in the targeted websites and gain access to the databases. They confirmed me that many Indian embassies are vulnerable to such kind of attack.
They breached a total of 7 databases containing names, surname, email addresses and telephone numbers.
The duo leaked online the content of the hacked databases. The data are available on Pastebin at the following URL
http://pastebin.com/GqJcwSSc
Unfortunately, such kind data leaks are very dangerous, especially for the security of diplomatic personnel. We cannot forget that the personnel working in the embassies are privileged targets of nation-state actors conducting cyber espionage campaigns.
In May, security experts from PaloAlto Networks collected evidence that the Operation Ke3chang discovered by FireEye in 2013 is still ongoing. Back in 2013, the security researchers at FireEye spotted a group of China-Linked hackers that conducted an espionage campaign on foreign affairs ministries in Europe. The campaign was named ‘Operation Ke3chang,’ and in March the same hacking crew was spotted targeting personnel at Indian embassies across the world.
The Operation Ke3chang is only one of the numerous campaigns that targeted diplomats worldwide, for this reason, it is important to ensure a proper security posture to secure data managed by embassies across the world.
Now the data belonging to the personnel working in the Indian Embassies in the above countries are available online.
I had no opportunity to check the authenticity of the data, I tried to reach the embassy online but at the time I was writing the website of the Indian Embassy in Rome is unavailable.
Chinese Hackers won $215,000 for Hacking iPhone and Google Nexus at Mobile Pwn2Own
27.10.2016 thehackernews Security
Chinese Hackers won $215,000 for Hacking iPhone and Google Nexus at Mobile Pwn2Own
The Tencent Keen Security Lab Team from China has won a total prize money of $215,000 in the 2016 Mobile Pwn2Own contest run by Trend Micro's Zero Day Initiative (ZDI) in Tokyo, Japan.
Despite the implementation of high-security measures in current devices, the famous Chinese hackers crew has successfully hacked both Apple's iPhone 6S as well as Google's Nexus 6P phones.
Hacking iPhone 6S
For hacking Apple's iPhone 6S, Keen Lab exploited two iOS vulnerabilities – a use-after-free bug in the renderer and a memory corruption flaw in the sandbox – and stole pictures from the device, for which the team was awarded $52,500.
The iPhone 6S exploit successfully worked despite the iOS 10 update rolled out by Apple this week.
Earlier this week, Marco Grassi from Keen Lab was credited by Apple for finding a serious remote code execution flaw in iOS that could compromise a victim's phone by just viewing "a maliciously crafted JPEG" image.
However, a tweet from Keen Team indicated it was able to make the attack successfully work on iOS 10.1 as well.
The Keen Lab also managed to install a malicious app on the iPhone 6S, but the app did not survive a reboot due to a default configuration setting, which prevented persistence. Still, the ZDI awarded the hackers $60,000 for the vulnerabilities they used in the hack.
Hacking Google's Nexus 6P
For hacking the Nexus 6P, the Keen Lab Team used a combination of two vulnerabilities and other weaknesses in Android and managed to install a rogue application on the Google Nexus 6P phone without user interaction.
The ZDI awarded them a whopping $102,500 for the Nexus 6P hack.
So, of the total potential payout of $375,000 from the Trend Micro's Zero Day Initiative, the Keen Lab Team researchers took home $215,000.
Chinese Electronics Firm to Recall its Smart Cameras recently used to Take Down Internet
25.10.2016 thehackernews Security
You might be surprised to know that your security cameras, Internet-connected toasters and refrigerators may have inadvertently participated in the massive cyber attack that broke a large portion of the Internet on Friday.
That's due to massive Distributed Denial of Service (DDoS) attacks against Dyn, a major domain name system (DNS) provider that many sites and services use as their upstream DNS provider for turning IP addresses into human-readable websites.
The result we all know:
Twitter, GitHub, Amazon, Netflix, Pinterest, Etsy, Reddit, PayPal, and AirBnb, were among hundreds of sites and services that were rendered inaccessible to Millions of people worldwide for several hours.
Why and How the Deadliest DDoS Attack Happened
It was reported that the Mirai bots were used in the massive DDoS attacks against DynDNS, but they "were separate and distinct" bots from those used to execute record-breaking DDoS attack against French Internet service and hosting provider OVH.
Here's why: Initially the source code of the Mirai malware was limited to a few number of hackers who were aware of the underground hacking forum where it was released.
But later, the link to the Mirai source code suddenly received a huge promotion from thousands of media websites after it got exclusively publicized by journalist Brian Krebs on his personal blog.
Due to the worldwide news release and promotion, copycat hackers and unprofessional hackers are now creating their own botnet networks by hacking millions of smart devices to launch DDoS attacks, as well as to make money by selling their botnets as DDoS-for-hire service.
Mirai malware is designed to scan for Internet of Things (IoT) devices – mostly routers, security cameras, DVRs or WebIP cameras, Linux servers, and devices running Busybox – that are still using their default passwords. It enslaves vast numbers of these devices into a botnet, which is then used to launch DDoS attacks.
Chinese Firm Admits Its Hacked DVRs and Cameras Were Behind Largest DDoS Attack
More such attacks are expected to happen and will not stop until IoT manufacturers take the security of these Internet-connected devices seriously.
One such IoT electronic manufacturer is Chinese firm Hangzhou Xiongmai Technology which admitted its products – DVRs and internet-connected cameras – inadvertently played a role in the Friday's massive cyber attack against DynDNS.
The Mirai malware can easily be removed from infected devices by rebooting them, but the devices will end up infecting again in a matter of minutes if their owners and manufacturers do not take proper measures to protect them.
What's worse? Some of these devices, which include connected devices from Xiongmai, can not be protected because of hardcoded passwords, and the fact that their makers implemented them in a way that they cannot easily be updated.
"Mirai is a huge disaster for the Internet of Things," the company confirmed to IDG News. "[We] have to admit that our products also suffered from hacker's break-in and illegal use."
The company claimed to have rolled out patches for security vulnerabilities, involving weak default passwords, which allowed the Mirai malware to infect its products and use them to launch massive DDoS attack against DynDNS.
However, Xiongmai products that are running older versions of the firmware are still vulnerable. To tackle this issue, the company has advised its customers to update their product's firmware and change their default credentials.
The electronics components firm would also recall some of its earlier products, specifically webcam models, sold in the US and send customers a patch for products made before April last year, Xiongmai said in a statement on its official microblog.
Hackers are selling IoT-based Botnet capable of 1 Tbps DDoS Attack
Even worse is expected:
The Friday's DDoS attack that knocked down half of the Internet in the U.S. is just the beginning because hackers have started selling access to a huge army of hacked IoT devices designed to launch attacks that are capable of severely disrupting any web service.
The seller claimed their botnet could generate 1 Terabit of traffic that’s almost equal to the world's largest DDoS attack against OVH earlier this month, Forbes reported.
Anyone could buy 50,000 bots for $4,600, and 100,000 bots for $7,500, which can be combined to overwhelm targets with data.
Hacker groups have long sold access to botnets as a DDoS weapon for hire – like the infamous Lizard Squad's DDoS attack tool Lizard Stresser – but those botnets largely comprised of compromised vulnerable routers, and not IoT devices like connected cameras, toasters, fridges and kettles (which are now available in bulk).
In a separate disclosure, a hacking group calling itself New World Hackers has also claimed responsibility for the Friday's DDoS attacks, though it is not confirmed yet.
New World Hackers is the same group that briefly knocked the BBC offline last year. The group claimed to be a hacktivist collective with members in China, Russia, and India.
Well, who is behind the Friday's cyber attack is still unclear. The US Department of Homeland Security (DHS) and the FBI are investigating the DDoS attacks hit DynDNS, but none of the agencies yet speculated on who might be behind them.
The DynDNS DDoS attack has already shown the danger of IoT-based botnets, alarming both IoT manufacturers to start caring about implementing security on their products, and end users to start caring about the basic safety of their connected devices.
Kaspersky Lab launched the new Lab ICS-CERT
25.10.2016 securityaffairs Security
Kaspersky Lab has launched a new global computer emergency response team (CERT), the Kaspersky Lab ICS-CERT, focusing on industrial control systems (ICS)..
Kaspersky has anticipated launching an Industrial Control Systems CERT. Of course, I’m joking, anyway I always sustained that the creation of a similar structure represents an important achievement for the cyber security of any government.
Kaspersky has presented the Kaspersky Lab ICS-CERT, an infrastructure that aims to share the knowledge of cyber threats and in securing industrial systems. The Kaspersky Lab ICS-CERT will coordinate the exchange of information between stakeholders, making more efficient the adoption of countermeasures and the rapid response in case of security incidents.
“Industrial Systems Emergency Response Team is a special Kaspersky Lab project that will offer the wide range of information services, starting from the intelligence on the latest threats and security incidents with mitigation strategies and all the way up to incident response and investigation consultancy and services. In addition to the latest intelligence about threats and vulnerabilities, Kaspersky Lab’s Industrial CERT will share expertise on compliance. Being a non-commercial project, ICS CERT will share information and expertise to its members free of charge.” wrote Kaspersky on the Kaspersky Lab ICS-CERT page.
Like any other CERT, also the Kaspersky Lab ICS-CERT will share information of the current threat landscape reporting and share information on the latest threats, vulnerabilities, security incidents, mitigation strategies, compliance, and investigations.
It is important to highlight that the initiative launched by Kaspersky is a non-commercial project, the experts of the company will share information for free.
Of course, it is essential for the success of the initiative that ICS product vendors, government agencies, critical infrastructure operators, and other actors will provide their precious contribute.
Everyone benefits of the contribution made to this type of initiative, it will be particularly important for any organizations using ICS-SCADA systems that will find all the information aggregated in a single portal, on their hands they could share any experience related to cyber threats increasing the level of awareness of the overall community.
“Today’s approach to cyber security highlights the importance of accumulating intelligence on the latest threats, in order to develop protection technologies. This is especially true for industrial infrastructure, which has specific threats, highly customized hardware and software, and strict requirements for reliability,” explained Andrey Doukhvalov, head of future technologies and chief security architect at Kaspersky.
“As a security vendor, we have years of experience analyzing threats and helping industrial operators with threat prevention and detection, incident response, staff training, and the prediction of future attack vectors. We are confident that sharing intelligence, or, in a broader way, exchanging knowledge between vendors and operators, is an important step towards more secure critical infrastructure,” “By establishing ICS-CERT we are expanding the availability of the industry’s expertise in a way that no other private security vendor has done before.”
Experts devised a method to capture keystrokes during Skype calls
20.10.2016 securityaffairs Security
A group of security experts discovered that the Microsoft Skype Messaging service exposes user keystrokes during a conversation.
A group of researchers from the University of California Irvine (UCI) and two Italian Universities discovered that the popular Skype Messaging service expose user keystrokes during a call.
The researchers have devised a method to record the acoustic emanations of computer keyboards during a Skype call in order to reassemble them as a text.
The method leverage on the profiling of the user’s typing style and doesn’t request a proximity to the victim in order to capture keystrokes.
The experts devised a new keyboard acoustic eavesdropping attack based on Voice-over-IP (VoIP).
The VoIP software is able to eavesdrop acoustic emanations of pressed keystrokes and transmits them to the interlocutors involved in the VoIP call.
The attack is possible because each brand of keyboards emis distinct sounds, such as the various letters on the same keyboard. The technique presented by the researchers is able to discriminate these sounds and discover the typed text with an accuracy that depends on the knowledge of the user’s typing style.
Clearly, this attack poses a serious threat to the users’ privacy.
According to the researchers, Skype conveys enough audio information to allow attackers to reconstruct the victim’s input with an accuracy of 91.7% when it is known the target typing style.
“In fact, we show that very popular VoIP software (Skype) conveys enough audio information to reconstruct the victim’s input – keystrokes typed on the remote keyboard.” states the paper published by the experts. “In particular, our results demonstrate that, given some knowledge on the victim’s typing style and the keyboard, the attacker attains top-5 accuracy of 91.7% in guessing a random key pressed by the victim. (The accuracy goes down to still alarming 41.89% if the attacker is oblivious to both the typing style and the keyboard).”
The researchers highlighted that the attack is not effective when the victim uses a touchscreen or a and keypad.
The real element of innovation for this technique is the fact that VoIP technology allows bypassing the need to be in proximity of the victim that was requested by other techniques.
Ops also the Trump Organization uses insecure e-mail servers
19.10.2016 securityaffairs Security
According to a security researcher, the Trump Organization’s mail servers run on an outdated version of Microsoft Windows Server.
Hillary Clinton is over in the storm for the violation of its private email server, even Trump has used the case to attack the rival.
The irony of fate, now we are here discussing because also Trump’s staff has some problems with his email servers. According to the security researcher Kevin Beaumont, the Trump Organization’s mail servers run on Microsoft Windows Server 2003 version with Internet Information Server 6 that is no more supported by the company. The researchers also discovered that servers are configured with minimal security.
What does it mean?
Simple, they are an easy target of hackers that can access to the organization’s e-mails servers.
Visualizza l'immagine su TwitterVisualizza l'immagine su Twitter
Segui
Kevin Beaumont ✔ @GossiTheDog
Quick update on Trump corp email servers - all internet accessible, single factor auth, no MDM, Win2003, no security patching.
00:44 - 18 Ott 2016
1.283 1.283 Retweet 1.286 1.286 Mi piace
Beaumont also discovered the Organization’s Web email access page, he explained that until yesterday morning, the Trump Organization allowed Outlook Web Access logins from webmail.trumporg.com.
According to Sean Gallagher of Ars, the e-mail access page webmail.trumporg.com displays the header for Microsoft Exchange Outlook Web Access (OWA). The analysis of the page HTML source code reveals that site is using an outdated application i.e. March 2015 build of Microsoft Exchange 2007 (SP3 RU16), which is a version known to be affected by many security issues. The login page reveals that the webmail site was running Microsoft Exchange 2007.
Beaumont pointed out that the email service doesn’t use two-factor authentication.
Below the comment sent via email by a spokesperson for the Trump Organization to the Motherboard website, he seems to downplay the problem.
“The Trump Organization deploys best in class firewall and anti-vulnerability technology with constant 24/7 monitoring. Our infrastructure is vast and leverages multiple platforms which are consistently monitored and upgraded using current cyber security best practices.”
Security experts released an anti-reconnaissance tool dubbed NetCease
15.10.2016 securityaffairs Security
A Microsoft security duo released a new tool dubbed NetCease designed to make hard for attackers to conduct reconnaissance.
Microsoft experts have released a tool dubbed NetCease that was designed to make hard reconnaissance activities of hackers.
The NetCease tool was developed by two researchers of the Microsoft Advanced Threat Analytics (ATA) research team, Itai Grady and Tal Be’ery.
The security experts will present the tool at the Black Hat Europe where they will explore the concept of “offensive cyber defense” methods.
The application is not classified as an official Microsoft tool, but it has been made available on Microsoft’s TechNet Gallery under the default license terms for “Software on Documentation Portals.”
The reconnaissance is a critical phase of an attack, attackers gather information of the potential targets identified target machines, potential bridge components for lateral movements and privileged users.
Once the attacker has identified the targets, he can use the NetSessionEnum function to retrieve information about sessions established on domain controllers (DC) or other servers in the network.
A NetSessionEnum could allow attackers to discover device name, IP address, the username that established a session, and the duration of each session.
This data are essential for attackers to move laterally within their victim’s network.
Any domain user has the permission by default to execute the NetSessionEnum method remotely. Anyway, it is possible to harden the access to the NetSessionEnum method by manually editing a registry key. The NetCease is a PowerShell script that modifies this registry key modify to forbid the execution of the NetSessionEnum.
“Net Cease” tool is a short PowerShell (PS) script which alters Net Session Enumeration (NetSessionEnum) default permissions. This hardening process prevents attackers from easily getting some valuable recon information to move laterally within their victim’s network.” reads the NetCease description.
“The NetCease script hardens the access to the NetSessionEnum method by removing the execute permission for Authenticated Users group and adding permissions for interactive, service and batch logon sessions,” the experts explained. “This will allow any administrator, system operator and power user to remotely call this method, and any interactive/service/batch logon session to call it locally.”
NetCease is simple to use, administrators have to run the PowerShell script as administrator on the machine they need to harden (i.e. a Domain Controller), then restart it.
Here’s how Tor Project and Mozilla will make harder de-anonymizing Tor users
14.10.2016 securityaffairs Security
Tor Project and Mozilla are working together to improve the security of Tor users and make harder for attackers to unmask them.
Intelligence and law enforcement agencies continue to invest in order to de-anonymize Tor users. In the past, we received news about several techniques devised by various agencies to track Tor users, from the correlation attacks to the hack of a machine with the NIT script.
In many cases, authorities and cyber spies targeted individual users’ computers for this reason the experts the Tor Project alongside with the experts from Mozilla’s Firefox involved in the project are working on a series of improvements to make harder the exploitation of flaws in the browser component of the Tor architecture.
The improvements aim to block malware from trying to gather information to unmask users.
Tor Project
“We’re at the stage right now where we have created the basic tools and we’re working on putting them together to realize the security benefits,” Richard Barnes, Firefox Security Lead, told Joseph Cox from Motherboard via email.
The Tor Browser is composed of two components, a modified version of the Firefox browser, and the Tor proxy which implements routing functionalities in the Tor network. An attacker can try to hack the browser component forcing it to connect to other than the legitimate Tor proxy part, for example, a server set up by the attacker that gathers user data.
“That means if an attacker can compromise the Firefox half of Tor Browser, it can de-anonymize the user by connecting to something other than the Tor proxy,” Barnes said.
Barnes a series of improvements, including the use of Unix domain sockets that are data communications endpoints for exchanging data between processes executing on the same operating system.
This will allow the Tor Browser to securely communicate with the FireFox component without underlying the network protocol. In this was the experts will sandbox the Firefox component, any manipulation or attacks will have no effects on the user’s privacy because the Tor Browser wouldn’t be able to make a network connection to de-anonymize the user.
Basically the intent of the experts at the Tor Project is to sandbox the Tor browser to insulate our users from attacks such as the NIT and similar ones. According to Motherboard, the Tor developer Yawning Angel just finished an experimental prototype that will likely appear in some versions of the Tor Browser later this year.
“That means that you could run it in a sandbox with no network access (only a Unix domain socket to the proxy), and it would still work fine. And then, even if the Firefox half of Tor Browser were compromised, it wouldn’t be able to make a network connection to de-anonymize the user,” added Barnes.
As explained by Barnes such kind of security measures is actually supported only on platforms that have implement Unix domain sockets, such as Linux and Mac OS.
The experts are now working to extend it to Windows platforms.
Trust me, I have a pen
13.10.2016 Kaspersky Security
Earlier today we became aware of a malicious website delivering Petya through the Hunter exploit kit. While there is nothing special about yet another exploit kit page, this one caught our attention because it mimics the index page of our sinkhole systems.
A malicious webpage faking one of our research systems
With cybercriminals increasingly trying to exploit trust relationships in cyberspace, it’s easy to get fooled by such attempts. We believe the criminals attempted to mimic our sinkhole systems in order to avoid being shut down by other researchers.
Just last week we were investigating a case of a serious attack that potentially breached a company. When we collected proof of the attack, we had to contact the company to help them isolate compromised systems and remediate. This brought us to a problem we commonly see today: the problem of trust.
The first reaction you normally have when someone calls you and attempts to convince you must arouse suspicion. In our investigations we normally deal with security personnel, who are highly paranoid people and do not trust anyone by nature. So far, the reaction of the company’s security staff was spot on: get the name of the caller, the company and department name, look up the company contacts using an independent, trusted, verifiable source, contact the company and confirm the facts, asking to connect to the researcher in the office immediately to do additional voice recognition. When that is done, the conversation can be resumed. Such a reaction and verification process is what we consider standard in our business. Unfortunately, we haven’t seen the same level of cautiousness among regular users.
A typical strategy for cybercriminals is to try to hide their tools, exploit kits and other malicious files on a compromised legitimate website or inject a malicious payload into a hijacked banner network account. Attackers also will rip entire websites, or just replace links to redirect visitors to attacker controlled sites, as we observed with the StrongPity watering holes. In this case, they simply counted on the confusion caused by visual appearance.
The fake webpage looks exactly the same as the original one from our research server and there is no point in finding even minor differences. Every webpage on the web can be copied and made to look identical to the source, except for the page’s original address or validated SSL certificate. PGPHtml is an alternative possibility, with each page explicitly stating its host domain or IP and then signed and verified with a public key. The server in question has been reportedly serving the Pony Trojan, hosting the Hunter Exploit Kit and distributing Petya ransomware.
We believe that this was the act of Russian-speaking cybercriminals, who send messages to our side every time their activities are affected by the work we do. We are bringing this to your attention to make you a little bit more cautious. Having said that, our first reaction was laughter, because it brought back some memories of an excellent short video on this matter shot by our colleagues from the security industry. And, because of this history of receiving messages from malware authors in their code and on sites, we think it is unlikely that this site is a watering hole targeting security researchers.
Unfortunately, this game of shadows is a well-known method not only in the criminal world but also in the world of advanced targeted attackers. We have seen in the past that some APT groups use deceiving tactics in order to try to confuse security researchers into wrong attribution. We have seen malware samples in the past where attackers from one group implanted decoys, trying to mimic the behaviour of their rivals. This is done to harden the research process or consume extra time. The attribution process, being the hardest part of any computer investigation, can easily be driven in the wrong direction. However, we have been looking at these attempts for a long time and learned to recognize such false flags. Now we would like you to be cautious and verify everything you see.
Related to this topic, our colleagues recently presented a more in-depth analysis of these techniques at VB 2016. You can read their entire paper here: Wave your false flags!
Signal is Most Secure Messenger, 'Useless Data' Obtained by FBI Proves It All
7.10.2016 thehackernews Security
Do you trust your messaging app even though it uses end-to-end encryption?
As I previously said end-to-end encryption doesn't mean that your messages are secure enough to hide your trace.
It's because most of the messaging apps still record and store a lot of metadata on your calls and messages that could reveal some of your personal information including dates and durations of communication, as well as the participants' phone numbers.
Apple's iMessage app is the most recent and best example of this scenario. Just recently it was reported that the company stores a lot of information about its end-to-end encrypted iMessage, that could reveal your contacts and location, and even share this data with law enforcement via court orders.
But if you are using open source end-to-end encrypted Signal app, you are on the safer side. Trust me!
As we previously reported that the Signal app, which is widely considered the most secure of all other encrypted messaging apps, stores minimum information about its users.
This was just recently proved when the app was put to the test earlier this year when an FBI subpoena and gag order demanded a wide range of information on two Signal users, but the authorities got their hands on information that’s less or no use in the investigation.
Open Whisper Systems, the makers of Signal, revealed Tuesday that the company had received a federal subpoena earlier this year for records and other details on two of its users as part of a federal grand jury investigation in Virginia.
But unfortunately for the government, Signal keeps as little data as possible on its users, and therefore Open Whisper Systems was unable to hand over anything useful to the FBI agents that could help them in their investigation.
Here's what the FBI demanded on the two suspects, seeking a subpoena:
Subscriber name
Payment information
Associated IP addresses
Email addresses
History logs
Browser cookie data
Other information associated with two phone numbers
The request was made in the first half of this year, the court documents unsealed last week showed.
And here's what the company turned over to the FBI:
signal-data
"As the documents show, the government's effort did not amount to much—not because OWS refused to comply with the government's subpoena (it complied), but because the company simply does not keep the kinds of information about their customers that the government sought (and that too many technology companies continue to amass)," the ACLU said in a post. "All OWS was able to provide were the dates and times for when the account was created and when it last connected to Signal's servers."
You can see a number of court filings related to the subpoena published by the American Civil Liberties Union (ACLU), which is representing Open Whisper Systems in the fight.
Much information about the subpoena is still secret — including the case number, the date the subpoena was served, and other details of the underlying case — but it's very much clear that the FBI sought detailed information on two suspects who used Signal app.
Open Whisper Systems is also the force behind the Signal Protocol that powers the encryption built into WhatsApp, Facebook Messenger, and Google Allo's Incognito mode.
Yahoo – The Reuter’s article is misleading and the surveillance tool doesn’t exist
8.10.2016 securityaffairs Security
A few hours after the Reuters reported the existence of a surveillance tools used by Yahoo for email massive scanning, the Tech giant denied it.
This week the Reuters reported Yahoo reportedly scanned all of its users’ incoming emails with a secret software program that is designed to gather information for the US Government agencies.
According to the Reuters agency, the software was created last year and it was used by IT giant to search emails in hundreds of millions of Yahoo Mail accounts at the behest of the National Security Agency and FBI.
“Yahoo Inc last year secretly built a custom software program to search all of its customers’ incoming emails for specific information provided by U.S. intelligence officials, according to people familiar with the matter.” reported the article from the Reuters Agency.
“The company complied with a classified U.S. government demand, scanning hundreds of millions of Yahoo Mail accounts at the behest of the National Security Agency or FBI, said three former employees and a fourth person apprised of the events.”
Now Yahoo has replied to the Reuters saying that such kind of surveillance systems doesn’t exists within the Yahoo architecture.
“The article is misleading,” the statement reads “We narrowly interpret every government request for user data to minimize disclosure. The mail scanning described in the article does not exist on our systems,” reads an email sent by the company.
The email sent by Yahoo, however, didn’t provide any further details about the story reported by the Reuters agency.
The article publishe dby the Reuters also claims that the former Yahoo CISO, Alex Stamos, left the company after his team discovered the surveillance program installed in the company architecture with the authorization of the CEO.
“When Stamos found out that Mayer had authorized the program, he resigned as chief information security officer and told his subordinates that he had been left out of a decision that hurt users’ security, the sources said. Due to a programming flaw, he told them hackers could have accessed the stored emails.” reported the Reuters “Stamos’s announcement in June 2015 that he had joined Facebook did not mention any problems with Yahoo.”
Stamos, however, refused to comment the article.
While Snowden’s leaked documents about the PRISM surveillance program demonstrate the collaboration between the US Government the US IT giants, the companies said they had never received pressure to conduct massive surveillance through the email scanning.
“”We’ve never received such a request, but if we did, our response would be simple: ‘no way’.” Google said according to CSOonline.
Apple, Facebook and Twitter offered similar statements and said they would challenge such an order. Microsoft also said it had never engaged in the secret scanning of email traffic described in the Reuters article.”
yahoo-data-breach
While Yahoo continues to deny the existence of the surveillance tool mentioned by the Reuters, according to a New York Times, the company was ordered by the US Foreign Intelligence Surveillance Court to scan users’ emails for “digital signatures.”
It seems that the scanning was performed by introducing additional features to the actual security software used to examine all incoming email traffic for malicious activities.
“Two government officials who spoke on the condition of anonymity said the Justice Department obtained an individualized order from a judge of the Foreign Intelligence Surveillance Court last year. Yahoo was barred from disclosing the matter.
To comply, Yahoo customized an existing scanning system for all incoming email traffic, which also looks for malware, according to one of the officials and to a third person familiar with Yahoo’s response, who also spoke on the condition of anonymity.” reported The New York Times.
“With some modifications, the system stored and made available to the Federal Bureau of Investigation a copy of any messages it found that contained the digital signature. The collection is no longer taking place, those two people said.
The order was unusual because it involved the systematic scanning of all Yahoo users’ emails rather than individual accounts; several other tech companies said they had not encountered such a demand.”
Let me close with the position of the US intelligence, the NSA chief, Admiral Michael Rogers, speaking at the Cambridge Cyber Summit yesterday called the article “a bit speculative,” CNBC reports, adding that dragnet email surveillance “would be illegal.”
“We don’t do that. And no court would grant us the authority to do that. We have to make a specific cast. And what the court grants is specific authority for a specific period of time for a specific purpose.”
Turkey Blocks GitHub, Google Drive and Dropbox to Censor RedHack Leaks
10.10.2016 thehackernews Security
Turkey Blocks GitHub, Google Drive, Dropbox & Microsoft OneDrive To Censor RedHack Leaks
Turkey is again in the news for banning online services, and this time, it's a bunch of sites and services offered by big technology giants.
Turkey government has reportedly blocked access to cloud storage services including Microsoft OneDrive, Dropbox, and Google Drive, as well as the code hosting service GitHub, reports censorship monitoring group Turkey Blocks.
The services were blocked on Saturday following the leak of some private emails allegedly belonging to Minister of Energy and Natural Resources Berat Albayrak — also the son-in-law of President Recep Tayyip Erdogan.
Github, Dropbox, and Google Drive are issuing SSL errors, which indicates interception of traffic at the national or ISP level. Microsoft OneDrive was also subsequently blocked off throughout Turkey.
The leaks come from a 20-year-old hacktivist group known as RedHack, which leaked 17GB of files containing some 57,623 stolen emails dating from April 2000 to September this year. A court in Turkish confirmed the authenticity of the leak.
The move to block aforementioned services is seemingly to suppress circulation of these stolen emails and to stop Internet users from hosting the email dumps on their accounts, which may allegedly reveal a widespread campaign of propaganda and deception.
According to Turkey Blocks, Google Drive had already been unblocked on Sunday, while other services are still unavailable in the country.
Like China, Turkey has long been known for blocking access to major online services in order to control what its citizens can see about its government on the Internet. In March, the country banned its people from accessing Facebook and Twitter, following a car bomb explosion in Turkey capital Ankara.
The same happened in March 2014, when Twitter was banned in Turkey after an audio clip was leaked on YouTube and Twitter about the massive corruption of Turkey Prime Minister Recep Tayyip Erdoğan instructing his son to dispose of large amounts of cash in the midst of a police investigation.
Also, it is not the first time when some group of hackers has exposed personal emails of the member of Turkey government. A few months ago, personal details of almost 50 Million Turkish citizens, including the country's President Recep Tayyip Erdogan, was posted online.
Mozilla plans to ban the Chinese CA WoSign due to trust violations
30.9.2016 securityaffairs Security
Mozilla is at the point of banning Chinese certificate authority WoSign due to a number of severe violations that could impact Internet users.
Mozilla is at the point of banning Chinese certificate authority WoSign due to a number of violations, including backdating SHA -1 certificates in order to subvert deprecating certs from being trusted.
According to a report published by Mozilla on Monday, WoSign failed to report its acquisition of SmartCom and has also been accused of mis-issuing digital certificates for GitHub, allowing arbitrary domain names to be securely signed without ever performing any type of validation.
“Mozilla’s CA team has lost confidence in the ability of WoSign/StartCom to faithfully and competently discharge the functions of a CA,” they went on to add “Therefore we propose that, starting on a date to be determined in the near future, Mozilla products will no longer trust newly-issued certificates issued by either of these two CA brands.” Reads the report published by Mozilla.
In order to avoid impacting existing users, Mozilla has said that they will only distrust newly issued certificates as both CAs have to date issued a large number of certificates.
“Mozilla believes that continued public trust in the correct working of the CA certificate system is vital to the health of the Internet, and we will not hesitate to take steps such as those outlined above to maintain that public trust,” Mozilla said. “We believe that the behavior documented here would be unacceptable in any CA, whatever their nationality, business model or position in the market.”
SHA-1 has been long considered a weak algorithm and most of the major players in the browser market are taking steps to phase out its integration.
Microsoft looks poised to phase out the outdated algorithm on their Edge and Internet Explorer products in February of next year, with Mozilla’s Firefox and Google’s Chrome browsers not trusting any SHA-1 certificates with a notBefore date of January 1st 2016.
Mozilla commented that unscrupulous Certificate Authorities could backdate their certificates in order to bypass this restriction, something that WoSign have been found culpable of on 62 certificates that were issued in 2016.
Their investigation reported that a number of certificates were found containing as issue date of December 20th 2015 which contradicts their typical patterns of assignment during working days.
“We think it is highly unlikely that WoSign employees decided to go to work on that particular Sunday for a marathon 24-hour period and approve an unprecedented number of Type Y certificate requests,” Mozilla said. “We think it is more plausible that for those certificates, the notBefore date does not reflect the actual date of certificate creation, and that these certificates were created in 2016 (or the last day of 2015) and back-dated.”
As of October 5, automatic OAuth 2.0 token revocation upon password reset
23.9.2016 securityaffairs Security
Google announced a change to its security policy to increase the account security that includes the OAuth 2.0 token revocation upon password reset.
Google has finally announced a new OAuth 2.0 token revocation according to its security policy, the company will roll out the change starting on Oct. 5.
The change to the Google security policy was announced last year by Google, the company explained that OAuth 2.0 tokens would be revoked when a user’s password was changed.
Google decided not to move forward with this change for Apps customers and began working on a more admin-friendly approach.
The company has implemented the OAuth 2.0 authentication protocol in 2012 with the intent of boosting the security of its services like Gmail and Google Talk.
Google aims to improve users’ security limiting the impact on the usability of its application, at least in this first phase so although initially planned for a wider set of applications, the OAuth 2.0 token revocation rule will be limited to the email mail service.
Google confirmed that the App Script tokens and apps installed via the Google Apps Marketplace are not subject to the token revocation.
“To achieve the security benefits of this policy change with minimal admin confusion and end-user disruption, we’ve decided to initially limit the change to mail scopes only, and to exclude Apps Script tokens. Apps installed via the Google Apps Marketplace are also not subject to the token revocation.” reads the Google announcement. “Once this change is in effect, third-party mail apps like Apple Mail and Thunderbird―as well as other applications that use multiple scopes that include at least one mail scope―will stop syncing data upon password reset until a new OAuth 2.0 token has been granted. A new token will be granted when the user re-authorizes with their Google account username and password.”
After the change will be effective, third-party mail applications that include at least one mail scope will no longer sync data when the user password is reset. The data syncing will start again after a new OAuth 2.0 token has been granted.
The change will impact also mobile users, it will affect for example mail applications. The Apple iOS users who use the mail application included in the mobile OS will have to re-authorize it with their Google account credentials when they change their password.
This is nothing new for Gmail apps on both iOS and Android the already require to grant a new OAuth 2.0 token upon password reset, but Google will enforce the change also to third-party apps.
For further information on the new OAuth 2.0 token revocation rule give a look at the post published by Google that includes also a list of FAQ
A mistake allowed us a peek into North Korea Internet infrastructure
21.9.2016 securityaffairs Security
A mistake allowed us a peek into the North Korea Internet infrastructure, a security researcher discovered that Pyongyang has just 28 websites.
The North Korea is one of the countries that most of all is investing to improve its cyber capabilities and that has one of the largest cyber armies.
But North Korea is also known for its limited exposure on the Internet, it fears cyber attacks from foreign Governments against its infrastructure.
Until today no one had any idea of the number of websites registered by the country for its top-level domain, .kp.
This week something is changed, likely due to an error in the configuration of a North Korean nameserver. The apparent mistake has revealed a list of all the domains for the top-level domain .kp and related info.
Segui
Nicolas Krassas @Dinosn
North Korea accidentally leaks DNS for .kp: only 28 domains https://github.com/mandatoryprogrammer/NorthKoreaDNSLeak …
12:31 - 20 Set 2016
Photo published for mandatoryprogrammer/NorthKoreaDNSLeak
mandatoryprogrammer/NorthKoreaDNSLeak
NorthKoreaDNSLeak - Snapshot of North Korea's DNS data taken from zone transfers.
github.com
30 30 Retweet 36 36 Mi piace
According to leaked zone files, the North Korea has only 28 registered domains
“Now we have a complete list of domain names for the country and it’s surprisingly (or perhaps unsurprisingly) very small,” Matt Bryant, the expert who has found the mistake, said to Motherboard
After Bryant discovered the mistake, he downloaded the data from the domain name servers.
Some of the sites in the list are not reachable, experts speculated that they were flooded with the traffic of curious netizens and went down.
The list of domains includes commercial and educational websites like the one of the state Air Koryo airline or the Kim Il Sung University.
The leaked info also revealed the site of the official newspaper of North Korea’s communist party which is considered the core of the Government propaganda machine.
The leaked list also includes a social network website, the state version of Facebook, friend.com.kp.
and portal.net.kp that is the equivalent of the Yahoo.
Below the complete list:
airkoryo.com.kp
cooks.org.kp
friend.com.kp
gnu.rep.kp
kass.org.kp
kcna.kp
kiyctc.com.kp
knic.com.kp
koredufund.org.kp
korelcfund.org.kp
korfilm.com.kp
ma.gov.kp
masikryong.com.kp
naenara.com.kp
nta.gov.kp
portal.net.kp
rcc.net.kp
rep.kp
rodong.rep.kp
ryongnamsan.edu.kp
sdprk.org.kp
silibank.net.kp
star-co.net.kp
star-di.net.kp
star.co.kp
star.edu.kp
star.net.kp
vok.rep.kp
Now just for a second try to think if the North Korean Government will host an exploit kit leveraging on a zero-day exploit on one of the above domains 🙂
NIST issues the Baldrige Cybersecurity Excellence Builder cybersecurity self-assessment tool
19.9.2016 securityaffairs Security
The National Institute of Standards and Technology (NIST) has issued a draft of a self-assessment tool named Baldrige Cybersecurity Excellence Builder.
The tool is based on the Baldrige Performance Excellence Program and the risk management mechanisms of NIST cybersecurity framework.
The Baldrige Cybersecurity Excellence Builder was designed to help enterprises to measure the effectiveness of their implementation of the cybersecurity framework and improve the risk management.
“The builder will strengthen the already powerful cybersecurity framework so that organizations can better manage their cybersecurity risks,” said Commerce Deputy Secretary Bruce Andrews that presented the tool at an Internet Security Alliance conference.
The development of the draft of the Baldrige Cybersecurity Excellence Builder is the result of a the collaboration between NIST and the Office of Management and Budget(link is external)’s Office of Electronic Government and Information Technology(link is external), with input from private sector representatives.
NIST
The Baldrige Cybersecurity Excellence Builder tool was devised to help organizations ensure that their cybersecurity program (systems and processes) supports their activities and functions.
“These decisions around cybersecurity are going to impact your organization and what it does and how it does it,” says Robert Fangmeyer, director of the Baldrige Performance Excellence Program. “If your cybersecurity operations and approaches aren’t integrated into your larger strategy, aren’t integrated into your workforce development efforts, aren’t integrated into the results of the things you track for your organization and overall performance, then they’re not likely to be effective.”
The NIST explained that the use of the Baldrige Cybersecurity Excellence Builder tool allows organizations of any size and type to:
Identify cybersecurity-related activities that are critical to business strategy and the delivery of critical services;
Prioritize investments in managing cybersecurity risk;
Assess the effectiveness and efficiency in using cybersecurity standards, guidelines and practices;
Evaluate their cybersecurity results; and
Identify priorities for improvement.
The Builder guides users through a process that details their organization’s distinctive characteristics and strategic situations related to cybersecurity. Then, a series of questions helps define the organization’s current approaches to cybersecurity in the areas of leadership, strategy, customers, workforce and operations, as well as the results achieved with them.
The approach behind the Baldrige Cybersecurity Excellence Builder is simple, the tool uses a series of questions that help the organizations assess their strategies tied to the cybersecurity. The areas assessed by the survey leadership, strategy, customers, workforce, and operations.
As a last step of the assessment, a rubric lets users evaluating the cybersecurity maturity level of their organization.
“The tool’s assessment rubric helps users determine whether their organization’s cybersecurity maturity level is reactive, early, mature or a role model, according to NIST. The completed evaluation can lead to an action plan for upgrading cybersecurity practices and management and implementing those improvements.” reads the announcement published by the NIST. “It also can measure the progress and effectiveness of the process. NIST recommends organizations use the builder periodically so they can maintain the highest level of cybersecurity readiness.”
GCHQ plans to protect the country with a national firewall
18.9.2016 securityaffairs Security
The British intelligence agency GCHQ is planning to create to protect the country from cyber attacks by creating a national firewall.
The news was announced, during the Billington CyberSecurity Summit held in Washington DC, by the GCHQ director general of cyber security Ciaran Martin.
The British GCHQ recently created the National Cyber Security Centre, led by Martin, that has the task to protect national infrastructure from attacks originated on the Internet.
“The NCSC will be based in London and will open in October. Ciaran Martin, currently Director General Cyber at GCHQ will lead it. Dr Ian Levy, currently Technical Director of Cyber Security at GCHQ, will join the organisation as Technical Director.” reads a press release issued by the UK Government.
“The UK faces a growing threat of cyber-attacks from states, serious crime gangs, hacking groups as well as terrorists. The NCSC will help ensure that the people, public and private sector organisations and the critical national infrastructure of the UK are safer online.”
gchq MPs emails
In March 2016, then Minister for the Cabinet Office, Matt Hancock highlighted the importance of the Centre.
“It will be the authoritative voice on information security in the UK and one of its first tasks will be to work with the Bank of England to produce advice for the financial sector for managing cyber security effectively.” said Hancock.
“Martin used the term “flagship project” while he was describing the plans of the GCHQ about the national firewall. The infrastructure will protect government websites and national security agencies from hackers.
The national firewall would be used by government agencies and internet service providers to repel cyber threats.
“What better way of providing automated defences at scale than by the major private providers effectively blocking their customers from coming into contact with known malware and bad addresses?” Martin said during his speech
The National Cyber Security Centre will start its activities next month, it represent of the pillars of the cyber strategy of the UK Government as announced last year by the former Chancellor Mr Osborne.
Osborne also announced the plans of the Government to almost double the cybersecurity budget to £1.9 billion for the years 2016 – 2021.
The UK Government will also add 1,900 new professionals to the National intelligence agencies.
“In the Spending Review, I have made a provision to almost double our investment to protect Britain from cyber attack and develop our sovereign capabilities in cyberspace, totalling £1.9 billion over five years. If you add the spending on core cyber security capabilities government protecting our own networks and ensuring safe and secure online services, the government’s total cyber spending will be more than £3.2 billion.” said Osborne.
Cyber security is crucial for any government, the number of “national security level cyber incidents” in the last year is almost doubled, the intelligence agency now detects about 200 serious incidents every month aimed to disrupt national infrastructure and services.
Cyber attacks are asymmetric and instantaneous, difficult to repel without the aid of a new generation of tools.
The National Cyber Security Centre also has plans to design a new generation of automated defense systems to neutralise a large number of attacks having a low level of sophistication, such as phishing attacks spoofing government email addresses to target members of the public.
“We trialled it, and whoever was sending 58,000 malicious emails per day from taxrefund@gov.uk isn’t doing it anymore,” added Martin.
Fooling the ‘Smart City’
17.9.2016 Kaspersky Security
The concept of a smart city involves bringing together various modern technologies and solutions that can ensure comfortable and convenient provision of services to people, public safety, efficient consumption of resources, etc. However, something that often goes under the radar of enthusiasts championing the smart city concept is the security of smart city components themselves. The truth is that a smart city’s infrastructure develops faster than security tools do, leaving ample room for the activities of both curious researchers and cybercriminals.
Smart Terminals Have Their Weak Points Too
Parking payment terminals, bicycle rental spots and mobile device recharge stations are abundant in the parks and streets of modern cities. At airports and passenger stations, there are self-service ticket machines and information kiosks. In movie theaters, there are ticket sale terminals. In clinics and public offices, there are queue management terminals. Even some paid public toilets now have payment terminals built into them, though not very often.
Ticket terminals in a movie theater
However, the more sophisticated the device, the higher the probability that it has vulnerabilities and/or configuration flaws. The probability that smart city component devices will one day be targeted by cybercriminals is far from zero. Сybercriminals can potentially exploit these devices for their ulterior purposes, and the scenarios of such exploitation come from the characteristics of such devices.
Many such devices are installed in public places
They are available 24/7
They have the same configuration across devices of the same type
They have a high user trust level
They process user data, including personal and financial information
They are connected to each other, and may have access to other local area networks
They typically have an Internet connection
Increasingly often, we see news on another electronic road sign getting hacked and displaying a “Zombies ahead” or similar message, or news about vulnerabilities detected in traffic light management or traffic control systems. However, this is just the tip of the iceberg; smart city infrastructure is not limited to traffic lights and road signs.
We decided to analyze some smart city components:
Touch-screen payment kiosks (tickets, parking etc.)
Infotainment terminals in taxis
Information terminals at airports and railway terminals
Road infrastructure components: speed cameras, traffic routers
Smart City Terminals
From a technical standpoint, nearly all payment and service terminals – irrespective of their purpose – are ordinary PCs equipped with touch screens. The main difference is that they have a ‘kiosk’ mode – an interactive graphical shell that blocks the user from accessing the regular operating system functions, leaving only a limited set of features that are needed to perform the terminal’s functions. But this is theory. In practice, as our field research has shown, most terminals do not have reliable protection preventing the user from exiting the kiosk mode and gaining access to the operating system’s functions.
Exiting the kiosk mode
Techniques for Exiting the Kiosk Mode
There are several types of vulnerabilities that affect a large proportion of terminals. As a consequence, there are existing attack methods that target them.
The sequence of operations that can enable an attacker to exit the full-screen application is illustrated in the picture below.
Methodology for analyzing the security of public terminals
Tap Fuzzing
The tap fuzzing technique involves trying to exit the full-screen application by taking advantage of incorrect handling when interacting with the full-screen application. A hacker taps screen corners with his fingers and tries to call the context menu by long-pressing various elements of the screen. If he is able to find such weak points, he tries to call one of the standard OS menus (printing, help, object properties, etc.) and gain access to the on-screen keyboard. If successful, the hacker gets access to the command line, which enables him to do whatever he wants in the system – explore the terminal’s hard drive in search of valuable data, access the Internet or install unwanted applications, such as malware.
Data Fuzzing
Data fuzzing is a technique that, if exploited successfully, also gives an attacker access to the “hidden” standard OS elements, but by using a different technique. To exit the full-screen application, the hacker tries filling in available data entry fields with various data in order to make the ‘kiosk’ work incorrectly. This can work, for example, if the full-screen application’s developer did not configure the filter checking the data entered by the user properly (string length, use of special symbols, etc.). As a result, the attacker can enter incorrect data, triggering an unhandled exception: as a result of the error, the OS will display a window notifying the user of the problem.
Once an element of the operating system’s standard interface has been brought up, the attacker can access the control panel, e.g., via the help section. The control panel will be the starting point for launching the virtual keyboard.
Other Techniques
Yet another technique for exiting the ‘kiosk’ is to search for external links that might enable the attacker to access a search engine site and then other sites. Due to developer oversight, many full-screen applications used in terminals contain links to external resources or social networks, such as VKontakte, Facebook, Google+, etc. We have found external links in the interface of cinema ticket vending machines and bike rental terminals, described below.
One more scenario of exiting the full-screen application is using standard elements of the operating system’s user interface. When using an available dialog window in a Windows-based terminal, an attacker is sometimes able to call the dialog window’s control elements, which enables him to exit the virtual ‘kiosk’.
Exiting the full-screen application of a cinema ticket vending terminal
Bike Rental Terminals
Cities in some countries, including Norway, Russia and the United States, are dotted with bicycle rental terminals. Such terminals have touch-screen displays that people can use to register if they want to rent a bike or get help information.
Status bar containing a URL
We found that the terminal system shown above has a curious feature. The Maps section was implemented using Google maps, and the Google widget includes a status bar, which contains “Report an Error”, “Privacy Policy” and “Terms of Use” links, among other information. Tapping on any of these links brings up a standard Internet Explorer window, which provides access to the operating system’s user interface.
The application includes other links, as well: for example, when viewing some locations on the map, you can tap on the “More Info” button and open a web page in the browser.
The Internet Explorer opens not only a web page, but also a new opportunity for the attacker
It turned out that calling up the virtual keyboard is not difficult either. By tapping on links on help pages, an attacker can access the Accessibility section, which is where the virtual keyboard can be found. This configuration flaw enables attackers to execute applications not needed for the device’s operation.
Running cmd.exe demonstrates yet another critical configuration flaw: the operating system’s current session is running with administrator privileges, which means that an attacker can easily execute any application.
The current Windows session is running with administrator privileges
In addition, an attacker can get the NTLM hash of the administrator password. It is highly probable that the password used on this device will work for other devices of the same type, as well.
Note that, in this case, an attacker can not only obtain the NTLM hash – which has to be brute-force cracked to get the password – but the administrator password itself, because passwords can be extracted from memory in plain text.
An attacker can also make a dump of the application that collects information on people who wish to rent a bicycle, including their full names, email addresses and phone numbers. It is not impossible that the database hosting this information is stored somewhere nearby. Such a database would have an especially high market value, since it contains verified email addresses and phone numbers. If it cannot be obtained, an attacker can install a keylogger that will intercept all data entered by users and send it to a remote server.
Given that these devices work 24/7, they can be pooled together to mine cryptocurrency or used for hacking purposes seeing as an infected workstation will be online around the clock.
Particularly audacious cybercriminals can implement an attack scenario that will enable them to get customer payment data by adding a payment card detail entry form to the main window of the bike rental application. It is highly probable that users deceived by the cybercriminals will enter this information alongside their names, phone numbers and email addresses.
Terminals at Government Offices
Terminals at some government offices can also be easily compromised by attackers. For example, we have found a terminal that prints payment slips based on the data entered by users. After all fields have been filled with the relevant data, the user taps the “Create” button, after which the terminal opens a standard print window with all the print parameters and control tools for several seconds. Next, the “Print” button is automatically activated.
A detail of the printing process on one of the terminals
An attacker has several seconds to tap the Change [printer] button and exit into the help section. From there, they can open the control panel and launch the on-screen keyboard. As a result, the attacker gets all the devices needed to enter information (the keyboard and the mouse pointer) and can use the computer for their own mercenary purposes, e.g., launch malware, get information on printed files, obtain the device’s administrator password, etc.
Public Devices at Airports
Self-service check-in kiosks that can be found at every modern airport have more or less the same security problems as the terminals described above. It is highly probable that they can be successfully attacked. An important difference between these kiosks and other similar devices is that some terminals at airports handle much more valuable information that terminals elsewhere.
Exiting the kiosk mode by opening an additional browser window
Many airports have a network of computers that provide paid Internet access. These computers handle the personal data that users have to enter to gain access, including people’s full names and payment card numbers. These terminals also have a semblance of a kiosk mode, but, due to design faults, exiting this mode is possible. On the computers we have analyzed, the kiosk software uses the Flash Player to show advertising and at a certain point an attacker can bring up a context menu and use it to access other OS functions.
It is worth noting that web address filtering policies are used on these computers. However, access to policy management on these computers was not restricted, enabling an attacker to add websites to the list or remove them from it, offering a range of possibilities for compromising these devices. For example, the ability to access phishing pages or sites used to distribute malware potentially puts such computers at risk. And blacklisting legitimate sites helps to increase the chances of a user following a phishing link.
List of addresses blocked by policies
We also discovered that configuration information used to connect to the database containing user data is stored openly in a text file. This means that, after finding a way to exit kiosk mode on one of these machines, anyone can get access to administrator credentials and subsequently to the customer database – with all the logins, passwords, payment details, etc.
A configuration file in which administrator logins and password hashes are stored
Infotainment Terminals in Taxicabs
In the past years, Android devices embedded in the back of the front passenger seat have been installed in many taxicabs. Passengers in the back seat can use these devices to watch advertising, weather information, news and jokes that are not really funny. These terminals have cameras installed in them for security reasons.
The application that delivers the content also works in kiosk mode and exiting this mode is also possible.
Exiting the kiosk mode on a device installed in a taxi makes it possible to download external applications
In those terminals that we were able to analyze, there was hidden text on the main screen. It can be selected using standard Android tools using a context menu. This leads to the search option being activated on the main screen. As a result, the shell stops responding, terminates and the device is automatically restarted. While the device is starting, all the hacker needs to do is exit to the main menu at the right time and open the RootExplorer – an Android OS file manager.
Android interface and folder structure
This gives an attacker access to the terminal’s OS and all of its capabilities, including the camera. If the hacker has prepared a malicious application for Android in advance and hosted it on a server, that application can be used to remotely access the camera. In this case, the attacker can remotely control the camera, making videos or taking photos of what is going on in the taxi and uploading them to his server.
Exiting the terminal’s full-screen application in a taxi gives access to the operating system’s functions
Our Recommendations
A successful attack can disrupt a terminal’s operation and cause direct financial damage to its owners. Additionally, a hacker can use a compromised terminal to hack into others, since terminals often form a network. After this, there are extensive possibilities for exploiting the network – from stealing personal data entered by users and spying on them (if the terminal has a camera or document scanner built into it) to stealing money (if the terminal accepts cash or bank cards).
To prevent malicious activity on public devices that have a touch interface, the developers and administrators of terminals located in public places should keep the following recommendations in mind:
The kiosk’s interactive shell should have no extra functions that enable the operating system’s menu to be called (such as right mouse click, links to external sites, etc.)
The application itself should be launched using sandboxing technology, such as jailroot, sandbox, etc. This will help to keep the application’s functionality limited to the artificial environment
Using a thin client is another method of protection. If a hacker manages to ‘kill’ an application, most of the valuable information will be stored on the server rather than the compromised device if the device is a thin client
The current operating system session should be launched with the restricted privileges of a regular user – this will make installing new applications much more difficult
A unique account with a unique password should be created on each device to prevent attackers who have compromised one of the terminals from using the password they have cracked to access other similar devices
Elements of the Road Infrastructure
The road infrastructure of modern cities is being gradually equipped with a variety of intelligent sensors, regulators, traffic analyzers, etc. All these sensors collect and send traffic density information to data centers. We looked at speedcams, which can be found everywhere these days.
Speed Cameras
We found speedcam IP addresses by pure chance, using the Shodan search engine. After studying several of these cameras, we developed a dork (a specific search request that identifies the devices or sites with pinpoint accuracy based on a specific attribute) to find as many IP addressed of these cameras as possible. We noticed a certain regularity in the IP addresses of these devices: in each city, all the cameras were on the same subnet. This enabled us to find those devices which were not shown in Shodan search results but which were on the same subnets with other cameras. This means there is a specific architecture on which these devices are based and there must be many such networks. Next, we scanned these and adjacent subnets on certain open ports and found a large number of such devices.
After determining which ports are open on speed cameras, we checked the hypothesis that one of them is responsible for RTSP – the real-time streaming protocol. The protocol’s architecture enables streaming to be either private (accessible with a login and password) or public. We decided to check that passwords were being used. Imagine our surprise when we realized there was no password and the entire video stream was available to all Internet users. Openly broadcast data includes not only the video stream itself, but additional data, such as the geographical coordinates of cameras, as well.
Direct broadcast screenshot from a speed camera
We found many more open ports on these devices, which can also be used to get many interesting technical details, such as a list of internal subnets used by the camera system or the list of camera hardware.
We learned from the technical documentation that the cameras can be reprogrammed over a wireless channel. We also learned from documentation that cameras can detect rule violations on specified lanes, making it possible to disable detection on one of the lanes in the right place at the right time. All of this can be done remotely.
Let’s put ourselves in criminals’ shoes and assume they need to remain undetected in the car traffic after performing certain illegal actions. They can take advantage of speed camera systems to achieve this. They can disable vehicle detection on some or all lanes along their route or monitor the actions of law-enforcement agents chasing them.
In addition, a criminal can get access to a database of vehicles registered as stolen and can add vehicles to it or remove them from it.
We have notified the organizations responsible for operating speed cameras in those countries where we identified the above security issues.
Routers
We also analyzed another element of the road infrastructure – the routers that transfer information between the various smart city elements that are part of the road infrastructure or to data centers.
As we were able to find out, a significant part of these routers uses either weak password protection or none at all. Another widespread vulnerability is that the network name of most routers corresponds to their geographic location, i.e., the street names and building numbers. After getting access to the administration interface of one of these routers, an attacker can scan internal IP ranges to determine other routers’ addresses, thereby collecting information on their locations. After this, by analyzing road load sensors, traffic density information can be collected from these sensors.
Such routers support recording traffic and uploading it to an FTP server that can be created by an attacker. These routers can also be used to create SSH tunnels. They provide access to their firmware (by creating its backup copy), support Telnet connections and have many other capabilities.
These devices are indispensable for the infrastructure of a smart city. However, after gaining access to them, criminals can use them for their own purposes. For example, if a bank uses a secret route to move large amounts of cash, the route can be determined by monitoring information from all sensors (using previously gained access to routers). Next, the movements of the vehicles can be monitored using the cameras.
Our Recommendations
To protect speed cameras, a full-scale security audit and penetration testing must first be carried out. From this, well-thought-out IT security recommendations be prepared for those who provide installation and maintenance of such speed monitoring systems. The technical documentation that we were able to obtain does not include any information on security mechanisms that can protect cameras against external attacks. Another thing that needs to be checked is whether such cameras are assigned an external IP address. This should be avoided where possible. For security reasons, none of these cameras should be visible from the Internet.
The main issue with routers used in the road infrastructure is that there is no requirement to set up a password during initial loading and configuration of the device. Many administrators of such routers are too forgetful or lazy to do such simple things. As a result, gaining access to the network’s internal traffic is sufficiently easy.
Conclusion
The number of new devices used in the infrastructure of a modern city is gradually growing. These new devices in turn connect to other devices and systems. For this environment to be safe for people who live in it, smart cities should be treated as information systems whose protection requires a custom approach and expertise.
This article was prepared as part of the support provided by Kaspersky Lab to “Securing Smart Cities”, an international non-profit initiative created to unite experts in smart city IT security technologies. For further information about the initiative, please visit securingsmartcities.org