Saturday, June 30, 2018

Britain's tax authority says it has taken down 20,750 malicious sites in the past year

VMware Releases Security Updates

Original release date: June 30, 2018

VMware has released security updates to address vulnerabilities in VMware ESXi, Workstation, and Fusion. An attacker could exploit these vulnerabilities to obtain sensitive information.

NCCIC encourages users and administrators to review the VMware Security Advisory VMSA-2018-0016 and apply the necessary updates.






from US-CERT National Cyber Alert System https://ift.tt/2tSiNCq

Researchers Uncover New Attacks Against LTE Network Protocol


If your mobile carrier offers LTE, also known as 4G, be aware that your network communication can be hijacked remotely.

A team of researchers has discovered critical weaknesses in the ubiquitous LTE mobile standard that could allow sophisticated attackers to spy on users' cellular traffic, modify the contents of their communications, and even re-route them to malicious or phishing websites.

LTE, or Long Term Evolution, is the latest mobile telephony standard, used by billions of people and designed to bring many security improvements over its predecessor, Global System for Mobile (GSM) communications.

However, multiple security flaws have been discovered over the past few years, allowing attackers to intercept users' communications, spy on phone calls and text messages, send fake emergency alerts, spoof the location of a device and knock devices entirely offline.

4G LTE Network Vulnerabilities

Now, security researchers from Ruhr-Universität Bochum and New York University Abu Dhabi have developed three novel attacks against LTE technology that allowed them to map users' identity, fingerprint the websites they visit and redirect them to malicious websites by tampering with DNS lookups.

All three attacks, explained by the researchers on a dedicated website, abuse the data link layer, also known as Layer Two, of the ubiquitous LTE network.

The data link layer lies on top of the physical channel, which maintains the wireless communication between the users and the network. It is responsible for organizing how multiple users access resources on the network, helping to correct transmission errors, and protecting data through encryption.

Of the three, identity mapping and website fingerprinting are passive attacks, in which an eavesdropper listens to the data passing over the air between the target's phone and the base station.

The third, a DNS spoofing attack dubbed "aLTEr" by the team, is an active attack: it lets an attacker mount a man-in-the-middle position to intercept communications and redirect the victim to a malicious website by spoofing DNS.

What is aLTEr Attack?

Since the data link layer of the LTE network is encrypted with AES-CTR but not integrity-protected, an attacker can modify the bits even within an encrypted data packet, which later decrypts to a related plaintext.

"The aLTEr attack exploits the fact that LTE user data is encrypted in counter mode (AES-CTR) but not integrity protected, which allows us to modify the message payload: the encryption algorithm is malleable, and an adversary can modify a ciphertext into another ciphertext which later decrypts to a related plaintext," the researchers said in their paper.

In the aLTEr attack, an attacker pretends to be a real cell tower to the victim while at the same time pretending to be the victim to the real network, and then intercepts the communications between the victim and the real network.

How Does the aLTEr Attack Target 4G LTE Networks?

As a proof-of-concept demonstration, the team showed how an active attacker could redirect DNS (domain name system) requests and then perform a DNS spoofing attack, causing the victim's mobile device to use a malicious DNS server that eventually redirects the victim to a malicious site masquerading as Hotmail.

The researchers performed the aLTEr attack against a commercial network and a commercial phone inside their lab environment. To prevent unintended interference with the real network, the team used a shielding box to stabilize the radio layer.

They also set up two servers, their own DNS server and an HTTP server, to simulate how an attacker can redirect network connections. A video demonstration shows the aLTEr attack in action.

The attack is dangerous, but it is difficult to perform in real-world scenarios. It also requires about $4,000 worth of equipment (USRP software-defined radios) to operate, similar to what IMSI catchers, Stingray or DRTbox devices use, and usually works only within a 1-mile radius of the attacker.

However, for an intelligence agency or well-resourced, skilled attacker, abusing the attack is not trivial.

LTE Vulnerabilities Also Impact Forthcoming 5G Standard

The above attacks are not restricted to 4G.

Forthcoming 5G networks may also be vulnerable to these attacks: the team notes that although 5G supports authenticated encryption, the feature is not mandatory, which likely means most carriers will not implement it, potentially leaving 5G vulnerable as well.

"The use of authenticated encryption would prevent the aLTEr attack, which can be achieved through the addition of message authentication codes to user plane packets," the researchers said.
"However, the current 5G specification does not require this security feature as mandatory, but leaves it as an optional configuration parameter."

What's Worse? LTE Network Flaws Can't be Patched Straightaway

Since the attacks abuse an inherent design flaw of the LTE protocol, they cannot simply be patched; fixing them would require overhauling the entire LTE protocol.

As part of their responsible disclosure, the team of four researchers—David Rupprecht, Katharina Kohls, Thorsten Holz, and Christina Pöpper—notified both the GSM Association and the 3GPP (3rd Generation Partnership Project), along with other telephone companies, before going public with their findings.

In response to the attacks, the 3GPP group, which develops standards for the telecommunications industry, said that an update to the 5G specification might be complicated because carriers like Verizon and AT&T have already started implementing the 5G protocol.

How Can You Protect Against LTE Network Attacks?

The simplest way to protect yourself from such LTE network attacks is to always check that the site shown in your browser's address bar is served over HTTPS.

The team suggests two exemplary countermeasures for all carriers:

1.) Update the specification:

All carriers should band together to fix this issue by updating the specification to use an encryption protocol with authentication like AES-GCM or ChaCha20-Poly1305.

However, the researchers believe this is likely not feasible in practice, as the implementation of all devices must be changed to do this, which will lead to a high financial and organizational effort, and most carriers will not bother to do that.

2.) Correct HTTPS configuration:

Another solution would be for all websites to adopt the HTTP Strict Transport Security (HSTS) policy, which would act as an additional layer of protection, helping prevent the redirection of users to a malicious website.
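The malleability described in the "What is aLTEr Attack?" section and the authenticated-encryption fix proposed in countermeasure 1 above, as an added example that is not part of the original article or the researchers' code. The Python standard library has no AES, so the counter-mode keystream is generated with HMAC-SHA256 as a stand-in PRF (an assumption; the malleability property is identical for AES-CTR), and encrypt-then-MAC with HMAC stands in for an AEAD such as AES-GCM. All keys, nonces and the packet body are constructed sample values.

```python
import hashlib
import hmac

TAG_LEN = 32  # length of an HMAC-SHA256 tag in bytes

# Constructed sample keys, nonce and user-plane payload (not real LTE material).
K_ENC = b"\x01" * 32
K_MAC = b"\x02" * 32
NONCE = b"\x00" * 8
ORIGINAL = b"resolver=10.0.0.1"   # the DNS server the phone intends to use
WANTED = b"resolver=10.0.0.9"     # what an on-path adversary would like it to become


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: PRF(key, nonce || counter) for counter = 0, 1, 2, ...
    (HMAC-SHA256 here stands in for the AES block cipher; CTR mode only needs a PRF)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def ctr_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR encryption and decryption are the same operation: XOR with the keystream."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, nonce, len(data))))


def flip_plaintext_bits(ciphertext: bytes, known: bytes, wanted: bytes) -> bytes:
    """The malleability property: XORing (known XOR wanted) into the ciphertext makes it
    decrypt to `wanted` instead of `known`, without knowing the key."""
    assert len(ciphertext) == len(known) == len(wanted)
    return bytes(c ^ (a ^ b) for c, a, b in zip(ciphertext, known, wanted))


def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers nonce and ciphertext, so any bit flip is detected."""
    ct = ctr_xor(enc_key, nonce, data)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct + tag


def open_sealed(enc_key: bytes, mac_key: bytes, nonce: bytes, sealed: bytes):
    """Verify the tag in constant time before decrypting; return None on any tampering."""
    if len(sealed) < TAG_LEN:
        return None
    ct, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return ctr_xor(enc_key, nonce, ct)


def demo_unauthenticated() -> bytes:
    """Plain CTR (the LTE user plane today): the modified packet decrypts to WANTED."""
    ct = ctr_xor(K_ENC, NONCE, ORIGINAL)
    tampered = flip_plaintext_bits(ct, ORIGINAL, WANTED)
    return ctr_xor(K_ENC, NONCE, tampered)


def demo_authenticated():
    """With a MAC over the ciphertext, the same modification is rejected (None)."""
    sealed = seal(K_ENC, K_MAC, NONCE, ORIGINAL)
    body, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    tampered = flip_plaintext_bits(body, ORIGINAL, WANTED) + tag
    return open_sealed(K_ENC, K_MAC, NONCE, tampered)


if __name__ == "__main__":
    print("CTR only, after bit flips:", demo_unauthenticated())
    print("CTR + MAC, after bit flips:", demo_authenticated())
    print("CTR + MAC, untouched:", open_sealed(K_ENC, K_MAC, NONCE, seal(K_ENC, K_MAC, NONCE, ORIGINAL)))
```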

Besides the dedicated website, the team has also published a research paper [PDF] with all the technical details about the aLTEr attack. Full technical details of the attacks are due to be presented at the 2019 IEEE Symposium on Security and Privacy next May.



from The Hacker News https://ift.tt/2KylwYJ

Friday, June 29, 2018

Typeform, Popular Online Survey Software, Suffers Data Breach


Typeform, the popular Spanish-based online data collection company that specializes in form building and online surveys for businesses worldwide, has today disclosed that it suffered a data breach exposing partial data of some of its users.

The company identified the breach on June 27th, and then quickly performed a full forensic investigation of the incident to identify the source of the breach.

According to the company, unknown attackers managed to gain unauthorized access to its servers and downloaded a partial backup of data for surveys conducted before May 3rd, 2018.

Typeform confirmed that it patched the issue within just half an hour after identifying the intrusion, and emailed all the affected users, warning them to watch out for potential phishing scams, or spam emails.

The company did not disclose any details about the vulnerability that was exploited by hackers to gain access to its servers, though it assured its users that no payment card details or password information for the website had been exposed in the breach.

Also, if customers collected payments via Typeform's Stripe integration, all of their audience's payment details are safe.

One of its customers, Monzo, a digital mobile-only bank that had used Typeform's service to collect survey results in the past, also conducted an initial investigation of the incident and confirmed that "some personal data of about 20,000 people are likely to have been included in the breach."

"For the vast majority of people, this was just their email address. For a much smaller proportion of others, this may have included other data like their Twitter username or postcode. We’ve published a full breakdown at the bottom of this post," Monzo CEO Tom Blomfield wrote on its website.

Monzo is also sending emails to its users affected by the data breach, informing them that the breach likely included their email addresses and that the incident has not affected their Monzo accounts, so their money is safe.

Popular sportswear company Adidas on Thursday also confirmed a potential data breach affecting millions of its U.S. customers, whose usernames, password hashes and contact information may have been compromised.

Yesterday, global entertainment ticketing service Ticketmaster also admitted that the company suffered a security breach that exposed some of its customers' personal and payment information to unknown hackers.



from The Hacker News https://ift.tt/2Kz7ERc

RAMpage Attack Explained—Exploiting RowHammer On Android Again!


A team of security researchers has discovered a new set of techniques that could allow hackers to bypass all of the current mitigations put in place to prevent DMA-based Rowhammer attacks against Android devices.

Dubbed RAMpage, the new technique (CVE-2018-9442) could re-enable an unprivileged Android app running on the victim's device to take advantage of the previously disclosed Drammer attack, a variant of the DRAM Rowhammer hardware vulnerability for Android devices, in an attempt to gain root privileges on the target device.

You might have already read a few articles about RAMpage on the Internet, or even the research paper, but if you are still unable to understand what RAMpage actually is, we have summarized the research in language everyone can understand.

Before jumping into the details of RAMpage, it is important to understand what the Rowhammer vulnerability is, how it can be exploited using the Drammer attack to hack Android devices, and what mitigations Google introduced to prevent Drammer.

What is DRAM Rowhammer Vulnerability?

Known since 2012, the Rowhammer bug is a hardware reliability issue in newer-generation DRAM (dynamic random access memory) chips in which repeatedly and rapidly accessing (hammering) a row of memory can cause bit flips in adjacent rows, i.e., change their bit values from 0 to 1 or 1 to 0.

In 2015, security researchers from Google Project Zero successfully demonstrated ways to deterministically exploit this hardware issue to achieve privilege escalation on vulnerable computers (Windows and Linux).

Besides this, Google's researchers also introduced the double-sided Rowhammer attack, which increases the chance of getting bit flips in a row by hammering both of its neighbors.

Triggering the Rowhammer bug is simple, but its successful exploitation is difficult, as most bits in the memory are irrelevant for an attacker and flipping them could result in memory corruption.

Hammering, i.e., aggressively reading/writing data from/to the DRAM, at random memory locations is not sufficient to flip bits in a targeted memory page (likely one used by a highly privileged or system application).

For successful exploitation of Rowhammer, an attacker must be able to trick the system into placing the targeted memory page in a row (vulnerable to Rowhammer) adjacent to an attacker-owned row in the DRAM's physical memory.

In our previous articles, we have also covered other Rowhammer attacks, which include:

  • GLitch: This technique leverages embedded graphics processing units (GPUs) to carry out Rowhammer attacks against Android devices.
  • Throwhammer: The first network-based remote Rowhammer attack that involves the exploitation of a known vulnerability in DRAM through network cards using remote direct memory access (RDMA) channels.
  • Nethammer: Another network-based remote Rowhammer technique that can be used to attack systems using uncached memory or flush instructions while processing network requests.

What is Drammer Attack?

Discovered two years ago, Drammer was the first practical Rowhammer-based attack targeting DRAM chips on Android devices, which could be exploited by a malicious app without requiring any permission or software vulnerability.

The Drammer attack relies on DMA (direct memory access) buffers, which are provided by Android's main memory manager, called ION.

Since DMA allows apps to directly access the memory without going through any CPU cache, it makes repeated access (hammering) to a specific row of memory more efficient.

ION organizes its memory pools in several in-kernel heaps, one of which, the kmalloc heap, was designed to allocate physically contiguous memory, which enabled attackers to easily determine how virtual addresses were mapped to physical addresses.

These two properties of ION memory manager—direct access and contiguous memory allocations—were the key behind the success of Drammer attack.

How Did Google Mitigate Drammer-like DMA-based Rowhammer Attacks?

In 2016, after the details of the Drammer attack went public, Google pushed an update for Android devices that disabled one of ION's components (the kmalloc heap) responsible for contiguous memory allocations, in an attempt to mitigate the risk of 'deterministic' exploitation of the Rowhammer vulnerability.

With the contiguous heap disabled, apps and system processes running on Android devices now rely on the other in-kernel heaps still available in the ION memory manager, such as the system heap, which are designed to allocate memory at random physical locations in DRAM.

Besides non-contiguous memory allocations, the system heap also separates kernel memory and user memory by allocating them to lowmem and highmem zones, respectively, for further security.

What is RAMpage Attack and How It Could Let Attackers Bypass Rowhammer Mitigations?

The mitigation introduced by Google effectively prevented an attacker from performing the double-sided Rowhammer attack.

However, a team of security researchers now claims to have discovered four new Rowhammer attack variants that could allow a malicious application installed on the targeted device to gain root access and steal sensitive data from other apps while bypassing all current mitigations.

In their research paper [PDF], the group explains that their first RAMpage variant (r0) is "a reliable Drammer implementation that shows how disabling contiguous memory allocations does not prevent Rowhammer-based privilege escalation attacks."

The researchers describe the following three steps to achieve Drammer-like exploitation using the RAMpage r0 variant:

1.) Exhausting the system heap

The researchers found that if an application intentionally drains all of ION's internal pools, the buddy allocator, another memory allocation algorithm, takes charge of the allocation process as a fallback.

Since the primary purpose of the buddy allocator is to minimize memory fragmentation, it eventually offers contiguous page allocations.

To increase the chance of successful exploitation, an attacker can also bypass the zone separation mechanism used by the system heap. To force its memory page into a lowmem allocation, where kernel pages reside, the attacker continually allocates memory until no highmem is left.

"Once this is the case, the kernel serves subsequent requests from lowmem, allowing us to find bit flips in physical memory that may later hold a page table," the researchers said.

2.) Shrinking the cache pool

Next, using the Flip Feng Shui exploitation vector, attackers can trick the kernel into storing a page table in the vulnerable page.

"This step is to release physical memory of the system heap pools back to the kernel," which "indirectly forces the ION subsystem to release its preallocated cached memory, including the row with the vulnerable page," the researchers explained.

3.) Rooting a mobile device

Carrying out the above two steps tricks the operating system into placing the targeted memory page directly adjacent to the attacker-owned page; all the attacker then needs to do is implement the remaining steps of a DMA-based Rowhammer attack to find exploitable chunks and develop a root exploit.

"We were successful in mounting our proof of concept against an LG G4 running the latest version of Android (7.1.1. at the time of our experiments)," researchers said.
"If your system is affected, our proof-of-concept exploit can take full control over your device and access anything on it. This may include passwords and sensitive data stored on the system."

The other three RAMpage variants, listed below, also allow attackers to bypass defenses that only protect specific parts of system memory, but they are less practical, and more research is required to develop working exploits for them.

  • ION-to-ION (Variant r1)
  • CMA-to-CMA attack (Variant r2)
  • CMA-to-system attack (Variant r3)

GuardION—A Solution to Mitigate All DMA-based Rowhammer Attacks

In their paper, the researchers discuss why all current mitigation techniques are ineffective at preventing the RAMpage variants of DMA-based Rowhammer attacks, and they also introduce a new solution, called GuardION, along with its code as open source.

GuardION is a software-based defense that prevents Rowhammer attacks by isolating DMA buffers with guard rows.

GuardION is installed as a patch for the Android operating system that modifies the ION memory manager so that it isolates such sensitive buffers by injecting blank rows (as guards), one on the left and one on the right, placing them physically more than one row away from any aggressor rows.

"GuardION provides an isolation primitive that makes it impossible for attackers to use uncached DMA allocations to flip bits in memory that is in use by the kernel or any userland app," researchers said. 
"GuardION protects all known Rowhammer attack vectors, and, to the best of our knowledge, no existing technique can bypass it."

It should be noted that installing the GuardION patch could slightly impact the performance of your device, as creating guard rows consumes some of your device's DRAM.

According to the researchers, all Android-based devices shipped since 2012 may be affected by the RAMpage attack.

Answering the question, "Has rampage been abused in the wild?", the researchers said, "We don't know," and when asked, "Can I detect if someone has exploited rampage against me?", they answered, "Probably not. The exploitation does not leave any traces in traditional log files."

In my opinion, if you install apps only from trusted sources, you should not be worried about the RAMpage attacks.

Since researchers have already shared their findings with Google, I believe the company would not allow such malicious apps on its Google Play Store.



from The Hacker News https://ift.tt/2tM6aK3

Threat Roundup for June 22-29

Vulnerability Spotlight: VMWare Workstation DoS Vulnerability



Today, Talos is disclosing a vulnerability in VMWare Workstation that could result in Denial of Service.  VMWare Workstation is a widely used virtualization platform designed to run alongside a normal operating system, allowing users to use both virtualized and physical systems concurrently.



from Cisco Blog » Security https://ift.tt/2ICKRzb

A massive cache of law enforcement personnel data has leaked

Cloud Migration Strategies and Their Impact on Security and Governance

By Peter HJ van Eijk, Head Coach and Cloud Architect, ClubCloudComputing.com


Public cloud migrations come in different shapes and sizes, but I see three major approaches. Each of these has very different technical and governance implications.

Three approaches to cloud migration

Companies dying to get rid of their data centers often get started on a ‘lift and shift’ approach, where applications are moved from existing servers to equivalent servers in the cloud. The cloud service model consumed here is mainly IaaS (infrastructure as a service). Not much is outsourced to cloud providers here. Contrast that with SaaS.

The other side of the spectrum is adopting SaaS solutions. More often than not, these trickle in from the business side, not from IT. These could range from small meeting planners to full blown sales support systems.

More recently, developers have started to embrace cloud native architectures. Ultimately, both the target environment as well as the development environment can be cloud based. The cloud service model consumed here is typically PaaS.

I am not here to advocate the benefits of one over the other; I think there can be a business case for each of these.

The categories also have some overlap. Lift and shift can require some refactoring of code, to have it better fit cloud native deployments. And hardly any SaaS application is stand alone, so some (cloud native) integration with other software is often required.

Profound differences

The big point I want to make here is that there are profound differences in the issues that each of these categories faces, and the hard decisions that have to be made. Most of these decisions are about governance and risk management.

With lift and shift, the application functionality is pretty clear, but bringing that out to the cloud introduces data risks and technical risks. Data controls may be insufficient, and the application’s architecture may not be a good match for cloud, leading to poor performance and high cost.

One group of SaaS applications stems from ‘shadow IT’. The people that adopt them typically pay little attention to existing risk management policies. These can also add useless complexity to the application landscape. The governance challenges for these are obvious: consolidate and make them more compliant with company policies.

Another group of SaaS applications is the reincarnation of the ‘enterprise software package’. Think ERP, CRM or HR applications. These are typically run as a corporate project, with all its change management issues, except that you don’t have to run it yourself.

The positive side of SaaS solutions, in general, is that they are likely to be cloud native, which could greatly reduce their risk profile. Of course, this has to be validated, and a minimum risk control is to have a good exit strategy.

Finally, cloud native development is the most exciting, rewarding and risky approach. This is because it explores and creates new possibilities that can truly transform an organization.

One of the most obvious balances to strike here is between speed of innovation and independence of platform providers. The more you are willing to commit yourself to an innovative platform, the faster you may be able to move. The two big examples I see of that are big data and internet of things. The major cloud providers have very interesting offerings there, but moving a fully developed application from one provider to another is going to be a really painful proposition. And of course, the next important thing is for developers to truly understand the risks and benefits of cloud native development.

Again, there are big governance and risk management issues to address.

Peter van Eijk is one of the world’s most experienced cloud trainers. He has worked for 30+ years in research, with IT service providers and in IT consulting (University of Twente, AT&T Bell Labs, EDS, EUNet, Deloitte). In more than 100 training sessions he has helped organizations align on security and speed up their cloud adoption. He is an authorized CSA CCSK and (ISC)2 CCSP trainer, and has written or contributed to several cloud training courses. 



from Cloud Security Alliance Blog https://ift.tt/2tPBeYx

Inside a VPN service: How NordVPN conducts the business of Internet privacy

Github Account of Gentoo Linux Hacked, Code Replaced With Malware


Downloaded anything from Gentoo's GitHub account yesterday?

Consider those files compromised and dump them now—as an unknown group of hackers or an individual managed to gain access to the GitHub account of the Gentoo Linux distribution on Thursday and replaced the original source code with a malicious one.

Gentoo is a free open source Linux or FreeBSD-based distribution built using the Portage package management system that makes it more flexible, easier to maintain, and portable compared to other operating systems.

In a security alert released on its website yesterday, developers of the Gentoo Linux distribution warned users not to use code from its GitHub account, as some "unknown individuals" had gained control of it on 28 June at 20:20 UTC and "modified the content of repositories as well as pages there."

According to Gentoo developer Francisco Blas Izquierdo Riera, after gaining control of the Gentoo Github organization, the attackers "replaced the portage and musl-dev trees with malicious versions of the ebuilds intended to try removing all of your files."

Ebuilds are bash scripts, a format created by the Gentoo Linux project, that automate the compilation and installation of software packages for its Portage package management system.

"We are still working to determine the exact extent and to regain control of the organization and its repositories. All Gentoo code hosted on GitHub should for the moment be considered compromised," the alert said.

However, Gentoo assured its users that the incident did not affect any code hosted on Gentoo's official website or the mirror download servers, and that users would be fine as long as they are using rsync or webrsync from gentoo.org.

This is because the master Gentoo ebuild repository is hosted on its own official portal and Github is just a mirror for it.

"Also, the gentoo-mirror repositories including metadata are hosted under a separate Github organisation and likely not affected as well. All Gentoo commits are signed, and you should verify the integrity of the signatures when using git," the developer said.
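The developer's advice above is to verify commit signatures when using git. The following Python helper, added here and not part of Gentoo's tooling, turns the output of `git log --format='%H%x09%G?%x09%GS'` (commit hash, git's one-letter signature status `%G?`, and the signer name, tab-separated) into a list of commits that should not be trusted. The status letters and their meanings are those documented for git's `%G?` placeholder; the sample log lines, hashes and signer names are constructed, and `check_repo` assumes `git` is on PATH.

```python
import subprocess
from typing import Dict, List, Optional, Set

# Meaning of git's %G? placeholder, as documented for git-log's --format.
SIG_STATUS = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature, unknown validity",
    "X": "good signature that has expired",
    "Y": "good signature made by an expired key",
    "R": "good signature made by a revoked key",
    "E": "signature cannot be checked (e.g. missing key)",
    "N": "no signature",
}

# hash <TAB> status <TAB> signer name (%x09 is a literal tab in git's format strings)
GIT_LOG_FORMAT = "%H%x09%G?%x09%GS"


def parse_signature_log(text: str) -> List[Dict[str, str]]:
    """Parse lines produced by GIT_LOG_FORMAT into dicts with commit/status/signer/meaning."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        while len(parts) < 3:          # %GS is empty for unsigned or uncheckable commits
            parts.append("")
        commit, status, signer = parts[0], parts[1], parts[2]
        entries.append({
            "commit": commit,
            "status": status,
            "signer": signer,
            "meaning": SIG_STATUS.get(status, "unknown status letter"),
        })
    return entries


def untrusted_commits(entries: List[Dict[str, str]],
                      trusted_signers: Optional[Set[str]] = None) -> List[Dict[str, str]]:
    """Only a 'G' status counts as verified. If trusted_signers is given, the signer must
    also be on that allow-list; a valid signature from an unknown key is still untrusted."""
    flagged = []
    for entry in entries:
        if entry["status"] != "G":
            flagged.append(entry)
        elif trusted_signers is not None and entry["signer"] not in trusted_signers:
            flagged.append(entry)
    return flagged


def check_repo(repo_path: str, rev_range: str = "HEAD",
               trusted_signers: Optional[Set[str]] = None) -> List[Dict[str, str]]:
    """Run git log on a real checkout and return the commits that fail verification."""
    result = subprocess.run(
        ["git", "-C", repo_path, "log", f"--format={GIT_LOG_FORMAT}", rev_range],
        check=True, capture_output=True, text=True)
    return untrusted_commits(parse_signature_log(result.stdout), trusted_signers)


# Constructed sample output (placeholder hashes and example.invalid signers, not real data).
TRUSTED_SIGNER = "Gentoo Developer (constructed) <dev@example.invalid>"
SAMPLE_LOG = "\n".join([
    "\t".join(["a" * 40, "G", TRUSTED_SIGNER]),
    "\t".join(["b" * 40, "N", ""]),                 # unsigned commit
    "\t".join(["c" * 40, "E", ""]),                 # signed, but key not in the keyring
    "\t".join(["d" * 40, "G", "Someone Else (constructed) <other@example.invalid>"]),
])


if __name__ == "__main__":
    for entry in untrusted_commits(parse_signature_log(SAMPLE_LOG), {TRUSTED_SIGNER}):
        print(f"{entry['commit'][:12]}  {entry['status']}  {entry['meaning']}  {entry['signer']}")
```

Git reports `G` only when the signing key is in the local GnuPG keyring, so an `E` on every commit usually means the project's release keys have not been imported rather than that the history was tampered with.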

In an update later on its website, the organisation said it has regained control of the Gentoo GitHub organization, but advised users to continue to refrain from using code from its GitHub account, as it is still working with GitHub, which was recently acquired by Microsoft for US$7.5 billion, on establishing a timeline of what happened.



from The Hacker News https://ift.tt/2yUwd6t

Thursday, June 28, 2018

ANAO calls out low self-assessments of Commonwealth cyber compliance

Hilarious! Paid Jailbreak for Nintendo Switches Includes Anti-Piracy Code

It's hilarious that pirates are using anti-piracy measures to protect their own paid software that helps others run pirated games on Nintendo Switches. Hacking group Team Xecuter—the developers of the Nintendo Switch jailbreaking software SX OS that lets gamers play homebrewed and pirated games on the console—has itself been caught using anti-piracy measures in its own code that can brick your


from The Hacker News https://ift.tt/2lHqho9

Why Do SOCs Look Like This?

When you hear the word "SOC," or the phrase "security operations center," what image comes to mind? Do you think of analysts sitting at desks, all facing forward, towards giant screens? Why is this?

The following image is from the outstanding movie Apollo 13, a docudrama about the challenged 1970 mission to the moon.


It's a screen capture from the go for launch sequence. It shows mission control in Houston, Texas. If you'd like to see video of the actual center from 1970, check out This Is Mission Control.

Mission control looks remarkably like a SOC, doesn't it? When builders of computer security operations centers imagined what their "mission control" rooms would look like, perhaps they had Houston in mind?

Or perhaps they thought of the 1983 movie War Games?


Reality was way more boring however:


I visited NORAD under Cheyenne Mountain in 1989, I believe, when visiting the Air Force Academy as a high school senior. I can confirm it did not look like the movie depiction!

Let's return to mission control. Look at the resources available to personnel manning the mission control room. The big screens depict two main forms of data: telemetry and video of the rocket. What about the individual screens, where people sit? They are largely customized. Each station presents data or buttons specific to the role of the person sitting there. Listen to Ed Harris' character calling out the stations: booster, retro, vital, etc. For example:


This is one of the key differences between mission control and any modern computerized operations center. In the 1960s and 1970s, workstations (literally, places where people worked) had to be customized. They lacked the technology to have generic workstations where customization was done via screen, keyboard, and mouse. They also lacked the ability to display video on demand, and relied on large television screens. Personnel with specific functions sat at specific locations, because that was literally the only way they could perform their jobs.

With the advent of modern computing, every workstation is instantly customizable. There is no need to specialize. Anyone can sit anywhere, assuming computers allow one's workspace to follow their logon. In fact, modern computing allows a user to sit in spaces outside of their office. A modern mission control could be distributed.

With that in mind, what does the current version of mission control look like? Here is a picture of the modern Johnson Space Center's mission control room.



It looks similar to the 1960s-1970s version, except it's dominated by screens, keyboards, and mice.

What strikes me about every image of a "SOC" that I've ever seen is that no one is looking at the big screens. They are almost always deployed for an audience. No one in an operational role looks at them.

There are exceptions. Check out the Arizona Department of Transportation operations center.


Their "big screen" is a composite of 24 smaller screens showing traffic and roadways. No one is looking at the screen, but that sort of display is perfect for the human eye.

It's a variant of Edward Tufte's "small multiple" idea. There is no text. The eye can discern if there is a lot of traffic, or little traffic, or an accident pretty easily. It's likely more for the benefit of an audience, but it works decently well.

Compare those screens to what one is likely to encounter in a cyber SOC. In addition to a "pew pew" map and a "spinning globe of doom," it will likely look like this, from R3 Cybersecurity:


The big screens are a waste of time. No one is standing near them. No one sitting at their workstations can read what the screens show. They are purely for an audience, who can't discern what they show either.

The bottom line for this post is that if you're going to build a "SOC," don't build it based on what you've seen in the movies, or in other industries, or what a consultancy recommends. Spend some time determining your SOC's purpose, and let the workflow drive the physical setting. You may determine you don't even need a "SOC," either physically or logically, based on maturing understandings of a SOC's mission. That's a topic for a future post!
Copyright 2003-2018 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and https://ift.tt/1fDn3pG)


from TaoSecurity https://ift.tt/2yQXYgr

Why cryptocurrency mining malware is the new ransomware

Inbenta, blamed for Ticketmaster breach, says other sites not affected

Demystifying: Machine Learning in Endpoint Security


Deciding on a new endpoint security vendor is tough. From your very first search, you’ll get a lot of overused terms thrown at you – machine learning, artificial intelligence, next-generation antivirus, fileless malware protection, threat hunting – the list goes on. The headlines can sound tempting and cutting edge, or make you feel crazy enough to stop your search altogether and stick with your current product. It quickly becomes difficult to distinguish one vendor from the other, much less choose the right endpoint security solution to protect your network against another term you hear a lot about – advanced threats.

After hearing a lot of well-intentioned, but misguided questions at countless trade shows and customer meetings, we decided it was important to demystify some of the terms you hear about the most. Because beyond their surface level appearance of “marketing fluff,” the concepts that these terms represent are actually very important. A lot of them are features and capabilities you should demand in the solution you ultimately invest in. But if you don’t understand what they really mean, or what the net benefit is, you could be buying into an incomplete story, a tool that doesn’t provide exactly what you need, or even worse – something you can’t use.

Which brings us to what is quite possibly the most overused term in endpoint security today: machine learning.

Like every other endpoint security vendor, we receive a lot of questions about machine learning. The question typically sounds something like “does Cisco use machine learning to catch malware?” To which we respond:

Machine learning alone doesn’t catch malware.

Put very simply, machine learning in endpoint security refers to the use of an algorithm to train your endpoint security solution to “learn” to identify malicious files and activity based on attributes of previous malicious files it has seen.

And yes, Cisco’s AMP for Endpoints does that. But we’ll get to that later.

What is machine learning?

While machine learning can, and should, be used to increase your detection rate and save you time, it’s important to note that machine learning alone doesn’t catch malware. To understand why this is the case, we have to understand how machine learning works in the first place. Ruba Borno, Cisco’s Vice President of Growth Initiatives and Chief of Staff for the office of the CEO, explained it well in her recent blog:

“With machine learning we can feed massive amounts of data into the algorithm, then the machine determines the best course of action in the real world (instead of having experts code rules for a machine to follow when they let it operate in the world).

Machines learn by seeing a large number of versions of something.  For example, to teach a machine to know the difference between a cat and a dog, you need to show it a lot of pictures, with views of cats and dogs from the front, back, side, and above.  With machine learning, the machine with the most “data” on cats and dogs will develop the best way to tell the difference on its own.”

Machine learning in endpoint security

Andrew Ng, one of the leading experts on machine learning and artificial intelligence, identified the “Achilles’ heel” of today’s supervised machine learning capabilities:

“It requires a huge amount of data. You need to show the system a lot of examples of both A and B. For instance, building a photo tagger requires anywhere from tens to hundreds of thousands of pictures (A) as well as labels or tags telling you if there are people in them (B). Building a speech recognition system requires tens of thousands of hours of audio (A) together with the transcripts (B).”

So, in order to build a machine learning algorithm that can most accurately distinguish malicious from non-malicious files, you must feed and train it with a very broad set of known malware. In other words, the more malware your machine learning algorithm sees, the smarter it becomes.

Let’s talk numbers

Cisco has spent the last 30 years building the backbone of the internet. Today, we block 20B threats per day, or 7 trillion per year. These threats are fed into our machine learning engines where they are dissected and analyzed to train the algorithms. AMP for Endpoints has a dedicated Research & Efficacy team that leverages all of this data to improve protection, and continually drive down the time to detection. These researchers and the threats they analyze are used to train our machine learning algorithms in order to better protect against new and emerging threat types. While the point of machine learning is that your tool can get smarter on its own over time, when you have the industry’s brightest minds constantly training it, your tool gets that much smarter.

This gets easier to understand when we think about the very basics of endpoint security. An endpoint security tool can categorize files and other observables into three categories:

  • Things it has seen and can identify as safe
  • Things it has seen and can identify as unsafe or malicious
  • Things it has never seen, and therefore cannot identify as safe or malicious

When your solution uses machine learning to help categorize files, it should reach its decision faster and with greater accuracy. If the algorithm has been trained by enough good data, it should identify new or unknown threats with relative ease. The power lies in the amount of data being fed into your models, so the more malware your machine learning algorithm sees, the more capable your endpoint security solution becomes at identifying malware attempting to enter your network. This should all be done automatically – if your machine learning tool generates alerts and makes you decide upon the disposition of the file, you’re not experiencing greater efficacy or efficiency.

Part of a solution, not the solution

We like to mention early on in any machine learning conversation that while this capability is vastly improving the time-to-detection, efficiency, and efficacy of our solutions, it isn’t an end-all-be-all tool. Machine learning should be thought of as part of a solution, not the solution. There will always be new types of malware with never-before-seen characteristics. When that malware tries to enter your environment, it has a good chance of making it past a tool that relies only on machine learning.

At this point you should ask yourself – how do you stop the threats your machine learning misses? Can you even see them? Once a threat is inside your environment, machine learning capabilities are of no help and you’ll wish you had a more complete tool that could identify malicious behaviors your machine learning algorithm hasn’t seen yet.

And what about fileless malware? There’s a reason we’ve seen an increase in the use of this approach to infiltrate your network. While machine learning algorithms can be trained to distinguish malicious from non-malicious files, they aren’t much help when there’s no file to analyze, or even do run time analysis. To protect against non-traditional malware types, you need a layered approach to protection, detection, and response. There’s just no silver bullet. Being able to block as many threats up front as possible is critical, but we all know that it’s the last 1% that will land you in the headlines.
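As an added illustration of the three categories listed earlier (seen and safe, seen and malicious, never seen) and of the "part of a solution" point, here is example code written for this page; it is not Cisco's code and does not reflect how AMP for Endpoints is built. Layer 1 is a hash lookup against constructed known-bad and known-good sets, layer 2 is a small logistic-regression model trained from scratch on constructed feature vectors, and the model abstains when it is not confident. Activity with no file body (the fileless case) never reaches the model at all. All hashes, feature values and the confidence threshold are made up for the example.

```python
"""Added example (not Cisco's or AMP's code): a toy layered endpoint verdict."""
import hashlib
import math
from typing import List, Optional, Tuple

Features = List[float]

# Constructed training corpus. Each vector is [entropy / 8, fraction of imports
# flagged suspicious, packed?]; label 1 = malicious, 0 = benign.
TRAINING: List[Tuple[Features, int]] = [
    ([0.95, 0.80, 1.0], 1),
    ([0.90, 0.70, 1.0], 1),
    ([0.85, 0.60, 1.0], 1),
    ([0.92, 0.90, 0.0], 1),
    ([0.40, 0.05, 0.0], 0),
    ([0.50, 0.10, 0.0], 0),
    ([0.45, 0.00, 0.0], 0),
    ([0.55, 0.15, 0.0], 0),
]

# Constructed signature sets: hashes of made-up sample bodies, standing in for
# the "things it has seen" categories.
KNOWN_BAD = {hashlib.sha256(b"constructed malware sample").hexdigest()}
KNOWN_GOOD = {hashlib.sha256(b"constructed vendor-signed binary").hexdigest()}


def _sigmoid(z: float) -> float:
    return 1.0 / (1.0 + math.exp(-z))


def train_logistic(data, epochs: int = 3000, lr: float = 1.0):
    """Batch gradient descent for logistic regression; returns (weights, bias).

    This is the "training" step: the model only learns from the labelled
    examples it is shown, which is why coverage of the corpus matters."""
    n = len(data[0][0])
    w, b = [0.0] * n, 0.0
    for _ in range(epochs):
        grad_w, grad_b = [0.0] * n, 0.0
        for x, y in data:
            err = _sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b) - y
            for i in range(n):
                grad_w[i] += err * x[i]
            grad_b += err
        w = [wi - lr * g / len(data) for wi, g in zip(w, grad_w)]
        b -= lr * grad_b / len(data)
    return w, b


MODEL = train_logistic(TRAINING)


def malicious_probability(x: Features, model=MODEL) -> float:
    """Model score in (0, 1) for one feature vector."""
    w, b = model
    return _sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b)


def verdict(content: Optional[bytes], features: Optional[Features],
            threshold: float = 0.75) -> str:
    """Layered disposition. content=None models fileless activity (nothing on disk)."""
    if content is not None:
        digest = hashlib.sha256(content).hexdigest()
        if digest in KNOWN_BAD:
            return "known_malicious"   # seen before: signature hit wins
        if digest in KNOWN_GOOD:
            return "known_safe"        # seen before: allow-listed
    if features is None:
        return "unknown"               # nothing for a file classifier to score
    p = malicious_probability(features)
    if p >= threshold:
        return "ml_malicious"
    if p <= 1.0 - threshold:
        return "ml_safe"
    return "unknown"                   # not confident: hand to the behaviour layer


if __name__ == "__main__":
    print(verdict(b"constructed malware sample", [0.40, 0.00, 0.0]))   # known_malicious
    print(verdict(b"never seen before", [0.96, 0.85, 1.0]))            # ml_malicious
    print(verdict(b"never seen before", [0.42, 0.00, 0.0]))            # ml_safe
    print(verdict(None, None))                                         # unknown (fileless)
    print(round(malicious_probability([0.70, 0.35, 0.0]), 3))          # a borderline score
```

The design point is the third return value: a classifier that is forced to answer "safe" or "malicious" for every observable hides exactly the cases the text says machine learning misses. Returning "unknown" for low-confidence scores and for fileless activity is what lets a behavioural or exploit-prevention layer pick them up instead of the alert landing on an analyst's desk.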

Cisco’s approach

Cisco uses a layered approach to security, especially at the endpoint. Cisco AMP for Endpoints, our next-generation endpoint security solution, uses machine learning as one of over a dozen detection and protection techniques to prevent you from being breached. A few of AMP’s other detection and protection techniques include:

  • Malicious activity protection to continuously monitor the behavior of files that are executing, evaluate whether or not this behavior is legitimate, and kill processes that should not be executed by a file
  • Our exploit prevention engine that monitors everything running in memory to ensure legitimate applications and processes are not being leveraged to deliver malware
  • AMP’s built in signature-based detection engine to quickly answer if what we are seeing is a known malicious file

Continuing the layered approach, AMP for Endpoints is just one of our products that uses machine learning. You’ll also find machine learning capabilities built into Cisco Stealthwatch and Cognitive Threat Analytics. To learn more about exactly how Cisco’s security products use machine learning, stay tuned for part 2 of this blog coming soon.

To test the features (including, but definitely not limited to, machine learning) in AMP for Endpoints for yourself, check out our free trial.




from Cisco Blog » Security https://ift.tt/2tz65cy

Cisco: Patch now, attackers are exploiting ASA DoS flaw to take down security

Google Home and Chromecast DOWN? Reboot them to Fix the Glitch


If your Google Home, Home Mini and/or Google Chromecast streaming stick were not working properly, you are not alone.

Google Home, Home Mini, and Chromecast were down globally for many users for several hours, leaving a lot of people with trouble watching TV, controlling smart home gadgets, and listening to music.

Yesterday, hundreds of Chromecasts and Home users began complaining about their devices not working properly on both the official "Made by Google" Twitter account and Down Detector.

Later, Google confirmed that its Home and Chromecast devices across the world went down due to an unspecified "issue," and that the company was investigating the issue and working on a solution, but did not provide any explanation of the glitch.

The issue appears to be affecting devices that work using Google's Home technology, which is a smart ecosystem that allows users to stream content to devices.

"Bug confirmed... We use Chromecast in all our conference rooms and no way to cast anything on any of them," one user complained on Twitter. 
"The fact that it's been twelve hours my Chromecast has not been working and we're only now finding out there's an issue because of @madebygoogle that is ridiculous," wrote another Twitter user.

The outage began early yesterday morning and left millions of Google smart home devices inoperable for several hours, where Home devices were throwing errors like:

  • There was a glitch. Try again in a few seconds.
  • Your Google Home is not set up yet. To get started, download the Google Home app on a phone or tablet.
  • Hmm, something went wrong. Try again in a few seconds.

Chromecast users were facing a similar devastating problem: unable to cast media. The Chromecast icon was missing from specific applications. Users were also unable to cast media from the Google Home app.

Google later assured its users that a broader fix is on the way, and confirmed that the outage was caused by an issue with one of the backend systems that supports Google Home and Chromecast, and that it is working to prevent this from happening in the future.

The Made by Google Twitter account is now informing users that the company is rolling out an automatic update that could take six hours to reach everyone affected by the issue.

Users are advised to reboot their devices and keep them powered on in order to receive the automatic update that fixes the issue.

Are you also one of those users facing either of these problems? Let us know in the comments!



from The Hacker News https://ift.tt/2tKKEVb

Wednesday, June 27, 2018

10 indoor security cameras for a smarter home or office


Nest Cam IQ offers some advancements over the Nest Cam Indoor. It has an 8-megapixel, 4K image sensor, 12x digital zoom, new live-streaming security features, and two-way talk. Its main body is on a hinge that connects to a stem, which hides the cables, and a base with a USB Type-C connector. Unfortunately, you still have to pay at least $10 per month for continuous cloud video storage. But it's still a solid camera that's recommended for most office or home security DIYers, especially because it supports IFTTT, Siri, Google Assistant, and Alexa integrations.

For a cheaper option, Nest does offer its Nest Cam Indoor.

Read also: Nest Cam IQ Outdoor: A durable, costly camera for your yard (CNET)




from Latest Topic for ZDNet in... https://ift.tt/2yQ3FLC

Betting giant BetVictor leaked a list of its own internal systems passwords

IBM Security Bulletin: Vulnerabilities in IBM Java Runtime Affect IBM Tealeaf Customer Experience

There are multiple vulnerabilities in IBM® Runtime Environment Java™ Version 8 Service Refresh 4 Fix Pack 7 used by IBM Tealeaf Customer Experience. IBM Tealeaf Customer Experience has addressed the applicable CVEs. These issues were also addressed by IBM Websphere Application Server shipped with IBM Tealeaf Customer Experience.

CVE(s): CVE-2017-10115, CVE-2017-10116, CVE-2017-10295, CVE-2017-10355

Affected product(s) and affected version(s):

IBM Tealeaf Customer Experience v9.0.2

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://www.ibm.com/support/docview.wss?uid=swg22016642
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/128876
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/128877
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/133729
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/133784

The post IBM Security Bulletin: Vulnerabilities in IBM Java Runtime Affect IBM Tealeaf Customer Experience appeared first on IBM PSIRT Blog.



from IBM Product Security Incident Response Team https://ift.tt/2yNrROz

IBM Security Bulletin: Multiple Security Issues in IBM Tealeaf Customer Experience PCA

Multiple vulnerabilities in Apache HTTPD can cause a denial of service and allow a remote attacker to bypass security restrictions and obtain sensitive information in IBM Tealeaf Customer Experience PCA. A vulnerability in the Memcached library used by IBM Tealeaf Customer Experience PCA could permit a denial of service attack. Multiple vulnerabilities in the PHP library used by IBM Tealeaf Customer Experience PCA could permit a denial of service attack and allow a remote attacker to bypass security restrictions and obtain sensitive information, thus providing weaker than expected security. An Apache HTTP Server vulnerability could allow a remote attacker to obtain sensitive information and gain access to restricted HTTP resources. Apache HTTP Server is used by IBM Tealeaf Customer Experience PCA and the applicable CVEs have been addressed. Multiple vulnerabilities in the tcpdump library used by IBM Tealeaf Customer Experience PCA could allow a denial of service attack and allow a remote attacker to obtain sensitive information. A vulnerability in the OpenSSL library used by IBM Tealeaf Customer Experience PCA could permit a remote attacker to obtain sensitive information.

CVE(s): CVE-2017-7679, CVE-2017-7668, CVE-2017-3169, CVE-2017-9951, CVE-2017-11142, CVE-2017-12933, CVE-2017-12932, CVE-2017-9798, CVE-2017-12171, CVE-2017-13725, CVE-2017-13690, CVE-2017-13689, CVE-2017-13688, CVE-2017-13687, CVE-2017-13055, CVE-2017-13054, CVE-2017-12985, CVE-2017-12902, CVE-2017-12901, CVE-2017-12900, CVE-2017-12899, CVE-2017-12898, CVE-2017-12897, CVE-2017-12896, CVE-2017-12895, CVE-2017-12993, CVE-2017-12992, CVE-2017-12991, CVE-2017-12990, CVE-2017-12989, CVE-2017-12988, CVE-2017-12987, CVE-2017-12986, CVE-2017-12893, CVE-2017-12894, CVE-2015-3138, CVE-2017-13033, CVE-2017-13030, CVE-2017-13029, CVE-2017-13028, CVE-2017-13027, CVE-2017-13026, CVE-2017-13032, CVE-2017-13031, CVE-2017-13025, CVE-2017-13024, CVE-2017-13023, CVE-2017-13022, CVE-2017-13021, CVE-2017-13020, CVE-2017-13019, CVE-2017-13018, CVE-2017-13017, CVE-2017-13016, CVE-2017-13015, CVE-2017-13014, CVE-2017-13012, CVE-2017-13011, CVE-2017-13010, CVE-2017-13009, CVE-2017-13008, CVE-2017-13007, CVE-2017-13006, CVE-2017-13005, CVE-2017-13004, CVE-2017-13003, CVE-2017-13002, CVE-2017-13001, CVE-2017-13000, CVE-2017-12999, CVE-2017-13013, CVE-2017-12998, CVE-2017-12997, CVE-2017-12996, CVE-2017-12995, CVE-2017-12994, CVE-2017-13051, CVE-2017-13050, CVE-2017-13049, CVE-2017-13048, CVE-2017-13047, CVE-2017-13046, CVE-2017-13045, CVE-2017-13044, CVE-2017-13043, CVE-2017-13042, CVE-2017-13041, CVE-2017-13040, CVE-2017-13039, CVE-2017-13036, CVE-2017-13053, CVE-2017-13052, CVE-2017-13035, CVE-2017-13034, CVE-2017-13038, CVE-2017-13037, CVE-2017-3735, CVE-2017-16808

Affected product(s) and affected version(s):

IBM Tealeaf Customer Experience v9.0.2, v9.0.1, v8.8.x and v8.7.x

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://www.ibm.com/support/docview.wss?uid=swg22016641
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/127420
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/127419
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/127417
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/128607
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/129131
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/130648
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/130649
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/132159
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/133645
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/132014
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/132013
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/132012
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/132011
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/132010
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/131898
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/131988
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/131875
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/131874
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/131873
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/131872
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/131871
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/131868
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/131867
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/131877
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/131865
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/131892
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/131891
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/131886
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/131807
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/131794
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/131885
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/131883
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/131876
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/131810
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/131864
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/132784
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/131983
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/131991
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/131990
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/131989
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/131987
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/131897
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/131997
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/131996
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/131882
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/131881
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/131880
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/131986
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/131984
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/131982
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/131913
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/131912
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/131911
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/131909
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/131908
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/131907
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/131878
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/131781
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/131905
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/131879
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/131884
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/131904
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/131903
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/131869
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/131893
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/131902
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/131901
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/131870
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/131900
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/131896
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/131906
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/131895
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/131809
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/131894
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/131808
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/131887
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/132006
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/132008
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/132007
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/132005
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/131910
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/131889
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/132004
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/132003
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/131890
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/132002
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/131985
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/132001
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/131866
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/131998
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/131888
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/132009
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/131899
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/131914
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/132000
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/131999
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/131047
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/134999

The post IBM Security Bulletin: Multiple Security Issues in IBM Tealeaf Customer Experience PCA appeared first on IBM PSIRT Blog.



from IBM Product Security Incident Response Team https://ift.tt/2lHcQ7P

Top Security Tips for Small Businesses

By Jon-Michael C. Brook, Principal, Guide Holdings, LLC

Most small businesses adopt some sort of cloud offering, be it Software as a Service like Quickbooks or Salesforce, or even renting computers in Amazon Web Services or Microsoft’s Azure, in an Infrastructure as a Service environment. You get Fortune 50 IT support, including things that a small business could never afford, like building security and power fail-over with 99.999-percent reliability.

While cloud has great advantages, you must know your supply chain. Cloud providers use something called the shared responsibility model. Their risks and vulnerabilities become yours, so choosing a discount provider may open you up to compliance issues you never thought possible. That said, cloud does allow small business to focus on their competitively different things, leaving the technical aspects to others for essentially a pay-as-you-go utility computing.

In today’s increasingly complex security environment, following these three top security tips will go a long way to letting small business owners concentrate on running their business rather than keeping up with the latest security issues.

Something You Know

Let’s talk about authentication, typically referred to as passwords. The first thing to establish is “something you know,” like a PIN or password. The worst thing anyone can do in today’s day and age is use one username with one password everywhere. If any one of the sites used becomes compromised, the username/password combination will be sold on the Dark Web as a known combination. The lists are huge, but trying known combinations is infinitely faster than brute force, even on banking or e-commerce sites that implement effective security. This happened in the Yahoo! breach that nearly scuttled the Verizon acquisition a couple of years ago, sending ripples throughout the web and forcing resets by nearly every company in the world.

At the very least, use a unique password with between eight and (preferably) 16 characters. Characters are more than numbers and letters. The more of the keyboard utilized, the longer testing every combination in a brute force attack becomes.

Password managers such as LastPass or KeePass will make keeping these organized easier, and they sync across the various phone, laptop and desktop devices through cloud providers like Dropbox, Box and OneDrive. Many of these are now tying in to the “something you are,” such as fingerprint or facial recognition.

Something You Have

The next step up is a technique known as one-time passwords. It is far more effective than a single step, adding “something you have,” your mobile device, to the something you know. That’s why banks and financial trading firms incorporated the technology a few years ago.

As security gets better, so, too, do the hackers. SIM-card duplication and other attacks gave rise to something called soft tokens, from apps such as Google Authenticator and Authy. The apps use a clock synchronized with the server and the same hard mathematics found in cryptography, so the number for the current minute is easy to compute while it is valid, but working out the next one before the timer clicks over is impossibly difficult.

Currently, the most secure consumer password scenario comes from mathematics developed in the late ’70s called public key cryptography. This is the same technology as in the soft token apps, but in a purpose-built device, typically seen as a key fob or USB device from manufacturers like Entrust, RSA or Yubi. This takes the one-time password to the next level by self-erasing on any attempt to get at the originally entered number.

To recap, secure passwords should be a combination of something you know, something you have and something you are, in order of increasing strength: Same Passwords -> Unique Passwords -> Txt Messages -> Soft Tokens (Authenticator/Authy) -> Hard Tokens (SecurID/RSA/Yubi)

Built-in, Not Bolted On

Lastly, follow your industry/vertical’s rules early.

The typical adage of “built-in, not bolted on” holds true for small business if you really want to make it in the long haul. It’s always easier to include security in the beginning than shoehorn it in afterwards. A small business may be fined for non-compliance to the point of bankruptcy by a few of the below regulations:

  • US Securities and Exchange Commission’s Sarbanes Oxley (SOX);
  • Payment Card Industry’s Data Security Standard (PCI-DSS);
  • Health Insurance Portability and Accountability Act (HIPAA);
  • Privacy controls by the US Federal Trade Commission’s Fair Credit Reporting Act (FCRA) and Children’s Online Privacy Protection Act (COPPA); and
  • European Union’s General Data Protection Directive (GDPR).

 Jon-Michael C. Brook, Principal at Guide Holdings, LLC, has 20 years of experience in information security with such organizations as Raytheon, Northrop Grumman, Booz Allen Hamilton, Optiv Security and Symantec. He is co-chair of CSA’s Top Threats Working Group and the Cloud Broker Working Group, and contributor to several additional working groups. Brook is a Certified Certificate of Cloud Security Knowledge+ (CCSK+) trainer and Cloud Controls Matrix (CCM) reviewer and trainer.



from Cloud Security Alliance Blog https://ift.tt/2tGSQWs

Thanatos ransomware: Free decryption tool released for destructive file-locking malware

Unpatched WordPress Flaw Gives Attackers Full Control Over Your Site


Last week we received a tip about an unpatched vulnerability in the WordPress core, which could allow a low-privileged user to hijack the whole site and execute arbitrary code on the server.

Discovered by researchers at RIPS Technologies GmbH, the "authenticated arbitrary file deletion" vulnerability was reported 7 months ago to the WordPress security team but remains unpatched and affects all versions of WordPress, including the current 4.9.6.

The vulnerability resides in one of the core functions of WordPress that runs in the background when a user permanently deletes the thumbnail of an uploaded image.

Researchers found that the thumbnail delete function accepts unsanitized user input, which, if tampered with, could allow users with limited privileges (at least an author) to delete any file from the web host, something that should otherwise only be possible for server or site admins.

The requirement of at least an author account reduces the severity of this flaw to some extent; it could be exploited by a rogue content contributor or by an attacker who somehow obtains an author's credentials using phishing, password reuse or other attacks.

Researchers say that using this flaw an attacker can delete critical files like ".htaccess" from the server, which usually contains security-related configuration, in an attempt to disable protections.

Besides this, deleting the "wp-config.php" file, one of the most important configuration files in a WordPress installation, which contains the database connection information, could force the entire website back to the installation screen, allegedly allowing the attacker to reconfigure the website from the browser and take over control of it completely.

However, it should be noted that even though the attacker can't directly read the contents of the wp-config.php file to learn the existing "database name," "mysql username," and its "password," he can set the targeted site up again using a remote database server under his control.

Once complete, the attacker can create a new admin account and take complete control over the website, including the ability to execute arbitrary code on the server.

"Besides the possibility of erasing the whole WordPress installation, which can have disastrous consequences if no current backup is available, an attacker can make use of the capability of arbitrary file deletion to circumvent some security measures and to execute arbitrary code on the web server," researchers say.

In a proof-of-concept video published by the researchers, as shown above, the vulnerability worked exactly as described and forced the site to the re-installation screen.

However, as of now, website admins should not panic due to this vulnerability and can manually apply a hotfix provided by the researchers.

We expect the WordPress security team would patch this vulnerability in the upcoming version of its CMS software.



from The Hacker News https://ift.tt/2IwJnWX