Robert Lemos, Author at eWEEK
https://www.eweek.com/author/robert-lemos/

Security Lessons Companies Can Learn From the U.S. Elections
https://www.eweek.com/security/security-lessons-companies-can-learn-from-the-u-s-elections/
Mon, 05 Nov 2018
The election race for the governorship of the state of Georgia promises to be tight, with current estimates showing that Democrat Stacey Abrams and Republican Brian Kemp are in a statistical dead heat. Unfortunately, Georgia is also one of five states that continue to use fully electronic voting with no verified paper ballot trails, raising the specter that, if inconsistencies arise, voters could lose confidence in the result.

Like many companies, the state is behind in implementing good cyber-security measures and in maintaining visibility into its assets and vulnerabilities. One example: Officials in Kemp’s office—he is also Secretary of State in charge of elections—used an internet-connected computer to load memory cards containing the voting-system software, potentially giving attackers a pathway to compromise election machines. Over the weekend, the Democratic Party of Georgia pointed out critical vulnerabilities in the election website that Kemp’s office had ignored.

The fact that the all-electronic voting machines do not create paper ballots or some other way to audit the system means that such vulnerabilities could impact the vote, or at least voters’ confidence, Marian Schneider, president of the nonprofit Verified Voting, said during a press briefing on election issues.

“That is a huge risk of attack,” she said. “The takeaway here is, yes, it is a risk, it is not a certainty, [we] can’t get the risk down to zero, but [the problem is] if something happens, it will be very hard to detect and it will be impossible to recover from it.”

As Americans head to the polls this week, Georgia’s travails underscore the cyber-security complexities of conducting elections on a budget, but its efforts—and the efforts of other states—also hold lessons for companies. The threat landscape for elections differs from that faced by most companies, but it illustrates the multiple pathways to compromise that companies also face.

“There is one thing for sure—we can learn a lot from this election,” said Srinivas Mukkamala, CEO of RiskSense, a cyber-threat management firm. “Trust, misinformation, cyber-physical systems, and whether this is a lot of FUD [fear, uncertainty and doubt] or are we trying to solve a real problem?”

While many of the potential attacks are ones commonly seen by companies—such as phishing, denial-of-service and database-injection attacks, such as SQL-command injection—the threat landscape faced by election officials also demonstrates other, less common methods of compromise.

Here are five lessons that companies can learn from the current election security landscape.

1. Trust is valuable, so disinformation is a danger.

In May, election officials in Knoxville, Tenn., faced a nightmare: Minutes before the primary election results would be posted online, a denial-of-service attack crashed the county’s server. While the issue did not affect election results, it did cause citizens to question whether the integrity of the election was compromised, according to a news report in Vox. Attackers also used the chaos to slip into the election tally system and view the code, according to the report.

Such attacks undermine trust in election systems, as does disinformation pushed through fake accounts on social media. The infrastructure for such propaganda is enormous: Twitter removed 90 million suspect accounts in May and June, a pace that seems to be continuing.

“When you go to a restaurant, you assume that the health department has been in there—you would not buy food by some person on a street corner because there is no sense of trust,” said Shawn Henry, president of services and chief security officer for cyber-security firm CrowdStrike. “But people are consuming media every day without knowing the source.”

Companies should monitor their brand on social media to keep consumer trust in their products. In addition, service disruption should be treated as a significant risk. Attacks on either can undermine consumer confidence, Henry said.

2. Physical security is important.

At the DEFCON hacking convention in August, a group of voting-security activists taught kids techniques for hacking voting machines and tabulating systems. Among the problems found: A system used in 18 states could be hacked in two minutes by picking the lock and using a program to load malicious software onto the system.

“[I]t takes the average voter six minutes to vote,” stated a report on the results. “This indicates one could realistically hack a voting machine in the polling place on Election Day within the time it takes to vote.”

Companies need to worry about insiders having physical access to systems. Many adversaries will try to get someone hired into a company, use a contractor to gain access to sensitive areas or co-opt someone already working for a company, said CrowdStrike’s Henry.

“If you are looking at comprehensive nation-state programs, they are looking at the physical aspect,” he said. “That’s not speculation. It is happening.”

3. The most obvious hack is not the most dangerous.

Because election machines are, usually, not connected to the internet, many election officials consider them to be safe. As Georgia’s election officials learned, however, there are other ways to attempt to compromise such systems.

In a court case filed in 2017, voting-security experts revealed that sensitive information on Georgia’s registered voters had already been downloaded from a purportedly secure database, that officials in the Secretary of State’s office used an internet-connected computer to load memory cards containing the voting-system software, and that the voting machines could be hacked without even being connected to the internet by installing software onto the USB memory stick.

Yet, in September, a U.S. district court judge ruled that there was not enough time to fix the issues and so allowed Georgia to continue using the all-electronic systems.

Companies should conduct threat modeling exercises to identify overlooked avenues of attack. In addition, third-party suppliers and contractors need to be evaluated as potential sources of risk, said RiskSense’s Mukkamala.

“It is not just a need to understand your own systems—you have to understand your vendors and their systems,” he said. “The unfortunate situation is that most of the election vendors are not very sophisticated in cyber-security. Often, small third-party suppliers are similarly unsophisticated.”

4. Have a crisis plan.

Because misinformation and denial-of-service attacks on election officials’ pages can undermine trust in election systems, officials need to have a crisis response plan in place. Having such a plan in place was the primary recommendation of the DEFCON Voting Village 2018 report, which pointed to the publication of false election results in Ukraine and distributed denial-of-service (DDoS) attacks on industry and election sites as potential threats.

“Organizational leaders should anticipate what conditions might be created by a cyber attack on their systems … and create a plan for how to communicate with the public and other stakeholders under such conditions,” the report recommended. “This plan should be part of a local or state government’s overall emergency planning.”

5. When nation-states are involved, organizations need help.

The May attack on Knox County election systems, the massive efforts of the Internet Research Agency in Russia, and continuing attacks and probes on states’ election systems underscore that nation-states are looking to disrupt U.S. elections and deepen the divides between parties.

Companies have dealt with similar attacks for at least a decade, but defending against such well-resourced attackers is difficult. Both election systems and businesses need government collaboration to better defend against such attacks, said CrowdStrike’s Henry.

“All organizations need to understand that there are nation-states that are interested in their information,” he said. “It also provides an asymmetrical threat. There are nations that can impact the U.S., and they don’t have the weaknesses that we have.”

With the latest evidence showing not just Russian operatives targeting the U.S., but also attackers from Iran and potentially China running their own operations, the U.S. government is doing more to protect election systems and companies.

“Our adversaries are trying to undermine our country on a persistent and regular basis, whether it’s election season or not,” Christopher Wray, director of the FBI, said in an August briefing on election security. “There’s a clear distinction between activities that threaten the security and integrity of our election systems and the broader threat from influence operations designed to influence voters. With our partners, we’re working to counter both threats.”

Five Trends in Attacks on Industrial Control Systems
https://www.eweek.com/security/five-trends-in-attacks-on-industrial-control-systems/
Thu, 04 Oct 2018
In May, a new modular malware system—dubbed VPNFilter—began running rampant among small and home office-based routers as well as network-attached storage. More than 500,000 devices in 54 countries were infected by the software, according to networking giant Cisco, and what’s more—the malware scanned for Modbus traffic, a protocol used in many industrial control systems.

The attack appears to be just the latest campaign to target industrial, manufacturing and control systems—a worrisome trend that could turn purely digital threats into physical damage, especially if it uses the destructive capabilities coded into VPNFilter, researchers with Cisco’s Talos Intelligence team stated in an analysis of VPNFilter.

“The behavior of this malware on networking equipment is particularly concerning, as components of the VPNFilter malware allow for theft of website credentials and monitoring of Modbus SCADA protocols,” the researchers said. “Lastly, the malware has a destructive capability that can render an infected device unusable, which can be triggered on individual victim machines or en masse, and has the potential of cutting off internet access for hundreds of thousands of victims worldwide.”

Overall, security firms are reporting an increase in attacks on industrial control networks. Gathering data from systems protected by its software, Kaspersky Lab found that 41.2 percent of systems were attacked at least once during the first six months of 2018, up from 36.6 percent in the first half of 2017.

The attacks targeted Windows systems that performed supervisory control and data acquisition (SCADA) duties, acted as data storage servers or data gateways in operational networks, or were used as workstations by engineers and operators.

“The year-over-year increase of percentage of ICS computers attacked means more malware and attacks are able to get through network perimeters and to hit the ICS computers,” Kirill Kruglov, security researcher at Kaspersky Lab, told eWEEK. “The primary reason is an overall increase in malicious activity.”

Symantec has seen a six-fold increase in attacks year-over-year among its customers, according to the firm.

Yet, the threat landscape does not consist of a single topography. Looking at the data, a variety of different trends jump out.

1. Attacks on industrial control systems are not all alike

While Kaspersky and Symantec have seen a jump in attacks on industrial control systems, it is likely that those systems are not connected to critical infrastructure, said Dale Peterson, CEO of Digital Bond, an ICS security consultancy.

“You cannot view ICS as a whole,” he said. “You do have small companies or low-value industrial control systems that are sitting on the corporate network, and the reports are showing that those systems are getting attacked more. But those are not power systems, and they are not the large water systems that compose critical infrastructure.”

In the large critical infrastructure providers with whom Peterson works, he rarely sees any successful attacks, although he does acknowledge that even the critical infrastructure firms have security challenges. The most significant threat to such companies is attackers targeting administrators who have remote access from an external workstation. Phishing attacks are often used to compromise those privileged users.

While such attacks are harder to plan and execute, they can deliver spectacular results.

“They are much harder to get into than ever before, but once you are inside, those networks are insecure,” Peterson said. “Because they are insecure by design, if you are on the system, all the features and functions are there for you.”

2. Attacks are not generally sophisticated

In its report for the first half of 2018, Kaspersky Lab noted that an operation previously known as Energetic Bear—because of its link to Russian operators and its targeting of energy companies—actually had a wider scope than first thought. (The firm has renamed the threat “Crouching Yeti” to downplay the connection with Russia.) While the attacker focused on targeting the U.S. and Europe, the operation also compromised a variety of websites as well as various manufacturers, infrastructure companies and government agencies.

Overall, however, the attacks were not overly sophisticated, using spear phishing via PDF documents, software installers with Trojan installers and waterhole attacks through pre-compromised websites. Once a machine had been successfully exploited, the attack framework could install additional modules to expand the attackers’ foothold, Kaspersky stated in an analysis.

“The industrial companies need to pay more attention to the level of employees’ awareness of cyberthreats, and keep up with modern cybersecurity measures starting from access and traffic control on perimeter of [operation technology] network and continue hardening ICS endpoints by removing and blocking unnecessary software, separating privileges and tightening control of compelled usage of remote administration tools when those tools are required, such as during remote maintenance,” Kaspersky Lab’s Kruglov said.

3. Attackers focus on specific geographies

Attackers also continue to focus on certain regions of the world. Relative to the number of protected systems in each region, organizations in Asian, African and Latin American nations suffered a greater percentage of attacks than North American, Western European and Australian firms.

“Presumably, this situation could be due to the amounts of funds invested by organizations in infrastructure protection solutions,” Kaspersky Lab’s researchers said in their analysis.

Removable media continues to be a significant threat in many of the most attacked nations, with Asian countries, Latin America and the Middle East all showing signs of a much higher rate of infection from removable media compared with Russia, Europe and North America. Meanwhile, attacks through email—while often effective—are not seen as often, perhaps because they target a small group at each firm.

4. Internet-connected systems are at greatest risk

While attacks via removable media and phishing emails are often encountered, the greatest number of attacks use widespread scans of internet-facing systems to establish a beachhead within a vulnerable network, Kaspersky Lab found. More than 27 percent of attacks came from internet sources in the first half of 2018, up from 20.6 percent of attacks in the same six months of 2017.

“Contrary to the conventional wisdom about control networks being isolated, in the past years the internet became the main source of infection for computers on organizations’ industrial networks,” Kaspersky Lab’s report stated.

Yet, Digital Bond’s Peterson stressed that the attacks seen by security firms are likely the ones hitting smaller firms that do not protect their systems as rigorously as critical infrastructure is protected in Western countries.

“What the report is really saying is that there is still a lot of low-hanging fruit,” he said. “I don’t see that there are a lot of high-value critical infrastructure that has Windows servers connected directly to the internet.”

5. Managers think systems are more secure than operators believe

There is another disconnect in the ICS world. High-level managers tend to believe their systems are more secure than do operational engineers and other employees with “boots on the ground,” according to Barbara Filkins, a senior analyst with the SANS Institute.

In its latest report—The 2018 SANS Industrial IoT Security Survey: Shaping IIoT Security Concerns—the SANS Institute found that almost three-quarters of firms were confident or somewhat confident in their ability to maintain the security of their industrial internet of things (IIoT). Yet, companies’ leadership and department managers were more likely to have a rosy outlook on their security compared to the operational technology (OT) department.

“The closest people to the risk were less confident in their ability to defend the operational network,” said Filkins, one of the study’s authors. “Management is actually more confident than they should be, and they should be listening to someone down the food chain.”

Companies need to get better visibility, train employees in security operations and better segment their network to limit the ability of attackers to move laterally once a beachhead is established, according to the SANS survey.

Five Ways Government Can Help Businesses Fight Nation-State Attacks
https://www.eweek.com/security/five-ways-government-can-help-businesses-fight-nation-state-attacks/
Wed, 05 Sep 2018
Over the past six months, a relatively unsophisticated group of attackers used a variety of remote access Trojans to attempt to grab banking details from companies—a scheme reminiscent of tactics used by cyber-criminals. 

Yet, these attacks also targeted a number of Russian, Spanish and U.S. government agencies and were more likely the work of nation-state operators, according to an analysis published by network security firm Palo Alto Networks.

Unlike many nation-state attacks, the group was not connected to Russia, China, Iran or North Korea, but to the developing cyber capability in Pakistan, just one of an increasing number of nations developing their cyber capabilities. Pakistan has joined more than 30 nations that now have cyber-attack capabilities, according to the United States’ annual threat assessment published in February.

“The risk is growing that some adversaries will conduct cyberattacks—such as data deletion or localized and temporary disruptions of critical infrastructure—against the United States in a crisis short of war,” Daniel R. Coats, the U.S. Director of National Intelligence, stated in the report. “Ransomware and malware attacks have spread globally, disrupting global shipping and production lines of U.S. companies.” 

As the number of nation-state actors increases, U.S. businesses—a favored target of nation-state and cyber-criminal hackers—will continue to be under threat. Unfortunately, even a cyber capability modestly funded by a smaller nation is usually too persistent for most companies to repulse on a regular basis. Larger nation-states will outclass any private-sector opponent, experts say.

“The most dangerous opponents are nation-states,” James Lewis, senior fellow at the Center for Strategic and International Studies, told eWEEK. “They are big, they are rich, and they don’t really care about the law. No company is going to be able to take them on, and that is where companies can reasonably say to the government that your job is to protect me—and we are not there yet.”

So far, damages are mounting. In a report released this year, the U.S. Council of Economic Advisors estimated that malicious cyber-activity cost the U.S. economy between $57 billion and $109 billion in 2016. In 2017, the double whammy of the epidemics likely means that damages rocketed even higher.

For companies looking to the government to help, however, the wait may be long. A variety of issues still hobble government efforts to aid private-sector firms: from over-classification to concerns over targeting the right adversary. But here are five ways that cyber-security experts hope the U.S. government will help businesses. 

1. Sanctions can help, but are not the only way 

In 2015, the Obama administration threatened sanctions against China unless the country stopped economic attacks on U.S. private companies. The resulting agreement between China and the United States only blocks the nations from hacking each other’s industry for economic gain. Espionage is still fair game. While attacks may have declined, there is no solid evidence that Chinese operational activity has declined, Christopher Porter, chief intelligence strategist at cyber-security company FireEye, stated in a policy analysis.

“There is no evidence that such measures have improved cyber-security for the United States,” Porter stated. “Chinese operations continued apace after the 2014 indictment of hackers associated with the Chinese military and decreased only after diplomatic efforts became serious.” 

A lack of fear of repercussions has made hacking between countries the status quo. Most other countries have operations that hack with relative impunity, because they don’t fear retribution. The U.S. government will have to take quick, decisive action to cause economic pain to the countries who hack U.S.-based businesses, CSIS’s Lewis said. 

“If we are not willing to do something back, then the bad guys will never stop,” Lewis said. 

2. U.S. should reconsider what constitutes critical infrastructure 

Both the U.S. government and companies need to determine which private-sector systems are critical and should be protected by the weight of the federal government. The U.S. Department of Homeland Security lists 16 critical infrastructure sectors, but vulnerable industries are still not on the list. 

Prior to the 2016 presidential election, for example, election systems were considered to solely be the responsibilities of the states, but now efforts are underway to have them designated as critical infrastructure. In January 2017, the U.S. Department of Homeland Security clarified that it now considered election infrastructure to be critical. 

“Recent history has shown that the U.S. government is not as good at picking which industries to protect as threat actors are at finding strategically valuable soft targets to hit,” FireEye’s Porter said. “And today’s institutions, however well-staffed, well-equipped and well-led, have not focused on the right problems.” 

3. Make more information available to U.S. firms 

While some information sharing and analysis centers (ISACs) do well at providing members with information about the latest threats, timely threat information continues to be scarce. 

Firms are wary about sharing information with competitors and of the liability inherent in admitting that they may have been breached. Furthermore, when government agencies receive information, it is often a one-way street. Information about attacks tends to be classified and is often provided to industry only after the companies that could have made the best use of the data have already been breached.

“At a minimum, the director of national intelligence should consider requiring intelligence agencies to provide Secret-level briefings of major findings and technical indicators for all cyber-related finished intelligence that is published,” FireEye’s Porter wrote. “This would greatly widen the circle of outside experts, private companies, and cleared academics that could benefit from reporting.” 

However, CSIS’s Lewis argued that companies should only participate if they are able to use the data. 

“A small company that gets information is probably not going to be able to do something with it,” he said. “So, in that case, we need managed services.” 

4. Increase attackers’ pain 

To dissuade nation-state groups from attacking companies, federal agencies should find ways to make attacking businesses more painful. Indictments and sanctions do not do enough to dissuade the attackers, said CSIS’s Lewis.

“We have to think of what are more extreme measures that would increase the pain for these guys,” Lewis said. “Part of it is that the previous administration was unwilling to take action and so there was a general perception among our state opponents that the U.S. would never do anything back.” 

FireEye’s Porter argued that giving more responsibility to military commanders and intelligence directors to conduct cyber operations could help make the U.S. response more agile. 

“The U.S. and its allies must push more authority to the commanders of cyber-forces so that they have freedom to act to the degree required to keep citizens safe from ongoing and imminent cyber operations,” he said. “President Trump’s decision to revisit PPD 20 and take off some of those handcuffs is a necessary first step.”

5. Create international norms for cyber operations 

Lewis contributes to a group of internet experts aiming to set standards of behavior among actors in cyberspace. Called the Global Commission on the Stability of Cyberspace, the group is working with the United Nations and other groups to establish normative rules on how countries should act.

“Norms help set behavioral standards,” he said. “You have to say here are norms that everyone has agreed to, and your behavior deviated from those norms, and so that justifies some kind of punitive action, whether it’s public censure or sanctions or something else.” 

While companies—especially large enterprises—have the technical resources and capabilities to defend against most threats, the government can help head off the well-funded nation-state actors, Lewis said. 

“Getting new defensive technologies out there—the private sector does that quite well,” he said. “The government can help bring everyone up to the same level, through standards, and help dissuade the threats through norms and other actions.”

Five Basic Controls Companies Can Implement to Improve Data Hygiene
https://www.eweek.com/security/five-basic-controls-companies-can-implement-to-improve-data-hygiene/
Fri, 17 Aug 2018
Many companies are failing to implement the most basic security controls to lock down their networks and data, an oversight that leaves them less able to respond to attacks and security incidents.

While security hardening guides that prioritize the most basic steps are freely available from the National Institute of Standards and Technology (NIST), the Center for Internet Security (CIS), and the Defense Information Systems Agency (DISA), 60 percent of companies do not benchmark their progress against those guides, according to a survey conducted by security technology company Tripwire.

Those companies are forgoing a significant source of security knowledge to put them on the right path, Tim Erlin, vice president of product management and strategy for Tripwire, told eWEEK.

“There is a lot of research and community contributions that go into those hardening guidelines,” he said. “These days, they are generally evidence-based recommendations about what you should do to eliminate risk in your environment. For those companies, it is a missed opportunity.”

The CIS Controls guide, for example, breaks down security measures into six basic controls, 10 foundational controls, and four organizational controls. Among the basic steps companies should take are creating an inventory of hardware and software assets, managing vulnerabilities continuously, separating privileged access from normal user accounts, and monitoring log files.

“We focus pretty tightly on the current problems—what bad guys are doing today and what are the challenges,” Tony Sager, senior vice president at CIS, told eWEEK. “The problem in this business is that there is an infinite number of ways that you could improve your security. They are important things, but it can be overwhelming with hundreds and thousands of pages of things to do.”

Sager often finds companies that want to know how to get started on improving and institutionalizing their security. He recommends that the foundational controls be implemented first.

“On their own, these will not help you stop any specific attack,” Sager said. “They are part of the infrastructure you need to stop big classes of attacks.”

Here are the top five ways that companies can incorporate those basic controls into their security process and improve their cyber hygiene.

1. Get better visibility into your network operations

Companies still do not have good visibility into the devices and software on their networks, and the complexity of those networks appears to be getting the better of them.

Only 29 percent of companies track 90 percent or more of their devices, according to the Tripwire survey. In 2018, only 75 percent of companies were able to remove or isolate an unauthorized device from their network in a timely way, and 18 percent needed days to remove an unknown device. In 2015, 89 percent of companies could claim the same efficiency.

“It has gotten worse—I don’t know how this can be anything but worse,” Erlin said. “Part of it, no doubt, is that organizations have a skills gap and a talent shortage. But vendors should be responding to these trends and filling the gap.”

Yet, companies seem to be doing a decent job of keeping track of devices, if not removing them. In 2018, three-quarters of companies detected a new device on the network in hours, compared to 71 percent of companies in 2015.
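The first control is an inventory you can check the live network against. The following Python script is an added example for this article, not code from Tripwire, CIS or eWEEK: it reconciles two sources of device sightings (constructed DHCP lease lines in a dnsmasq-style layout and constructed Linux `ip neigh` output, both assumed formats) against a constructed asset inventory keyed by MAC address, reports devices that are not in the inventory, and reports how much of the inventory was actually seen.

```python
"""Reconcile devices seen on the network against an authorized asset inventory.

Added example for this article; not code from Tripwire, CIS or eWEEK.
The inventory, the DHCP lease lines and the neighbor-table lines are
constructed sample data in assumed formats (dnsmasq-style leases and
Linux `ip neigh` output).
"""
from dataclasses import dataclass

# Constructed inventory: MAC address -> (hostname, owner).
INVENTORY = {
    "aa:bb:cc:00:00:01": ("fileserver01", "it-ops"),
    "aa:bb:cc:00:00:02": ("printer-3f", "facilities"),
    "aa:bb:cc:00:00:03": ("laptop-jdoe", "jdoe"),
}

# Constructed dnsmasq-style leases: "<expiry> <mac> <ip> <hostname> <client-id>".
DHCP_LEASES = """\
1541376000 aa:bb:cc:00:00:01 10.0.0.10 fileserver01 *
1541376050 AA:BB:CC:00:00:03 10.0.0.23 laptop-jdoe 01:aa:bb:cc:00:00:03
1541376120 de:ad:be:ef:00:01 10.0.0.77 android-8f1 01:de:ad:be:ef:00:01
"""

# Constructed `ip neigh` output; the FAILED entry carries no link-layer address.
IP_NEIGH = """\
10.0.0.10 dev eth0 lladdr aa:bb:cc:00:00:01 REACHABLE
10.0.0.23 dev eth0 lladdr aa:bb:cc:00:00:03 STALE
10.0.0.99 dev eth0 lladdr 02:42:ac:11:00:05 REACHABLE
10.0.0.5 dev eth0  FAILED
"""


@dataclass(frozen=True)
class Sighting:
    mac: str
    ip: str
    source: str


def parse_dhcp_leases(text):
    """One Sighting per lease line; MACs are normalized to lower case."""
    sightings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        sightings.append(Sighting(fields[1].lower(), fields[2], "dhcp"))
    return sightings


def parse_ip_neigh(text):
    """One Sighting per neighbor entry that carries an lladdr."""
    sightings = []
    for line in text.splitlines():
        fields = line.split()
        if "lladdr" not in fields:
            continue  # incomplete or failed entries have no MAC to check
        mac = fields[fields.index("lladdr") + 1].lower()
        sightings.append(Sighting(mac, fields[0], "neigh"))
    return sightings


def unknown_devices(sightings, inventory):
    """Sightings whose MAC is absent from the inventory, one per MAC, sorted."""
    first_seen = {}
    for s in sightings:
        if s.mac not in inventory:
            first_seen.setdefault(s.mac, s)
    return sorted(first_seen.values(), key=lambda s: s.mac)


def inventory_coverage(sightings, inventory):
    """Fraction of inventoried devices actually observed on the network."""
    seen = {s.mac for s in sightings} & set(inventory)
    return len(seen) / len(inventory) if inventory else 0.0


def audit(leases=DHCP_LEASES, neigh=IP_NEIGH, inventory=INVENTORY):
    sightings = parse_dhcp_leases(leases) + parse_ip_neigh(neigh)
    return unknown_devices(sightings, inventory), inventory_coverage(sightings, inventory)


if __name__ == "__main__":
    unknown, coverage = audit()
    print(f"inventory coverage: {coverage:.0%}")
    for s in unknown:
        print(f"UNKNOWN {s.mac} at {s.ip} (seen via {s.source})")
```

Run against the constructed data, the audit reports two unknown devices (a Docker-style locally administered MAC in the neighbor table and an Android phone that took a lease) and that only two of the three inventoried devices were seen; the printer is either off or on a segment these sources do not cover, which is exactly the kind of gap the survey numbers describe.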

2. Vulnerability scans: Checking the box is not enough

While vulnerability scanning has become widespread, with 89 percent of companies conducting regular scans, only half of companies do an authenticated scan that uses access to the device to check for specific software flaws.

This is a major oversight, said Erlin. In addition, only 59 percent of companies are scanning on at least a weekly basis, with 23 percent conducting scans each month and 18 percent conducting scans quarterly or less often.

“If you are not doing authenticated vulnerability scans, then you are only giving yourself a partial picture of the vulnerability risk in your environment,” he said.

While DevOps is often seen as a way to integrate software testing into the development process, even DevOps shops are having trouble scanning for vulnerabilities as part of the agile process. Only 54 percent of organizations have implemented a DevOps pipeline scan for vulnerabilities throughout the development lifecycle.

3. Monitor system logs to improve response

Knowing what devices are on your network is only part of the battle. Companies also need to gather logs from critical systems and use systems that glean high-quality security events from those logs, said Tripwire’s Erlin. Only 46 percent of organizations have centralized their log collection, according to the company’s study.

“If you are not collecting logs, then you have no idea what happened on these systems in the case of an incident,” he said. “And it is difficult to collect them after an incident, especially because an attacker can change them.”

Companies that do not collect logs are also putting themselves in legal jeopardy because most industry requirements and government regulations require that companies monitor—and in some cases, continuously monitor—the logs of critical systems and devices.

“I don’t know how the companies are complying with regulations if they are not collecting log functions,” Erlin said.

4. Simplify by outsourcing, moving to the cloud

While companies have a reasonable handle on defending their perimeter, keeping data secure means encrypting data, knowing where your data is and securing mobile devices. About 38 percent of companies are not able to reliably enforce configuration settings on devices.

These are issues that managed security startup Expel commonly sees among its prospective clients. Part of the problem is that the IT and security teams are overwhelmed dealing with bespoke hardware on site.

“One of the biggest challenges they have is that they still run their own stuff and they have huge amounts of legacy infrastructure that they need to maintain,” Bruce Potter, Expel’s chief information security officer, told eWEEK.

“When you look at these organizations, there are things that most companies shouldn’t do anymore, such as run their own mail servers, or run their own accounting systems, or host their own Web site. These are things that other providers do professionally, singularly and very well. So companies should get that outside of their walls.”
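Enforcing configuration settings, which 38 percent of surveyed companies could not do reliably, starts with being able to read the effective configuration and compare it with the benchmark. The script below is an added example for this article, not code from Tripwire, CIS or eWEEK. It parses a constructed `sshd_config` the way sshd does (first occurrence of a keyword wins, `Match` blocks are conditional and skipped here) and compares the result with a small set of expected values. Those expected values follow common SSH hardening guidance of the kind the CIS and DISA guides contain, but they are chosen for illustration and are not copied from any benchmark.

```python
"""Compare an sshd_config with a set of hardening expectations.

Added example for this article; not code from Tripwire, CIS or eWEEK.
EXPECTED holds illustrative hardening values (assumed, not copied from a
benchmark). SAMPLE_CONFIG is a constructed file.
"""

# Illustrative expectations: keyword (lower case) -> required value.
EXPECTED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "permitemptypasswords": "no",
    "hostbasedauthentication": "no",
    "ignorerhosts": "yes",
    "x11forwarding": "no",
    "maxauthtries": "4",
}

SAMPLE_CONFIG = """\
# constructed sample sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no   # later duplicate: sshd keeps the first value
MaxAuthTries 4
X11Forwarding no
Match User deploy
    PasswordAuthentication no
"""


def parse_sshd_config(text):
    """Effective global keyword -> value.

    Mirrors sshd's rules: comments and blank lines are ignored, the first
    occurrence of a keyword wins, and everything after a Match line is
    conditional, so it is not counted as the global setting.
    """
    effective = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            continue
        if in_match:
            continue
        effective.setdefault(key, value)
    return effective


def check_config(effective, expected=EXPECTED):
    """Findings as (keyword, observed, required); an absent keyword is 'unset'."""
    findings = []
    for key, want in expected.items():
        got = effective.get(key)
        if got is None:
            findings.append((key, "unset", want))
        elif got.lower() != want:
            findings.append((key, got, want))
    return findings


if __name__ == "__main__":
    for key, got, want in check_config(parse_sshd_config(SAMPLE_CONFIG)):
        print(f"FAIL {key}: observed {got}, required {want}")
```

On the constructed file the check reports five findings: root login and password authentication are on (the later `PermitRootLogin no` line does not help, because sshd honours the first value), and three keywords are unset, which means the compiled-in default applies and the benchmark cannot be said to be enforced. Reporting "unset" separately from "wrong" matters in practice, because a default can change between versions.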

5. Focus on privileged access

Most companies—88 percent—use a dedicated account for administrative tasks, a basic control in the CIS document. Yet, less than half of companies take the extra step to use dedicated workstations for administrative activities, according to the Tripwire survey.

“If you control administrative access, especially within your user community, you can dramatically reduce the amount of risk, because many of the attacks that occur in a user environment,” Tripwire’s Erlin said.

In general, companies need to do better with their password policies, according to the study, which found that 41 percent of companies do not use multi-factor authentication and a third allow default passwords to be used without changes.

While every organization is different, the basic security measures are useful across almost every industry and size of company, CIS’s Sager said.

“We are all kind of drowning in a soup of bad things,” he said. “So 99 percent of what is going on out there applies to everyone.”

The post Five Basic Controls Companies Can Implement to Improve Data Hygiene appeared first on eWEEK.

Five Security Defenses Every Containerized Application Needs
https://www.eweek.com/security/five-security-defenses-every-containerized-application-needs/
Wed, 01 Aug 2018 03:20:00 +0000
With the increase in popularity of agile development and DevOps methodologies, containers have taken off as a way to create easily managed and reproducible software components. 

Attackers have taken notice, however, and attempts to compromise containers are on the rise. When container-management firm Sysdig put a cluster of containers online with its management API exposed to the internet, for example, attackers found and exploited the open port within four days, starting a new container instance running Bitcoin-mining software.

“It’s not surprising that Bitcoin mining is the thing the attacker tried to run,” Mark Stemm, a software engineer at Sysdig, wrote in an analysis. “[T]he dominant cost in mining bitcoins is CPU processing power. It helps your bottom line if the CPU costs are stolen and therefore zero!” 

Containers have quickly become popular at companies, with a quarter of all firms using Docker containers, according to application-monitoring firm Datadog. The fast adoption of the software, however, has resulted in many misconfigured containers that are publicly accessible and insecure. 

Research by container-software company Docker and cloud-security firm Twistlock that scanned a limited subset of the Internet, for example, found 1,000 exposed registries, of which only 10 percent were configured correctly while 60 percent were completely open to attack. 

“There was a large number of even corporate IP spaces, that were publicly exposed [and] allowed write access,” John Morello, CTO of Twistlock, told eWEEK.  “The attack was not an implant that tried to gain a foothold in the company’s network, but simply a way to monetize the compromise by forcing the victim to unknowingly run a coin miner on the attacker’s behalf.” 

With attackers increasingly hunting for insecure containers in corporate cloud deployments, businesses need to take steps to make their infrastructure more secure. Here are five ways that businesses can better secure their containers and microservices.

1. Educate developers about security 

Containers represent many of the ideals of the DevOps mentality. Developers not only write the code for applications, but also set the configurations that are used with software when deployed into production. 

For that reason, developers need to understand a great deal more about security, orchestration and managing deployed software, according to Amir Jerbi, chief technology officer and co-founder of Aqua Security, a container security firm. 

“Because developers are shifting left and having more responsibilities from the security perspective, sometimes the developers are not aware of bad security configurations—so they could package a Web server without SSL or ship a container with hardcoded passwords,” he said. “When you combine developers’ relative lack of experience with security, you create opportunity for the attackers.”

2. Use certified container images 

Earlier this year, several security firms—including Fortinet, Kromtech, and Twistlock—detailed the discovery of a set of nearly 20 Docker images that would download and run mining software. Applications distributed in containers through centralized hubs could be a vector for malicious code or backdoor vulnerabilities, much like malicious applications downloaded from public app stores.

Developers who use well-maintained, certified container images, and who pull them by content digest rather than by a mutable tag, are far less exposed to such attacks.

Moreover, Docker argued that the mining fears have to be put into context. While the images found by the security firms were downloaded more than 100,000 times and resulted in profits of more than $172,000 for the operators, it is unlikely that the attacker had fooled unwitting developers into downloading the containerized applications, said Banjot Chanana, vice president of product at Docker. 

“The folks that are putting those container images out there in the public are not typically trying to trick people into downloading those images,” he said. “They are using the Docker hub as a way to distribute their own images, much in the same way as someone who puts code up in an S3 bucket.”

3. Check containers and software for vulnerabilities 

A large security advantage of containers is that they allow you to package an environment and turn it into an immutable image. Any change results in a new image, which allows companies to know the state of their containers. 

Combined with static analysis and software component management, this capability allows companies to know whether there are vulnerabilities in their containers. Rather than rechecking each software component, a container’s list of components can be used to check the collection of software for known vulnerabilities. 

“Historically, the configuration of the environment was an artifact that was a point in time—you knew the state of the application at the time you scanned it, but you didn’t know enough to use it later on,” said Twistlock’s Morello. “With containers, you really don’t have to rescan packages once you have done it, giving you a much more proactive approach to vulnerability scanning.”
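What makes the approach Morello describes work is that the component list is tied to an immutable image digest, so the list is recorded once and re-checked against the advisory feed as often as needed. The script below is an added example for this article, not Twistlock's, Docker's or eWEEK's code. The image component lists (placeholder digests), the advisories (hypothetical "EX-" identifiers, not real CVEs) and the version-ordering rule are all constructed for illustration; a real scanner would use the distribution's own version-comparison rules.

```python
"""Check a container image's recorded component list against advisories.

Added example for this article; not Twistlock's, Docker's or eWEEK's code.
The image manifests, the advisories (hypothetical "EX-" identifiers, not
real CVEs) and the version-ordering rule are constructed for illustration.
"""
import re

# Constructed component lists, keyed by image digest (placeholder digests).
IMAGE_COMPONENTS = {
    "sha256:aaaa": [("openssl", "1.1.0f"), ("python", "3.6.3"), ("curl", "7.61.0")],
    "sha256:bbbb": [("openssl", "1.1.1"), ("python", "3.7.0"), ("curl", "7.61.0")],
}

# Constructed advisories: every version below fixed_in is affected.
ADVISORIES = [
    {"id": "EX-2018-0001", "package": "openssl", "fixed_in": "1.1.0i", "severity": "high"},
    {"id": "EX-2018-0002", "package": "python", "fixed_in": "3.6.6", "severity": "medium"},
    {"id": "EX-2018-0003", "package": "curl", "fixed_in": "7.62.0", "severity": "high"},
]

_TOKEN = re.compile(r"\d+|[A-Za-z]+")


def version_key(version):
    """Split '1.1.0f' into comparable tokens: numeric parts compare as numbers,
    letter suffixes compare after numbers (so 1.1.0 < 1.1.0f < 1.1.0i < 1.1.1)."""
    return tuple((0, int(t)) if t.isdigit() else (1, t) for t in _TOKEN.findall(version))


def is_affected(version, fixed_in):
    return version_key(version) < version_key(fixed_in)


def scan_components(components, advisories=ADVISORIES):
    """Findings for one component list, in component order."""
    findings = []
    for name, version in components:
        for adv in advisories:
            if adv["package"] == name and is_affected(version, adv["fixed_in"]):
                findings.append({
                    "id": adv["id"], "package": name, "installed": version,
                    "fixed_in": adv["fixed_in"], "severity": adv["severity"],
                })
    return findings


def scan_images(images=IMAGE_COMPONENTS, advisories=ADVISORIES, cache=None):
    """Findings keyed by digest. Because a digest identifies immutable content,
    a result can be cached until the advisory feed changes; only new digests
    need their component lists looked at again."""
    cache = {} if cache is None else cache
    for digest, components in images.items():
        if digest not in cache:
            cache[digest] = scan_components(components, advisories)
    return cache


def gate(findings, block_at="high"):
    """Deployment gate: True means allow, False means a finding meets the bar."""
    rank = {"low": 0, "medium": 1, "high": 2}
    return all(rank[f["severity"]] < rank[block_at] for f in findings)


if __name__ == "__main__":
    for digest, findings in scan_images().items():
        verdict = "allow" if gate(findings) else "block"
        print(digest, verdict, [f["id"] for f in findings])
```

With the constructed data the older image is blocked on three findings and the newer one is still blocked, because the `curl` package is shared and unpatched in both. Note that `is_affected` only implements the "fixed in version X" shape of advisory; ranges with both a lower and an upper bound, and backported fixes that keep the upstream version number, are the usual reasons a naive version comparison over- or under-reports.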

4. Automate compliance checks 

To create a security-focused DevOps pipeline, companies need to create automated checks that not only scan code, but also check for correct configurations. Deployment issues, such as those found by Docker and Twistlock, can leave containerized applications open to exploitation. 

No wonder, then, that adding automated compliance checks is one of the best practices recommended by security firms. Creating a series of automated “security gates” where code and containers are checked for security and reliability issues can ensure that vulnerable applications are not deployed to production. 

“Companies are now shifting to adding more security controls into the development and deployment pipeline,” said Aqua Security’s Jerbi. “As you’re shipping the container into production, there should be automatic checks around the security gate that will evaluate that all the components are fine, and no one has modified anything.”

5. Check runtime behavior 

Finally, containerized applications lend themselves to monitoring for anomalous behavior. Because an image declares what software should run and the container can be confined to the least privilege it needs, the expected behavior is narrow enough that departures from it stand out.

Adding newer techniques such as data analysis and machine learning to the process of detecting runtime anomalies can further secure containerized applications, said Twistlock’s Morello.

“We can apply a lot more automation and machine learning to create a reference model for what is normal inside an application and be able to detect anomalies compared to that reference model, without having a human being create rules for the anomaly,” he said. 
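The simplest form of the reference model Morello describes is the set of process names an image is seen to run during a learning window; anything outside that set at runtime is an anomaly, and an interactive shell or an unknown binary in a web container is exactly the coin-miner pattern from the start of this article. The script below is an added example for this article, not Twistlock's or eWEEK's code. The exec events are constructed in a simplified `<epoch> <image> <container> <process>` format standing in for what a runtime sensor would emit.

```python
"""Learn which processes each container image normally runs, then flag departures.

Added example for this article; not Twistlock's or eWEEK's code. The event
lines are constructed in a simplified "<epoch> <image> <container> <process>"
format standing in for exec events from a runtime sensor.
"""
from collections import defaultdict

# Constructed learning-window events (what the images did during staging).
LEARN_EVENTS = """\
1533100000 web:1.2 web-1 nginx
1533100001 web:1.2 web-1 nginx
1533100002 web:1.2 web-2 nginx
1533100003 api:3.0 api-1 python3
1533100004 api:3.0 api-2 python3
"""

# Constructed production events, including a compromised web container.
RUN_EVENTS = """\
1533200000 web:1.2 web-3 nginx
1533200001 web:1.2 web-3 sh
1533200002 web:1.2 web-3 miner
1533200003 api:3.0 api-5 python3
1533200004 db:9 db-1 postgres
"""

SHELLS = {"sh", "bash", "dash", "ash"}


def parse_events(text):
    """(epoch, image, container, process) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        ts, image, container, process = fields
        events.append((int(ts), image, container, process))
    return events


def build_baseline(events):
    """Reference model: the set of process names observed per image."""
    baseline = defaultdict(set)
    for _, image, _, process in events:
        baseline[image].add(process)
    return dict(baseline)


def detect(events, baseline):
    """Anomalies as (image, container, process, reason), in event order.

    An image with no baseline is reported rather than silently allowed: a
    container nobody profiled is not the same as a container that is fine.
    """
    anomalies = []
    for _, image, container, process in events:
        if image not in baseline:
            anomalies.append((image, container, process, "no baseline for image"))
        elif process not in baseline[image]:
            reason = "shell spawned" if process in SHELLS else "process not in baseline"
            anomalies.append((image, container, process, reason))
    return anomalies


def run(learn=LEARN_EVENTS, live=RUN_EVENTS):
    baseline = build_baseline(parse_events(learn))
    return detect(parse_events(live), baseline)


if __name__ == "__main__":
    for image, container, process, reason in run():
        print(f"ALERT {container} ({image}) ran {process}: {reason}")
```

On the constructed events the model is two images with one process each; production produces three alerts, the shell and the miner in `web-3` and a database image that was never profiled. A per-image process set is a deliberately coarse model: it will not catch the legitimate binary being abused, which is where syscall or network baselines, or the learned models Morello mentions, come in.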

Overall, if done properly, containers can be a significant security benefit for deploying applications. The steps are not complex: Check for vulnerabilities, automate security, and use verified software components for development. 

In addition, just porting existing applications into containers will give many of the security benefits, said Docker’s Chanana. 

“Continuous security is really the same kind of fundamental best practices that you have been using for decades,” he said. “None of that really changes with containers. It’s much less likely that someone will compromise your application with a zero-day and more likely that you are running an old version of Python with a two-year-old vulnerability in it.”

How Blockchain Can Secure Supply Chains, IoT Devices, and More
https://www.eweek.com/security/how-blockchain-can-secure-supply-chains-iot-devices-and-more/
Tue, 17 Jul 2018 01:22:00 +0000
On July 9, crypto-currency exchange Bancor announced that hackers had compromised one of the company’s digital wallets, using the keys to steal about $23.5 million in Ethereum and other digital currencies. 

The compromise is the latest digital theft of crypto-currencies based on digital tamperproof ledgers, known as blockchains. In Bancor’s case, however, the company had a built-in failsafe to claw back approximately $10 million of its own coin—a smart token known as BNT—limiting the damage. 

“The tokens that were frozen were BNT tokens stolen during the breach,” the company said in a statement. “We firmly believe that this ability is a preventative measure essential to most tokens and necessary to protect the network and token holders in a state of emergency.” 

The incident shows both the security risks and promises of blockchain technologies. The combination of the decentralized nature of the blockchain, along with the ability for anyone with access to a particular wallet to issue transactions on behalf of the owner, means that compromises tend to be big and expensive. 

However, the core capabilities of blockchain (decentralized databases, consensus through proof of work or proof of stake, and tamper resistance) can give applications that use blockchain technology a security advantage. 

“I think there is a misconception that blockchain automatically equals security,” Michael Julian, director of information security for blockchain security group Hosho, told eWEEK. “Blockchain can be secure, but it has to be done right.” 

Here are five ways that blockchain, if set up and maintained properly, can add security to applications. 

1. Better internet of things (IoT) networks 

The number of interconnected, but limited, computing devices has skyrocketed. In the consumer realm, these networked devices are collectively known as the internet of things (IoT), while similar technology used by manufacturers and other production operations are known as industrial control networks. 

To secure such networks, companies need an authoritative registry of all authorized devices, continuously updated as new devices are added and old ones retired. Putting the registration functions into the blockchain makes it easier for network administrators to add a variety of trusted devices—such as wireless routers—to the network.  

“The blockchain contains a directory service that has all the devices that are allowed on the network,” Roman Arutyunov, co-founder and vice president of products with Xage, a provider of blockchain security for industrial IoT, told eWEEK. “If the device is not registered, it is not authenticated and that [decision] can happen at the edge of the network.” 

2. Security log database 

A blockchain-based system could also be used to track and verify security information from network devices. By using the blockchain, devices could automatically add their logging information to a blockchain in a way that is resilient to being modified or deleted, which allows for more reliable logging. 

Such a system could allow devices to simply add specific events to an automatically updated log shared between devices and systems. 

“You could have the data logged to a blockchain rather than to a large centralized database, then you have an immutable ledger of everything that has happened,” Jason Schwerberg, director of engineering at Hosho, told eWEEK.

3. Securing the supply chain

In January, IBM and shipping conglomerate Maersk established a joint venture for finding ways of applying blockchain technology to the global supply chain and shipping business. With more than $4 trillion in goods shipped every year, nearly $180 billion could be saved each year with a more efficient and secure process for tracking goods, IBM estimated. 

Rather than the inconsistent organization of today’s ecosystem for tracking trade, a blockchain-based system would allow multiple agencies and organizations to work with a single source of supply-chain information, allowing for better assessment of risk and more trusted information. 

A variety of other industries are looking at similar applications. Computers and devices shipped into sensitive applications could have bill-of-materials that collect all the supply chain details for each component. 

“Being able to understand where each component is coming from is important,” said Xage’s Arutyunov. “Because multiple parties are involved, the records have to be highly tamperproof.” 

4. Emergency measures implemented through blockchains 

Crypto-currencies and smart contracts that rely on proof-of-work consensus to add transactions to the blockchain can be compromised in a number of ways. The most straightforward is the “51 percent” attack, in which an attacker controls more than half of the network’s hashing power, enough to censor transactions (a denial of service) or double-spend coins. 

Adding security features to claw back malicious transactions—as Bancor did—can help prevent attacks and aid companies in recovering from attacks. But this tactic sacrifices the decentralization around which many blockchain technologies are founded. Bancor, for example, apparently intends to only use the technology during its initial three-year pilot, but argued that all blockchains might need such an emergency switch. 

“We hope to never have to use this security feature again, and while we were compelled to use it this time, we see a growing need for evolving governance models to allow different configurations of permissions to act on a community’s behalf,” Guy Benartzi, co-founder of Bancor, said in a statement. “We look forward to continuing the dialogue on how to best implement diverse governance models for a variety of situations that may arise.”

5. Domain-name protection 

In April, attackers abused the Border Gateway Protocol (BGP), the system networks use to announce routes to one another, to intercept DNS requests for MyEtherWallet.com, a popular digital wallet for storing the information needed to perform transactions in the Ethereum crypto-currency, and redirect those requests to a server in Russia. 

Much of the internet’s security relies on the DNS system working correctly. Blockchain could help with that, said Hosho’s Julian. Rather than work through a registrar, people could get verified as the owner of a domain and get a private key that would then confirm them as the owner. 

“You could improve the security of the domain-name system massively,” said Hosho’s Julian. “The decentralized nature of the blockchain would make it reliable, and without a private key—or multiple private keys—no changes could be made.” 

Overall, blockchain can improve security in many applications by storing data in a tamperproof, public ledger. Yet, developers have to be careful, because vulnerabilities can easily creep into the design and into the coding, said Hosho’s Julian. 

“If it involves a computer, there is probably a vulnerability,” he said. “So make sure you plug those holes and realize that security is a moving target.”

Editor’s Note: This article was updated to correct the spelling of Roman Arutyunov’s name and to clarify the description of his company Xage.

Five Ways Digital Assistants Pose Security Threats in Home, Office
https://www.eweek.com/security/five-ways-digital-assistants-pose-security-threats-in-home-office/
Tue, 03 Jul 2018 04:10:00 +0000
Voice-activated digital assistants, from the Amazon Echo that sits on your counter to Cortana on Windows systems and Siri on Apple’s iPhones, are intended to connect users to services through an easy-to-use voice interface. However, the voice assistants are making cyber-attackers’ jobs easier as well. 

At the Black Hat conference later this month, for example, four researchers will show how Cortana can be used to bypass the security on locked Windows PCs and other devices. While the group is exploiting a specific vulnerability—dubbed “Open Sesame”—the issues with voice assistants are deeper, said Tal Be’ery, an independent researcher and part of the team. 

“Voice interfaces can be a good idea, but it is not relevant to all devices and all actions,” he said. “Enabling everything the PC does, and going through a voice interface on a corporate environment—this is not a very smart architecture decision.” 

The research is just the latest attack to use voice assistants, which often prioritize convenience over security. Digital assistants have been added to phones and PCs as a convenient new way of interacting with the devices. Smart speakers, such as the Amazon Echo and the Google Home, have taken off, with 1 in 6 Americans owning one of the devices.

Yet there have already been incidents. In January 2017, an on-air newscaster said, “I love the little girl saying, ‘Alexa ordered me a dollhouse,’” leading Alexa devices in viewers’ homes to attempt to order dollhouses. And in May 2018, Amazon’s smart speaker picked up a couple’s conversation, recorded it and sent it to a friend.

The incidents underscore that, in addition to bypassing many security controls, voice assistants are nothing less than sleepless sensors that are almost always listening for potential commands, which makes them a privacy issue. 

“The cases that will be handled first are those that are triggered accidentally—like the dollhouse incident,” said Nicholas Carlini, a recent PhD graduate from the University of California, Berkeley, who researched adversarial attacks against artificial intelligence systems. “It is an active area of research of how to stop these issues.” 

Here are five ways that voice assistants can be used to attack. 

1. Hiding commands in the audio

Among adversarial attacks against machine-learning and artificial-intelligence systems are a class that attempt to change an input—an image for vision systems and an audio clip for voice systems—so that the machine recognizes it as something completely different. 

UC Berkeley’s Carlini used just such a technique in his research by modifying an audio clip that transcribes to one phrase to a 99.9-percent similar clip that transcribes into a completely different phrase. The technique can even hide commands inside music. 

Currently, the effort only works in the most controlled environments, but creating a generalized attack should be feasible, said Carlini. 

“It’s still unknown whether this can be done over the air,” he said. “We tried some obvious things, but we didn’t try too hard…I believe it would be possible.” 

2. Machines can hear it, you can’t

Hiding commands inside other audio is not the only covert way to manipulate voice assistants. In an attack presented in 2017, six researchers from Zhejiang University showed that they could use sound inaudible to humans to command Siri to make a phone call or take other actions. 

Called DolphinAttack, the technique shows that, with no check on where a command comes from, a voice assistant can be told to visit a malicious site, spy on its users, inject fake information or carry out a denial-of-service attack, the researchers stated in their paper. 

This “serves as a wake-up call to reconsider what functionality and levels of human interaction shall be supported in voice controllable systems,” the researchers said. 

3. Is this on? Yes, it is

Even when a voice assistant is not taking an action on your behalf, it continues to listen for commands. Like mobile phones, home voice assistants are sensors that know a lot about you. This gives the companies behind the devices a privileged place in your home, and your life, making them an ideal target for attackers. 

“To operate, these devices need to listen all the time by design—once you say the keyword, and then they start collecting data and sending it to the cloud,” researcher Be’ery said. “So this is a bug that is placed in your house by design.” 

In addition to malicious attacks, the devices have already been shown to expose privacy inadvertently. The incident in which a couple was recorded by an Amazon Echo required the device to mishear three commands or prompts before sending the message to a friend. 

4. Trumping system security

Multiple portions of the code base in many general-purpose devices, such as a PC or a phone, could be exploited by hackers. This “attack surface area” is only made larger and more porous when you add voice-assistant technology and prioritize convenience over security, said researcher Be’ery. 

Along with two researchers from the Israel Institute of Technology and the former chief technology officer of security firm Imperva, Be’ery will demonstrate at the Black Hat conference the weaknesses that the Cortana digital assistant adds to Windows devices. 

“Introducing such a complex logic and extending it to so many places, all happening when the computer is supposed to be locked—it is not going to end up well,” he said. “There is too much attack surface area.” 

5. Jumping from device to device

Attackers often find ways into a home through the router or an unsecured wireless network. Voice assistants add another vector that allows them to bridge attacks, using an audio device—such as a TV or even a loud car radio on the street—to issue commands to the devices. 

The dollhouse incident is an inadvertent version of this attack. 

For most of these issues, there is no easy solution. Filters can limit inputs outside the range of human hearing, but most fixes for the other problems would make the devices harder to use, so they are only imposed in certain cases, such as purchasing items or transferring money. 

“From a usability aspect, the answer is no, we don’t want to add a second factor,” said Carlini. “I don’t see an obvious solution that is not to ask for a second factor.”

Five Ways GDPR Could Limit Security Research
https://www.eweek.com/security/five-ways-gdpr-could-limit-security-research/
Wed, 27 Jun 2018 01:05:00 +0000
For months, marketing and online-services companies have dreaded the coming of the General Data Protection Regulation (GDPR), pro-privacy rules protecting European citizens that went into force on May 25. Yet, few understood the impact that the rules would have on another group: security researchers.

Worried about falling afoul of the regulations, a number of domain-name registrars have limited access to the formerly public database listing the contact information for the owners and technical contacts of domains. The Whois database maintained by those registrars is a useful tool for security researchers to use as an initial step toward tracking down malicious actors.

Similar services have shut down as well. A blockchain startup that included information about whether a wallet owner had passed a background check shuttered its service. And academic and industry researchers worry that their databases used to track down bad actors could expose them to legal liability.

In fact, the GDPR has garnered polar opposite reactions from developers and security professionals, said Guy-Vincent Jourdan, an associate professor of electrical engineering and computer science at the University of Ottawa, who described the reactions at two conferences he recently attended.

“I was at a web conference, and there, people were uncorking champagne—everyone was celebrating about GDPR, because it was so great and they were excited about it,” he said. “While at the security conference, everyone was crying and saying this was the end of the world.”

The GDPR aims to curtail the unwanted use of data and give consumers more control of their own data. Companies that use Whois data for mass emails and spammers who use it for fraud schemes will violate the rules. Publishing identifying data—which includes IP addresses and the identifiers used by many blockchain implementations—along with sensitive information also violates the GDPR.

Security researchers have traditionally found uses for public data in ways that were not intended. If those methods reveal the subject’s identity, the researchers could violate sections of the GDPR. It will take both time and due diligence for security researchers to determine whether their investigative methods are impacted by the regulations.

“It is important for us, as researchers, to think about the data we are gathering and collecting,” said Richard Ford, chief scientist at security software firm Forcepoint. “There are still ways to do it right, but it is just a little bit harder.”

While the GDPR is intended to protect European citizens, because researchers cannot always know whose data they are collecting, the rules will hamper research in general, experts said. Here are five areas of research that are, or could be, impacted by the EU’s General Data Protection Regulation.

1. Non-intended uses of Whois data

When companies and individuals register a domain, their contact information is placed in a public database known as Whois. Large domain name registrars, such as GoDaddy, run a server that returns that information to anyone who asks, either through a web form or through the Whois lookup service on TCP port 43.

In May, with the GDPR looming, leading registrar GoDaddy removed contact details for all 57 million domains registered on its service, responding to so-called “port 43 queries” with only the organization, state or province, and country. Queries made through its website can still retrieve the full Whois record, unless the registrant’s address is in a country protected by the GDPR.

While the lack of registration information could pose problems for researchers, the information in the database is usually not that useful for identifying bad actors but can be used for detecting patterns in ownership, said Allan Liska, senior solutions architect at Recorded Future.

“Whois has been a very valuable tool for researchers, but [has been] diminishing in value over the past few years,” he said. “Bad guys tend to use fake information, but they tend to reuse that fake information, so it can still make connections and be valuable.”
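The pattern Liska describes, reused fake registrant details linking otherwise unrelated domains, can be checked mechanically. The following is an added example (not eWEEK’s, GoDaddy’s or Recorded Future’s code) that parses constructed Whois records, ignores GDPR-redacted values, and clusters domains that share a registrant email, phone or organization. The records, domain names and the PIVOT_FIELDS labels are assumptions for the demo; real registrars label fields differently.

```python
"""Pivot on reused registrant details across Whois records.

Added example, not eWEEK's, GoDaddy's or Recorded Future's code. The records
below are constructed for the demo; the "Key: value" layout mirrors what a
port-43 Whois server returns, but field labels vary between registrars, so the
PIVOT_FIELDS names are an assumption to adapt per source.
"""
import re
from collections import defaultdict

# Constructed sample responses (no real registrations). Records a and b share a
# phone number; record c is GDPR-redacted; record d only shares a name server.
SAMPLE_RECORDS = {
    "a-example.test": """\
Domain Name: A-EXAMPLE.TEST
Registrant Organization: Acme Holdings LLC
Registrant Email: billing@acme-example.test
Registrant Phone: +1.5550100
Name Server: NS1.HOSTER-EXAMPLE.TEST
""",
    "b-example.test": """\
Domain Name: B-EXAMPLE.TEST
Registrant Organization: Bright Deals Ltd
Registrant Email: admin@bright-example.test
Registrant Phone: +1.5550100
Name Server: NS2.OTHER-EXAMPLE.TEST
""",
    "c-redacted.test": """\
Domain Name: C-REDACTED.TEST
Registrant Organization: REDACTED FOR PRIVACY
Registrant Email: REDACTED FOR PRIVACY
Registrant Phone: REDACTED FOR PRIVACY
Name Server: NS1.HOSTER-EXAMPLE.TEST
""",
    "d-unrelated.test": """\
Domain Name: D-UNRELATED.TEST
Registrant Organization: Delta Widgets
Registrant Email: hostmaster@delta-example.test
Registrant Phone: +44.2079460000
Name Server: NS1.HOSTER-EXAMPLE.TEST
""",
}

# Strings registrars substitute for withheld personal data; they carry no signal.
REDACTION_MARKERS = ("REDACTED FOR PRIVACY", "DATA REDACTED", "NOT DISCLOSED")
# Fields whose reuse suggests common ownership. Name servers are left out by
# default because shared hosting links unrelated domains.
PIVOT_FIELDS = ("Registrant Email", "Registrant Phone", "Registrant Organization")


def parse_whois(text):
    """Parse 'Key: value' lines into {key: [values]} (keys may repeat)."""
    record = defaultdict(list)
    for line in text.splitlines():
        match = re.match(r"^\s*([A-Za-z][A-Za-z /-]*?):\s*(.+?)\s*$", line)
        if match:
            record[match.group(1).strip()].append(match.group(2))
    return dict(record)


def is_redacted(value):
    return any(marker in value.upper() for marker in REDACTION_MARKERS)


def pivot_keys(record, fields=PIVOT_FIELDS):
    """(field, normalized value) pairs usable for linking; redacted values dropped."""
    keys = set()
    for field in fields:
        for value in record.get(field, []):
            if not is_redacted(value):
                keys.add((field, value.strip().lower()))
    return keys


def cluster_domains(records, fields=PIVOT_FIELDS):
    """Group domains that share at least one pivot value (transitively, union-find)."""
    parent = {domain: domain for domain in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    domains_by_key = defaultdict(set)
    for domain, text in records.items():
        for key in pivot_keys(parse_whois(text), fields):
            domains_by_key[key].add(domain)
    for domains in domains_by_key.values():
        first, *rest = sorted(domains)
        for other in rest:
            parent[find(other)] = find(first)
    clusters = defaultdict(list)
    for domain in records:
        clusters[find(domain)].append(domain)
    return sorted(sorted(members) for members in clusters.values())


if __name__ == "__main__":
    for members in cluster_domains(SAMPLE_RECORDS):
        print("cluster:", ", ".join(members))
```

A redacted record yields no pivot keys at all, which is exactly the loss Liska describes: the domain still appears in the output, but only as a singleton. Passing `fields=("Name Server",)` shows why infrastructure fields are kept out of the default pivot set; it lumps the redacted and unrelated domains together with the first one because they happen to share a hosting provider.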

2. Finding ways to de-anonymize data

Companies have published “anonymized” data for research purposes in the past, only to find that the data actually allows the identification of some of the people whose information was included in the data set. In 2006, for example, the research arm of internet service provider America Online released a data set that included the search queries of 658,000 subscribers. Yet a variety of sensitive data—such as the query “can you adopt after a suicide attempt” and queries on incest—as well as location data, and even Social Security numbers, appeared in the data set.

Researchers often find ways to de-anonymize such data sets; other instances of de-anonymization have involved movie-rating databases, data from social networks, geolocation data and online reading preferences.

For security researchers working with network telemetry data or information harvested from PCs, the dangers of de-anonymization—and a GDPR violation—are real.

“Most types of telemetry are not impacted, but you have to be careful when you are gathering telemetry to make sure that you are anonymizing the data,” said Forcepoint’s Ford. “If it is data-centric telemetry, GDPR is most likely not an issue. But when you are doing human-centric research, with anomalies in people’s behavior, those data sets become even more difficult to manage under GDPR.”
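Ford’s point that telemetry must be anonymized, not merely stripped of names, can be checked before a data set leaves the building. The following is an added example (not Forcepoint’s or AOL’s code) that pseudonymizes the user id with a keyed hash and then measures k-anonymity over the remaining quasi-identifiers; the rows, field names and key are constructed for the demo and are not real telemetry.

```python
"""Check whether pseudonymized telemetry still singles out individuals.

Added example, not Forcepoint's or AOL's code. Replacing the user id with a keyed
hash is not enough: the remaining "quasi-identifiers" (postal code, OS build,
browser version) can still be unique per person, which is how the AOL search
logs identified people. The rows and key below are constructed for the demo.
"""
import hashlib
import hmac
from collections import Counter

# Constructed telemetry rows (not real users).
RAW_ROWS = [
    {"user": "u1", "postal_code": "94103", "os_build": "10.0.19041", "browser": "Chrome/66.0"},
    {"user": "u2", "postal_code": "94103", "os_build": "10.0.19041", "browser": "Chrome/66.0"},
    {"user": "u3", "postal_code": "94107", "os_build": "10.0.17134", "browser": "Firefox/60.0"},
    {"user": "u4", "postal_code": "94107", "os_build": "10.0.17134", "browser": "Firefox/60.0"},
    {"user": "u5", "postal_code": "94110", "os_build": "10.0.19041", "browser": "Chrome/65.0"},
    {"user": "u6", "postal_code": "94110", "os_build": "10.0.17134", "browser": "Firefox/60.0"},
]
QUASI_IDENTIFIERS = ("postal_code", "os_build", "browser")
# Assumption: the key lives with the research team, never inside the released data.
PSEUDONYM_KEY = b"constructed-demo-key-rotate-in-production"


def pseudonymize(user_id, key=PSEUDONYM_KEY):
    """Keyed hash: stable per user (rows still join) but not reversible without the key."""
    return hmac.new(key, user_id.encode(), hashlib.sha256).hexdigest()[:16]


def _classes(rows, quasi):
    return Counter(tuple(row[field] for field in quasi) for row in rows)


def k_anonymity(rows, quasi=QUASI_IDENTIFIERS):
    """Size of the smallest equivalence class; k=1 means someone is unique."""
    return min(_classes(rows, quasi).values())


def singled_out(rows, quasi=QUASI_IDENTIFIERS, k=2):
    """Rows whose quasi-identifier combination occurs fewer than k times."""
    counts = _classes(rows, quasi)
    return [row for row in rows if counts[tuple(row[f] for f in quasi)] < k]


def generalize(row):
    """Coarsen quasi-identifiers: 3-digit postal prefix, OS major.minor, browser family."""
    out = dict(row)
    out["postal_code"] = row["postal_code"][:3]
    out["os_build"] = ".".join(row["os_build"].split(".")[:2])
    out["browser"] = row["browser"].split("/")[0]
    return out


def prepare_for_release(rows, k=2):
    """Pseudonymize ids; if any class is smaller than k, apply one round of generalization."""
    released = [{**row, "user": pseudonymize(row["user"])} for row in rows]
    if k_anonymity(released) < k:
        released = [generalize(row) for row in released]
    return released


if __name__ == "__main__":
    print("k before:", k_anonymity(RAW_ROWS),
          "unique users:", [r["user"] for r in singled_out(RAW_ROWS)])
    released = prepare_for_release(RAW_ROWS)
    print("k after:", k_anonymity(released))
    for row in released:
        print(row)
```

Before any generalization, two of the six constructed rows are unique on their quasi-identifiers even though the user column has been hashed; that is the “human-centric” case Ford warns about. After coarsening, every class has at least three members. A single generalization round is enough here; a real pipeline would loop, or drop fields, until the target k holds.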

3. Some blockchain implementations will disappear

Blockchain technologies that allow for information to be harvested from the ledger have already fallen afoul of the GDPR.

In late May, for example, blockchain services firm Parity shut down its Parity ICO Passport Service (PICOPS) a day before the GDPR went into force. The service allowed owners of wallets to pass an ID background check, confirming that they were not from a restricted set of countries or on a watch list. Because the wallet is seen as an identifier, the service had to comply with the GDPR.

“[A]s things stand the solutions we have identified restrict the service to a very limited set of features,” the company said in a statement. “Because of this, the significant resources required to make PICOPS GDPR-compliant, and the fact that PICOPS is not part of our core technology stack, we have decided to discontinue the service despite overwhelming market needs and demand.”

Researchers who cull blockchain data may have to take extraordinary care to avoid de-anonymizing personal information and violating GDPR.

4. Take care in mining social media

Researchers who mine social networks for a variety of information—whether for content, to create a network map or to create a profile of individuals—will have to abide by provisions of the GDPR, which has restrictions on automated profiling.

Researchers will have to be careful with research on “anything that is about mining information from social media to find cliques with the same interests or issues, or simply to determine if there is a flu outbreak somewhere,” said the University of Ottawa’s Jourdan. “The information is going to be less available and considered more private.”

In addition, researchers may have to give notice and obtain consent for any non-anonymous data included in a profile and abide by the subject’s decisions, according to an analysis by the International Association of Privacy Professionals.

5. Hunting may produce protected data

Another security research activity that will likely be impacted by the GDPR is threat hunting. Using network telemetry and other data to find threats in the network, and then investigating those threats to identify the attacker, will often involve protected data under the GDPR.

For threat-intelligence analysts, this is problematic.

“Countless stories have been shared in the industry about how finding just one email address registered to a domain used for C2 [command and control] malware led to more insights about the malware threat and those operating it,” one security firm pointed out.

Overall, threat hunters will have to maintain strong contacts with their companies’ legal teams to vet any actions that could identify EU citizens.

“I hope that security researchers will embrace privacy and find ways to work with it,” Forcepoint’s Ford said. “The security industry will look at how we gather data and practice data minimization.”

Overall, the impact of the GDPR on security research has not yet been fully felt, experts said.

“By default, organizations will close things up until they figure out what they can and cannot do,” said the University of Ottawa’s Jourdan. “For the next few months, everything that has to do with investigating incidents and determining who is behind something will be impacted by GDPR.”

Processor Flaws Force Chip Producers to Make Security Top Priority
https://www.eweek.com/security/processor-flaws-force-chip-producers-to-make-security-top-priority/
Wed, 06 Jun 2018 03:55:00 +0000

Late last year, chip makers and operating-system vendors scrambled to create critical fixes for three vulnerabilities. 

However, unlike most typical software flaws that are regularly patched, these vulnerabilities were in the processors created by Intel, AMD and other chip makers and not in the applications and operating systems that run on top of those processors. 

Known as Spectre and Meltdown, the security issues led to a massive effort to update and patch processors’ microcode—the base-level software that interprets commands to the chips. 

Yet, security researchers were not done. In May, continued research into potential vulnerabilities created by design efficiencies delivered another serious flaw that exposed information. 

“CPU manufacturers are in a crunch, trying to squeeze as much performance out of the chips,” Alex Ionescu, chief architect at security-services firm Crowdstrike, told eWEEK. “They are clearly making good technical decisions for performance, but those decisions have side effects for security that they have not always thought about.” 

In the past year, a number of serious flaws have been found in the central processing units (CPUs)—nowadays, just referred to as processors—that power the computing potential of everything from internet-of-things devices to desktops, and from mobile phones to cloud-enabled servers. While the flaws discovered in some of these devices may not match the seriousness of the Meltdown and Spectre flaws, their very existence attracts security researchers much as blood in the water attracts sharks.

“You need special skills and equipment to conduct these hacks, but as these devices become more and more popular, and part of our life, I have no doubt people will increase the focus on the hardware,” Itzik Kotler, chief technology officer and co-founder of SafeBreach, told eWEEK.

Already, chip makers are reacting to the discoveries. As a direct result of the vulnerability reports, Intel launched its “Security First” effort, pledging to issue patches quickly, be transparent in its efforts and create initiatives to spur the discovery of vulnerabilities. 

Within three months of being notified of the issues in its processors, for example, Intel released microcode updates for every affected processor model manufactured in the past five years, the company stated. The first issue—one of two issues known as Spectre—will only be addressed by software updates. However, Intel is redesigning parts of its CPUs to address the other Spectre flaw as well as the Meltdown flaw, known as variants 2 and 3, the company said. 

“We have redesigned parts of the processor to introduce new levels of protection through partitioning that will protect against both Variants 2 and 3,” Brian Krzanich, Intel’s CEO, stated in a March 15 blog post on the issues. “Think of this partitioning as additional ‘protective walls’ between applications and user privilege levels to create an obstacle for bad actors.” 

Yet, researchers’ efforts continue, and there will undoubtedly be more vulnerabilities disclosed. Here are five of the most serious that were reported in the past year. 

1. Spectre, Meltdown variants pose triple threat

In January, researchers from Google’s Project Zero, Cyberus Technology and four universities announced a trio of flaws that abuse a widely used performance technique known as speculative execution to read private data, such as passwords. Speculative execution speeds processing by pre-computing possible execution paths of a program, but the traces those discarded paths leave behind, measurable as timing differences, can reveal the contents of memory, the researchers found.

The fix is not easy. Already, patches for both microcode and specific applications, such as browsers, have prevented—or at least, hardened—processors against the attacks, but the final fix will have to be in future designs of the processors to isolate the multiple cores and registers. 

Intel is not alone in its efforts. AMD has also had to scramble to secure devices and computers based on its platforms, although only the Spectre flaws affected them. Apple released updates for all three issues as well; however, not every chip platform was equally affected by the vulnerabilities.

“Analysis of these techniques revealed that, while they are extremely difficult to exploit, even by an app running locally on a Mac or iOS device, they can be potentially exploited in JavaScript running in a web browser,” Apple stated in an advisory.

2. Researchers find flaws related to Speculative Store Bypass 

Researchers were not done, however. In May, Microsoft and Google’s Project Zero both released details of another class of flaws related to processors’ speculative execution. Called Speculative Store Bypass, this variant of the Spectre and Meltdown flaws also affects AMD, ARM and Intel CPUs.

“AMD customers will be able to install the microcode by downloading BIOS updates provided by PC and server manufacturers and motherboard providers,” AMD said in a May 21 advisory. “We will provide further updates as appropriate on this site as AMD and the industry continue our collaborative work to develop solutions to protect users from security threats.” 

Intel expects that more variants will likely be discovered. 

“We know that new categories of security exploits often follow a predictable lifecycle, which can include new derivatives of the original exploit,” Leslie Culbertson, executive vice president and general manager of the company’s newly minted Product Assurance and Security group, said in a statement.

“Expecting that this category of side-channel exploits would be no different, one of the steps we took earlier this year was expanding our bug bounty program to support and accelerate the identification of new methods.” 

3. Intel acknowledges flaws in ME, AMT subsystems 

While Intel is not alone in being affected by the Spectre and Meltdown vulnerabilities, the company did have to support a major platform update in 2017 to repair flaws in its ubiquitous Intel Management Engine, a subsystem of the motherboard that manages and maintains the overall health of the system while it’s running, but also when a system is asleep or booting up. 

In November 2017, the company acknowledged that the Management Engine had several security vulnerabilities affecting all eight generations of the Intel Core processor family, as well as a variety of its server and embedded processors. The vulnerabilities could allow an attacker to gain unauthorized access to the system.

It was not the first time subsystem firmware exposed vulnerabilities. The company had to fix vulnerabilities in a related subsystem, known as the Active Management Technology (AMT) module, that could also allow attackers to take control of systems. 

The Electronic Frontier Foundation, a pro-digital rights group, likened the computer-control software to a “tiny homunculus” inside every system. The EFF called on Intel to provide a way to disable the Management Engine. “What would be best for users and for the public’s ability to control machines that they have purchased would be for Intel to provide official support for reducing the attack surface to limit the potential harm of the ME,” the group stated.

4. When 140 years is not long enough: the ROCA flaw 

The trusted platform module (TPM) is a cryptographic chip used by an increasing number of computers to provide a secure storage for the digital keys needed to secure content and enable trusted transactions. In January 2017, security researchers at the Centre for Research on Cryptography and Security discovered that TPM chips made by Infineon used firmware that included a known vulnerable library for generating private keys. 

The vulnerability could allow the recovery of 512-bit keys in 2 processor-hours—costing about 6 cents—and the recovery of 2,048-bit keys in up to 142 processor-years. While the cost of recovering 2,048-bit keys is high, it remains less than $40,000 per key, which could put critical encrypted data at risk from a determined attacker.

“The private key can be misused for impersonation of a legitimate owner, decryption of sensitive messages, forgery of signatures—such as for software releases—and other related attacks,” the researchers stated in their public analysis, which disclosed the vulnerability in October 2017. 

The analysis found that at least 760,000 keys, and perhaps as many as three times that number, were affected by the issue. Microsoft’s hard-disk encryption technology, BitLocker, relies on the TPM, so the vulnerability weakened its security as well. To fix the issue, an administrator must update Windows, stop BitLocker protection, clear the TPM, and then restart BitLocker to re-encrypt the data with a non-vulnerable key.
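Finding the affected keys in an inventory is the first step of the remediation described above, and the researchers’ public analysis described a fingerprint for doing so. The following is an added example (not eWEEK’s code and not the researchers’ own detection tool) that implements that fingerprint in Python: affected primes have the form p = k·M + (65537^a mod M) with M a product of small primes, so N mod p_i always lies in the subgroup generated by 65537 mod p_i. The “weak” test modulus is constructed with that structure purely to exercise the check and is not a real Infineon key; the control modulus uses ordinary nearby primes; the prime list and the Miller-Rabin helper are assumptions of the demo.

```python
"""Fingerprint RSA moduli for the key structure behind the ROCA flaw.

Added example, not eWEEK's code and not the CRoCS researchers' detection tool.
It applies the publicly described fingerprint: affected Infineon primes have the
form p = k*M + (65537^a mod M) with M a product of small primes, so for every
small prime p_i the residue N mod p_i lies in the subgroup of Z_p_i* generated
by 65537. Any modulus outside that subgroup for even one p_i is certainly not
affected; one inside for all of them should be re-keyed. The "weak" modulus
below is built with that structure purely to exercise the check (it is not a
real Infineon key); the control modulus uses ordinary nearby primes.
"""
import random

SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61,
                67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131,
                137, 139, 149, 151, 157, 163, 167]


def subgroup_of(generator, p):
    """Residues {generator^k mod p}: the cyclic subgroup generated in Z_p*."""
    members, x = set(), 1
    while x not in members:
        members.add(x)
        x = (x * generator) % p
    return members


SUBGROUPS = {p: subgroup_of(65537, p) for p in SMALL_PRIMES}


def first_rejecting_prime(n):
    """Smallest small prime whose residue rules out the ROCA structure, else None."""
    for p in SMALL_PRIMES:
        if n % p not in SUBGROUPS[p]:
            return p
    return None


def roca_fingerprint(n):
    """True when n matches the structure for every small prime (flag for re-keying)."""
    return first_rejecting_prime(n) is None


def is_probable_prime(n, rounds=16):
    """Miller-Rabin with a fixed-seed base sequence so the demo is deterministic."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    rng = random.Random(0)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def next_prime(n):
    n += 1
    while not is_probable_prime(n):
        n += 1
    return n


def structured_prime(m, k):
    """Demo only: the smallest a for which k*m + (65537^a mod m) is prime."""
    a = 0
    while True:
        candidate = k * m + pow(65537, a, m)
        if is_probable_prime(candidate):
            return candidate
        a += 1


M = 1
for _p in SMALL_PRIMES:
    M *= _p

# Constructed test moduli (not real keys).
WEAK_MODULUS = structured_prime(M, 2) * structured_prime(M, 3)
CONTROL_MODULUS = next_prime(1 << 256) * next_prime((1 << 256) + (1 << 200))

if __name__ == "__main__":
    for label, n in (("structured", WEAK_MODULUS), ("control", CONTROL_MODULUS)):
        print(label, "fingerprint:", roca_fingerprint(n),
              "first rejecting prime:", first_rejecting_prime(n))
```

The check is cheap (38 modular reductions per key) and a negative result is conclusive, so it can be run across a whole certificate or TPM key inventory; a positive result is the trigger for the re-keying procedure above. The fingerprint needs only the public modulus, so nothing secret has to be exported to run it.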

5. Insensitive disclosure of sensitive issues: AMD PSP flaws 

In March, a relatively unknown company, CTS Labs, controversially publicized a set of security issues in the AMD Platform Security Processor, which acts like a TPM, after giving the chip maker only a day to respond to its report. The software flaws allowed an attacker who already had administrator access to bypass a number of hardware security measures, such as Secure Boot, infect the motherboard firmware and bypass other defensive features.

While the company may have fueled hyperbole surrounding the security issues—and disclosed them without adequate notification—the vulnerabilities are real, said Dan Guido, co-founder and CEO of security firm Trail of Bits.

“Regardless of the hype around the release, the bugs are real, accurately described in their technical report (which is not public [as far as I know]), and their exploit code works,” Guido stated on Twitter, adding, “Yes, all the flaws require admin [privileges] but all are _flaws_ not expected functionality.”

Five Ways Cyber-Criminals are Trying to Cash in on Crypto-Currency
https://www.eweek.com/security/five-ways-cyber-criminals-are-trying-to-cash-in-on-crypto-currency/
Tue, 01 May 2018 21:25:00 +0000

Before speculation led to the skyrocketing market capitalizations of crypto-currencies over the past year, online crime was a significant driver of the commercial value of Bitcoin, Ethereum and other digital currencies. 

Dark Web transactions for drugs, payoffs for ransomware attacks and money laundering for a variety of criminal enterprises drove much of the initial value increases of the currencies. 

Yet, criminals have increasingly targeted the burgeoning ecosystem for virtual currencies, looking to illicitly generate currency through mining, by stealing currency from exchanges and wallets, and by finding new ways to deny service for extortion and revenge. 

In January, for example, hackers compromised crypto-currency exchange Coincheck, stealing 500 million NEM tokens from the company’s vulnerable wallet. The total value of the haul was about $534 million, according to the most recent estimates. The attack, which accounted for about a sixth of the $3.7 billion NEM market capitalization, could have destroyed the currency, but Japanese online brokerage firm Monex Group bought the company for about $33 million. 

Such attacks will continue as the value of crypto-currencies grows, as their uses become more legitimate and as oversight becomes more stringent, said Ian Gray, senior intelligence analyst with risk intelligence firm Flashpoint.

“Definitely, the rising valuations of crypto-currency have had an impact on the number of attacks that we have seen,” he said. “Not just with exchanges, but also in terms of wallets and the number of crypto-currency miners we have seen recently.”

While cyber-criminals have often used crypto-currencies as a way to monetize their diverse illicit schemes, they are increasingly finding other ways to incorporate crypto-currencies into their attacks and operations. 

Malware, for example, has increasingly incorporated payloads that manipulate crypto-currencies, either searching for and stealing wallets or turning a compromised computer into a currency-mining bot. In the third quarter of 2017, about half of all malware focused on crypto-currencies, but by the last quarter of the year, that had grown to about 90 percent of malware, according to web application security firm Imperva. 

“The attackers are evolving and doing whatever they can to maximize their profit,” said Nadav Avital, security research team leader at Imperva. 

As the value of the crypto-currency ecosystem grows, and more companies adopt the distributed ledger technology of the blockchain to implement security in other contexts, cyber-criminals will focus more heavily on taking advantage of the digital currencies. 

Here are five ways that criminals are utilizing cryptocurrencies in their attacks. 

1. Taking advantage of lax exchange security 

Cyber-attackers will continue to assail currency exchanges. 

Coincheck is just the latest—and largest—breach of an exchange. In 2014, Bitcoin exchange Mt. Gox failed following two breaches, one for nearly $9 million in 2011 and another for a whopping $450 million in 2014. The following year, another exchange, BitStamp, announced that its “hot wallet,” or operational funds, had been stolen by hackers.

With a greater focus on security and risk management and more oversight by government regulators, however, exchanges are getting better at fending off hackers, said Flashpoint’s Gray. 

“A lot of exchanges are getting a lot more serious about security and creating risk programs that better protect their assets,” he said. “A lot of governments are also getting more serious about how they are treating crypto-currency, not only regulating the exchanges, but improving the anti-money laundering procedures and other operations.” 

2. Enslaving devices to mine crypto-currency 

When the Berkeley SETI Research Center introduced its desktop application SETI@Home in 1999 to process radio signals from space in search of extraterrestrial civilizations, the group kicked off the idea of using volunteers’ systems to parallelize a compute-intensive task. Malicious bot software copied the idea, turning compromised systems into a large distributed computer.

Online criminals with an interest in crypto-currency mining have reproduced the same infrastructure. From PCs to routers to phones to browsers, illicit crypto-currency miners compromise systems, install malware and execute programs to crunch the numbers needed to generate tokens in their preferred currency.

Most recently, attackers have used vulnerabilities in Apache Struts and Drupal to infect web servers with their programs, which also often attempt to infect visitors’ systems with crypto-mining tools, said Ryan Barnett, principal security researcher at Akamai. 

“While these are the most current vulnerabilities, attackers are agile and will quickly migrate to new vulnerabilities that will allow them to download their crypto-mining tools into vulnerable systems,” he said.

3. Virtual pickpocketing of insecure wallets 

Security firm Zscaler has seen a doubling in the number of crypto-mining payloads in 2018, but it has also seen an increase in malware targeting the wallets used by consumers to store the security keys needed to sign and verify crypto-currency transactions, according to Deepen Desai, vice president of security research and operations. 

If attacking the exchanges is like a bank heist, breaking into and stealing from insecure wallets is akin to virtual pickpocketing.  

“With the exponential increase in crypto-currency values, lots of consumers are also engaged in legitimate mining activity using their own hardware resources,” Desai said. “Cyber-criminals on the other hand are performing mining activity on the compromised systems as well as attempting to steal crypto-currency wallets from the user’s system.” 

While best security practice for crypto-currency wallets calls for the majority of digital value to be kept in offline storage, a “cold wallet,” many consumers do not take this step.

4. Fueling crime and tax evasion

Criminals are naturally attracted to crypto-currencies because the financial instruments have helpful attributes—such as varying levels of anonymity and the ability to turn processing power directly into cash. While no one has been able to measure the actual proportion of crypto-currency transactions that are illicit, signposts do exist. In 2015, for example, academic research that scraped data from major sites on the Dark Web found that 70 percent of sales consisted of cannabis-, ecstasy- and cocaine-related products with most being sold for crypto-currency. 

A 2017 report on crypto-currencies, published by a public-private group of government agencies and financial firms, found that few consumer applications of crypto-currencies had taken off.

“The crypto-currency payments market remains small, despite the regular introduction of new crypto-currencies,” the report stated. “Crypto-currency users are slowly growing and evolving. However, widespread adoption of crypto-currencies by the general public remains unlikely in the near future.” 

In January, while acknowledging the usefulness of the technology behind crypto-currencies, Larry Fink, the CEO of financial firm BlackRock called crypto-currencies “more of an index of money laundering than anything more than that.” 

Yet, government agencies are cracking down on the use of crypto-currencies for money laundering and tax evasion. Japan’s Financial Services Agency, for example, has put pressure on exchanges to drop support for certain crypto-currencies—such as Monero, Zcash, and Dash—that are thought to be used by criminals because of their privacy protections. 

In April, the European Parliament voted to tighten regulations on virtual currencies, forcing exchanges to operate more like banks, including a customer verification requirement. 

5. Targeting the blockchain infrastructure 

Criminals are also finding ways to exploit the distributed ledgers, or blockchains, used by crypto-currencies to record transactions and provide proof of work for miners. 

In 2016, for example, members of the community behind the Ethereum crypto-currency created the Decentralized Autonomous Organization, or DAO, as a blockchain-based venture capital fund implemented as a smart contract. However, two issues in the implementation of the DAO allowed an attacker to drain approximately $70 million in funds from the contract: The DAO allowed recursive calls, and the smart contract paid out funds before updating the caller’s internal balance.

To fix the issue, the group performed a controversial “hard fork” of the Ethereum currency—in some ways similar to a stock split that delivers two different shares to each shareholder: Ethereum (ETH) and Ethereum Classic (ETC). In retribution, however, attackers used a distributed denial-of-service attack against the currency’s blockchain to slow down transaction processing. 
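The two implementation issues named above are easiest to see side by side. The following is an added example (not the DAO’s or Ethereum’s code) that models the contract as a Python ledger: a withdrawal pays the payee through a callback, and the flawed ordering pays before updating the balance, so a payee that calls back in is paid repeatedly. The same scenario is then run with the balance updated before the payout (“checks-effects-interactions”) and with a re-entrancy guard. Account names and amounts are constructed for the demo.

```python
"""Toy re-entrancy model of the DAO withdrawal flaw and two fixes.

Added example, not the DAO's or Ethereum's code: the contract is modelled as a
Python ledger. The two issues are (1) the contract lets the payee run code in
the middle of a withdrawal, so the payee can call back in recursively, and
(2) it pays out before updating the payee's internal balance. Updating state
before the external call ("checks-effects-interactions") or refusing nested
calls closes the hole. Balances and names are constructed for the demo.
"""


class Vault:
    """Shared pool with per-account balances and a withdraw that pays via callback."""

    def __init__(self, safe_order, guard=False):
        self.balances = {}
        self.pool = 0
        self.safe_order = safe_order   # True: update balance before paying
        self.guard = guard             # True: reject nested withdraw calls
        self._busy = False

    def deposit(self, address, amount):
        self.balances[address] = self.balances.get(address, 0) + amount
        self.pool += amount

    def withdraw(self, account):
        """Pay out account's full balance through account.receive(vault, amount)."""
        if self.guard:
            if self._busy:
                return 0  # a real contract would revert; the toy just refuses the call
            self._busy = True
        try:
            amount = self.balances.get(account.address, 0)
            if amount == 0 or amount > self.pool:
                return 0
            if self.safe_order:
                self.balances[account.address] = 0   # effects first ...
                self.pool -= amount
                account.receive(self, amount)        # ... interaction last
            else:
                account.receive(self, amount)        # flawed: pay first ...
                self.pool -= amount                  # ... then update state
                self.balances[account.address] = 0
            return amount
        finally:
            if self.guard:
                self._busy = False


class Account:
    """Ordinary depositor: the receive hook just records what arrived."""

    def __init__(self, address):
        self.address = address
        self.received = 0

    def receive(self, vault, amount):
        self.received += amount


class ReentrantAccount(Account):
    """Payee whose receive hook calls withdraw again while the payout is in flight."""

    def receive(self, vault, amount):
        self.received += amount
        if vault.pool - self.received >= amount:
            vault.withdraw(self)


def run_scenario(safe_order, guard=False):
    """Return (re-entrant payee's total, honest depositor's total) after both withdraw."""
    vault = Vault(safe_order=safe_order, guard=guard)
    honest, reentrant = Account("honest"), ReentrantAccount("reentrant")
    vault.deposit(honest.address, 90)
    vault.deposit(reentrant.address, 10)
    vault.withdraw(reentrant)
    vault.withdraw(honest)
    return reentrant.received, honest.received


if __name__ == "__main__":
    print("flawed order, no guard:", run_scenario(False))         # (100, 0)
    print("effects before interaction:", run_scenario(True))      # (10, 90)
    print("flawed order with guard:", run_scenario(False, True))  # (10, 90)
```

With the flawed ordering the re-entrant payee, which deposited 10, walks away with the whole 100-unit pool and the honest depositor’s later withdrawal finds nothing left. Either fix alone is enough in this model: once the balance is zeroed before the callback, the nested call sees nothing to pay, and the guard refuses the nested call outright. Real contracts usually apply both, because the ordering fix protects a single function while the guard covers every entry point.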

Such attacks are not limited to online criminals and dissidents. Law enforcement agencies are using blockchain exploitation tools to expose the identities of criminal networks and money launderers trafficking in illicit drugs. In January testimony, Greg Nevano, deputy assistant director at the Department of Homeland Security, said the investigative group looks to disrupt crypto-currency transactions often used to fund narcotics trafficking and launder money.

“In support of its diverse financial investigative efforts ICE uses undercover techniques to infiltrate and exploit peer-to-peer crypto-currency exchangers who typically launder proceeds for criminal networks engaged in or supporting dark net marketplaces,” Nevano said. “Furthermore, ICE leverages complex Blockchain technology exploitation tools to analyze the digital currency transactions and identify transactors.”
