- 12/21/15--09:02: Fileless Memory Infection, Macro Malware on the Rise: McAfee Labs
- 12/21/15--14:20: U.S. Seriously Lags in Chip Card Use, Putting Merchants at Risk
- 12/22/15--10:30: PCI DSS Dials Back on SSL/TLS 1.1 Requirement
- 12/22/15--11:50: Microsoft Targets Man-in-the-Middle Adware in Policy Update
- 12/22/15--12:28: Is U.S. Critical Infrastructure Under Attack?
- 12/22/15--16:35: The Internet Will Keep Working After Jan. 1 No Matter What CBS Says
- 12/23/15--05:00: IT Pros Plan on Improving Security in 2016: Spiceworks
- 12/23/15--12:20: Bufferzone Hooks Into Windows to Containerize Security
- 12/23/15--13:10: Hello Kitty Vendor Sanrio Admits to and Patches Flaw
- 12/23/15--16:00: Google Testing Password-Free Log-ins to Online Services
- 12/24/15--06:30: Encryption Backdoor Debate Heats Up With Juniper Breach Discovery
- 12/27/15--08:25: Top 10 High-Profile Global Hack Attacks of 2015
- 12/27/15--08:30: CA Council to Improve Internet Certificate Security in 2016
- 12/29/15--10:35: 15 Emerging Trends in the Security Sector for 2016
As security and operating system vendors continue to improve defensive technologies to deal with a wide range of attack vectors, there has been somewhat of a shift in the forms of malware that Intel Security is now seeing. Intel Security's McAfee Labs ...
Gurucul's CEO explains how link analysis enables better understanding of user behavior and risk across the enterprise and in the cloud.
Understanding the security of both enterprise- and cloud-based data is cr...
NEWS ANALYSIS: Despite the security benefits of EMV-equipped payment cards, they are used in relatively few transactions in the United States. That is not good news for SMBs.
I was walking to the register at m...
December 22nd 2015: WiFi SPARK is proud to support the work of ‘Friendly WiFi’, the world’s first accreditation scheme designed to verify whether a business’ public WiFi service meets a minimum level of filtering to block out access to pornographic and child abuse websites. The ‘Friendly WiFi’ scheme works in partnership with the Internet Watch Foundation, of which WiFi SPARK is proud to be a member.

What is ‘Friendly WiFi’?

‘Friendly WiFi’ aims to help parents, children and young people make informed choices about using public WiFi and protects them from viewing inappropriate material. The scheme verifies whether the public WiFi provided at a venue meets an industry standard for filtering, blocking access to sites containing inappropriate content. We are now encouraging all of our clients to join the ‘Friendly WiFi’ scheme and be accredited as a ‘Friendly WiFi’ venue.

Why is it important?

Public WiFi is the same as the WiFi we use at home, except that many more people use the same connection at any one time. With so many places letting you access the internet, it is important that businesses in charge of letting you use their public WiFi take the right steps to protect you, your friends and your children from seeing upsetting, disturbing and generally unpleasant images, videos or websites. It is important that when you use public WiFi to access the internet you feel safe and remain safe online.

Who is already a part of ‘Friendly WiFi’?

A selection of WiFi SPARK’s customers have already taken up the initiative, such as Queen Elizabeth Olympic Park and Maudsley Learning Centre. Other companies like TESCO and IKEA are also on board with ‘Friendly WiFi’.

Friendly WiFi is thrilled to offer the Scheme in partnership with WiFi SPARK. Beverley Smith, Director of Friendly WiFi, commented: “The team at WiFi SPARK has been a pleasure to work with from the beginning and has been extremely proactive. We were aware that they were a main provider to NHS Trusts, which is a key market we were keen to tell about the Friendly WiFi Scheme.” She added: “Doing this in partnership with WiFi SPARK will create more interest and it also has enabled us to communicate an exclusive offer via WiFi SPARK. I look forward to growing the relationship further in 2016.”

How can I join ‘Friendly WiFi’?

WiFi SPARK is a ‘Friendly WiFi’ ‘Approved Provider’, meaning the company’s public WiFi offering meets the scheme’s specification, which makes joining the scheme a straightforward process for WiFi SPARK clients. WiFi SPARK clients can now apply to join the scheme and have their service verified, to ensure that access to pornographic material is filtered and that child abuse webpages known to the Internet Watch Foundation are blocked. Once verified and approved, venues can display the ‘Friendly WiFi’ symbol to make it clear that their WiFi is ‘Friendly’. The ‘Friendly WiFi’ symbol has been designed to help children, young people and adults navigate their way through the high street and gives them the option to choose and use a ‘Friendly WiFi’ venue, to ensure that the public WiFi they are accessing is filtered and independently accredited.

More information about the ‘Friendly WiFi’ Scheme and how to join can be found at www.friendlywifi.co.uk, or by emailing firstname.lastname@example.org

About WiFi SPARK

Friendly WiFi and WiFi SPARK have had a strong relationship since the launch of the scheme in 2014, when WiFi SPARK became an approved provider. WiFi SPARK is a specialist wireless network solutions provider with a broad variety of active locations across the UK, including the National Exhibition Centre (NEC) in Birmingham, the National Portrait Gallery in London and an expanding NHS portfolio that includes hundreds of NHS locations nationwide. Since the beginning of the relationship, WiFi SPARK has been a great supporter of the scheme, both technically and by way of introductions to their clients.

Press contacts

Rebecca O’Donovan | 0344 848 9555 | email@example.com

Source: RealWire
Old builds stayed resident, opening security loops. Regulator orders ongoing apology
The Payment Card Industry Security Standards Council pushes back the date for organizations to migrate away from the vulnerable encryption technology standard.
Organizations that need to be compliant with Payment Card Industry Data Security Standard (PCI DSS) version 3.1 are getting a reprieve on a key compliance measure. They now do not need to migrate to Transport Layer Security (TLS) version 1.1 or higher until June 2018, a two-year delay from the original date of June 2016.
The PCI DSS 3.1 standard first debuted in April, shifting away from older versions of TLS and Secure Sockets Layer (SSL) in a bid to reduce the risk of exposure from insecure data transport protocols. One of the key requirements in PCI DSS 3.1 is for organizations to disable all use of SSL version 3. SSL has been determined to be cryptographically insecure by a large volume of research, as evidenced by the POODLE vulnerability in SSL 3 that was first disclosed in October 2014.
"One of the key factors that gave us the confidence in pushing out the date to June 2018 is that, at the moment, we're not seeing criminals accessing cardholder data through these vulnerabilities," Jeremy King, international director of the PCI Security Standards Council (PCI SSC), told eWEEK.
In moving the date back, PCI SSC is trying to balance risk and operational needs, King said. That is, how does the risk associated with the added time needed to migrate to TLS 1.1 or higher balance with the potential loss of business for merchants, processors and assessors?
"What is absolutely clear is that this is not a signal to organizations to do nothing for two years. In fact, it is quite the opposite," he said. "For sure, if a company can migrate away from SSL and early TLS today, then they should do so immediately."
If it is not practical for an organization to move to TLS 1.1 or higher just yet, then the company must understand that it is at greater risk and so must take greater care, King stressed. Organizations must have clear mitigation and migration plans to deal with the time between now and their migration, and they must be very aware of strange activity related to SSL and early TLS protocols.
As to why PCI SSC is making the announcement about the TLS migration date now, during the busiest time of the year for retailers, King said the announcement is being made as early as possible after receiving and analyzing feedback from the PCI SSC's global community.
"After merchants and service providers started looking at their systems to make the shift, it became apparent to them that the migration was going to have far wider-ranging business implications than was originally thought," he said. "This made the original shift date challenging for virtually everyone."
David Picotte, manager of security engineering at Rapid7, is among those who are not surprised at PCI SSC's extension of the TLS migration deadline. Picotte said PCI SSC doesn't want the majority of merchants suddenly assessing PCI DSS in a noncompliant state because time ran out.
"It's also possible that the date gets moved forward should a new attack technique be discovered in the coming years that dramatically reduces the complexity of a successful attack," Picotte told eWEEK. "To remain secure, merchants should ensure that all new implementations use TLS 1.1 or above."
Rob Sadowski, director of marketing at RSA, the Security Division of EMC, said there is no question that the migration away from SSL and early TLS is absolutely necessary to protect payment data and other sensitive data types. Extending the migration deadline is a pragmatic concession by PCI SSC that some legacy hardware environments will be very difficult to patch or update, he added.
"Some of the most vulnerable environments, such as e-commerce, have already migrated or efforts should be well underway," Sadowski told eWEEK. "Despite the extension, organizations that are affected are generally aware that they should not be waiting another two years to address this well-known vulnerability."
From a PCI DSS standard perspective, a formal update is set to be released in 2016 that will codify the migration date move as well as provide additional changes to PCI DSS. King said 2016 is already scheduled to be a PCI DSS standard update year, as per the PCI SSC's standards development life cycle. It's not clear yet if the 2016 update will still be called PCI DSS 3.1 or if it will be given a new number.
"We are conscious that too many changes in quick succession can cause confusion to the marketplace, so we are currently looking at how best to proceed," King said. "Therefore, the version iteration has not yet been finalized. As soon as it is, we will let everyone know."
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
To help improve the security of its Windows software ecosystem, Microsoft is cracking down on adware that relies on man-in-the-middle techniques.
Microsoft wants to put Windows users back in control of their computing experience and improve security by making it more difficult for adware makers to hijack certain Web browser functionality.
In a follow-up to the company's adware classification policies from April, Microsoft announced on Dec. 21 that it is taking a tougher stance on ad-supported software to combat man-in-the-middle (MiTM) techniques that often result in a poor user experience and lead to security breaches. "Some of these techniques include injection by proxy, changing DNS settings, network layer manipulation and other methods," wrote Microsoft Malware Protection Center researchers Michael Johnson and Barak Shein, in a company blog post.
Microsoft argues that software employing a man-in-the-middle approach to online ad delivery robs PC users of one of the hallmarks of the Windows ecosystem: choice.
"All of these techniques intercept communications between the Internet and the PC to inject advertisements and promotions into webpages from outside, without the control of the browser," stated Johnson and Shein. "Our intent is to keep the user in control of their browsing experience and these methods reduce that control."
Man-in-the-middle techniques often bypass many of the notification systems used by modern browsers that alert users when a change is being made to their Web-browsing experience, they noted. They can also dig into a browser's advanced settings, making changes that the average user may be unaware of.
Moreover, some adware can pave the way for a more serious breach of data security. "MiTM techniques add security risk to customers by introducing another vector of attack to the system," said Johnson and Shein.
So Microsoft, in its endless quest to improve Windows security, particularly on its new Windows 10 operating system, is instituting new adware detection rules.
In the coming months, the Microsoft Malware Protection Center is updating its "adware objective criteria to require that programs that create advertisements in browsers must only use the browsers’ supported extensibility model for installation, execution, disabling, and removal," said the staffers. "The choice and control belong to the users, and we are determined to protect that."
The new rules take effect on March 31, 2016, giving developers a few months to adapt their offerings.
"We encourage developers in the ecosystem to comply with the new criteria," said Johnson and Shein. "We are providing an ample notification period for them to work with us as they fix their programs to become compliant. Programs that will fail to comply will be detected and removed," they warned.
IT security watchers have been on high alert for man-in-the-middle attacks since the Lenovo-Superfish adware scandal.
Earlier this year, security researchers discovered that the PC maker had installed Superfish adware on some of its consumer notebooks during late 2014. The adware injected advertisements into Google searches, which indicated that it was performing a Secure Sockets Layer (SSL) MiTM interception of the user's encrypted traffic. Lenovo has since stopped including Superfish on its devices and cut the server connections for the software.
NEWS ANALYSIS: New reports allege that a dam and multiple power stations were hacked by Iran. What's the real risk, and what needs to be done?
A pair of recent reports allege that foreign attackers have been able to infiltrate U.S. critical infrastructure. A Wall Street Journal report alleged that Iranian hackers were able to infiltrate the operation of a dam not far from New York City. An Associated Press report alleged even more widespread risks to the U.S. power grid, in particular an attack involving power producer Calpine.
The public reports that the U.S. power grid has been infiltrated are not being met with surprise by security experts contacted by eWEEK. Barak Perelman, CEO of Indegy, said that after decades of cyber-attacks focusing on "traditional" IT networks, it was a logical next step for hackers and nations to target critical infrastructure. What attacks such as Stuxnet confirmed is that compromising an industrial control device can be just as easy as compromising a PC, he said.
"Cyber-security companies have been focusing on technologies that protect traditional IT networks for the past 20 years," Perelman told eWEEK. "These technologies are not designed to protect operational networks that manage dams or electric substations, which means they have minimal or no protection measures in place."
The idea that industrial control systems aren't yet fully hardened for the modern world of cyber-attacks is shared by Lila Kee, chief product officer and vice president of business development at GlobalSign.
"SCADA [supervisory control and data acquisition] systems have yet to catch up in terms of adequate identity and access management safeguards, increasing cyber vulnerability associated with direct and indirect remote access," Kee told eWEEK. "The reality is grid providers must and are thinking in terms of how to respond to a successful attack."
Kee is a member and participant in the NIST-NCCoE (National Institute of Standards and Technology, National Cybersecurity Center of Excellence) Energy Sector Identity and Access Management Use Case Consortium and a member of the Wholesale Electric Quadrant's executive board. Kee noted that the NCCoE's Identity and Access Management for Electric Utilities cyber-security guide addresses the exact issue that played out at Calpine. In the Calpine attack, information was allegedly stolen from a contractor that had access to data.
"NIST in partnership with commercial security vendors such as GlobalSign developed an example solution guide using off-the-shelf commercial products and services to increase network security," Kee said. "One of the design goals was to implement secure access to physical and logical assets in a method that addressed energy-specific standards such as North American Electric Reliability Corporation Critical Infrastructure Protection [NERC CIP], CyberSecurity Framework and North American Energy Standards Board [NAESB] standards."
Kee explained that the how-to solution guide was designed to address real-life user stories around physical and remote access to networks as described by power generators and transmission and distribution providers. One example the NIST-led guide addresses to increase grid protection is around strong authentication, using two-factor authentication as well as automated and sophisticated access control techniques such as contextual authentication and reliance on a real-time central authorization system, she said.
In the Calpine incident, the root cause appears to be a user risk from a stolen username and password, which can potentially be mitigated by automation, though not entirely.
"There will always be exposure, especially associated with privileged users who have access to rules and policy settings tied to automation," Kee said. "Independent monitoring is vital to the cyber-security equation to assure the appropriate checks and balances are in place."
Perelman commented that in his view automation is not the complete answer to mitigating the risk of cyber-threats in critical infrastructures. He also advocates for the use of improved visibility to monitor the risks.
"Automation can help, but visibility into the status of industrial control systems and the processes they control enables facilities operators to establish procedures and policies for securing them and responding to threats or failures before damage occurs," Perelman said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
NEWS ANALYSIS: Despite predictions of doom on the Internet, the transition to security certificates that enforce SHA-2 encryption will not immediately cut off Web access to anyone.
All of a sudden many Interne...
When asked how they plan to invest in more advanced solutions, 36 percent of IT professionals expect to increase their investment in intrusion detection.
While 80 percent of organizations experienced a security incident in 2015, 71 percent of IT professionals expect their organizations to be more secure in 2016, according to a Spiceworks survey of 197 IT professionals.
When asked how they plan to invest in more advanced solutions, 36 percent of IT pros expect to increase their investment in intrusion detection, 24 percent expect to increase investment in penetration testing and 22 percent expect to increase investment in advanced threat protection.
"It's surprising to see the gap between the security threats feared by IT pros and the attacks they actually experienced this year, particularly when it comes to ransomware," Peter Tsai, IT analyst at Spiceworks, told eWEEK. "While 20 percent of IT pro respondents actually experienced a ransomware attack in 2015, more than half indicated that it was a top concern. Our theory is that steady news coverage, the hostile nature of the malware and numerous anecdotes of ransomware horror stories could be elevating the fear of this relatively new threat."
Tsai said some of the hurdles businesses face when implementing an IT security strategy include putting in place a truly effective IT security strategy, which requires companies to adopt a holistic approach covering technology, people and processes.
"This requires the participation of every single person in an organization, even those who aren't tech savvy," he explained. "Therefore, one of the biggest hurdles is educating end users on security dangers and convincing them of the need to take precautions. Additionally, many IT departments lack the budget needed to invest in security solutions or manpower to dedicate the countless hours required to properly secure networks and keep up with the latest threats."
To protect end users from breaches on various devices in the workplace, 73 percent of IT pros are enforcing end-user security policies and 72 percent are regularly educating their employees on topics such as how to avoid malware and how to spot phishing scams.
"Many IT departments now support multiple devices per employee. These connected PCs, smartphones, tablets, wearable and Internet of things devices increase an organization's potential attack surface and give IT departments more to worry about, especially if devices have access to company data," Tsai said. "IT professionals need to be extra careful to restrict access to networks and sensitive information and develop strategies for tracking, patching and managing company-owned devices."
They also need a solid plan to handle employee-owned devices that come into the workplace, such as keeping them on a completely separate guest network, he noted.
Bufferzone's technology segregates the activity that is done over the Web by running it within a secure container.
The idea of using isolation techniques—such as a sandbox or a hypervisor—to limit the attack surface in an operating system or a piece of software is not a new one, but it is an evolving space with innovations. One of the vendors using isolation to limit security risks is Bufferzone, which is using its own proprietary container approach to help protect users from threats.
"We allow companies that have levels of security requirements to connect to the Internet safely," Israel Levy, CEO of Bufferzone, told eWEEK.
The company has raised approximately $10 million in funding to date, with plans to raise more funds in the next six months, Levy said.
Bufferzone's technology segregates all the activity that is done over the Web by running it within a secure container. The idea is that if there is malware, it will be restricted and limited by the boundaries of the container and not have a wider risk or impact for organizations.
The term "container" is often associated in the modern computing world with Docker; however, that's not the container technology that Bufferzone is using.
"Our approach is completely designed for security and is a proprietary technology that is very lightweight," Eyal Dotan, CTO and co-founder of Bufferzone, told eWEEK. "It contains file system and registry modifications, but processes still run on the same machine, isolated by our windows kernel driver."
Bufferzone's container hooks into the Windows kernel directly, which Dotan said provides an advantage over user-mode forms of security. Programs that are in the buffer zone cannot access processes outside of the buffer zone. The way Windows works, a process needs to be accessed in order to inject code into it or to read what is running.
"Given that we're in kernel mode, we see everything that is coming through our driver," Dotan said.
Users still can get access to the underlying file system, by way of an approach known as "copy on write."
"We let processes in the buffer zone see what's on the file system," Dotan explained. "As soon as a process requests write access for creating or modifying something, we simulate that operation in our own repository."
For a file system operation, there is a redirected file directory, and for the Windows registry there is a redirected registry key. The Bufferzone repository contains the delta, or the differences over time, of modifications made. Existing applications continue to work inside the Bufferzone since the technology resides in the Windows kernel and is not application-specific, Dotan said.
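The redirection described above, as an added illustration that is not Bufferzone's code: one overlay class serves as either the redirected file directory or the redirected registry key, reads fall through to the host, and every write or delete lands only in the container's delta repository. The class, method and path names are assumptions, and the sample data is constructed.

```python
"""Toy copy-on-write overlay, modelled on the redirection the article describes:
reads fall through to the host namespace, writes land in a per-container
repository of deltas, and the host copy is never modified. Added illustration,
not Bufferzone's code; class, method and path names are assumptions."""

from dataclasses import dataclass, field

_TOMBSTONE = object()  # marks a path that was deleted inside the container

# Constructed sample registry key, used by demo() below
RUN_KEY = "HKCU/Software/Microsoft/Windows/CurrentVersion/Run"


@dataclass
class CowOverlay:
    """One redirected namespace: a file tree or a registry hive.

    base  is the host's view, shared with processes outside the container
    delta is the container's private repository (the redirected directory
          or redirected registry key) holding only what changed."""
    base: dict
    delta: dict = field(default_factory=dict)

    def read(self, path):
        """Container view: a delta entry wins, otherwise fall through to host."""
        if path in self.delta:
            if self.delta[path] is _TOMBSTONE:
                raise FileNotFoundError(path)
            return self.delta[path]
        if path in self.base:
            return self.base[path]
        raise FileNotFoundError(path)

    def write(self, path, data):
        """Copy-on-write: the write is redirected into the repository."""
        self.delta[path] = data

    def delete(self, path):
        """Deletion is also virtual: a tombstone hides the host copy."""
        self.read(path)  # raises if the path is not visible in the merged view
        self.delta[path] = _TOMBSTONE

    def listing(self):
        """Merged listing as a process inside the container sees it."""
        names = set(self.base) | set(self.delta)
        return sorted(p for p in names if self.delta.get(p) is not _TOMBSTONE)

    def changes(self):
        """The delta in readable form: what an analyst would review, and what
        discarding the container throws away."""
        return {p: ("<deleted>" if v is _TOMBSTONE else v)
                for p, v in self.delta.items()}

    def reset(self):
        """Discard the repository; the container returns to the host's state."""
        self.delta.clear()


def demo():
    """Constructed scenario: a program inside the buffer zone edits a document,
    drops a new executable, removes a log and adds a Run-key entry. Returns
    both overlays so the host and container views can be compared."""
    files = CowOverlay(base={
        "C:/Users/alice/notes.txt": "draft",
        "C:/Users/alice/old.log": "2015-12-23 ok",
    })
    registry = CowOverlay(base={RUN_KEY: {}})

    files.write("C:/Users/alice/notes.txt", "draft v2")
    files.write("C:/Users/alice/dropped.exe", "MZ-stub")  # constructed stand-in
    files.delete("C:/Users/alice/old.log")

    run_entries = dict(registry.read(RUN_KEY))  # copy, so the host dict is untouched
    run_entries["Updater"] = "C:/Users/alice/dropped.exe"
    registry.write(RUN_KEY, run_entries)
    return files, registry


if __name__ == "__main__":
    files, registry = demo()
    print("host sees:     ", sorted(files.base))
    print("container sees:", files.listing())
    print("file delta:    ", files.changes())
    print("registry delta:", registry.changes())
```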
Among the many companies that compete with Bufferzone is Bromium, which provides a virtualization-based, or microvisor-based, approach to securely isolating a system. Levy noted that his company will often compete on deals with Bromium.
Bufferzone is now making its technology available for Windows 10 users and is looking to expand the platform in 2016. Levy said that one area he's looking at is offering Bufferzone through a managed security service provider (MSSP) model.
"The technology will continue to be deployed by large accounts by companies with over 100,000 employees," Levy said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
Japanese toy vendor Sanrio, owner of the popular Hello Kitty brand, is admitting to a security vulnerability on its SanrioTown.com community Website. The vulnerability has already been patched, and there is no public evidence that private user information has been publicly posted.
"On Dec. 19, it was revealed through outside sources that personal information such as names, date of birth, gender and other information belonging to SanrioTown.com members was accessible if you knew the address of the vulnerable servers," Sanrio stated in a release on Dec. 22. "The vulnerable data did not include credit card information or other payment information and passwords were securely encrypted."
The outside sources include a report that alleged that 3.3 million Hello Kitty fans were exposed by a database leak. In a statement sent by Sanrio to eWEEK Dec. 21, the company noted that it was investigating the report. Sanrio did not respond directly to a question from eWEEK about whether the vulnerability was responsibly reported to them.
Though multiple media reports this week have alleged that details on millions of users were publicly leaked, Sanrio is denying that claim.
"To the Company's current knowledge, no data was stolen or exposed," Sanrio stated. "Up to 3.3 million Website members were potentially affected by this security vulnerability; however, there is no indication that any user data was actually exposed or utilized by malicious parties."
That said, there was a vulnerability on SanrioTown.com that could have enabled an attacker to potentially get access to personal user information, including names, birth dates and user passwords. Sanrio is now recommending that users change their passwords for SanrioTown in order to further limit any potential risk.
While Sanrio's statement doesn't identify the vulnerability, it does indicate that it was a server misconfiguration that enabled the vulnerability. According to Sanrio, it has now placed additional security measures on its vulnerable servers and is conducting a review on how its servers were left vulnerable.
Unfortunately, misconfigured servers, particularly database servers, are not uncommon.
Chris Vickery, the security researcher who first discovered the SanrioTown.com vulnerability, also reported on a similar flaw with software vendor MacKeeper earlier this month. In the MacKeeper incident, up to 13 million user accounts were potentially exposed to risk. Among the risky server misconfigurations are MongoDB databases, of which a Shodan search shows 35,000 publicly available and unauthenticated instances that could be exposing users to risk.
The SanrioTown vulnerability is particularly worrisome in light of the recent disclosure of security vulnerabilities with toy vendor VTech as well as the Hello Barbie toy. In the VTech incident, law enforcement in the UK has already made an arrest.
With the Hello Barbie toy incident, the security vulnerabilities were responsibly reported to the vendor and fixed, limiting the risk.
The truth is that security vulnerabilities exist and it is incumbent upon researchers to responsibly report issues when they find them. Sometimes finding them is easy; server misconfigurations, for example, can be located using publicly available Internet tools like Shodan.
When it comes to database security, especially when those databases contain the information of children, vendors really need to take responsible action now to make sure that simple database misconfigurations are not exposing users to unnecessary risk.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
The company invited a small group of users to help test a new way to log in to accounts.
Google is testing a way to let people log in to its online services without a password. A small number of its users have been invited to participate in tests involving the use of their smartphones to log in to Gmail and other Google services.
"'Pizza,' 'password' and '123456'—your days are numbered," Google said in a statement. "We've invited a small group of users to help test a new way to sign in to their Google accounts, no password required."
A Reddit user who claimed to have received an invite said users who register for the option will receive an alert on their phones when they enter their usernames to access a Google service. The alert prompts the user to confirm whether he or she is attempting to log in to the service. Once confirmed, the user gains access to the account.
Users will still be able to access their accounts using a regular typed password if they choose to do so. The password-free sign-in feature will become available to users of both Android and iOS devices.
Google's goal in introducing the new feature appears to be to curb phishing and other attacks that involve the use of passwords to gain access to accounts and to exploit them.
Security researchers have long lamented the tendency among people to use weak, easily guessed passwords to protect account access and have urged organizations and individuals to implement strong two-factor authentication to their accounts.
Despite considerable awareness of the issue, studies have repeatedly shown that a vast majority of online users continue to stick with passwords that are simple to guess.
A study by SplashData earlier this year showed that the most commonly used password for 2014 was "123456," followed by "password." Other common passwords that SplashData gleaned from a collection of more than 3.3 million stolen user names and passwords included "qwerty," "baseball" and "dragon." The tendency by many online users to use the same password across multiple accounts has only exacerbated the problem.
The results of a Google study, released earlier this year, showed that even the security questions that people use to recover forgotten passwords are easy to guess. Users trying to keep their password recovery answers simple often tended to use common responses. Google, for instance, discovered that with a single guess an attacker would have a nearly 20 percent chance of guessing that an average English-speaking user's favorite food is pizza. Similarly, with 10 guesses, an attacker would have a 21 percent chance of correctly guessing a Spanish-speaking user's father's middle name.
Conversely, users who chose hard answers for their password recovery security questions often had a hard time remembering them. Because of such issues, some security researchers have been advocating the use of other mechanisms, particularly smartphones, to authenticate users to their accounts.
Google is the second major email provider to consider a password-free log-in process. Yahoo recently introduced a new Yahoo Account Key feature that lets mobile users sign in to its services without a password.
As evidence mounts that an intelligence agency had the capability to wiretap Juniper network hardware, technology experts resist political pressure to make encryption breakable.
The mystery surrounding two backdoors in Juniper's virtual private networking (VPN) products—and whether one of them may have originated with a U.S. intelligence agency—has added fuel to the debate surrounding government access to communications and data.
On Dec. 17, Juniper announced that an internal code review had revealed that two backdoors had been added to its ScreenOS operating system. One intentionally introduced flaw allows attackers to use a hard-coded password to gain administrative rights to vulnerable systems while the other allows the decryption of communications captured by an attacker who knows a unique key.
Juniper's Security Incident Response Team "is not aware of any malicious exploitation of these vulnerabilities; however, the password needed for the administrative access has been revealed publicly," the company stated in an advisory.
The hard-coded password was apparently introduced in ScreenOS 6.2.0r15, released by Juniper in September 2012, while an attacker inserted the decryption bypass vulnerability into ScreenOS 6.2.0r17, released in May, according to Juniper. Versions of the operating system released as far back as August 2012 have, however, been patched for the issue.
Security researchers have linked the capability to decrypt communications to a backdoor surreptitiously supported by the U.S. National Security Agency and incorporated into products sold by security firm RSA. The company was reportedly paid $10 million for including the broken Dual Elliptic Curve (DualEC) pseudorandom number generator (PRNG) in its products.
The kerfuffle over the backdoor password and code comes as politicians and law enforcement officials continue to ratchet up the rhetoric calling for technology companies to weaken the security of their products to allow authorities to have access to communications and data.
In a 60 Minutes segment aired over the weekend, Apple CEO Tim Cook attempted to explain the problems that weakened encryption poses for all citizens—that security weaknesses are often exploited and not just by legitimate authorities.
"If there is a way to get in, then someone would find a way in," Cook said in the 60 Minutes segment. "The reality is, if you put a backdoor in—that backdoor is for everybody, for good guys and bad guys."
In the latest Democratic debate, presidential candidate Hillary Clinton, when asked to comment on Apple's assertions, called for a massive effort to find a solution.
"I would hope that, given the extraordinary capacities that the tech community has and the legitimate needs and questions from law enforcement, that there could be a Manhattan-like project, something that would bring the government and the tech communities together to see they're not adversaries, they've got to be partners," Clinton said in the debate.
Such a view is referred to by technologists as the "nobody but us," or NOBUS, argument, where legitimate authorities seek to undermine security with technology that only they will be able to use. The backdoor password is "infinitely stupid," but the NOBUS decryption weakness is a seductive approach, because it seems like it could work, said Nate Cardozo, staff attorney with the Electronic Frontier Foundation.
Such secrets will eventually leak, however, and if ubiquitously implemented, leave everyone with weakened security, he said.
In 2014, the high-profile hacks of Sony, the U.S. Postal Service, JP Morgan Chase and iCloud (for celebrity nude photos) dominated the IT security news. Sadly, 2015 wasn't any better for cyber-security. The volume of hacking attacks that took place this year is becoming more worrisome, and the damage caused by the hack attacks continues to be shocking. Most of the hackers remain at large, which means there is a good chance that they will strike again—or show others how to strike. And what about the thousands of hacks about which the public doesn't hear? Here's a scary metric: The average time it takes for an unprotected PC to get hacked after connecting to the Internet is 60 to 90 seconds. Enterprises must think laterally about security in 2016. As hackers exploit weak or stolen passwords in more than 90 percent of security breaches and simply log in as normal users to avoid detection, having multifactor authentication in place is a good way to take security to the next level. In this eWEEK slide show, using industry information from security specialist SMS Passcode, we present the company's annual Top 10 Global Hack Attacks list, which recalls some of the most high-profile hacks of this past year.
On Jan. 1, 2016, the SHA-1 deadline kicks in, helping to kick off what could be a breakout year of Internet certificate security.
At the heart of much of the Internet's security is the use of Secure Sockets Layer/Transport Layer Security (SSL/TLS), which provides encryption for data in motion. Certificate Authorities (CAs) are the trusted entities that issue TLS certificates, and as a group, the CAs are gearing up for a big year in 2016, with multiple efforts designed to improve the security of the Internet.
Among the leading associations of CAs is the CA Security Council (CASC), a group of organizations that got started in 2013 as an advocacy group for the SSL/TLS industry.
The big change that the CASC is helping to usher in on Jan. 1, 2016, is the widespread deployment of TLS certificates signed with the SHA-2 (Secure Hash Algorithm) cryptographic hash. SHA-2 is the successor to SHA-1, which has been widely deployed in the last decade and is now seen as cryptographically insecure.
"Any Website that needs to get a TLS certificate will only be able to get a SHA-2 certificate as of Jan. 1," Bruce Morton, director of certificate services at Entrust, told eWEEK. "All the modern operating systems and browsers support SHA-2, but a small percentage of older browsers don't support SHA-2."
While some systems and devices don't support SHA-2, the shift on Jan. 1 will not break the Internet or actually change the way the Web works.
"On Jan. 1, nothing really happens that's different than Dec. 31," Doug Beattie, vice president of product management at GlobalSign, told eWEEK. "Everyone has been working hard at replacing their SHA-1 certificates with SHA-2, and that will continue because no one will be able to issue a SHA-1 certificate anymore."
Beattie added that the browser vendors aren't making instant updates on Jan. 1 that disable SHA-1. Browser vendors have announced plans to deprecate support for SHA-1, but that's a gradual process and, from a user perspective, the Internet will work the same on Jan. 1 as it does on Dec. 31.
"Some organizations, however, might be surprised when they go to renew their TLS certificate in the first or second quarter of 2016 and realize they can't get a SHA-1 certificate," Beattie said.
Both Beattie and Morton emphasized that the CAs have been contacting customers over the course of 2015 with reminders about the SHA-1 deadline and the need to migrate to SHA-2. Approximately 80 percent of Websites are already supporting SHA-2, Morton said.
Even for users on older devices and operating systems that do not support SHA-2 by default, there typically is an easy workaround—just install a new browser that supports SHA-2, Morton said. For example, while Windows XP SP2 doesn't support SHA-2, Firefox can still be installed on that operating system and will provide SHA-2 support, he added.
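The check a Web server operator would run ahead of the Jan. 1 deadline is whether an installed certificate is still SHA-1-signed. The following is an added example, not code from eWEEK, the CASC or any CA: a standard-library-only Python routine that walks the DER structure of a PEM certificate and reports the hash family of its signatureAlgorithm OID. The certificate it parses is a constructed shell built inside the block (placeholder tbsCertificate, dummy signature), not a real CA-issued certificate; the parser itself works on real PEM files as well.

```python
import base64

# Signature-algorithm OIDs a CA can put in a certificate's signatureAlgorithm field.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-2"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-2"),
}

def read_tlv(buf, pos):
    """Read one DER tag-length-value starting at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits give the length's byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Decode the content bytes of a DER OBJECT IDENTIFIER into dotted form."""
    arcs, cur = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:                   # a clear high bit ends a base-128 arc
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))

def signature_hash(pem):
    """Return (algorithm name, hash family) for a PEM certificate, or 'unknown'."""
    b64 = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    _, cert, _ = read_tlv(base64.b64decode(b64), 0)  # Certificate ::= SEQUENCE {tbs, alg, sig}
    _, _, pos = read_tlv(cert, 0)          # skip tbsCertificate
    _, alg, _ = read_tlv(cert, pos)        # signatureAlgorithm ::= AlgorithmIdentifier
    tag, oid, _ = read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return SIGNATURE_OIDS.get(decode_oid(oid), ("unknown", "unknown"))

# Constructed test data: a certificate-shaped shell with no real key, subject or signature.
def der(tag, content):                     # short-form lengths only; enough for the shell
    return bytes([tag, len(content)]) + content

def oid_bytes(dotted):
    """Encode a dotted OID into DER content bytes (inverse of decode_oid)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a > 0x7F:
            a >>= 7
            chunk.append((a & 0x7F) | 0x80)
        out += bytes(reversed(chunk))
    return bytes(out)

def constructed_cert_pem(sig_oid):
    """PEM shell: placeholder tbsCertificate, real AlgorithmIdentifier, dummy BIT STRING."""
    tbs = der(0x30, der(0x02, b"\x01"))
    alg = der(0x30, der(0x06, oid_bytes(sig_oid)) + der(0x05, b""))
    body = base64.b64encode(der(0x30, tbs + alg + der(0x03, bytes(33)))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
```

On a real deployment, pass the contents of the server's certificate file to `signature_hash`; a "SHA-1" result means the certificate must be reissued, which after Jan. 1 a CA will only do with SHA-2.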
SHA-1 isn't the only issue that will impact CAs and Web server operators in 2016. The RC4 stream cipher, which is also used in TLS encryption, is being deprecated across the Internet as well, since it too has been deemed cryptographically insecure.
In contrast to the SHA-1 issue, which requires Websites to obtain a new SHA-2 certificate from a CA, with RC4, no new certificate is required.
"RC4 is more of a server-configuration issue," Morton explained. "Organizations need to make sure they are selecting the right set of cipher suites to support secure TLS."
Quarter after quarter, global broadband speeds edge higher, providing users around the world with faster access to the Internet. Unfortunately, even as Internet users benefit from increased speeds, there is a growing number of security risks, according to the third-quarter 2015 State of the Internet (SOTI) reports from Akamai. Akamai issues two separate SOTI reports, the security-focused report, which it released on Dec. 8, and the network-specific report that was released on Dec. 16. In the third quarter, the average global connection speed into Akamai's network was 5.1M bps, a 14 percent year-over-year gain. The average connection speed in the United States was 12.6M bps—a 9.4 percent year-over-year gain—ranking the U.S. 16th globally. From a security perspective, Akamai reported that it defended against 1,510 distributed denial-of-service (DDoS) attacks in the quarter, which is a 180 percent year-over-year increase. While the number of DDoS attacks rose, the top DDoS attack in the quarter came in at 149G bps, a decline from the 250G-bps peak reported in the second quarter. In this slide show, eWEEK takes a look at some of the key findings in the 3Q15 Akamai State of the Internet report.
Hacking Will Become Influenced by Ideology
2016 will be the year the phrases "corporate homicide" and "drive-by hackings" enter the common lexicon. These will be the types of attacks that are described as politically or ideologically focused—think "V for Vendetta"—where shadowy groups target financial, insurance, government, political, gender and similarly divisive organizations (Planned Parenthood, NRA, etc.). The intent of these hacks will fall into one of three momentous categories: hack for profit, hack for destruction and hack for political momentum. —Art Gilliland, CEO, Skyport Systems
NEWS ANALYSIS: Android versions of Symantec mobile security products are the first to include deep learning, but access to this big-data approach will soon spread to other platforms.
Deep learning may be the next frontier for a security industry that's dealing with constant attacks from cyber-criminals who become more sophisticated by the day.
According to a Symantec executive, the company has been working to integrate the whole idea of machine learning into its security services since February 2015. Symantec asserts that the capability, as new as it is, may be the next critical technology to keep cyber-attacks at bay.
Until recently, deep learning had been locked away in the software development labs. A few companies have realized that they can spot malware by its components and its behavior, and so ferret out most zero-day attacks before they have a chance to cause damage. Because of this, deep learning is now being deployed on the cyber-security battleground.
"As a user, you can't afford a bad download, and that's where we need to focus," said Andrew Gardner, senior technical director of machine learning at Symantec, to explain why the company first focused its efforts on Android. "That's what deep learning let us do."
Gardner said that most of the malware files in the Android environment are known, but at any given time two to five percent of the malware in circulation represent what he called low-scoring threats that are often missed by malware scanners. These include zero-day attacks.
However, Gardner noted that because of the seriousness of a malware attack, the customers simply can't afford any kind of attack, which made preventing zero-day attacks critical. Because machine learning presents the possibility of a very strong defense against zero-day malware attacks, Symantec started there.
Because of this focus, the first Symantec product that actively uses deep learning is Norton Mobile Security for Android. There's also a version of Norton Mobile Security for iOS, but that version doesn't make use of deep learning, at least not yet. But that's just the start.
Symantec has its sights set on bigger goals in the enterprise. The next target will be enterprise email, especially cloud-based email. "We process a lot of the world's email," Gardner said. "A lot of attacks enter the enterprise through email. They're insidious." He said that by attacking company email systems, cyber-criminals are able to seize critical information and, in addition, to steal a lot of money through phishing schemes that install malware on company networks.
The problem until now was that a great deal of email analysis required human intervention. "At the end of the day, we had to have analysts go through and score them as attacks," Gardner said.
Interset brings artificial intelligence to the fight against enterprise threats, regardless of the source, using machine learning techniques that leverage advanced malware scanning algorithms.
Enterprises battling cyber-threats can find a new ally in a threat management platform from Interset that combines machine learning with a massive data repository to identify suspected malware that would otherwise go undetected.
Interset accomplishes this ambitious goal by using extensive data ingestion capabilities that correlate events and activities with network activity to determine the level of risk that activity poses at any given time.
A Closer Look at Interset:
Interset goes about threat detection in a different fashion than most similar products. Simply put, Interset combines the power of machine learning with big data analytics, where normally unrelated bits of data are examined to find relationships and expose trends that pose potential hazards.
Interset is able to identify potential threats because it analyzes data from multiple sources related to the movement of data across or within a network, while also gathering information about the entities involved.
An entity can be anything that impacts the transmission or consumption of data, such as a user, an endpoint, an application, and so on. What's more, the platform can also track the access of sensitive files and usage patterns of a given entity to detect abnormal activity that might indicate potential threats, and display it through alerts and dashboards.
In a nutshell, Interset boasts the following features:
1. It connects and aggregates a broad range of data sources, including endpoints, directories, IP repositories such as PLM and SCM, and content management tools like SharePoint, into analytic models to increase the accuracy and timeliness of threat detection.
2. It employs multiple probabilistic math models to more accurately recognize and trigger alerts about users, machines, repositories or files that are under threat.
3. It delivers prioritized and contextually rich views of the entities and events related to risks and threats, so security teams understand which events represent the greatest risk and what to do to stop them before data is lost.
Hands On with Interset:
Getting started with Interset requires little more than using the Interset Data Gateway (I-DG), which is deployed on premises as a data collection, aggregation, anonymization, encryption, and communication appliance.
The I-DG provides an anonymized data analytics capability, which works by incorporating behavioral analytic models that are run against anonymized logs and metadata. It's important to note that all data remains private, secure, and completely under the customer's control.
Data ingestion and processing are the key tasks of the I-DG, which is managed via a browser-based console. Setup consists of defining the how's, why's, and where's of data collection, which can then be analyzed using self-evolving algorithms that are powered by the device's machine learning capabilities. Wizards and interactive help screens smooth the process of creating use cases, which in essence are administrator-defined policies.
The use cases are critical elements for creating alerts, defining actions, and driving reports. Use cases leverage Boolean logic to drive actions. An example is the following plain-English construct: "If Analytics detects that Someone has Been Behaving Strangely where Any of the Following are True the Risk is Greater than 50 then Call a Script script Block_Login.PL."
Administrators create the constructs using pull-down menu fields that offer several pre-populated options. In the example above, each of the capitalized terms is available via pull-down lists, making it very simple to create complex use cases that can fulfill a multitude of security needs.
Much the same can be said for the data ingestion process, where wizards guide administrators through the essential steps to gather data to be analyzed. The product can work with all types of data via Interset Connectors, which are basically predefined connection scripts for PLM, SIEM, SCM and DLP data types from leading platforms, such as Splunk, SAP, Siemens, RSA, Symantec, and dozens more.