Monthly Archives: January 2016

Companies generally agree that sharing threat intelligence helps to improve everyone’s cybersecurity posture, but some companies are hesitant to do it for fear of giving away too much information.

That attitude is beginning to change, however, and IBM is the latest to adopt a more friendly approach to threat intelligence. The company recently announced that it was opening up its security analytics platform for custom application development as well as launching an app exchange for creating and sharing apps based on IBM security technologies, it said in a press release.

IBM Security QRadar consolidates log source event data from thousands of devices, endpoints and applications distributed throughout a network and performs analytics on raw data to distinguish real threats from false positives, the company said. IBM customers, partners and developers can now leverage the platform’s advanced security intelligence capabilities through new open application programming interfaces (APIs), the company said.

IBM also has launched IBM Security App Exchange, a marketplace for the security community to create and share apps based on these new QRadar APIs. IBM and partners including Bit9 + Carbon Black, BrightPoint Security, Exabeam and Resilient Systems already have built a total of 14 new apps for the IBM Security App Exchange that extend QRadar security analytics in areas like user behavior, endpoint data and incident visualization, according to IBM. Other partners such as STEALTHbits and iSIGHT Partners also have apps in development.

For example, Exabeam’s User Behavior Analytics app integrates user-level behavioral analytics and risk profiling directly into the QRadar dashboard, providing a real-time view of user risk that allows companies to detect small behavioral differences between a normal employee and an attacker using that same credential, according to IBM.

The opening of QRadar and launch of the security app exchange is not the first major move IBM has taken this year to promote sharing of threat intelligence and industry collaboration to fight cyber criminals. In April, IBM opened its 700 terabyte database of security threat data through its IBM X-Force Exchange platform. Since then more than 2,000 organizations have joined the program to share threat intelligence.

Marc van Zadelhoff, vice president, strategy and product management for IBM Security, said it’s imperative that industry leaders like IBM take initiative to extend security technologies to share threat intelligence to promote better cybersecurity globally, which suggests that stakeholders can expect similar moves from Big Blue in the future.

“With thousands of customers now standardizing on IBM’s security technologies, opening this platform for closer collaboration and development with partners and customers changes the economics of fighting cybercrime,” he said in the press release. “Sharing expertise across the security industry will allow us to innovate more quickly in order to help stay ahead of increasingly sophisticated attacks.”

Via: thevarguy

If you’re an Apple user, you should have been notified of the latest updates to iOS and OS X.

Official updates are available for the most recent three OS X versions via the App Store or as standalone installers:

• OS X 10.11.3 El Capitan. (Upgrade from 10.11.2 only.)
  
• OS X 10.11.3 El Capitan Combo. (Upgrade from any earlier 10.11 version.)
  
• Security Update 2016-001 for Yosemite. (Previous OS X, 10.10.)
  
• Security Update 2016-001 for Mavericks. (Pre-previous OS X, 10.9.)
  

You definitely want this OS X update, because of the security holes it fixes.

In the El Capitan update, for example, Apple has patched six bugs listed as “a local user may be able to execute arbitrary code with kernel privileges”, which means that any malware or other untrusted code that reached your Mac could have acquired unlimited powers – without popping up any password prompts.

Additionally, a libxslt bug that could be triggered via your browser is listed as “visiting a maliciously crafted website may lead to arbitrary code execution.”

It’s the usual story that remote code execution (RCE) and elevation of privilege (EoP) bugs should never be seen in isolation, because the two can be combined to provide total remote compromise.

But that’s not what this article is really about!

The most interesting bug of the lot is this one, fixed in the iOS 9.2.1 update:

WEBSHEET

Available for: iPhone 4s and later,

iPod touch (5th generation) and later, iPad 2 and later

Impact: A malicious captive portal may be able to access

the user’s cookies

Description: An issue existed that allowed some captive

portals to read or write cookies. The issue was addressed

through an isolated cookie store for all captive portals.

CVE-2016-1730 : Adi Sharabani and Yair Amit of SKYCURE

The Skycure researchers have now described the hole they found, and it’s both interesting and important at the same time.

CAPTIVE PORTALS

You know how your iPhone tries to detect when a Wi-Fi hotspot is trying to redirect you to a login page, known as a “captive portal”, and then displays the captive portal in a special pop-over browser window?

Greatly simplified, iOS does this by fetching the URL…

http://www.apple.com/library/test/success.html

…and waiting for the captive portal to redirect the request to its own sign-up page.

Usually, instead of seeing Apple’s real “success.html” page, which just contains one word, Success, you see the login page served up by the captive portal.

That page is whatever mix of HTML, stylesheets, JavaScript, images and so forth that the hotspot provider wishes to present.

This means you can interact with the captive portal, including signing up and agreeing to terms and conditions if necessary, in order to deactivate the captive portal and activate regular access to the internet.

SHARED COOKIES

The Skycure researchers noticed that iOS incorrectly shared web cookies already set in mobile Safari with the captive portal page, as well as sharing new cookies set in the captive portal back with mobile Safari.

That could allow a malicious captive portal to pull off numerous tricks:

• If you were already logged in to various online services, the portal could steal your authentication cookies and later pretend to be you. Your accounts could be hijacked, just like Firesheep all over again.
  
• If you weren’t logged in, the portal could login as someone else, and set authentication cookies for later. You’d think you were logged in, but your subsequent interactions with services such as social media accounts would happen under someone else’s name.
  
• The portal could send back booby-trapped replies pretending to be other people’s web pages, along with HTTP headers to mark the bogus content as cacheable for later. These booby-trapped pages could poison your subsequent browsing, for example by tricking your browser into using malicious JavaScript, or by swapping images such as [Allow] and [Deny].
  

A LONG FIX

Believe it or not, Skycure states that “we reported this issue to Apple on June 3, 2013. This is the longest it has taken Apple to fix a security issue reported by us.”

Given the potential severity of this bug, it’s to Skycure’s credit that the company kept faith with Apple and didn’t go public until the fix was finally ready:

It is important to note that the fix was more complicated than one would imagine. However, as always, Apple was very receptive and responsive to ensure the security of iOS users.

And, in conclusion, Skycure notes:

Starting with iOS 9.2.1, iOS employs an isolated Cookie Store for all Captive Portals. As with almost any update for iOS, we recommend users and organizations upgrade to the latest iOS version promptly.

We agree – head to Settings | General | Software Update to make sure you’re patched.

Patch early, patch often!

Via: sophos

The Microsoft Remote Desktop app could make mobile users more productive by allowing Windows 10 Mobile and smartphones that support Continuum to function as PCs.

Remote desktops on smartphones typically offer a subpar user experience, but a new app and Windows 10’s Continuum feature could change all that.

The Microsoft Remote Desktop Preview app on Windows 10 Mobile enables users to connect to remote PCs from their smartphones. When the app is combined with Continuum, which transforms the Windows 10 user interface to suit a particular form factor, users can cast the remote desktop and apps onto any monitor, and get a full PC experience — essentially using their smartphones as thin clients.

“This feature … is the future, and everyone will be doing it,” said Steve Greenberg, CEO and principal consultant at Thin Client Computing, a virtualization services provider in Scottsdale, Ariz.

Continuum works in conjunction with Universal Windows Platform apps, which can run across smartphones, tablets, PCs, Xbox and other Windows 10 devices. Certain Windows 10 Mobile smartphones, including Microsoft’s Lumia 950 and 950 XL, can connect to a monitor via a USB 3 display dock, or wirelessly with Bluetooth and Miracast. When running the Microsoft Remote Desktop app on a phone and casting the display to a monitor, Continuum kicks in, giving users a familiar PC interface, with universal apps running in desktop mode. Users can even connect a full keyboard and mouse.

This capability has opened the door for a new client that has desktop virtualization experts buzzing.

Microsoft Remote Desktop app use cases

Microsoft is trying to make a bigger push into the enterprise with Windows 10, and support for desktop virtualization with Continuum on smartphones creates some very compelling use cases for the mobile workforce, said Robert Young, an analyst at research firm IDC.

“You … can have a full desktop experience in that virtualized environment that can’t function natively on the phone,” Young said.

Any workplace where employees are on the go and need quick access to data, such as a hospital, could find these tools useful, he added.

Organizations could set up workstations composed of a monitor, a keyboard and a mouse that supports Continuum, allowing employees or customers to hook up their phones when they need a work experience larger than a phone screen, said John Savill, founder of SavillTech, a Dallas-based  IT education company.

“The idea that, essentially, a phone is a computer is the reality today, and Continuum just lets that capability get expanded,” he said. “Think of any time you may want your computer … but don’t want to carry a PC. Continuum can help with that.”

The concept of using a smartphone for a full desktop experience is not new. Motorola’s Atrix smartphone, released in 2011, had a similar feature; users could connect the phone to a dock that came with the device, and attach the dock to a monitor. The technology did not take off, and Motorola scrapped the feature in its following phone release.

Despite the potential of the Remote Desktop app, Microsoft will have to overcome several hurdles to avoid a similar fate.

First off, Windows 10 is still in its early days of adoption, and Microsoft only released the first Windows 10 Mobile phones in late November. The company continues to develop its own apps to support Continuum, but the number of third-party universal apps is still limited. With insufficient apps and few smartphone models able to support the remote desktop client, desktop virtualization and Continuum on Windows 10 Mobile may not take off as a widely used tool.

“I doubt this will be a game changer for [Windows 10 Mobile],” said Paul DeGroot, principal consultant at Pica Communications in Camano Island, Wash. “But as a substitute for carting a computer around … [Continuum] would be a very effective tool.”

Microsoft’s small share of the smartphone market could also hold it back, but future generations of the concept will catch on, Greenberg said.

“Even though we have wireless ways to cast it, it might still be before its time,” he said. “It is the right idea, and the current offering is interesting, but may not become mainstream.”

The Microsoft Remote Desktop app is now in preview, and the company did not provide a release date for the full version.

Via: techtarget

Cyberfraud sent shares of Austria’s FACC AGto their steepest drop since the supplier of parts to Boeing Co.and Airbus Group SE began trading in 2014. The company put damages at 50 million euros ($55 million) — one of biggest losses after a hacking event for its size.

“The financial accounting department of FACC Operations GmbH was the target of cyber fraud,” the company, whose biggest investor is Aviation Industry Corp. of China, said Wednesday afternoon. FACC said earlier in the day that “cyberattack activities were executed from outside.” The stock closed 17 percent lower.

While high-profile hacks against businesses spanning JPMorgan Chase & Co. to retailer Target Corp. have led to the theft of millions of customer records and caused short-term share slides, the financial impact of cyber crime is often hard to measure. The average cost of a data breach is $3.8 million, a survey by IBM and the Ponemon Institute estimated. TalkTalk Telecom Group Plc said an attack in October caused losses of up to 35 million pounds ($50 million).

Deutsche Bank co-CEO John Cryan told reporters today at World Economic Forum in Davos, Switzerland that the risk of cyber crimes are his biggest concern in 2016.

China Link

The FACC case is intriguing because the company is ultimately controlled by China, often linked to intellectual property theft, via AVIC’s 55 percent holding, said Rick Gamache, a managing director at U.S. cyber-security firm Wapack Labs. FACC has “some really neat technology,” and the attack could potentially have come from a competitor company or a nation state, he said.

“It raises a lot of questions,” said Daniel Damaska, an analyst at Raiffeisen Centrobank in Vienna who is reviewing his “hold” rating on FACC shares. “Even if the attack didn’t effect production, investors and the public need to get more insight on what happened.”

FACC, based in Ried im Innkreis, a town between Vienna and Salzburg, fell 1.07 euros to 5.32 euros at market close in Vienna. The aerospace supplier, listed at 9.50 euros by AVIC in June 2014, has lost more than a third of its worth in 12 months and is valued at 245 million euros.

High Cost

Tom Draper, technology and cyber-practice leader at Arthur J. Gallagher, said damages of 50 million euros seem high. “I can’t see how you can spend that much,” he said, adding that FACC might be factoring in future intelligence-technology upgrades or canceled contracts.

While the total direct cost of Target’s 2013 breach was probably more than $500 million, Draper said, the U.S. retailer has annual revenue of $73 billion, versus 529 million euros at FACC in its last fiscal year. The Austrian group’s Chief Financial Officer, Minfen Gu, declined to comment when reached by phone.

The company, which makes composite components for most Airbus and Boeing models, the Chinese C919, Sukhoi’s Superjet and the Bombardier Inc. CSeries, as well as interiors for business jets and helicopters, is scheduled to report third quarter-earnings Thursday. It had a 9.6 million-euro loss in fiscal 2015.

Via: bloomberg

A new zero-day vulnerability allows Android or Linux applications to escalate privileges.

A new zero-day vulnerability has been discovered that allows Android or Linux applications to escalate privileges and gain root access, according to a report released this morning by Perception Point.

“This affects all Android phones KitKat and higher,” said Yevgeny Pats, co-founder and CEO at security vendor Perception Point.

Any machine with Linux Kernel 3.8 or higher is vulnerable, he said, including tens of millions of Linux PCs and servers, both 32-bit and 64-bit. Although Linux lags in popularity on the desktop, the operating system dominates the Internet, mobile, embedded systems and the Internet of Things, and powers nearly all of the world’s supercomputers.

Using this vulnerability, attackers are able to delete files, view private information, and install unwanted programs.

According to Pats, this vulnerability has existed in the Linux kernel since 2012.

Pats said that the Linux team has been notified, and patches should be available and pushed out soon to devices with automatic updates. Perception Point has also created proof of concept code that exploits this vulnerability to gain root access.

So far, Pats said, no exploits have been observed in the wild that take advantage of this vulnerability.

That may change, however, as news of the vulnerability spreads and some devices take longer to be patched than others.

“We recommend that security teams examine potentially affected devices and implement patches as soon as possible,” the company said.

According to Pats, the vulnerability is related to the keyrings facility, a way for drivers to save security data, authentication keys, and encryption keys in the kernel.

The new keyrings vulnerability is currently known only by its identification number, CVE-2016-0728.

The new vulnerability disclosure comes on the heels of of a whole batch of Android vulnerabilities that Google fixed just last week, including several kernel privilege escalation vulnerabilities. Five of the critical vulnerabilities patched were related to bugs in the kernel drivers or the kernel itself.

Google does not allow applications that root Android devices to be distributed through the Google Play store, but some slip through the vetting process — or are downloaded through unofficial app stores. Some users deliberately root their phones in order to gain capabilities not typically available on Android.

Via: csoonline

The simple attack shows how software needs to be more phishing resistant.

A relatively simple phishing attack could be used to compromise the widely used password manager LastPass, according to new research.

Notifications displayed by LastPass version 4.0 in a browser window can be spoofed, tricking people into divulging their login credentials and even snatching a one-time passcode, according to Sean Cassidy, who gave a presentation at the Shmoocon conference.

Cassidy, who is CTO of Praesido Inc., notified LastPass of the issues. In a blog post, LastPass said it has made improvements that should make such an attack harder to pull off without a user knowing.

Cassidy released a tool on GitHub called LostPass that shows how an attacker can spoof alerts from LastPass, eventually tricking a user into giving up their login credentials.

In a blog post, Cassidy describes how LastPass will alert users if they’re logged out of the application. But the alert is shown through the browser’s viewport, and the exact same alert could be created and triggered by an attacker if someone can be lured to a malicious website.

For his proof-of-concept attack, he bought the domain “chrome-extension.pw,” which looks similar to Chrome’s protocol for browser extensions and unlikely raise eyebrows.

The bogus LostPass alert, if clicked on, could then lead to the malicious domain that asks for a user’s credentials. If two-factor authentication is enabled, the access token could also be stolen. At that point, all of the victim’s passwords can be collected using the LastPass API, Cassidy wrote.

Strangely, those LastPass customers who have two-factor authentication could have been more vulnerable to the attack.

Cassidy wrote that LastPass sent an email notification if a login attempt is made from a new IP address. But that alert is only sent if a person doesn’t have two-factor authentication enabled, so those with it enabled wouldn’t know of a suspicious login.

LastPass has since changed the notification to also go to people who have two-factor enabled if a login attempt is made from a new location or device.

Cassidy contends his research shows how software needs to be more resistant to phishing attacks.

“Many responses to the phishing problem are ‘train the users,’ as if it was their fault that they were phished,” Cassidy wrote. “Training is not effective at combating LostPass because there is little to no difference in what is shown to the user.”

Although Cassidy wrote that the problems are hard to fix, he decided to go public.

“As soon as I published details of this attack, criminals could make their own version in less than a day,” he wrote. “I am publishing this tool so that companies can pen-test themselves to make an informed decision about this attack and respond appropriately.”

LastPass has implemented some new defenses in response to Cassidy’s research and also plans “to release additional notification options that bypass the viewport.”

The company has also blocked web pages from logging someone out of LastPass. Even if users see a warning that they’re logged out, in theory they should notice that LastPass is actually still logged in.

Via: csoonline

I don’t know if you have noticed, but when it comes to incident response, the methodology applied by organizations can vary from the downright chaotic, to a well-disciplined, well-oiled machine. However, from what I have observed over the preceding five years of my professional life, the general approach seems to be ad-hoc and has suffered from a lack of discipline.

I have also observed that whilst there is security input from the security bucket of compliance and governance, there can be a very big mind-the-gap moment when it comes to getting the right kind of technical advice from the attending security teams – which by implication also infers there is a lacking in the area of skills.

It is now the year 2016, and when organizations consider security, they need to add two thoughts into the cauldron of risk assessment:

1. I have probably suffered some form of cyber-compromise, but don’t know it!

2. If I have not been hacked, I will be!

When encountering cyber adversity, or a part/full-on cyberattack, there are a number of keys which can dictate the potential of a positive outcome – and the more keys you have, the greater the chance of mitigating the event, and countering the attack.

The keys are as follows:

KEY 1: PREPARATION

Always expect the worst to happen, and be prepared and have an established CSIRT (Computer Security Incident Team) structure in place, which may be mobilized in a coordinated manner.

KEY 2: PROCESSES

The time of encountering an attack is not the time to consider how you will respond to the event. Here, it is essential to have documented processes in place to guide the CSIRT through the security engagement with clear and defined robust actions.

KEY 3: SKILLS

One very important element of the key chain is to have the right people in place whounderstand the ramifications and implications – people who can deliver value to the incident response process based on the technological risk.

KEY 4: TOOLS

Have tools and response capabilities in place that may be deployed to support the security mission, along with a team who has been trained in their use.

KEY 5: COMMUNICATIONS

It is important for those larger organizations to have both internal and externalcommunications protocols in place to assure they may apply follow-the-sun capabilities, as well as communicating with external agencies, such as the police when the event dictates.

KEY 6: CASE MANAGEMENT

At the core of all successful incident responses exists the ability to document a contemporaneous record of events, and to record any acquired element or artifacts that may seem to be pertinent to the case under investigation.

KEY 7: STAY LEGAL

It is essential that the applicable laws are understood in relation to the region, or regions which are implicated by the event – ranging from the UK with its Data Protection Act to those outsourcing domiciles, which fall under other international laws and directive.

KEY 8: CYBER THREAT INTELLIGENCE (CTI)

When encountering any form of cyber adverse interest, it is a good practice to seek out what any potential adversaries may be saying about your brand online though the employment of CTI – this can give an organisation suffering a cyberattack an insight into the attacker’s mind and objectives.

KEY 9: DIGITAL FORENSIC READINESS

Remember you may need to investigate the acquired artifacts in more depth, so having an evolved Digital Forensic Readiness Capability in the CSIRT Framework should be considered an essential element.

KEY 10: LEARNING

The last important element of the keys to success is to learn from past events and to adjust the futuristic rules of engaged on the past experiences.

It may be that the 10 Point Key Cycle as outlined above may be seen as imposing a difficult challenge on any security team to evolve such a multi-faceted skill set. However, focused training courses do exist which can deliver a one-stop-solution, along with the required commensurate skills and documentation sets – which at time of responding to a cyber security incident have, and can prove to represent an investment in the key steps to commercial survival.

Via: tripwire

Verifone and Microsoft are teaming up on the EMV front.

Verifone announced a new partnership today (Jan. 14) with Microsoft to provide its comprehensive, EMV-ready, Payment-as-a-Service solutions certified for Microsoft Dynamics AX. This integration will deliver Microsoft Dynamics customers with the ability to expedite EMV acceptance, simplify payment management and enhance security.

“Ongoing changes in standards and requirements have made managing payments increasingly more complex,” said Ashvin Mathew, general manager of Microsoft Dynamics. “Partnering with Verifone — a longtime expert in solving merchants’ payment challenges — will simplify this process and enable our users to focus on growing their businesses and improving the customer experience.”

In the merchant race to spend time and money certifying point-of-sale software with processors in order to support EMV, those merchants are also working to secure PCI compliance. That’s where Microsoft Dynamics AX and Microsoft Dynamics RMS come into play to serve users. Payment-as-a-Service from Verifone bundles the necessary solutions (payment hardware, software and support services) into one integrated solution.

The central payment system management is key to a simpler payment system, Verifone noted in the release about the news. Because this solution is built on Verifone’s Secure Commerce Architecture (SCA), which connects payment terminals directly to the Verifone Payment Gateway, it prevents sensitive payment data from entering POS software.

In turn, it enables merchants to update their devices to support PCI changes and card brand-specific EMV requirements, all without having to re-certify each time software changes occur. Verifone’s Payment-as-a-Service offerings also incorporate end-to-end encryption.

Beyond simplifying payment management for merchants, Verifone’s solution protects merchants by preventing exposure of sensitive payment information to malware that cybercriminals often use to infect POS software and steal cardholder data.

“In addition to simplified payment management, merchants want the most efficient, secure and hassle-free ways to support EMV, NFC, mobile wallets and other emerging payment methods that also offer new engagement opportunities with their customers,” said Jim Surber, regional head of Payment-as-a-Service in North America for Verifone. “Partnering with Microsoft Dynamics — provider of industry-leading point-of-sale software and omnichannel retail and commerce solutions — will greatly expedite our ability to deliver these capabilities to a vast number of merchants across the U.S.”

Via: pymnts

If the reports by Investor’s Business Daily are correct, then the executive teams at Target, Walmart, Macy’s and every other big physical retailer in the world are all likely having some variation on the same terrible morning.

Investment bank Cowen — after surveying 2,500 U.S. shoppers — concluded in a report released yesterday (Jan. 13) that, as of Dec. 2015, Amazon Prime has 41 million subscribers in this country, a 32 percent increase from the same time in 2014. Much of that spike is attributed to Prime Day and the wave of shopping and memberships it set off during the summer.

Worldwide estimates of Prime membership clock in around the 80 million mark.

The report also indicates that they are a higher earning group than Walmart’s or Target’s base, with a household income of around $70,000 — 25 percent higher than the average Walmart household’s income and 4 percent above Target’s. Prime shoppers also tend to convert at a much higher rate than both regular Amazon shoppers and Internet users in general and purchase more when they make a buy.

“That’s their weapon [fulfillment] right now,” Wells Fargo Analyst Matt Nemer told IBD in an interview. “The extremely efficient distribution program feeds into Prime. There’s a lot of loyalty.”

And loyalty, lately, is the name of the game. Amazon might not have invented the pay-to-play loyalty platform — Costco is more often named with that honor in mass market retail — but it sure has perfected it, particularly in the eCommerce arena.

“I’m surprised we haven’t seen more innovation in loyalty, but I don’t think it’s too late,” Nemer added.

Despite all the powerfully good news, Amazon stock has been in a slide, likely caught up in the great selloff that is becoming the most notable feature of early 2016. Investors, at this point, are unsure about how some things will break for Amazon in the near and distant future.

Via: pymnts

For those who believe a cluttered desk is a cluttered mind, the same is likely doubly true when it comes to your iPhone’s home screen. Unfortunately, those who desire complete control of the aesthetic flow of their phones have always had to play around the unavoidable inclusion of Apple’s stock iOS apps on their launch screens.

Whether it’s a free-spirited soul looking to ditch the Reminders app, a Krispy Kreme lover trying to lose the Health app or a regretful Twitter investor wanting to delete the Stocks app, this trick can help you keep the apps out of mind, though they’ll still be accessible through Spotlight search.

The mechanics of the trick are simple enough and involve dragging the desired app out of a folder with a tap of the home screen button. It’s much easier to carry out after following the video above from YouTube user videosdebarraquito who discovered the hack. You may have guessed, but you don’t have to actually name the folder “Disappear” to get the hack to work.

It’s cool to get “locked” icons off the home screen as this was originally only a feature available to jailbreakers or, as the comments will undoubtedly note, Android users.

This trick also works for downloaded app icons, if you want to keep the functionality of the app on your phone but eliminate visual traces of it from your home screen.

If you have second thoughts, the move can quickly be undone by carrying out a restart of your phone, which is kind of a bummer as it’d be nice to rid myself of all signs of Apple News once and for all, but this can at least offer some momentary relief that dies when your phone does as well.

Via: techcrunch