Monthly Archives: July 2017

Microsoft won’t patch SMBv1 flaw that only an idiot would expose

‘SlowLoris’ flaw could see a mouse of a machine take down an elephant of a server.

An SMBv1 bug described late last week at DEF CON won’t be patched, because Redmond says it only needs a suitable block on connections coming from the Internet.

The 20-year-old bug was discovered by two RiskSense researchers combing code for vulnerabilities exposed by the NSA’s EternalBlue exploit.

After it landed, Twitter user @JennaMagius detailed what happens in a longish Twitter-thread, saying that the bug offers an easy vector to hose big web servers with small computers (all the way down to a Raspberry Pi).

However, it only works if the target machine has SMBv1 exposed to the Internet, and for that reason, Microsoft doesn’t see it as demanding an immediate patch.

SMBLoris is a memory handling bug, @JennaMagius explained on Twitter, associated with two non-paged allocations that use physical memory and can’t be swapped out – so it’s trivial to fill a target Web server’s memory.


NBSS is the NetBIOS Session Service protocol, and a connection to it allocates 128kB of memory that’s only freed when the connection is closed (after 30 seconds if the attacker opens it but then does nothing). At one connection per TCP port (there are 65,535, @JennaMagius explains), the attacker can fill up more than 8 GB.

If they launch the attack on IPv4 and IPv6, that rises to 16 GB, and if an attack comes from just two IPs, they can fill 32 GB, and so on. Eventually, the target can’t allocate memory for NBSS and needs a manual reboot.
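As an added example (not from the article or the researchers), the script below is a defender-side check: it reads a `netstat -an` snapshot from a Windows server, counts established inbound SMB sessions per remote address, and estimates the non-paged memory pinned using the 128 kB per-connection figure quoted above. The ports 139 and 445, the alert threshold and the sample snapshot are assumptions made for illustration; the snapshot is constructed.

```python
from collections import Counter

NBSS_ALLOC_BYTES = 128 * 1024   # per-connection allocation quoted in the article
SMB_PORTS = {139, 445}          # NetBIOS Session Service and direct-hosted SMB (assumed scope)
THRESHOLD = 100                 # assumed alert threshold; tune to the environment


def split_endpoint(endpoint):
    """Split '10.0.0.5:445' or '[2001:db8::5]:445' into (ip, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def parse_netstat(text):
    """Yield (local_port, remote_ip, state) for each TCP row of `netstat -an` output."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0] != "TCP":
            continue  # headers, UDP rows, blank lines
        try:
            _, local_port = split_endpoint(fields[1])
            remote_ip, _ = split_endpoint(fields[2])
        except ValueError:
            continue  # endpoints such as '*:*' that carry no numeric port
        yield local_port, remote_ip, fields[3]


def smb_connection_report(text, threshold=THRESHOLD):
    """Count established inbound SMB connections per remote IP.

    Returns {remote_ip: {"connections", "pinned_bytes", "flagged"}} where
    pinned_bytes is an upper-bound estimate of 128 KiB per open connection.
    """
    counts = Counter(
        remote_ip
        for local_port, remote_ip, state in parse_netstat(text)
        if local_port in SMB_PORTS and state == "ESTABLISHED"
    )
    return {
        ip: {
            "connections": n,
            "pinned_bytes": n * NBSS_ALLOC_BYTES,
            "flagged": n >= threshold,
        }
        for ip, n in counts.items()
    }


def build_sample():
    """Constructed snapshot: a few ordinary clients plus one source holding 300 sessions."""
    rows = [
        "  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING",
        "  TCP    10.0.0.5:445           10.0.0.21:50112        ESTABLISHED",
        "  TCP    10.0.0.5:445           10.0.0.22:50344        ESTABLISHED",
        "  TCP    10.0.0.5:3389          10.0.0.30:51000        ESTABLISHED",
        "  TCP    [2001:db8::5]:445      [2001:db8::99]:49200   ESTABLISHED",
        "  UDP    0.0.0.0:137            *:*",
    ]
    rows += [
        f"  TCP    10.0.0.5:445           203.0.113.7:{40000 + i}      ESTABLISHED"
        for i in range(300)
    ]
    return "\n".join(rows)


if __name__ == "__main__":
    for ip, row in sorted(smb_connection_report(build_sample()).items()):
        mib = row["pinned_bytes"] / 2**20
        alert = "ALERT" if row["flagged"] else ""
        print(f"{ip:<16} {row['connections']:>5} conns  ~{mib:.1f} MiB non-paged  {alert}")
```

Any Internet address appearing in this report at all means the block on inbound SMB that Microsoft points to is not in place.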

RiskSense researchers Sean Dillon and Zach Harding chatted to Kaspersky’s Threatpost about the bug before their DEF CON talk.

Noting a similarity to the old 2009 Slowloris bug, Dillon said:

“Similar to Slowloris, it requires opening many connections to the server, but these are low-cost connections for the attacker, so a single machine is able to perform the attack.”

In response to Microsoft saying it didn’t intend patching, Dillon said “The reason they say it’s a moderate issue is because it does require opening many connections to the server, but you could do it all from a single machine, and a Raspberry Pi could take down the beefiest server”.

 

via:  theregister

Putin passes law that will ban VPNs in Russia

Russia has banned VPNs and other technology that allows users to gain anonymous access to websites.

The new law (link via Google Translate), signed today by President Vladimir Putin, goes into effect on Nov. 1 and represents another major blow to an open Internet. This weekend, news broke that Apple has removed most major VPN apps from the App Store in China to comply with regulations passed earlier this year that require VPN apps to be explicitly licensed by the Chinese government.

According to state-run news agency RIA (link via Google Translate), Leonid Levin, chairman of the Duma’s committee on information policy and technology, has said that the law is not targeted at “introducing new bans for law-abiding citizens.” Instead, he claims it is to prohibit access to illegal content. The scope of what is considered “illegal content” in Russia, however, has widened considerably during Putin’s third term as president, with the government exerting more control over what people access or post online. As Freedom House notes, “anti-extremism laws are widely used as a pretext to block political content, often without judicial oversight.”

Russia’s attempts to limit access to online information are concurrent with legislation that may put the privacy of users at risk. In 2015, the government passed legislation that requires all user data from Russian citizens to be stored in Russian-based servers, and last year it passed another law that requires telecoms and Internet service providers to retain traffic data for up to a year, a move that prompted VPN provider Private Internet Access to discontinue its Russian gateways.

 

via:  techcrunch

Amazon gets into shoes and handbags with its new private fashion label “The Fix”

Amazon is again expanding its presence in the fashion industry with this week’s launch of yet another private label brand, The Fix. The new label for Prime members is aimed at women and features shoes and handbags inspired by designer trends, but available at discounted prices.

Unlike designer collections, The Fix will release new styles on a monthly – not seasonal – basis. This sped up schedule gives Amazon the ability to immediately follow on trends that are resonating with shoppers.

The label’s launch was covered this week by WWD, Business Insider, FootWearNews (via CNBC), and others.

To choose items for The Fix, Amazon’s editors hunt across the market for new and popular items, then offer similar styles at lowered prices, when compared with designers’ items.

The Fix’s Handbags will start at $49 and shoes will start at $69, in its debut collection.

At launch, shoppers will find satin slides, colorful sneakers, studded flats, colorful mules, and floral-embellished boots, said FootWearNews, in describing the new collection’s first products. There are 45 SKUs now appearing on The Fix’s page, with some shoes as high as $99 and some bags costing as much as $119.

There’s even a knock-off Birkenstock – you know, the sandal maker that pulled its products off Amazon last year. Amazon now sources its shoes from third-parties – a move that has enraged Birkenstock USA chief exec David Kahan, who threatened Birkenstock would close down retailers reselling their shoes. Kahan also said he was considering legal action against Amazon.

The Fix is now one of a large and growing list of in-house fashion labels at Amazon.

Today, the retailer also offers women’s apparel under brands like James & Erin, Lark & Ro, North Eleven, Society New York, Ella Moon, Paris Sunday; intimate apparel brand Mae; basic tees, shirts, shorts, pants and intimates for men and women under Amazon Essentials; men’s apparel and shoes under brands like Franklin & Freeman, Franklin Tailored, Buttoned Down, and Goodthreads; and children’s clothing under the Scout + Ro brand.

Some of its brands are only available to Prime subscribers, offering consumers another incentive to join the annual membership program, whose perks today range far beyond just free, two-day shipping.

The Fix is now a part of this Prime-only group.

However, The Fix isn’t Amazon’s first entry into the handbags space – Amazon’s women’s workwear line Society New York also has a few in its collection. But it is the first time Amazon has launched a collection that’s just focused on women’s shoes and handbags, not clothing.

The launch comes at a time when Amazon is preparing to roll out its own Stitch Fix competitor, Amazon Prime Wardrobe, possibly ahead of Stitch Fix’s expected IPO. But unlike Stitch Fix, which uses stylists to curate boxes shipped monthly, Prime Wardrobe instead will allow shoppers to fill boxes with clothes and shoes and other items for home try-on. Those items they don’t like can then be easily returned.

It’s easy to see how Amazon could later promote its own brands for use with the Prime Wardrobe service, now that it has its own apparel collections – from casual to workwear to formal – and with The Fix, accessories, too.

Amazon also this year was awarded a patent for a new on-demand apparel manufacturing system that could pump out products in five days. And it launched the Echo Look, a smart device with a camera for snapping photos of your outfits, which could give Amazon a new source of data about what people are actually wearing.

 

via:  techcrunch

Should you stay awake at night worrying about hackers on the grid?

Watt’s all this about cyberspy threat leaks… Analysts weigh in.

Analysis The energy sector across multiple Western countries is under intensified assault by hackers. Security experts warn that industrial systems are wide open to potential exploit once hackers secure a foothold, the most difficult part of the hacking process, using targeted phishing or similar tactics.

The UK’s government lead cyber defense agency recently warned that hackers are targeting the country’s energy sector to some effect. Just over a week ago, a memo was leaked from the NCSC (National Cyber Security Centre) warning that it had spotted connections “from multiple UK IP addresses to infrastructure associated with advanced state-sponsored hostile threat actors, who are known to target the energy and manufacturing sectors,” Motherboard reported.

That warning implied that state-sponsored hackers may have already secured a foothold in the UK’s energy sector network. Whether or not this compromised access is enough to do any harm is unclear.

Such attacks are far from limited to the UK. Ireland’s Electricity Supply Board (ESB) is under attack from suspected Russian hackers out to infiltrate control systems, The Times reports. Security sources in the Emerald Isle tell El Reg the attack involved a phishing email sent to an engineer who twigged it was bad and reported it. ESB said the attack failed.

Meanwhile, multiple US energy companies were sent phishing emails as part of a campaign aimed at stealing credentials, Cyberscoop adds.

Reconnaissance

Added together, the reports suggest a concerted effort to steal credentials, map networks and probe for weaknesses in Western energy sector firms in preparation for a possible future attack. While nothing damaging has happened to date, the whole threat of attacks on the energy sector has ratcheted up since December 2015’s game-changing BlackEnergy malware-based attacks in the Ukraine, which resulted in power outages for hours in districts around Kiev.

The recent “reconnaissance” campaign on Western energy sector targets likely takes the form of directed phishing attacks rather than internet-wide scanning and worm activity, according to experts at Rapid7, the firm behind the popular Metasploit pen-testing tool.

Hackers phish people identified as working in the energy sector, in an assault probably aimed at getting shells on victims’ computers. Shelled accounts then connect back “to infrastructure associated with advanced state-sponsored hostile threat actors”.

“None of these steps are particularly visible to Rapid7 Sonar, nor Heisenberg. Heisenberg is good at catching undirected attacks (internet-wide scanning and worm activity), not so much directed attacks like this,” explained Tod Beardsley at Rapid7.

Mind the air-gap. What air-gap?

Andrea Carcano, founder and chief product officer of Nozomi Networks, said that the impracticality of air-gapping sensitive operational networks and systems from corporate IT networks is partly responsible for the problem.

“Targeting engineers with access to control systems with phishing messages is pretty straight-forward and, if successful, could be extremely damaging,” Carcano explained. “In tandem, while air-gapping offered a degree of protection, the way our nuclear plants, and any infrastructure for that matter, is maintained today means this practice is defunct.”

“We often see engineers ‘plugging’ in their own devices to perform diagnostic checks. Should that person’s device have been compromised, this action could unleash malware directly into the heart of each component being checked, which then crawls and burrows deeper into the infrastructure,” he warned.

Air-gapping SCADA systems might seem a sensible tactic but, as Faizel Lakhani, a pioneer of SCADA technology, previously told El Reg, in practice operational networks are seldom isolated because of a test link someone has forgotten to take out or a bridge to Wi-Fi networks someone has set up, among other reasons.

Almost everything is connected to the internet one way or another, and the sector’s tightening embrace of industrial IoT technology for remote monitoring and other functions is only pushing this along. All this added connectivity has implications for those attempting to defend industrial control and energy distribution systems from attack.

Carcano added: “You have to assume that all parts of critical infrastructure are being probed for vulnerabilities 24/7 from a risk management point of view. While Information Technology (IT) and Operation technology (OT) that control the electric grid systems and other critical infrastructure are separated, there have been increasing connections.

“Risk management is an ongoing process. Up to date patching and the use of artificial intelligence and machine learning to immediately identify suspicious network communications and incidents helps to harden the security that guards industrial control systems,” he added.

Industrial control system threats [source: ENISA whitepaper: Communication network dependencies for ICS/SCADA Systems]

Internet exposure

A report on the Industrial Control Systems (ICS) threat landscape last year by Kaspersky Lab revealed that large organizations likely have ICS components connected to the internet that could allow cybercriminals to attack critical infrastructure systems. US organizations were especially exposed.

The investigation found that 17,042 ICS components on 13,698 different hosts exposed to the internet likely belong to large organizations. These include energy, transportation, aerospace, oil and gas, chemicals, automotive and manufacturing, food and service, governmental, financial and medical institutions. The figures are the latest available from Kaspersky Lab. Other more recent studies present a similar picture, albeit in less detail.

“The world isn’t ready for cyber threats against critical infrastructure, but criminals are clearly ready and able to launch attacks on these facilities – as the widely-speculated compromise of the UK’s energy sector shows,” said David Emm, principal security researcher at Kaspersky Lab.

“We’ve seen attempts on power grids, oil refineries, steel plants, financial infrastructure, seaports and hospitals – cases where organizations have spotted attacks and acknowledged them. However, many more companies do neither, and the lack of reporting these incidents hampers risk assessment and response to the threat.”

“Security must be tailored to the specific needs of each organization and be seen as an ongoing process. This is true also of the human dimension – tricking people into taking action that launches the initial exploit is as common in attacks on such facilities as it is in any other context,” he added.

Phish fry

Groundbreaking research by ERPScan unveiled two years ago showed how hackers might be able to bridge the gap between ostensibly air-gapped systems in oil and gas production by pivoting from enterprise planning onto production systems. Vulnerabilities and insecure installations in SAP business software and other enterprise systems might be used to interfere with loosely coupled but nonetheless connected industrial control systems.

That might be one way in but, in practice, there might be more straightforward ways to secure the first crucial foothold into targeted networks.

Michael Shalyt, chief exec of APERIO Systems, and a former team leader in an elite Israel Defense Forces (IDF) intelligence unit, explained that the initial point of entry is key in any operation ultimately geared towards planting malware at strategic locations on a targeted SCADA (industrial control) network.

“Unfortunately, a typical SCADA environment today is very easy to branch out across and/or affect any specific piece of equipment remotely – whether due to lack of patching of known PLC vulnerabilities or the wealth of 0-day vulnerabilities that we don’t yet know about but are obviously there. So, once an attacker has a foothold – spreading and “borrowing” is easy,” Shalyt told El Reg.

“The hardest part is getting the initial ‘foot in the door’ – as the SCADA network is usually isolated from the outside networks (in theory…),” he added.

One of the easiest ways is still the fairly simple phishing attack, but state-sponsored hackers have a much more comprehensive playbook at their disposal that features “willing or unwilling” insiders and equipment counterfeiting and/or interference.

“Even isolated systems still must allow access – sometimes remotely – for maintenance and installation purposes,” Shalyt explained. “A state actor can uncover these types of business relationships and infect the relevant personnel in advance.”

Strategic infection of equipment before it is even installed at the plant/facility is an option open to hackers playing the long game.

Sleeper cells

There are additional possibilities that involve chaining 0-days to progressively gain access to incremental parts of the outside administrative network, and then breaking into networking hardware like routers and equipment that are designed to keep SCADA network separated from the rest of the world.

What might the capable hackers seemingly probing Western electricity distribution systems be seeking to do? Having “digital sleeper agents” – very well hidden malware that is completely passive at the moment but can shut down operations with the push of a (remote) button – is one possible objective. The goal on potential activation could be a show of strength – creating a psychological intimidation effect – rather than a tool to cause real economic damage. But once achieved, compromised access also offers a capability that might be deployed in times of war or conflict, as best evidenced by the attacks in Ukraine, Saudi Arabia and Qatar over recent years.

Best practice

Earlier this month, the SANS Institute released the results of their 2017 survey of energy companies, chemical producers, critical infrastructure providers and other industrial operators. The survey revealed that industrial control system (ICS) security risks had reached an all-time high-water mark.

Four out of 10 ICS security practitioners quizzed as part of the study said they lacked visibility into their ICS networks. Despite high profile news coverage of recent attacks on unpatched systems, SANS found that only 46 per cent of respondents regularly apply vendor-validated patches, and 12 per cent neither patch nor layer controls around critical control system assets.

While reliability and availability remain the highest priority for OT systems, 69 per cent of ICS security practitioners believe threats to the ICS systems are high or severe and critical.

ICS-SCADA security [source: ENISA]

The latest annual study by EU security agency ENISA provides recommendations on how to protect critical infrastructure systems such as industrial control systems against cyber threats. ENISA’s paper on communication network dependencies for ICS/SCADA systems can be downloaded here.

 

via:  theregister

Gas Pump Skimmer Sends Card Data Via Text

Skimming devices that crooks install inside fuel station gas pumps frequently rely on an embedded Bluetooth component allowing thieves to collect stolen credit card data from the pumps wirelessly with any mobile device. The downside of this approach is that Bluetooth-based skimmers can be detected by anyone else with a mobile device. Now, investigators in New York say they are starting to see pump skimmers that use cannibalized cell phone components to send stolen card data via text message.

Skimmers that transmit stolen card data wirelessly via GSM text messages and other mobile-based communications methods are not new; they have been present — if not prevalent — in ATM skimming devices for ages.

But this is the first instance known in which such SMS skimmers have been found inside gas pumps, and that matches the experience of several states hardest hit by pump skimming activity.

The beauty of the GSM-based skimmer is that it can transmit stolen card data wirelessly via text message, meaning thieves can receive real-time transmissions of the card data anywhere in the world — never needing to return to the scene of the crime. That data can then be turned into counterfeit physical copies of the cards.

Here’s a look at a new skimmer pulled from compromised gas pumps at three different filling stations in New York this month. Like other pump skimmers, this device was hooked up to the pump’s internal power, allowing it to operate indefinitely without relying on batteries.

A GSM-based card skimmer found embedded in a gas pump in the northeastern United States.


It may be difficult to see from the picture above, but the skimmer includes a GSM-based device with a SIM card produced by cellular operator T-Mobile. The image below shows the other side of the pump skimmer, with the SIM card visible in the upper right corner of the circuitboard:

The reverse side of this GSM-based pump skimmer shows a SIM card from T-Mobile.


It’s not clear what type of mobile device was used in this skimmer, and the police officer who shared these images with KrebsOnSecurity said the forensic analysis of the device was ongoing.

Here’s a close-up of the area around the SIM card:


The officer, who shared these photos on condition of anonymity, said this was thought to be the first time fraud investigators in New York had ever encountered a GSM-based pump skimmer.

Skimmers used at all three New York filling stations impacted by the scheme included T-Mobile SIM cards, but the investigator said analysis so far showed the cards held no data other than the SIM card’s unique serial number (ICCID).

KrebsOnSecurity reached out to weights and measures officials in several states most heavily hit by pump skimming activity, including Arizona, California and Florida.

Officials in all three states said they’ve yet to find a GSM-based skimmer attached to any of their pumps.

Skimmers at the pump are most often the work of organized crime rings that traffic in everything from stolen credit and debit cards to the wholesale theft and commercial resale of fuel — in some cases from (and back to) the very fuel stations that have been compromised with the gang’s skimming devices.

Investigators say skimming gangs typically gain access to station pumps by using a handful of master keys that still open a great many pumps in use today. In a common scenario, one person will distract the station attendant as fuel thieves pull up alongside the pump in a van with doors that obscure the machine on both sides. For an in-depth look at the work of one fuel-theft gang working out of San Diego, check out this piece.

There are generally no outward signs when a pump has been compromised by a skimmer, but a study KrebsOnSecurity published last year about a surge in pump skimming activity in Arizona suggests that skimmer gangs can spot the signs of a good mark.

Fraud patterns show fuel theft gangs tend to target stations that are close to major highway arteries; those with older pumps; and those without security cameras, and/or a regular schedule for inspecting security tape placed on the pumps.

Many filling stations are upgrading their pumps to include more physical security — such as custom locks and security cameras. In addition, newer pumps can accommodate more secure chip-based payment cards that are already in use by all other G20 nations.

But these upgrades are disruptive and expensive, and some stations are taking advantage of recent moves by Visa to delay adding much-needed security improvements, such as chip-capable readers.

Until late 2016, fuel station owners in the United States had until October 1, 2017 to install chip-capable readers at their pumps. Under previous Visa rules, station owners that didn’t have chip-ready readers in place by then would have been on the hook to absorb 100 percent of the costs of fraud associated with transactions in which the customer presented a chip-based card yet was not asked or able to dip the chip (currently, card-issuing banks and consumers eat most of the fraud costs from fuel skimming).

But in December 2016, Visa delayed the requirements, saying fuel station owners would now have until October 1, 2020 to meet the liability shift deadline.

The best advice one can give to avoid pump skimmers is to frequent stations that appear to place an emphasis on physical security. More importantly, some pump skimming devices are capable of stealing debit card PINs as well, so it’s a good idea to avoid paying with a debit card at the pump.

Armed with your PIN and debit card data, thieves can clone the card and pull money out of your account at an ATM. Having your checking account emptied of cash while your bank sorts out the situation can be a huge hassle and create secondary problems (bounced checks, for instance).

 

via:  krebsonsecurity

Mystery “FruitFly” Malware Infected Macs For Years, No One Noticed It Until 2017

Short Bytes: Two pieces of malware, named FruitFly and FruitFly 2, have been discovered over the last few months, starting in January this year. The malware, known to have infected hundreds of Macs, is assumed to be a surveillance tool rather than ransomware or some other type of malware.

A distant malware, designed to infect Apple’s macOS, has left security researchers bewildered. The first variant of the malware, called FruitFly, aka the first Mac malware of 2017, was discovered earlier this year by the security firm Malwarebytes and analyzed by Thomas Reed.

Back then, an IT admin at the firm had spotted some unusual outgoing traffic from a particular Mac. The “simplistic” malware consisted of only two files, carrying some “ancient” obfuscated Perl. Some of the code even dates back to 1998, before the existence of macOS. The malware could take screenshots, log keystrokes, spy through web cams, and it was known to have targeted some biomedical research centers as well. According to Malwarebytes, Apple released an update to address it.

Fast forward a few months, and another piece of malware with similarities to FruitFly was detected by ex-NSA hacker Patrick Wardle, who is now a security researcher at Synack. Known as FruitFly 2, the malware is assumed to have existed for a decade or so, undetected by many antivirus products.

During the breakdown, Wardle found that FruitFly 2 could connect to a C&C server and send the data back to the hackers, Motherboard reports. Backup servers were also present in case issues occurred with the primary ones. More than 400 victims were discovered when Wardle infected his virtual machine after registering a domain that hackers planned to use as a backup.

List of detected IP addresses. (Credit: Patrick Wardle/Twitter)

He could see the IP addresses of the victims and even the names of the Mac computers. However, this number might increase as Wardle didn’t have access to all the C&C servers used to control the malware. Wardle contacted law enforcement and reported his findings. He has also talked about his findings at this year’s Black Hat conference.

Both Wardle and Reed are unaware of the origins of the malware, who made it, and what its purpose is. In Wardle’s case, around 90 percent of the FruitFly 2 victims are living in the US or Canada.

The possibility of the malware being baked by a federal body gets thinner as the malware isn’t sophisticated enough and it hasn’t targeted any high-profile individuals, writes Motherboard. FruitFly 2 isn’t ransomware and it doesn’t log keystrokes. But, according to Wardle, both FruitFly variants might have been designed to perform surveillance.

FruitFly 2 is also written in Perl and allows the attacker to control the mouse and keyboard remotely. It even notifies the attacker when the victim starts using the mouse and keyboard.

Wardle said that the malware seems to have been intended to target specific individuals, maybe normal Mac users or families, but the intentions are unclear. He calls the situation “worrisome.” He warns Mac users to be cautious while using their machines. “Just because they have a Mac, it doesn’t mean that they’re safe.”

 

via:  fossbytes

NIST SP 800-171 Deadline at End of 2017 – Is Your Organization Ready?

The National Institute of Standards and Technology (NIST) has released Special Publication 800-171. The document covers the protection of Controlled Unclassified Information (CUI) in Nonfederal Information Systems and Organizations.

The document was designed to provide guidance on ensuring that all systems that process, store, or transmit CUI information are secured and hardened. Compliance to the 800-171 standard is enforced by a set of technical policies. NIST SP800-171 outlines those policies. A deadline to comply or to report delays in compliance has been set for December 31, 2017.

WHERE DID THIS REQUIREMENT ORIGINATE? WHO IS RESPONSIBLE FOR THE PROGRAM?

Executive Order 13556 (11/10/2010) designated the National Archives and Records Administration (NARA) as the Executive Agent to implement the CUI program, for which the Information Security Oversight Office (ISOO) of the National Archives and Records Administration is responsible. In April of 2013, ISOO issued a memorandum to government agency leads on the management of the CUI program.

In September 2016, ISOO released notice 2016-01 outlining the implementation guidance for CUI, and a later notice 2017-01 was issued in June of 2017 with recommendations for implementation of the CUI program. Below are excerpts of that notice (2017-01).

A bit of background

“The Information Security Oversight Office (ISOO) exercises Executive Agent responsibilities for the CUI Program. In consultation with the Office of Management and Budget and affected agencies, on September 14, 2016, ISOO issued CUI Notice 2016-01, ‘Implementation Guidance for the Controlled Unclassified Information Program.’ CUI Notice 2016-01 outlines the phased implementation deadlines for agencies and describes the significant elements of a CUI Program.”

Program management

“ISOO’s memorandum to the heads of executive departments and agencies, “Appointments of Senior Agency Official and Program Manager for the Controlled Unclassified Information (CUI) Program Implementation,” dated April 11, 2013, requested that agencies affirm or update their initial designations of their CUI Senior Agency Official (SAO) and also requested that they assign a CUI Program Manager (PM).”

WHO IS IMPACTED BY NIST 800-171?

Anyone (individual or business/contractor) who processes, stores, or transmits information (that falls into one of many CUI categories) for or with federal or state agencies is impacted. This includes all governmental contractual relationships.

A list of categories of CUI information has been made available by NARA here.

WHAT ARE THE 800-171 REQUIREMENTS?

There are 14 categories of security requirements that must be met. Each category has a unique set of policy tests that affected programs must meet.

  1. Access Control
  2. Audit and Accountability
  3. Awareness and Training
  4. Configuration Management
  5. Identification and Authentication
  6. Incident Response
  7. Maintenance
  8. Media Protection
  9. Physical Protection
  10. Personnel Security
  11. Risk Assessment
  12. Security Assessment
  13. System and Communications Protection
  14. System and Information Integrity

For a complete list of policy tests included under each of the 14 categories, please refer to the NIST SP800-171 web page: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf

To find out more about NIST SP 800-171, join me, David Henderson, and federal security and compliance expert Sean Sherman for a webinar on July 27th to learn:

  • What the regulation means for you
  • How this standard is enforced through FAR and DFAR
  • How Tripwire’s security solutions map to the new 800-171 control families
  • How to use Tripwire to prove and maintain compliance with this new standard

You can register for the webcast here.

Whilst you wait, you can learn more about how Tripwire solutions can help you meet the requirements NIST 800-171 here.

Or you can view the current list of 800 policy/platform combinations that are available to help you continuously monitor, assess and harden your systems here.

 

via:  tripwire

Update Your iPhone, iPad To Squash Dangerous Wi-Fi Bug

Apple made a number of security updates to its iOS mobile operating system, including a fix for a Wi-Fi chip vulnerability that could let hackers gain wireless access to iPhones and iPads.

The iOS 10.3.3 update addresses nearly four dozen security flaws, one of which, called “Broadpwn,” lies in the Broadcom Wi-Fi chip used in many iPhones and Android devices. Google announced an Android fix for Broadpwn earlier this month. Apple’s patch is available for the iPhone 5 and later, 4th-generation and later iPads, and the 6th-generation iPod touch.

The vulnerability could allow a remote actor to trigger a memory corruption error via Wi-Fi on a user’s mobile device, according to details on Broadpwn from Security Tracker. That error could then enable the hacker to execute arbitrary code on the device without any actions by the user.

Chip Vulnerability on ‘Millions’ of Devices

Apple credits discovery of the Wi-Fi vulnerability to Nitay Artenstein, a security researcher with Exodus Intelligence. Artenstein is scheduled to discuss his findings later this month during a briefing at the Black Hat information security conference in Las Vegas.

“Remote exploits that compromise Android and iOS devices without user interaction have become an endangered species in recent years,” Artenstein said in a description of his coming Black Hat presentation. “Such exploits present a unique challenge: Without access to the rich scripting environment of the browser, exploit developers have been having a hard time bypassing mitigations such as DEP and ASLR.”

Rather than targeting a mobile device’s operating system, though, Broadpwn takes aim at the Wi-Fi system on chip (SoC) that’s used to handle a device’s wireless connectivity. The vulnerability exists on “millions” of Android and iOS devices featuring the Broadcom SoC, Artenstein said.

“The Broadcom BCM43xx family of Wi-Fi chips is found in an extraordinarily wide range of mobile devices — from various iPhone models, to HTC, LG, Nexus and practically the full range of Samsung flagship devices,” he noted.

‘Critical’ Vulnerability, Easy To Deploy

In its July 5 Android Security Bulletin, Google described the severity of the Broadcom vulnerability as “critical.” The U.S. Computer Security Resource Center’s National Vulnerability Database, which published details about the vulnerability early last month, noted that taking advantage of the security flaw was not complex.

Wi-Fi SoCs are designed to handle a broad range of processing tasks related to wireless networking, Google security researcher Gal Beniamini wrote in an April blog post for Project Zero, Google’s research program aimed at finding zero-day exploits. While such SoCs help to reduce power consumption and free up mobile device operating systems to focus on other tasks, they come with a cost, he added.

“Introducing these new pieces of hardware, running proprietary and complex code bases, may weaken the overall security of the devices and introduce vulnerabilities which could compromise the entire system,” Beniamini said, adding that Broadcom’s Wi-Fi SoCs are the most common Wi-Fi chipsets used on mobile devices.

Beniamini noted that Broadcom has said newer versions of its Wi-Fi SoC use a memory protection unit, “along with several additional hardware security mechanisms.” He called such improvements “a step in the right direction.”

 

via:  enterprise-security-today

The biggest cybersecurity breaches of 2017 so far

What can we learn from the latest cybersecurity breaches

The frequency and impact of cybercrime have been steadily escalating for several years now, but 2017 has been one of the worst – at least in terms of media headlines. Worse still, we’re only halfway through the year.

So what has happened, and what can you learn?

NSA hacking tools are stolen and leaked

The National Security Agency – the US body responsible for “intelligence” – maintains an impressive array of tools that allow its analysts to hack computers belonging to foreign spies, terrorists or suspected criminals. Many of these tools use vulnerabilities that were previously unknown even to the most successful cybercriminals.

However, these tools were stolen and leaked online earlier this year. Details of the exploits were also published on Wikileaks, throwing a spotlight onto US intelligence activity. Once the NSA tools were leaked, hackers immediately began to use them against innocent people.

How to protect yourself:

The NSA tools work by exploiting gaps and bugs in operating systems and software, like Windows 8 or Apple’s MacOS. You should regularly check for updates, and install patches as quickly as possible – this closes the loopholes used by the hackers, rendering their malware ineffective.

The WannaCry outbreak

Ransomware has been gaining popularity in recent years as a way to extort money from people by infecting their computer and encrypting their files. The only way to recover data is to pay a ransom to the hackers.

In May, WannaCry went global, infecting thousands of computers across the world. In the UK, several NHS trusts were affected, taking clinical systems offline, and forcing the cancellation of planned operations as engineers tried to reverse the damage.

Although the source of the WannaCry infection remains in dispute, security analysts agree that the malware uses one of the vulnerabilities exposed in the NSA theft. Some believe that the outbreak was planned by the North Korean government as a way to raise revenue – however the malware was more effective than expected, leading to the global outbreak.

The Petya outbreak

Just one month after WannaCry wreaked havoc, another malware variant burst onto the scene. Using the same NSA exploits, Petya (also known as NotPetya, Nyetya and Goldeneye) managed to compromise several major companies, including pharmaceutical giant Merck, shipping company Maersk and the Russian oil firm Rosneft.

Unlike WannaCry, which was global in its reach, Petya appears to have been targeted at businesses in Ukraine. The central bank, several power companies and the public transport network were particularly badly affected.

How to protect yourself:

The success of the NSA hacking tools relies on security vulnerabilities, called zero day exploits, that are not known by a software vendor and have not yet been repaired. Every computer is in danger of being exploited until these loopholes are closed.

You can improve protection by installing an anti-malware tool

Anti-malware cannot detect zero day exploits, but it can recognise malware by the way it acts – and block it automatically before damage is done to your data.

 

In fact, you can (and should) install an anti-malware tool. Download one now, and you’re well on the way to protecting your data through the rest of 2017.

 

via:  pandasecurity

Patching Not Enough to Stop Petya

Voluminous amounts of information have already been disseminated regarding the “Petya” (or is it “NotPetya”?) ransomware that hit the Ukraine hard along with organizations such as “the American pharmaceutical giant Merck, the Danish shipping company AP Moller-Maersk, the British advertising firm WPP, Saint-Gobain of France, and the Russian steel, mining and oil firms Evraz and Rosneft”.

Not surprisingly, nearly every Petya write-up references the WannaCry outbreak that wreaked havoc about a month-and-a-half ago. This is reasonable given the recentness of WannaCry and that both malwares are ransomware known to leverage the EternalBlue exploit against patched vulnerability MS17-010.

Amidst this deluge of information (and misinformation), we wanted to make sure that the association of Petya with WannaCry did not obscure some important differences. In particular, the EternalBlue-based propagation mechanism, mitigated by patching MS17-010, is not the only method employed by Petya to spread. Another propagation method employed by Petya is not thwarted by simply patching. According to Kaspersky, once Petya has compromised a machine, it will begin to hijack local credentials from the Windows Local Security Authority (lsass.exe), then leverage those credentials via PsExec or WMI in an attempt to remotely compromise other systems on the local network. In many enterprises, this activity will not be blocked and is likely to fly under the radar as typical remote administration activity. After all, PsExec is a legitimate Windows SysInternals command line tool and WMI stands for Windows Management Instrumentation. If a widely used administrative credential is compromised, it could very quickly be game over for many systems regardless of whether the patch for MS17-010 has been applied or not.

Another important difference between Petya and WannaCry is that there is no “KillSwitch” for Petya. Indeed, contrary to many reports, ASERT has found no evidence that Petya has any form of command-and-control.

In conclusion, avoid any false sense of security that may derive from patching MS17-010 and heed the longstanding calls for appropriate network segmentation to limit the damage from Petya and other malware. Finally, note that the following ET Pro rules appear to fire on Petya propagation behavior and, thus, can be used for detection using network security products such as Arbor Networks Spectrum:

  • 2001569 – ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection
  • 2012063 – ET NETBIOS Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
  • 2024297 – ET CURRENT_EVENTS ETERNALBLUE Exploit M2 MS17-010
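The network rules above cover the EternalBlue path; the credential-based PsExec/WMI propagation described earlier is easier to see in host logs. The following is an added example, not code from the original article or from ASERT: it flags one account from one source making network logons to several hosts in a short window and checks each host for a PsExec service install or a WMI-spawned process. The event IDs are the standard Windows ones; the record layout, hosts, accounts, addresses and thresholds are assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real logs): (time, logging host, event id, fields).
# 4624 type 3 = network logon, 7045 = service installed, 4688 = process created.
EVENTS = [
    ("10:00:05", "FS01",  4624, {"account": "CORP\\svc-admin", "src": "10.0.5.23", "type": 3}),
    ("10:00:07", "FS01",  7045, {"service": "PSEXESVC"}),
    ("10:00:21", "HR-07", 4624, {"account": "CORP\\svc-admin", "src": "10.0.5.23", "type": 3}),
    ("10:00:24", "HR-07", 4688, {"parent": "WmiPrvSE.exe", "image": "cmd.exe"}),
    ("10:01:02", "DB02",  4624, {"account": "CORP\\svc-admin", "src": "10.0.5.23", "type": 3}),
    ("10:01:03", "DB02",  7045, {"service": "PSEXESVC"}),
    ("10:02:40", "FS01",  4624, {"account": "CORP\\alice", "src": "10.0.7.9", "type": 3}),
    ("11:30:00", "DB02",  7045, {"service": "PSEXESVC"}),   # lone admin use, no fan-out
]

def _t(s):
    return datetime.strptime(s, "%H:%M:%S")

def remote_exec(host, start, events, within):
    """Return 'psexec' or 'wmi' if remote execution follows the logon on host."""
    for ts, h, eid, f in events:
        if h != host or not (start <= _t(ts) <= start + within):
            continue
        if eid == 7045 and f.get("service", "").upper() == "PSEXESVC":
            return "psexec"   # PsExec's default service name
        if eid == 4688 and f.get("parent", "").lower() == "wmiprvse.exe":
            return "wmi"      # process spawned by the WMI provider host
    return None

def find_fanout(events, min_hosts=3, window=timedelta(minutes=5),
                within=timedelta(seconds=30)):
    """Flag one account from one source logging on to many hosts in a short window."""
    logons = defaultdict(list)            # (account, src) -> [(time, host)]
    for ts, host, eid, f in events:
        if eid == 4624 and f.get("type") == 3:
            logons[(f["account"], f["src"])].append((_t(ts), host))
    findings = []
    for (account, src), hits in logons.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            burst = [(t, h) for t, h in hits[i:] if t - t0 <= window]
            hosts = sorted({h for _, h in burst})
            if len(hosts) >= min_hosts:
                evidence = {h: remote_exec(h, t, events, within) for t, h in burst}
                findings.append({"account": account, "src": src,
                                 "hosts": hosts, "evidence": evidence})
                break
    return findings
```

Calling `find_fanout(EVENTS)` returns a single finding for the shared administrative account; the lone PsExec service install at 11:30 is not flagged because no logon fan-out accompanies it.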

 

via:  arbornetworks