Tag Archives: Security

No need to rush network patching for Spectre and Meltdown

The recently discovered security threat in CPUs from nearly a dozen manufacturers poses a low risk to corporate networking gear, so operators have time to test vendors’ patches thoroughly.

That’s the take of security experts contacted by SearchNetworking following the discovery last week of the Spectre and Meltdown vulnerabilities that affect Intel, AMD and ARM chips. In response, Cisco and Juniper Networks have released patches rated medium and low risk, respectively, for a variety of products.

The low risk of Spectre and Meltdown to switches and routers means network managers have the time to thoroughly test the patches to minimize their impact on hardware performance, experts said.

“If you’re getting a firmware update, you need to patch,” said Rob Westervelt, analyst at IDC. “[But] the issue is whether you just deploy the patch or test it thoroughly and make sure you don’t break any applications or anything else.”

Roughly 20 CSOs and IT security professionals interviewed by IDC were taking a methodical approach to applying Spectre and Meltdown fixes across all systems.

“While it is top of mind, it’s not something that they’re immediately jumping on to patch,” Westervelt said. “They are using established best practices and testing those patches first.”

Network performance at risk

Westervelt warned there is the possibility network performance will suffer. “In some cases, it could be very costly.”

If you’re getting a firmware update, you need to patch.
Rob Westerveltanalyst at IDC

Indeed, Microsoft reported in a blog post patches for the PC and server versions of Windows would range from minor to significant, depending on the age of the operating system and the CPU. “I think we can expect a similar variety of performance impacts across other [vendors’] products,” said Jake Miller, a senior security analyst at IT consulting firm Bishop Fox, based in Tempe, Ariz.

Security pros expect hackers sophisticated enough to exploit the hard-to-reach vulnerabilities to target mostly servers in large data centers that host cloud computing environments. Because of the level of expertise needed to take advantage of the flaws, hackers working for nation states are the most likely attackers, experts said.

Exploiting the CPU holes would involve crafting code that takes advantage of how some processors anticipate features computer users will request next. In preparation for those requests, processors will load into memory valuable data and instructions that hackers can steal.

“The threat is significant, but currently is limited to highly sophisticated attackers and hacking groups with the means to carry out multi-staged targeted attacks,” IDC said in a research note. “Financially motivated cybercriminals are more likely to continue to use more accessible, time-tested methods to retrieve passwords and sensitive data.”

Nevertheless, even a low risk to networking gear is worth the time needed for fixing. “It’s better to be safe than sorry,” said Jonathan Valamehr, COO and co-founder of cybersecurity company Tortuga Logic Inc.

Meltdown and Spectre bugs dominate January Patch Tuesday

Administrators have their work cut out for them on multiple fronts after a serious security flaw surfaced that affects most operating systems and devices.

The Meltdown and Spectre vulnerabilities encompass most modern CPUs — from Intel-based server systems to ARM processors in mobile phones — that could allow an attacker to pull sensitive data from memory. Microsoft mitigated the flaws with several out-of-band patches last week, which have been folded into the January Patch Tuesday cumulative updates. Full protection from the exploits will require a more concerted effort from administrators, however.

Researchers only recently discovered the flaws that have existed for approximately 20 years. The Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715) exploits target the CPU’s pre-fetch functionality that anticipates the feature or code the user might use, which puts relevant data and instructions into memory. A CPU exploit written in JavaScript from a malicious website could pull sensitive information from the memory of an unpatched system.

“You could leak cookies, session keys, credentials — information like that,” said Jimmy Graham, director of product management for Qualys Inc., based in Redwood City, Calif.

In other January Patch Tuesday releases, Microsoft updated the Edge and Internet Explorer browsers to reduce the threat from Meltdown and Spectre attacks. Aside from these CPU-related fixes, Microsoft issued patches for 56 other vulnerabilities with 16 rated as critical, including a zero-day exploit in Microsoft Office (CVE-2018-0802).

Microsoft’s attempt to address the CPU exploits had an adverse effect on some AMD systems, which could not boot after IT applied the patches. This issue prompted the company to pull those fixes until it produces a more reliable update.

Most major cloud providers claim they have closed this security gap, but administrators of on-premises systems will have to complete several deployment stages to fully protect their systems.

“This is a nasty one,” said Harjit Dhaliwal, a senior systems administrator in the higher education sector who handles patching for his environment. “This is not one of your normal vulnerabilities where you just have a patch and you’re done. Fixing this involves a Microsoft patch, registry entries and firmware updates.”

Administrators must ensure they have updated their anti-virus product so  it has the proper registry setting otherwise they cannot apply the Meltdown and Spectre patches. Windows Server systems require a separate registry change to enable the protections from Microsoft’s Meltdown and Spectre patches. The IT staff must identify the devices under their purview and collect that information to gather any firmware updates from the vendor. Firmware updates will correct two exploits related to Spectre. Microsoft plugged the Meltdown vulnerability with code changes to the kernel.

Dhaliwal manages approximately 5,000 Windows systems, ranging from laptops to Windows Server systems, with some models several years old. He is exploring a way to automate the firmware collection and deployment process, but certain security restrictions make this task even more challenging. His organization requires BitLocker on all systems, which must be disabled to apply a firmware update, otherwise he could run into encryption key problems.

“This is not going to be an overnight process,” Dhaliwal said.

How expansive is Meltdown and Spectre?

Attacks that use the Meltdown and Spectre exploit a bug with how many CPUs execute address space layout randomization. The difference between the two vulnerabilities is the kind of memory that is presented to the attacker. Exploits that use the flaws can expose data that resides in the system’s memory, such as login information from a password manager.

Microsoft noted Meltdown and Spectre exist in many processors — Intel, AMD and ARM — and other operating systems, including Google Android and Chrome, and Apple iOS and macOS.  Apple reportedly has closed the vulnerabilities in its mobile phones, while the status of Android patching varies depending on the OEM. Meltdown only affects Intel processors, and the Spectre exploit works with processors from Intel, AMD and ARM, according to researchers.

Virtualized workloads may require fine-tuning

Some administrators have confirmed early reports that the Meltdown and Spectre patches from Microsoft affect system performance.

 Dave Kawula, principal consultant at TriCon Elite Consulting, applied the updates to his Windows Server 2016 setup and ran the VM Fleet utility, which runs a stress test with virtualized workloads on Hyper-V and the Storage Spaces Direct pooled storage feature. The results were troubling, with preliminary tests showing a performance loss of about 35%, Kawula said.

 “As it stands, this is going to be a huge issue,” he said. “Administrators better rethink all their virtualization farms, because Meltdown and Spectre are throwing a wrench into all of our designs.”

Intel has been updating its BIOS code since the exploits were made public, and the company will likely refine its firmware to reduce the impact from the fix, Graham said.

For more information about the remaining security bulletins for January Patch Tuesday, visit Microsoft’s Security Update Guide.

Tom Walat is the site editor for SearchWindowsServer. Write to him at twalat@techtarget.com or follow him @TomWalatTT on Twitter.

NIST botnet security report recommendations open for comments

The Departments of Commerce and Homeland Security opened public comments on a draft of its botnet security report before the final product heads to the president.

The report was commissioned by the cybersecurity executive order published by the White House on May 11, 2017. DHS and the National Institute of Standards and Technology (NIST), a unit of the Department of Commerce, were given 240 days to complete a report on improving security against botnets and other distributed cyberattacks, and they took every minute possible, releasing the draft botnet security report on Jan. 5, 2018.

The public comment period ends Feb. 12, 2018 and industry experts are supportive of the contents of the report. According to a NIST blog post, the draft report was a collaborative effort.

“This draft reflects inputs received by the Departments from a broad range of experts and stakeholders, including private industry, academia, and civil society,” NIST wrote. “The draft report lays out five complementary and mutually supportive goals intended to dramatically reduce the threat of automated, distributed attacks and improve the resilience of the ecosystem. For each goal, the report suggests supporting activities to be taken by both government and private sector actors.”

The blog post listed the goals for stakeholders laid out by the draft botnet security report as:

  1. Identify a clear pathway toward an adaptable, sustainable, and secure technology marketplace.
  2. Promote innovation in the infrastructure for dynamic adaptation to evolving threats.
  3. Promote innovation at the edge of the network to prevent, detect, and mitigate bad behavior.
  4. Build coalitions between the security, infrastructure, and operational technology communities domestically and around the world.
  5. Increase awareness and education across the ecosystem.

Rodney Joffe, senior vice president, technologist and fellow at Neustar, Inc., an identity resolution company headquartered in Sterling, Va., said NIST and DHS took the right approach in putting together the report.

“The Departments of Commerce and Homeland Security worked jointly on this effort through three approaches — hosting a workshop, publishing a request for comment, and initiating an inquiry through the President’s National Security Telecommunications Advisory Committee (NSTAC),” Joffe told SearchSecurity. “We commend the administration for working with and continuing to seek private sector advice on the best path forward.”

A good start, but… 

Experts, like Michael Patterson, CEO of Plixer, a network traffic analysis company based in Kennebunk, Maine, generally applauded the draft botnet security report as being an in-depth starting point that is missing some key features.

“The report offers a comprehensive framework for threat intelligence sharing, and utilizing NIST to work with a variety of industry groups to establish tighter security protocols and best practices while outlining government and industry transformations to protect the internet,” Patterson told SearchSecurity. “However, it is missing the required teeth to propel industry action. Without a mechanism to define a specific compliance standard, service providers will not have enough incentive to take the steps required to mitigate these risks.”

Stephen Horvath, vice president of strategy and vision for Telos Corporation. a cybersecurity company located in Ashburn, Va., applauded the draft botnet security report for balancing “high level explanations along with some technical details of merit.”

“This report will hopefully drive improvements and awareness of the issues surrounding botnets. Given a few of the more important recommendations are taken and funded, the establishment of an IoT [cybersecurity framework] profile for example, a general overall improvement across all domains should be felt in the next few years,” Horvath told SearchSecurity. “I believe stronger improvements would be possible more quickly if the recommendations included greater focus on enforcing hard requirements rather than incentives.”

Gavin Reid, chief security architect at Recorded Future, a threat intelligence company headquartered in Somerville, Mass., said NIST’s goals are “laudable and the paper takes the approach of providing as comprehensive of a solution as is possible given the transient nature of attacks.”

“It does not address how the goals and technology approach keep up with and change to match changes to the attack vectors,” Reid told SearchSecurity. “The paper also conflates all botnets with IoT botnets. Bots resulting in automated controlled attacks and toolkits are not limited to IoT but have a much wider footprint covering all IT ecosystems.”

The IoT question

Following the highly publicized botnet attacks like Mirai which preyed on insecure IoT devices, the draft report focused on these issues and even noted “IoT product vendors have expressed desire to enhance the security of their products, but are concerned that market incentives are heavily weighted toward cost and time to market.”

Luke Somerville, manager of special investigations at Forcepoint Security Labs, said the goals and actions within the draft botnet security report are “a good starting point, but the effectiveness of ideas such as baseline security standards for IoT devices will depend entirely on the standards themselves and how they are implemented.”

“Any standards would need to be backed up robustly enough to overcome the strong market incentives against security which exist at present,” Somerville told SearchSecurity. “Increasing awareness and security education is also discussed — something that has been a goal of the security industry for a long time. Ultimately, insecure systems don’t fix themselves, and nor do they make themselves insecure in the first place. By focusing on the human point of contact with data and systems — be that point of contact the developers writing the code controlling the systems, the end-users configuring the systems, or even prospective users in the process of making a purchasing decision — we can attempt to build security in throughout the design and usage lifecycle of a product.”

Botnet security report outcomes

While experts were generally favorable to the draft botnet security report, some were less optimistic about real-world changes that might come from such a report.

Jeff Tang, senior security researcher at Cylance, said he was “not convinced this report will make any significant strides towards deterring the spread of botnets.”

“Trying to develop an accepted security baseline through a consensus-based process when one of your stakeholder’s primary goal is to sell you a new shiny IoT device every year is only going to result in watered-down standards that will be ineffective. As the recent spectacle of CPU bugs has shown, speed is the enemy of security. If you’re rushing to release a new device every year, security is going to be nonexistent,” Tang told SearchSecurity. “Additionally, secure development best practices haven’t changed much in the last decade, but judging by the reports of various device vulnerabilities, manufacturers have not voluntarily adopted these best practices.”

This is not the work of a moment; this is evolution over thousands of software design lifecycles.
Pam Dingleprincipal technical architect at Ping Identity

Pam Dingle, principal technical architect at Ping Identity, an identity security company headquartered in Denver, said “changing ecosystems is difficult” and it will take a concerted effort by vendors and CISOs alike to make the change real, otherwise “the effects will likely be limited.”

“It is up to those who see the value in the recommended actions to put the manpower into participating in standards groups, collaborating with adjacent vendor spaces to make integration easier and more pattern-based, and demanding that a shared defense strategy stay high in priority lists,” Dingle told SearchSecurity. “This is not the work of a moment; this is evolution over thousands of software design lifecycles, and even then, the mass of legacy devices out there with no update capabilities will be shackles on our collective legs for a long time to come. We have to start.”

A DHS data breach exposed PII of over 250,000 people

A data breach at the U.S. Department of Homeland Security exposed the personally identifiable information of over 250,000 federal government employees, as well as an unspecified number of people connected with DHS investigations.

DHS released a statement Jan. 3, 2018, that confirmed the exposure of “approximately 246,167” federal government employees who worked directly for DHS in 2014. It also disclosed the breach of a database for the Office of Inspector General that contained the personally identifiable information (PII) of any person — not necessarily employed by the federal government — who was associated with OIG investigations from 2002 to 2014. This includes subjects, witnesses and complainants.

In its statement, the department emphasized the DHS data breach was not caused by a cyberattack and referred to it as a “privacy incident.”

“The privacy incident did not stem from a cyber-attack by external actors, and the evidence indicates that affected individual’s personal information was not the primary target of the unauthorized unauthorized [sic] transfer of data,” DHS said.

The DHS data breach was initially found in May 2017 during a separate, ongoing DHS OIG criminal investigation in which it was discovered that a former DHS employee had an unauthorized copy of the department’s case management system.

However, individuals affected by the DHS data breach weren’t notified until Jan. 3, 2018. In its statement, DHS addressed why the notification process took so long.

“The investigation was complex given its close connection to an ongoing criminal investigation,” the department said. “From May through November 2017, DHS conducted a thorough privacy investigation, extensive forensic analysis of the compromised data, an in-depth assessment of the risk to affected individuals, and comprehensive technical evaluations of the data elements exposed. These steps required close collaboration with law enforcement investigating bodies to ensure the investigation was not compromised.”

The DHS employee data breach exposed PII that included names, Social Security numbers, dates of birth, positions, grades and duty stations of DHS employees; the DHS investigative data breach exposed names, Social Security numbers, dates of birth, alien registration numbers, email addresses, phone numbers, addresses and other personal information that was provided to the OIG during investigative interviews with its agents.

DHS is offering free identity protection and credit-monitoring services for 18 months to affected individuals. The department said it has also taken steps to improve its network security going forward, including “placing additional limitations on which individuals have back end IT access to the case management system; implementing additional network controls to better identify unusual access patterns by authorized users; and performing a 360-degree review of DHS OIG’s development practices related to the case management system.”

While the affected government employees were notified directly about the breach, DHS stated, “Due to technological limitations, DHS is unable to provide direct notice to the individuals affected by the Investigative Data.”

DHS urged anyone associated with a DHS OIG investigation between 2002 and 2014 to contact AllClear ID, the Austin, Texas, breach response service retained by DHS to provide credit-monitoring and identity protection services to affected individuals.

In other news:

  • A group of senators has introduced a bill to secure U.S. elections. The Secure Elections Act is a bipartisan bill that aims to provide federal standards for election security. One measure proposed in the bill is to eliminate the use of paperless voting machines, which are regarded by election security experts as the least secure type of voting machines in use in today. Paperless voting machines don’t allow for audits, which the proposed legislation also wants to make a standard practice in all elections. The idea is that audits after every election will deter foreign meddling in American democracy like Russia’s interference in the 2016 U.S. presidential election. “An attack on our election systems by a foreign power is a hostile act and should be met with appropriate retaliatory actions, including immediate and severe sanctions,” the bill states. The bill was sponsored by Sen. James Lankford (R-Okla.) and co-sponsors Sens. Amy Klobuchar (D-Minn.), Lindsey Graham (R-S.C.), Kamala Harris (D-Calif.), Susan Collins (R-Maine) and Martin Heinrich (D-N.M.).
  • Attackers exploited a vulnerability in Google Apps Script to automatically download malware onto a victim’s system through Google Drive. Discovered by researchers at Proofpoint, the vulnerability in the app development platform enabled social-engineering attacks that tricked victims into clicking on malicious links that triggered the malware downloaded on their computer. The researchers also found the exploit could happen without any user interaction. Google has taken steps to fix the flaw by blocking installable and simple triggers, but the researchers at Proofpoint said there are bigger issues at work. The proof of concept for this exploit “demonstrates the ability of threat actors to use extensible SaaS platforms to deliver malware to unsuspecting victims in even more powerful ways than they have with Microsoft Office macros over the last several years,” the research team said in a blog post. “Moreover, the limited number of defensive tools available to organizations and individuals against this type of threat make it likely that threat actors will attempt to abuse and exploit these platforms more often as we become more adept at protecting against macro-based threats.” The researchers went on to note that, in order to combat this threat, “organizations will need to apply a combination of SaaS application security, end user education, endpoint security, and email gateway security to stay ahead of the curve of this emerging threat.”
  • The United States federal government is nearing its deadline to implement the Domain-based Message Authentication, Reporting and Conformance (DMARC) tool. In October 2016, the DHS announced it would mandate the use of DMARC and HTTPS in all departments and agencies that use .gov domains. DHS gave those departments and agencies a 90-day deadline to implement DMARC and HTTPS, which means the Jan. 15, 2018, deadline is soon approaching. According to security company Agari, as of mid-December, 47% of the federal government domains were now using DMARC, compared to 34% the month before. Another requirement within this mandate is federal agencies are required to use the strongest “reject” setting in DMARC within a year. This means emails that fail authentication tests will be less likely to make it to government inboxes — i.e., be rejected. Agari reported a 24% increase in the use of higher “reject” settings in the last month. On the flip side, Agari noted that most agency domains (84%) are still unprotected, with no DMARC policy.

Data protection news 2017: Security issues make headlines

Backup and data security became intertwined in 2017.

WannaCry ransomware and Amazon Simple Storage Service (S3) bucket leaks highlighted data protection news, forcing users and vendors to find new ways to protect data. Other data protection news showed shifts in technology and corporate strategy, such as two old-school backup vendors rolling out converged appliances, a billion-dollar-plus private equity transaction and a maturing vendor’s decision to split its CEO job in two.

WannaCry shines a light on ransomware, data recovery

The WannaCry attack that hit more than 100,000 organizations in 150 countries in May brought ransomware into the public conscience, and it also highlighted the need for proper data protection. As a result, backup vendors now routinely include features designed to help combat ransomware attacks.

That hasn’t stopped the attacks, though. Experts noted that ransomware attacks have become stealthier, and protection against ransomware is now more complicated. That means recovering data from such attacks is getting trickier.

News about WannaCry continued right until the end of the year, as well, when the White House in December officially blamed the North Korean government for the attacks.

See: WannaCry proves the importance of backups

U.S. blames North Korea for WannaCry

Cybersecurity experts expose leaky Amazon S3 buckets

Reports surfaced that corporations, small companies and government agencies have left terabytes of corporate and top-secret data exposed on the internet via misconfigured Amazon S3 storage buckets. Experts claim data was left vulnerable to hacking because access control lists were configured for public access, so any user with an Amazon account could get to the data simply by guessing the name of the bucket.

The list of firms affected by the data protection news included telecommunications giant Verizon, Dow Jones, consulting firm Accenture, World Wrestling Entertainment and U.S. government contractor Booz Allen Hamilton. Many in the IT industry blame end users for failing to click on the proper restricted access level on the buckets, but the publicity still prompted Amazon to build in new features to mitigate the cloud storage security problem.

Amazon added new S3 default encryption that mandates all objects in the bucket must be stored in an encrypted form. The vendor also added permission checks that display a prominent indicator next to each Amazon S3 bucket that is publicly accessible.

Still, reports of more sensitive data left exposed in unsecured storage buckets continued. In November, cybersecurity firm UpGuard reported it was able to access data in storage buckets belonging to the United States Army Intelligence and Security Command and the U.S. Central Command and Pacific Command.

See: Poorly configured Amazon S3 buckets exposed data

Don’t blame Amazon for S3 issues

Dell EMC, Commvault converge backup

Relative backup newcomers Cohesity and Rubrik had a great impact on data protection news in 2017, as stalwarts Dell EMC and Commvault moved down the converged backup path the upstarts have taken.

The Dell EMC Integrated Data Protection Appliance (IDPA) launched at Dell EMC World in May. The purpose-built, preintegrated system converges storage, software, search and analytics in one appliance, providing data protection across applications and platforms with a native, cloud-tiering capability for long-term retention. IDPA includes Data Domain data deduplication technology.

Commvault answered with its HyperScale appliance that puts the vendor’s HyperScale software on a scale-out storage system. The branded Commvault appliance marks a new direction for the vendor, which previously only sold software. Commvault has also partnered with Cisco, which rebrands HyperScale as ScaleProtect on the Cisco Unified Computing System. 

See: Dell EMC integrates backup technologies

Commvault hypes HyperScale

Barracuda becomes a private affair

In a deal that best represents data protection acquisitions in 2017, equity giant Thoma Bravo spent $1.6 billion to acquire publicly held Barracuda Networks and take it private. Barracuda is best known for its security products, but has steadily expanded its backup and disaster recovery platforms in recent years.

The Bravo-Barracuda data protection news highlighted a 2017 trend in the field’s acquisitions. Datto and Spanning also went the private-equity route during the year. Vista Equity Partners acquired Datto and merged it with Autotask, and Dell EMC sold off cloud-to-cloud backup pioneer Spanning to Insight Venture Partners.

See: Bravo takes Barracuda Networks private

Veeam tag-teams CEO role

Veeam Software has grown up so much it now takes two chief executives to run the company. Veeam split its CEO job in 2017, naming Peter McKay and founder Andrei Baronov co-CEOs. Baronov started Veeam in 2006 along with Ratmir Timashev, who served as CEO until 2016 and remains on its board. McKay came to Veeam in 2016 as COO and president.

The division of power calls for McKay to head Veeam’s “go-to-market,” finance and human resources functions, while Baronov handles research and development, market strategy and product management. William Largent, who held the CEO job for 11 months, is now chairman of Veeam’s finance and compensation committees.

See: Veeam shifts management, product strategy

Microsoft and Facebook disrupt ZINC malware attack to protect customers and the internet from ongoing cyberthreats – Microsoft on the Issues

Last week Microsoft, working together with Facebook and others in the security community, took strong steps to protect our customers and the internet from ongoing attacks by an advanced persistent threat actor known to us as ZINC, also known as the Lazarus Group. We concluded that this threat actor was responsible for WannaCry, a destructive attack in May that targeted Microsoft customers. Among other steps, last week we helped disrupt the malware this group relies on, cleaned customers’ infected computers, disabled accounts being used to pursue cyberattacks and strengthened Windows defenses to prevent reinfection. We took this action after consultation with several governments, but made the decision independently. We anticipate providing more information about our actions and their effect in the coming months once we have had the opportunity to analyze applicable data and information.

Today, the governments of the United States, United Kingdom, Australia, Canada, New Zealand and Japan have all announced that the government of North Korea is responsible for the activities of ZINC/Lazarus. We are pleased to see these governments making this strong statement of attribution. If the rising tide of nation-state attacks on civilians is to be stopped, governments must be prepared to call out the countries that launch them. Today’s announcement represents an important step in government and private sector action to make the internet safer.

Microsoft welcomed the opportunity to work with Facebook and others in recent weeks to address this issue. As we look to 2018, it’s essential that we act with shared responsibility to strengthen further the partnerships with the security community and governments to combat cyberattacks against civilians. There is much we can build on from our longstanding work with private industry partners, Interpol, Europol, the FBI and other law enforcement agencies in our ongoing efforts to combat botnets and other cybercrime.

Tags: Brad Smith, cybersecurity, malware

DevSecOps is a must-have in enterprise app development

It’s likely that 2018 will be the year of DevSecOps.

DevSecOps is the practice of addressing security at every phase of the software application development lifecycle. And it’s everyone’s responsibility to take security more seriously early on and throughout, the development lifecycle.

At the recent Amazon Web Services re:Invent 2017 conference, AWS CTO Werner Vogels told software builders in a keynote that they must now become security engineers. To truly embrace continuous integration and continuous delivery, everyone involved must address security, he said.

This idea isn’t new, with advocates since the early 2000s, but it’s getting more traction as enterprises embrace DevOps principles.

“You can’t wait to test out the security vulnerabilities just before release, nor can you wait for a vulnerability to lead to a breach in production to worry about security,” said Theresa Lanowitz, an analyst at Voke, a Minden, Nev., market research firm, who has advised clients on this topic since 2005. “Security is the responsibility of everyone on the software engineering team, which includes the business, development, QA and operations staff. It is software engineering practices that matter, not the latest portmanteau of DevSecOps.”

Theresa Lanowitz, Voke analystTheresa Lanowitz

Enterprises should adopt a view of continuous quality and continuous security, and must specify and design the code to be secure, said Thomas Murphy, a Gartner analyst based in Stamford, Conn., another longtime preacher of the DevSecOps gospel since the early 2000s. “But most people still look at security as a set of walls they will put up, or tools that will scan their code at the end and make them safe,” he said.

Murphy cited the importance and adoption of security scanning and monitoring tools, but the industry must do a better job to provide security training for developers. This might be an area where artificial intelligence might help developers address security concerns earlier in the application lifecycle, he said.

Baking security into applications

And security should not just be a focus at every stage of the application lifecycle, it must be automated, said Amit Khanna, senior vice president of technology at Virtusa, an IT services company based in Westborough, Mass. “Everyone needs to think about security, not just early on but at every stage,” he said.

Khanna cited his company’s internal process that tests the architecture, design and implementation of every new project from a security perspective, and then provides ongoing security testing throughout the life of the application.

“It’s an end-to-end approach,” he said. “Security cannot be an afterthought; it has to be baked in.”

Golden Giving, an online fundraising platform, is adding security into all new applications as it migrates its systems to the cloud.

“We didn’t just lift and shift all of our stuff into the cloud, we rearchitected things so that we could do it with security in mind from the beginning,” said Justin Rupp, a systems and cloud architect at GlobalGiving.”

The transformation of a software developer to a security engineer is not enough, Rupp said. Software architects also need to become security architects to advance security not just in individual applications and services, but entire systems.

Asking too much of developers?

However, the shift to put more of the onus for security onto developers might be too much for some.

“We’re asking developers to really step up and I don’t know if that is entirely fair,” said Chris Wegmann, managing director for Accenture’s Amazon Web Services Practice & Relationship. “There are ways for organizations to set guardrails or parameters that developers can live within so that they get the access to the security capabilities they need, but you’re going to have to automate some of these policies. You’re going to have to force compliance and you’re going to have to review it.”

Joedon Easter, a solutions delivery architect at CDS in Dallas, said he agreed with the concept of DevSecOps and embedding security into applications. But the implementation and execution depends on an organization’s corporate culture, which also must shift if DevSecOps is to achieve broad adoption.

There will be some spectacular failures in the next couple of years as [DevSecOps] moves to adoption and mandatory implementation.
Joedon Eastersolutions delivery architect, CDS

“There will be some spectacular failures in the next couple of years as this concept moves to adoption and mandatory implementation,” Easter said. “It seems like a repeat of the shift from the mainframe to minicomputers and then the shift to micro. Early adopters were excited evangelists of the newfound freedom of the next thing.”

Like those earlier technology shifts, initial interest in security was minimal and seen as a nuisance; security was first bolted, and then welded on, he said. And now it is blended into the application development process.

Moreover, AWS has substantial provisions for security built in from the start, Easter said. It will take some discipline and cultural effort for it to spread within any given environment, which is why a grassroots approach to DevSecOps has the best chance for success.

Yet, Nevertheless, DevSecOps has become a common perspective across cloud platform providers, said Rhett Dillingham, an analyst at Moor Insights & Strategy in Austin, Texas. Cloud-native development methods, particularly DevOps and microservices architecture, drive cultural and organizational change that empowers developers to move fast on innovation in experimentation and time-to-market while they are tasked with more distributed responsibility for the availability, security, and cost management of their applications.

“This distributes first-level operational responsibility for security while the centralized security function focuses further on strategy, policies and tools to best standardize and minimize the developer workload and take second-level operational responsibility for addressing high-severity risks and incidents,” Dillingham said.

CyberSight RansomStopper

Your antivirus or security suite really ought to protect you against ransomware, along with all other kinds of malware. There might be an occasional slipup with a never-before-seen attack, but those unknowns rapidly become known. Unfortunately, ex post facto removal of ransomware still leaves your files encrypted. That’s why you may want to add a ransomware protection utility to your arsenal. The free CyberSight RansomStopper stopped real-world ransomware in testing, but can have a problem with ransomware that only runs at boot time.

Similar Products

RansomStopper is quite similar to Cybereason RansomFree, Trend Micro RansomBuster, and Malwarebytes Anti-Ransomware Beta. All four are free, and all detect ransomware based on its behavior. Since they rely on behavior, it doesn’t matter whether the ransomware is an old, known quantity or a just-created zero-day attack. Like RansomFree, RansomStopper uses bait files as part of its detection methodology. However, RansomStopper hides its bait files from the user.

Getting Started

Installation went quickly in my testing. After the download, I completed the process by entering my first and last name and email address. Once I responded to the confirmation email, the product was up and running.

The product’s simple main window reports that “You are protected from ransomware.” Buttons across the bottom let you view security alerts, processes RansomStop has blocked, and processes you’ve chosen to allow. Another button lets you check for updates, if you didn’t select automatic updates during installation. Simple!

CyberSight also offers a business edition. Added features include email alerts, centralized administration, and detailed reports. The business edition costs $29.99 for a single license, though the price drops to as low as $10 per seat with volume licensing.

Ransomware Protection

When RansomStopper detects a ransomware attack, it terminates the offending process and pops up a warning in the notification area. Clicking the warning lets you see what file caused the problem. There’s an option to remove programs from the blocked processes list—along with a warning that doing so is a bad idea.

Waiting to detect ransomware behavior can sometimes mean that the ransomware encrypts a few files before termination. When I tested Malwarebytes, it did lose a few files this way. Check Point ZoneAlarm Anti-Ransomware actively recovers any encrypted files. In my testing, it did so for every ransomware sample. ZoneAlarm’s only error was one instance of reporting failure when it had actually succeeded.

For a quick sanity check, I launched a simple fake ransomware program that I wrote myself. All it does is look for text files in and below the Documents folder and encrypt them. It uses a simple, reversible cipher, so a second run restores the files. RansomStopper caught it and prevented its chicanery. So far so good.

Caution, Live Ransomware

The only sure way to test behavior-based ransomware protection is by using live ransomware. I do this very cautiously, isolating my virtual machine test system from any shared folders and from the internet.

This test can be harrowing if the anti-ransomware product fails its detection, but my RansomStopper test went smoothly. Like ZoneAlarm and Malwarebytes, RansomStopper caught all the samples, and I didn’t find any files encrypted before behavioral detection kicked in. Cybereason RansomFree did pretty well, but it missed one.

I also test using KnowBe4’s RanSim, a utility that simulates 10 types of ransomware attack. Success in this test is useful information, but failure can simply mean that the behavior-based detection correctly determined that the simulations are not real ransomware. Like RansomFree, RansomStopper ignored the simulations.

Boot-Time Danger

Keeping under the radar is a big deal for ransomware. When possible, it does its dirty deeds silently, only coming forward with its ransom demand after encrypting your files. Having administrator privileges makes ransomware’s job easier, but getting to that point typically requires permission from the user. There are workarounds to get those privileges silently. These include arranging to piggyback on the Winlogon process at boot time, or set a scheduled task for boot time. Typically, the ransomware just arranges to launch at boot and then forces a reboot, without performing any encryption tasks.

I mention this because I discovered that ransomware can encrypt files at boot time before RansomStopper kicks in. My own fake encryption program managed that feat. It encrypted all text files in and below the Documents folder, including RansomStopper’s bait text file. (Yes, that file is in a folder that RansomStopper actively hides, but I have my methods…)

I reverted the virtual machine and tried again, this time setting a real-world ransomware sample to launch at startup. It encrypted my files and displayed its ransom note before RansomStopper loaded. From my CyberSight contact I learned that they’re “testing several solutions” for this problem, and that an update in the next few weeks should take care of it. I’ll update this review when a solution becomes available.

RansomFree runs as a service, so it’s active before any regular process. When I performed the same test, setting a real-world ransomware sample to launch at startup, RansomFree caught it. Malwarebytes also passed this test. RansomBuster detected the boot-time attack and recovered the affected files.

To further explore this problem, I obtained a sample of the Petya ransomware that caused trouble earlier this year. This particular strain crashes the system and then simulates boot-time repair by CHKDSK. What it’s actually doing is encrypting your hard drive. Malwarebytes, RansomFree, and RansomBuster all failed to prevent this attack. RansomStopper caught it before it could cause the system crash—impressive! To be fair to the others, this one is not a typical file encryptor ransomware. Rather, it locks the entire system by encrypting the hard drive.

Querying my contacts, I did learn that boot-time ransomware attacks, including Petya, are becoming less common. Even so, I’m adding this test to my repertoire.

Other Techniques

Behavior-based detection, when implemented properly, is an excellent way to fight ransomware. However, it’s not the only way. Trend Micro RansomBuster and Bitdefender Antivirus Plus are among those that foil ransomware by controlling file access. They prevent untrusted programs from making any change to files in protected folders. If an untrusted program tries to modify your files, you get a notification. Typically, you get the option to add the unknown program to the trusted list. That can be handy if the blocked program was your new text or photo editor. Panda Internet Security goes even farther, preventing untrusted programs from even reading data from protected files.

Ransomware crooks need to take care that they’ll be able to decrypt files when the victim pays up. Encrypting files more than once could interfere with recovery, so most include a marker of some kind to prevent a second attack. Bitdefender Anti-Ransomware leverages that technique to fool specific ransomware families into thinking they’ve already attacked you. Note, though, that this technique can’t do a thing about brand-new ransomware types.

When Webroot SecureAnywhere AntiVirus encounters an unknown process, it starts journaling all activity by that process, and sending data to the cloud for analysis. If the process proves to be malware, Webroot rolls back everything it did, even rolling back ransomware activity. ZoneAlarm and RansomBuster have their own methods for recovering files. When the anti-ransomware component of Acronis True Image kills off a ransomware attack, it can restore encrypted files from its own secure backup if necessary.

Give It a Try

CyberSight RansomStopper detected and blocked all my real-world ransomware samples without losing any files. It also detected my simple hand-coded ransomware simulator. And it blocked an attack by Petya, where several competing products failed.

RansomStopper did exhibit a vulnerability to ransomware that only runs at boot time, but my sources say this type of attack is becoming less common, and CyberSight is working on a solution. Other free products had their own problems. RansomFree missed one real-world sample, and Malwarebytes let another sample encrypt a few files before its detection kicked in. RansomBuster fared worse, missing half the samples completely (though its Folder Shield component protected most files).

Check Point ZoneAlarm Anti-Ransomware remains our Editors’ Choice for dedicate ransomware protection. It’s not free, but at $2.99 per month it’s also not terribly expensive. If that still seems too steep, give the three free utilities a try, and see which one you like best.

Return of Bleichenbacher: ROBOT attack means trouble for TLS

A team of security researchers discovered eight leading vendors and open source projects whose implementations of the Transport Layer Security protocol are vulnerable to the Bleichenbacher oracle attack, a well-known flaw that was first described in 1998.

The Bleichenbacher attack has been referenced in all IETF specifications for the Transport Layer Security (TLS) protocol since version 1.0 in 1999, and implementers of TLS versions through 1.2 were warned to take steps to avoid the Bleichenbacher attack. However, the researchers noted that, based on the ease with which they were able to exploit the vulnerability, it appears that many implementers ignored the warnings.

The attack is named after its discoverer, Daniel Bleichenbacher, a Swiss cryptographer who was working for Bell Laboratories in 1998 when his research on the vulnerability was first published. The TLS protocol, which was meant to replace the Secure Sockets Layer, is widely used for encryption and the authentication of web servers.

The research team  included Hanno Bock, information security researcher; Juraj Somorovsky, research associate at the Horst Görtz Institute for IT Security at the Ruhr-Universität Bochum in Germany; and Craig Young, , computer security researcher with Tripwire’s Vulnerability and Exposures Research Team (VERT). “Perhaps the most surprising fact about our research is that it was very straightforward,” the researchers wrote. “We took a very old and widely known attack and were able to perform it with very minor modifications on current implementations. One might assume that vendors test their TLS stacks for known vulnerabilities. However, as our research shows in the case of Bleichenbacher attacks, several vendors have not done this.”

The researchers said many web hosts are still vulnerable to the ROBOT attack and that nearly a third of the top 100 sites in the Alexa Top 1 Million list are vulnerable. The team identified vulnerable products from F5, Citrix, Radware, Cisco, Erlang, and others, and “demonstrated practical exploitation by signing a message with the private key of facebook.com’s HTTPS certificate.”

The researchers described their work as the “Return Of Bleichenbacher’s Oracle Threat” (ROBOT) and published it in a paper of the same title, as well as on a branded vulnerability website. The team also published a capture the flag contest, posting an encrypted message and challenging the public to decrypt the message using the strategies described in the paper.

TLS protocol designers at fault

The researchers placed the blame for the ease of their exploits squarely on the shoulders of TLS protocol designers. The ROBOT attack is made possible by the behavior of servers implementing TLS using the RSA Public-Key Cryptography Standards (PKCS) #1 v1.5 specification; the issues that enable the Bleichenbacher attack are fixed in later versions of PKCS. TLS 1.3, which is expected to be finalized soon, deprecates the use of PKCS #1 v1.5 and specifies use of PKCS #1 v2.2.

The TLS protocol designers absolutely should have been more proactive about replacing PKCS#1 v1.5.
Craig Youngcomputer security researcher, Tripwire VERT

“The TLS protocol designers absolutely should have been more proactive about replacing PKCS#1 v1.5. There is an unfortunate trend in TLS protocol design to continue using technology after it should have been deprecated,” Young told SearchSecurity by email. He added that vendors also “should have been having their code audited by firms who specialize in breaking cryptography since most software companies do not have in-house expertise for doing so.”

TLS as currently deployed ignores improperly formatted data, and as described in 1999 in RFC 2246. “The TLS Protocol Version 1.0,” the original specification for TLS 1.0, the ROBOT attack “takes advantage of the fact that by failing in different ways, a TLS server can be coerced into revealing whether a particular message, when decrypted, is properly PKCS #1 formatted or not,” the RFC 2246 document states.

The solution proposed in that specification for avoiding “vulnerability to this attack is to treat incorrectly formatted messages in a manner indistinguishable from correctly formatted RSA blocks. Thus, when it receives an incorrectly formatted RSA block, a server should generate a random 48-byte value and proceed using it as the premaster secret. Thus, the server will act identically whether the received RSA block is correctly encoded or not.”

Potential for attacks, detection and remediation

The researchers noted in the paper that the ROBOT flaw could lead to very serious attacks. “For hosts that are vulnerable and only support RSA encryption key exchanges it’s pretty bad. It means an attacker can passively record traffic and later decrypt it,” the team wrote on the ROBOT website, adding that “For hosts that usually use forward secrecy, but still support a vulnerable RSA encryption key exchange the risk depends on how fast an attacker is able to perform the attack. We believe that a server impersonation or man in the middle attack is possible, but it is more challenging.”

Young said that it might be possible to detect attempts to abuse the Bleichenbacher vulnerability, but it would not be easy. “This attack definitely triggers identifiable traffic patterns. Servers would observe a high volume of failed connections as well as a smaller number of connections with successful handshakes and then little to no data on the connection,” he told SearchSecurity. “Unfortunately, I am unaware of anybody actually doing this. Logging the information needed to detect this can be cumbersome and for a site receiving a billion connections a second, it could be quite difficult to notice 10-100 thousand failed connections.”

As for other, ongoing risks, Young said that while “PKCS#1 v1.5 is not being used in TLS 1.3 but it is still used in other systems like XML encryption. Whether or not it can be disabled through configuration is highly application specific.”

Juniper Junos Space Security Director gets automation boost

SAN FRANCISCO — Juniper Networks has made its security products more responsive to threats, thereby reducing the amount of manual labor required to fend off attacks.

On Tuesday at the Juniper NXTWORK conference, the company introduced “dynamic policy management” in the Junos Space Security Director. The central software console for Juniper network security manages the vendor’s firewalls and enforces security policies on Juniper’s EX and QFX switches.

The latest improvement to Junos Space Security Director lets security pros define variables that will trigger specific rules in Juniper SRX Series next-generation firewalls. For example, if a company is under a ransomware attack that has planted malware in employees’ PCs, then Director could activate rules restricting access to critical applications that handle sensitive data. The rules could also tell firewalls to cut off internet access for those applications.

The new Junos Space Security Director features can lower the response time to security threats from hours to minutes, said Mihir Maniar, vice president of security product management at Juniper, based in Sunnyvale, Calif. “It’s completely dynamic, completely user-intent-driven.”

Vendors trending toward automated security threat response

Automating the response to security threats is a trend among vendors, including Juniper rival Cisco. Companies can configure products to take specific actions against threats, which removes the time security pros would have to spend deploying new firewall rules manually.

Automation means 10 different things to 10 different people.
Dan Condeanalyst at Enterprise Strategy Group

“You have to mitigate very quickly and not just inform somebody and hope for the best,” said Dan Conde, an analyst at Enterprise Strategy Group, based in Milford, Mass. “Manual procedures do not work very quickly.”

But the ultimate goal, which eludes vendors today, is to have products that detect and mitigate threats on their own and then continue to monitor the network to ensure the steps taken were successful.

Vendor marketing tends to play down the fact that the level of automation is rudimentary, which has led to confusion over the definition of automation across different products. “Automation means 10 different things to 10 different people,” Conde said.

Juniper network security stronger with new SRX4600 firewall

Juniper has integrated a new firewall with the latest iteration of Junos Space Security Director. The SRX4600 is designed to protect data flowing in multi-cloud environments found in an increasing number of companies. The SRX4600 is a 1RU appliance with a throughput of 80 Gbps.

Juniper also unveiled at NXTWORK an on-premises malware detection appliance that uses analytics and remediation technology built by Cyphort, which Juniper acquired this year. Cyphort has developed security analytics that spots malware based on its abnormal activity in the network.

The new Advanced Threat Prevention Appliance in Juniper’s network security portfolio is designed for companies with “strict data sovereignty requirements,” the company said. The on-premises hardware has been certified by ISCA Labs, which is an independent division of Verizon that conducts testing and certification of security and health IT products.