
Healthcare CIOs put on alert for potential Iran cyberattacks

Tensions between the U.S. and Iran are prompting concerns about possible Iranian cyberattacks against critical U.S. infrastructure and raising questions about how prepared healthcare systems are to handle them.

The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued an alert Monday for critical infrastructure systems such as healthcare systems. The agency warned of potential Iran cyberattacks in response to the U.S. military strike that killed General Qassem Soleimani. The Health Information Sharing and Analysis Center, a non-profit organization focused on enhancing healthcare cybersecurity that keeps tabs on threats to the industry, followed suit.

Iran has not historically targeted U.S. health systems. It has opted instead for targets that would drive greater economic influence. But Caleb Barlow, president and CEO of Austin, Texas-based healthcare cybersecurity firm CynergisTek, said that may be changing.


“This isn’t a point of scaring the living daylights out of people and saying, ‘Hey, the Iranians are going to attack healthcare.’ That’s not what we’re saying at all,” he said. “What we are saying, however, is that the threat landscape just changed dramatically in the last week. The likelihood that a foreign actor — or someone sympathetic to a foreign actor — may try to impact U.S. critical infrastructure, which includes healthcare, and may use known means that work, are very high.” 

CISA recommended that industries including healthcare increase awareness and organizational vigilance around cyberthreats. Beyond the potential for an Iranian cyberattack, healthcare CIOs should prepare their organizations for destructive malware attacks.

A growing threat

Iranian cyber threat actors continue to engage in more “conventional” attacks such as website defacement and theft of personally identifiable information, but they have continuously improved their cyberattack capabilities and shown a “willingness to push the boundaries of activities,” according to the CISA alert.


Barlow said Iranian cyber threat actors are known for destructive wiper attacks, which he described as “ransomware on steroids.” The number of known wiper attacks is small, but they can be devastating, according to Barlow. IBM X-Force Incident Response and Intelligence Services found destructive malware attacks destroyed about 12,000 devices and cost organizations more than $200 million on average.

Due to recent tensions, Iranian cyberattacks may be shifting away from targets that could provide economic influence to cyberattacks that could provide political influence. Coupled with the threat of destructive wiper attacks, healthcare CIOs should be on high alert.

How healthcare CIOs can respond

Barlow said healthcare security teams need to rethink their response plans.

“This isn’t just about prevention,” he said. “This is also about, can you maintain the resiliency of your business — whether it’s manufacturing, a hospital, or state or local government — without your IT systems? How would you do it? How would you recover it? And how would you get started?”

Healthcare organizations likely have plans for cybersecurity incidents; most start with calling their insurance company. But many cyber insurance policies do not cover the actions of a foreign nation, according to Barlow.

Healthcare organizations are also unprepared to handle ransomware, malware that locks data until a ransom is paid, and often pay the ransom to regain access to their data and systems, according to Barlow. But paying won’t be an option if they’re hit by a destructive wiper attack.

“With a destructive attack, you don’t have that option, it’s just gone,” Barlow said. “If you don’t have a plan in place to maintain resiliency, so is your institution.”


Wiper attacks can destroy everything, according to David Chou, vice president and principal analyst at Constellation Research in Cupertino, Calif. He stressed that even without a potential increase in Iranian cyberattacks, healthcare and government are targets. That’s why organizations like the Health Information Sharing and Analysis Center (H-ISAC) have issued a call to action to become better prepared for ransomware as well as destructive wiper attacks.

“The healthcare industry has to prepare for wiper, which is definitely something that can be serious and potentially wipe out the business of a hospital,” Chou said.

CISA recommended healthcare organizations focus on vulnerability mitigation and incident preparation, which includes taking steps to disable unnecessary ports and protocols, increase monitoring of email and network traffic, and ensure backups are updated and stored in a separate, but easily retrievable, location from the organization.

Chou said H-ISAC recommends backing up data and keeping systems updated, which he said should be done as good practice regardless of the current state of high alert.


Experts weigh in on risk of Iranian cyberattacks against U.S.

The Department of Homeland Security warned of the potential for Iranian cyberattacks against the U.S., and security experts weighed in on the risks facing enterprises.

In the bulletin, released Saturday as part of the National Terrorism Advisory System, DHS said there was no indication that attacks from Iran were imminent, but noted the country and its allies “have demonstrated the intent and capability to conduct operations in the United States.” The bulletin was issued in the wake of escalating military conflict with Iran.

“Iran maintains a robust cyber program and can execute cyberattacks against the United States. Iran is capable, at a minimum, of carrying out attacks with temporary disruptive effects against critical infrastructure in the United States,” DHS wrote in the bulletin. “Be prepared for cyber disruptions, suspicious emails, and network delays. Implement basic cyber hygiene practices such as effecting data backups and employing multi-factor authentication [MFA].”

In general, experts agreed there is a legitimate threat of Iranian cyberattacks against U.S. entities and many added that while Iran has offensive cyber capabilities, they are not known to have capabilities on the level of the U.S., China or Russia.

Rick Holland, CISO and vice president of strategy at Digital Shadows in San Francisco, said Iran has proven the ability to cause damage with cyberattacks.

“Iranian offensive cyber capabilities have grown significantly since the days of Stuxnet, which was a catalyst for the Iranian regime to mature their capabilities,” Holland told SearchSecurity. “While Iran isn’t as mature as the United States, Russia or China, they are capable of causing damage. Destructive or wiper malware like Iran used against Saudi Aramco could cause significant damage to their targets.”

Robert M. Lee, CEO and founder of Dragos, said Iran has “consistently been growing their capabilities and are aggressive and willing to be as destructive as they can be.”

“We’re unlikely to see widespread issues or scenarios such as disrupting electric power but it’s entirely possible we will see opportunistic responses to whatever damage they think they can inflict,” Lee told SearchSecurity. “Iran has shown previously to be opportunistic in its targeting of infrastructure with denial of service attacks against banks as well as trying to get access to industrial control systems in electric and water companies. While it is important to think where strategic targets would be for them, it’s just as relevant that they might search for those who are more insecure to be able to have an effect instead of a larger effect on a harder target.”

High disruption value

While DHS did not say which organizations Iran might target with cyberoperations, some experts tended to agree with Lee that infrastructure and financial targets would be most likely.

Jake Williams, founder and president of Rendition Infosec in Augusta, Ga., classified Iran as having “moderately sophisticated capabilities.”

“They aren’t on par with Russia or China, but they aren’t script kiddies either. Iran will most likely target defense industrial base and financial institutions — basically, targets that have a high disruption value,” Williams told SearchSecurity. “For an enterprise, the things to keep in mind are DDoS and early indicators of compromise for defense industrial base organizations. Of course, Iran could target other verticals, but we assess these to be the most likely initial targets.”

Levi Gundert, vice president of intelligence and risk at Recorded Future, noted that “Iranian sponsored groups are constantly probing potential targets for weaknesses toward intelligence gathering.”

“When provoked, these groups have also successfully demonstrated retaliatory cyberattacks. Based on historical precedent, Iran retaliates with destructive attacks against perceived threatening organizations (e.g. Sands Corporation), or they attack businesses toward achieving economic impact — large American financial service companies (Operation Ababil) and Saudi Aramco are two good examples,” Gundert told SearchSecurity via email. “We believe the most likely targets of cyberattacks remain the United States government, contractors, and partner businesses involved in U.S. regional interests.”

However, Chris Morales, head of security analytics at threat detection vendor Vectra in San Jose, Calif., said “everyone could be at risk” of an Iranian cyberattack.

“While certain industries were targeted in the past for disruption or for data theft, there is no limitation to who could be targeted in an asymmetric attack that involves disruption, misdirection and confusion,” Morales told SearchSecurity. “Earlier state-sponsored Iranian actors stole only basic information, but over the past few years they have been building long-term espionage campaigns. The risk here being in many cases Iranian actors already persist inside networks and it becomes a case of identifying their presence and removing them.”

Holland said the risk of being targeted by Iran would be low for most organizations, but enterprises should perform threat modeling by asking:

  • How do Iranian interests intersect your business?
  • How has historic Iranian targeting/victimology related to your company?
  • How does the Iranian threat stack up against your supply chain?

Protecting your organization

Experts agreed that taking care of the basics is probably the best approach to defend against possible Iranian cyberattacks.

Dr. Chase Cunningham, principal analyst serving security and risk professionals for Forrester Research, suggested enterprises “fix the easy stuff: deploy MFA everywhere; bolster DDoS defense and make sure email security is in place. Other than that, brace for impact and maintain situational awareness.”

Holland said enterprises “shouldn’t have to take any extraordinary measures.”

“Patch operating systems and applications. Disable Microsoft Office macros. Implement application whitelisting. Restrict admin privileges. Disable external-facing Remote Desktop Protocol,” Holland said. “Enable multi-factor authentication for external-facing applications and privileged users. Monitor for malicious domain registrations related to your organization.”

Gundert suggested organizations “take the time to understand Iranian sponsored groups’ historical tools, tactics, and techniques.”

“These groups typically achieve initial unauthorized access through password re-use, phishing, and/or web shells,” Gundert said. “Now is a great time to review and improve security controls for each threat category, as well as visibility into post-compromise activity like the usage of native Windows tools.”

Lee said the best approach is for cybersecurity professionals to “be in a heightened sense of awareness and put the investments they’ve made into people, process, and technology to use.”

“For companies that have yet to make proper investments into the cybersecurity of their business, there is not much that can be done quickly in situations like this,” Lee said. “Companies need to prepare ahead of these moments, and these moments and any angst felt should serve as an opportunity to look internally to determine what your plans would be, especially for incident response and disaster recovery.”


DOJ takes action against Dridex malware group, Evil Corp

The U.S. and the U.K. announced criminal charges and sanctions against alleged members of the Russian threat group Evil Corp, which is responsible for the Dridex malware.

The U.S. Department of Justice indicted Maksim Yakubets, 32, of Russia on counts of computer hacking and bank fraud. The State Department offered up to $5 million for information leading to the arrest and/or conviction of Yakubets, who is the alleged leader of Evil Corp. Additionally, the DOJ indicted Igor Turashev, 38, in relation to the Dridex banking Trojan.

The Department of Treasury announced sanctions against Evil Corp, which has been active since 2009 and has been connected to the Zeus, Bugat and Dridex malware. According to the Treasury Department announcement, “Evil Corp has used the Dridex malware to infect computers and harvest login credentials from hundreds of banks and financial institutions in over 40 countries, causing more than $100 million in theft.”

Assistant Attorney General Brian Benczkowski of the Justice Department’s criminal division noted in the DOJ press release that the U.K. National Crime Agency (NCA) was “crucial” in efforts to identify Yakubets and other members of Evil Corp.

The DOJ unsealed two indictments — one filed on Nov. 12 in the Western District of Pennsylvania and one filed Nov. 14 in the District of Nebraska. The former indictment named both Yakubets and Turashev in multiple fraud attempts using Dridex malware beginning in Nov. 2011, including an attempted transfer of $999,000 from the Sharon City School District and an attempt to transfer nearly $2.2 million from Penneco Oil. In total, the indictment filed in Pennsylvania included 10 charges of conspiracy, fraud and intentional damage to a computer.

The indictment filed in Nebraska only named Yakubets and listed 21 businesses and local government offices targeted across the country, nine of which were financial institutions, and covered incidents dating back to 2009. 

According to the DOJ, Yakubets went by the handle “aqua” online. A case from the District of Nebraska charged a John Doe “also known as ‘aqua’” and resulted in the extradition of two Ukrainian nationals from the U.K. to the U.S. in 2014. Those Ukrainians had previously been convicted in the U.K. of laundering money for Evil Corp.

The Treasury Department said that its sanctions target “17 individuals and seven entities to include Evil Corp, its core cyber operators, multiple businesses associated with a group member, and financial facilitators utilized by the group.” The announcement went on to name Denis Gusev as a senior member of Evil Corp, as well as entities owned or controlled by Gusev, six other members of the group and eight known financial facilitators.

Previous attempts

These actions are not the first taken against Dridex malware threat actors. In October 2015, the DOJ indicted Andrey Ghinkul in connection with spreading the malware. Ghinkul was arrested in August 2015 in Cyprus and extradited to the U.S. in February 2016.

At the time, Brad Duncan, security researcher at Rackspace, noted that Dridex incidents had disappeared in September following Ghinkul’s arrest, but new instances of the malware began appearing again before the DOJ announced the indictment.

In October 2015, both the FBI and NCA set up sinkholes in efforts to stop the malware from connecting to command and control servers. But by January 2016, IBM security researchers confirmed a new version of Dridex malware was targeting banks in the U.K.

Earlier this year, Chronicle released the results of a five-year study into crimeware, which included looking at arrests made in connection with Zeus and Dridex malware, and found that law enforcement takedown attempts had only short-lived impacts if the masterminds behind such crimeware were not apprehended.


NSS Labs drops antitrust suit against AMTSO, Symantec and ESET

NSS Labs ended its legal battle against the Anti-Malware Testing Standards Organization, Symantec and ESET.

The independent testing firm dropped its antitrust lawsuit Tuesday, which was filed in 2018 against AMTSO (a nonprofit organization) and several top endpoint security vendors, including Symantec, ESET and CrowdStrike. The suit accused the vendors and AMTSO of conspiring to prevent NSS Labs from testing their products by boycotting the company.

In addition, NSS Labs accused the vendors of instituting restrictive licensing agreements that prevented the testing firm from legally purchasing products for public testing. The suit also alleged AMTSO adopted a draft standard that required independent firms like NSS Labs to give AMTSO vendor members advance notice of how their products would be tested, which NSS Labs argued was akin to giving vendors answers to the test before they took it.

In May, NSS Labs and CrowdStrike agreed to a confidential settlement that resolved the antitrust suit as well as other lawsuits between the two companies stemming from NSS Labs’ 2017 endpoint protection report that included negative test results for CrowdStrike’s Falcon platform. Under the settlement, NSS Labs retracted the test results, which the firm admitted were incomplete, and issued an apology to CrowdStrike.

In August, a U.S. District Court judge for the Northern District of California dismissed NSS Labs’ antitrust claims, ruling in part that NSS Labs failed to show how the alleged conspiracy damaged the market, which is required for antitrust claims. The judge also said NSS Labs’ complaint failed to show ESET and AMTSO participated in the alleged conspiracy (Symantec did not challenge the conspiracy allegations in the motion to dismiss). The ruling allowed the company to amend the complaint; instead, NSS Labs dropped its lawsuit.

Still, the testing firm had some harsh words in its statement announcing the dismissal of the suit. NSS Labs said vendors “were using a Draft Standard from the non-profit group to demonstrate their dissatisfaction with tests that revealed their underperforming products and associated weaknesses, which did not support their marketing claims.”

“During the past year, AMTSO has made progress to be more fair and balanced in its structure, vendors have shown progress in working with testing organizations, and the market itself has had significant change and notable acquisition activity,” NSS Labs CEO Jason Brvenik said in the statement. “It is said that sunshine is the best disinfectant, and that has been our experience here. We look forward to continued improvement in the security vendor behaviors.”

AMTSO sent the following statement to SearchSecurity:

“While AMTSO welcomes NSS Lab’s decision to dismiss, its actions were disruptive, expensive, and without merit,” said Ian McShane, an AMTSO Board member and senior director of security products at Elastic. “However, we agree with its statement that ‘sunshine is the best disinfectant,’ and we’re looking forward to NSS Labs re-joining AMTSO, and to its voluntary participation in standard-based testing. We believe this will give customers a greater assurance that the tests were conducted fairly.”

AMTSO did not comment on whether the organization has made any specific changes to its structure or policies in the wake of the antitrust suit.

NSS Labs changed its approach to testing results earlier this year with its 2019 Advanced Endpoint Protection Group Test, which redacted the names of vendors that received low scores and “caution” ratings. At RSA Conference 2019, Brvenik told SearchSecurity that NSS Labs decided to take a “promote, not demote” approach that focuses on the vendors that are doing well.


New machine learning model sifts through the good to unearth the bad in evasive malware – Microsoft Security

We continuously harden machine learning protections against evasion and adversarial attacks. One of the latest innovations in our protection technology is the addition of a class of hardened malware detection machine learning models called monotonic models to Microsoft Defender ATP’s Antivirus.

Historically, detection evasion has followed a common pattern: attackers build new versions of their malware and test them offline against antivirus solutions. They keep making adjustments until the malware can evade antivirus products. Attackers then carry out their campaign knowing that the malware won’t initially be blocked by AV solutions, which are then forced to catch up by adding detections for the malware. In the cybercriminal underground, antivirus evasion services are available to make this process easier for attackers.

Microsoft Defender ATP’s Antivirus has become significantly more resistant to attacker tactics like this. A sizeable portion of the protection we deliver is powered by machine learning models hosted in the cloud. The cloud protection service breaks attackers’ ability to test and adapt to our defenses in an offline environment, because attackers must either forgo testing, or test against our defenses in the cloud, where we can observe them and react even before they begin.

Hardening our defenses against adversarial attacks doesn’t end there. In this blog we’ll discuss a new class of cloud-based ML models that further harden our protections against detection evasion.

Most machine learning models are trained on a mix of malicious and clean features. Attackers routinely try to throw these models off balance by stuffing clean features into malware.

Monotonic models are resistant against adversarial attacks because they are trained differently: they only look for malicious features. The magic is this: Attackers can’t evade a monotonic model by adding clean features. To evade a monotonic model, an attacker would have to remove malicious features.

Monotonic models explained

Last summer, researchers from UC Berkeley (Incer, Inigo, et al., “Adversarially robust malware detection using monotonic classification”, Proceedings of the Fourth ACM International Workshop on Security and Privacy Analytics, ACM, 2018) proposed adding monotonic constraints to malware detection machine learning models to make them robust against adversaries. Simply put, the technique only allows the machine learning model to leverage malicious features when considering a file; it’s not allowed to use any clean features.

Figure 1. Features used by a baseline versus a monotonic constrained logistic regression classifier. The monotonic classifier does not use cleanly-weighted features so that it’s more robust to adversaries.

Inspired by the academic research, we deployed our first monotonic logistic regression models to Microsoft Defender ATP cloud protection service in late 2018. Since then, they’ve played an important part in protecting against attacks.

Figure 2 below illustrates the production performance of the monotonic classifiers versus the baseline unconstrained model. As expected, monotonic-constrained models detect less malware overall than classic models. However, they can detect malware attacks that otherwise would have been missed because of clean features.

Figure 2. Malware detection machine learning classifiers comparing the unconstrained baseline classifier versus the monotonic constrained classifier in customer protection.

The monotonic classifiers don’t replace baseline classifiers; they run alongside the baseline and add protection. We combine all our classifiers using stacked classifier ensembles; monotonic classifiers add significant value because of the unique classification they provide.

How Microsoft Defender ATP uses monotonic models to stop adversarial attacks

One common way for attackers to add clean features to malware is to digitally code-sign malware with trusted certificates. Malware families like ShadowHammer, Kovter, and Balamid are known to abuse certificates to evade detection. In many of these cases, the attackers impersonate legitimate registered businesses to defraud certificate authorities into issuing them trusted code-signing certificates.

LockerGoga, a strain of ransomware that’s known for being used in targeted attacks, is another example of malware that uses digital certificates. LockerGoga emerged in early 2019 and has been used by attackers in high-profile campaigns that targeted organizations in the industrial sector. Once attackers are able to breach a target network, they use LockerGoga to encrypt enterprise data en masse and demand ransom.

Figure 3. LockerGoga variant digitally code-signed with a trusted CA

When Microsoft Defender ATP encounters a new threat like LockerGoga, the client sends a featurized description of the file to the cloud protection service for real-time classification. An array of machine learning classifiers processes the features describing the content, including whether attackers had digitally code-signed the malware with a trusted code-signing certificate that chains to a trusted CA. By ignoring certificates and other clean features, monotonic models in Microsoft Defender ATP can correctly identify attacks that otherwise would have slipped through defenses.

Very recently, researchers demonstrated an adversarial attack that appends a large volume of clean strings from a computer game executable to several well-known malware and credential dumping tools – essentially adding clean features to the malicious files – to evade detection. The researchers showed how this technique can successfully impact machine learning prediction scores so that the malware files are not classified as malware. The monotonic model hardening that we’ve deployed in Microsoft Defender ATP is key to preventing this type of attack, because, for a monotonic classifier, adding features to a file can only increase the malicious score.
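As an added example (not Microsoft’s code, nor the Berkeley paper’s), the following toy reproduces the constraint described above and in “Monotonic models explained”: logistic regression trained with every feature weight projected to be non-negative, beside an unconstrained baseline, then scored on a constructed sample that has been padded with a trusted signature and a large volume of benign strings. The feature names and the training set are constructed for illustration.

```python
"""
Monotonic-constrained logistic regression versus an unconstrained baseline.

Added example (not Microsoft's code, not the Berkeley paper's code): a toy
reproduction of the idea in the post. The feature names and the training
set below are constructed for illustration.
"""
import math

# Constructed feature layout. The first two are "clean" features an attacker
# can add freely; the last three are behaviours an attacker would have to
# remove to evade a monotonic model.
FEATURES = [
    "signed_by_trusted_ca",       # 0/1
    "benign_strings_kb",          # kilobytes of harmless strings in the file
    "reads_lsass_memory",         # 0/1
    "deletes_shadow_copies",      # 0/1
    "disables_windows_recovery",  # 0/1
]

# Constructed training set: (feature vector, label); label 1 = malware.
TRAINING_SET = [
    ([1, 2, 0, 0, 0], 0), ([1, 1, 0, 0, 0], 0), ([0, 3, 0, 0, 0], 0),
    ([1, 0, 0, 0, 0], 0), ([0, 1, 0, 0, 0], 0), ([0, 0, 0, 0, 0], 0),
    ([0, 0, 1, 1, 0], 1), ([0, 0, 1, 0, 1], 1), ([0, 0, 0, 1, 1], 1),
    ([0, 0, 1, 1, 1], 1), ([0, 0, 1, 0, 0], 1), ([0, 0, 0, 0, 1], 1),
]


def sigmoid(z):
    # Numerically safe logistic function.
    if z >= 0:
        return 1.0 / (1.0 + math.exp(-z))
    e = math.exp(z)
    return e / (1.0 + e)


def score(weights, bias, x):
    """Probability that x is malware under a logistic model."""
    return sigmoid(bias + sum(w * xi for w, xi in zip(weights, x)))


def train(samples, monotonic, lr=0.5, epochs=2000):
    """Batch gradient descent on logistic loss.

    With monotonic=True every feature weight is projected back to >= 0
    after each step, so no feature can ever lower the malware score: that
    is the constraint the post describes. The bias stays unconstrained.
    """
    n = len(samples[0][0])
    weights, bias = [0.0] * n, 0.0
    m = len(samples)
    for _ in range(epochs):
        grad_w, grad_b = [0.0] * n, 0.0
        for x, y in samples:
            err = score(weights, bias, x) - y
            grad_b += err
            for i, xi in enumerate(x):
                grad_w[i] += err * xi
        bias -= lr * grad_b / m
        for i in range(n):
            weights[i] -= lr * grad_w[i] / m
            if monotonic and weights[i] < 0.0:
                weights[i] = 0.0  # projection onto the monotone region
    return weights, bias


def is_monotone(weights):
    """True if adding any feature can only raise the score."""
    return all(w >= 0.0 for w in weights)


def evades(weights, bias, x, threshold=0.5):
    """True if the model would let sample x through as clean."""
    return score(weights, bias, x) < threshold


def demo():
    baseline = train(TRAINING_SET, monotonic=False)
    mono = train(TRAINING_SET, monotonic=True)
    # A ransomware-like sample, then the same sample with a trusted code
    # signature and 20 KB of benign strings appended (the padding trick
    # described in the post). The malicious behaviour is unchanged.
    original = [0, 0, 1, 1, 0]
    padded = [1, 20, 1, 1, 0]
    result = {
        "baseline_original": score(*baseline, original),
        "baseline_padded": score(*baseline, padded),
        "monotonic_original": score(*mono, original),
        "monotonic_padded": score(*mono, padded),
        "baseline_evaded": evades(*baseline, padded),
        "monotonic_evaded": evades(*mono, padded),
    }
    return baseline, mono, result


if __name__ == "__main__":
    (bw, bb), (mw, mb), r = demo()
    for name, w_b, w_m in zip(FEATURES, bw, mw):
        print(f"{name:28s} baseline={w_b:+.2f}  monotonic={w_m:+.2f}")
    for key, value in r.items():
        print(f"{key:20s} {value}")
```

The baseline learns negative weights for the signature and benign-string features, so padding drives its score down; the monotonic model has those weights pinned at zero, so the padded file scores exactly as the original does.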

Given how they significantly harden defenses, monotonic models are now standard components of machine learning protections in Microsoft Defender ATP’s Antivirus. One of our monotonic models uniquely blocks malware on an average of 200,000 distinct devices every month. We now have three different monotonic classifiers deployed, protecting against different attack scenarios.

Monotonic models are just the latest enhancements to Microsoft Defender ATP’s Antivirus. We continue to evolve machine learning-based protections to be more resilient to adversarial attacks. More effective protections against malware and other threats on endpoints increase defense across the entire Microsoft Threat Protection. By unifying and enabling signal-sharing across Microsoft’s security services, Microsoft Threat Protection secures identities, endpoints, email and data, apps, and infrastructure.

Geoff McDonald (@glmcdona),Microsoft Defender ATP Research team
with Taylor Spangler, Windows Data Science team


Author: Microsoft News Center

Federal privacy regulations usher in the age of tech lawmakers

Tech companies that have successfully lobbied against stricter privacy regulations are facing pushback from consumers on their latest campaign to curtail data privacy rights.

Big tech’s call for federal regulation comes amid a reactionary call for privacy rights, as data breach media coverage has exposed companies’ poor management of personal information and piqued consumers’ data protection concerns.  

“Consumers are seeing data breaches and privacy mistakes in the news every single day, and the breaches are getting larger in scope. And the number of individuals impacted seems to be larger for every single one,” said Nicholas Merker, partner and co-chair of the data security and privacy practice at Ice Miller, based in Indianapolis. “People understand that some companies are misusing their data or not protecting their data appropriately, and it’s creating a risk for these individuals.”

Shortly after GDPR — the European law that unified data privacy protection and specified consumer rights to their personal data — went into effect last spring, California passed the California Consumer Privacy Act (CCPA) of 2018. The new state law gives users the right to request details about individual data collected by the companies they do business with and to delete personal data without penalty to service.

Now, tech giants like Facebook, IBM and Microsoft are playing offense and proposing federal privacy regulations that override the California rules.

As the fight between state and federal laws plays out, CIOs and their data privacy experts may well find themselves advising their companies on where to come down on data privacy rights.

A company’s best course will likely depend, in large part, on where it does business, how it makes money and how much its customers value data privacy.

Why the push for federal law?

Tech companies with multistate operations are gunning for the federal law in order to avoid having to comply with up to 50 competing jurisdictions. Experts expect other states to begin following in California’s footsteps by amending or creating state privacy laws.

The CCPA has certainly set the bar for other like-minded states, said Erin Illman, co-chair of Bradley’s cybersecurity and privacy practice group and member of the North Carolina Bar Association’s Privacy and Data Security Committee.

“You’re going to see the states that have taken a forward stance in privacy start to really look at California and say, ‘Maybe we need to amend our laws that are already on the books, but maybe we also need to put forward a similar law or something that even goes farther than California,'” Illman said.

But big tech’s effort to get a federal law passed is not just to save themselves the headache of state-specific compliance, experts said, but also to preserve profits that stricter rules could threaten.

And if we look to the GDPR as a model for U.S. legislation, we must also examine the immediate aftermath, Merker said.

“The GDPR is a great example of what [strict federal privacy legislation] would do to the behavioral advertising firm, targeted advertising firm, company index firm industry — it would destroy it,” Merker said.

“When GDPR was implemented for publicly traded companies, you saw massive drops in stock prices; you saw some companies that just no longer existed, because their practices are no longer legitimate under the GDPR.”

Data: The new dollar

Data privacy experts advise CIOs keep a close eye on the proposed legislation and its framework, including exactly whom it seeks to regulate.

For example, one of the proposals for the federal privacy regulations defines consumers as users who have purchased something from the company. Under this definition, social media businesses like Facebook and email businesses like Gmail that do not charge for their services or sell products would have far fewer reportable consumers than sites that sell a product or charge a nominal fee for service. Even a $1 yearly fee makes each individual a consumer whose privacy is protected instead of a user who remains exempt from privacy regulations.

Experts noted that this distinction shows the defining characteristic of online business: Data is money.

“Personal information is the currency of the internet — more so than bitcoin, more so than the dollar. [Data] is what is being bartered for services and then sold for revenue,” said Nader Henein, research director of data protection and privacy at Gartner.

“Like any other currency, it needs to be regulated. Otherwise, it loses its value, and it’s inconsistent.”

Love affair gone sour

In the face of big tech’s all-out lobbying effort for the federal law, data privacy interest groups have not hung back. Instead, they are taking advantage of growing consumer sentiment that the titans of Silicon Valley can delight customers and still not have their best interest at heart.

The inability of business to prevent massive data breaches that expose sensitive information has also fueled consumer interest in wanting more control over personal data. 


A major point on the tech companies’ list of wishes is self-regulation and the creation of industry guidelines with no legal or financial penalty for noncompliance. Trade groups such as the U.S. Chamber of Commerce, the Internet Association and the Information Technology Industry Council are all pushing for voluntary standards.

Tech companies’ C-suites claim they know exactly what data is being collected, how it’s used and, ultimately, how to protect it. They argue self-regulation allows for flexible compliance that protects privacy and the ability to remain profitable.

Privacy advocates, on the other hand, cite years of improper data management, privacy violations and data breaches as examples of the whittling of trust that’s occurred between the general public and tech businesses.

“There’s a lot of trust that’s been lost between the general public and between privacy advocates and business,” Illman said. “Because of that loss of trust, the concept of self-regulation is something that privacy advocates are pushing back against and saying, ‘You know, we don’t really trust you to regulate yourselves.'”

So, what’s the next battle move? The proposal and establishment of federal privacy regulations could be a positive change if companies develop strategies that are fair, transparent and create a more equal benefit for company and user.

“Internationally, America seems like we are now behind the times when it comes to privacy law,” Merker said. “All privacy advocates want America to catch up and be standing with the rest of the world.”

Physical security keys eliminate phishing at Google

Google claims it has completely eliminated successful phishing attacks against its employees through the use of physical security keys and Universal Second Factor.

Google began introducing and evaluating physical security keys in 2014, and by early 2017 all 85,000-plus Google employees were required to use them when accessing company accounts. In the time since, the company told Brian Krebs, no employee has been successfully phished.

A Google spokesperson said the decision to use the Universal Second Factor (U2F) physical security keys instead of software-based one-time-password (OTP) authentication was based on internal testing.

“We believe security keys offer the strongest protections against phishing,” a Google spokesperson wrote via email. “We did a two-year study that showed that OTP-based authentication had an average failure rate of 3%, and with U2F security keys, we experienced zero percent failure.”

Lane Thames, senior security researcher at Tripwire, based in Portland, Ore., said the main reason these software-based apps are less secure is “because attackers can potentially intercept these OTPs remotely.”

“Another issue is the bulk production of OTPs that users can store locally or even print. This is done in order to make the 2FA [two-factor authentication] process a little easier for end users or so end users can save OTPs for later use, if they don’t have access to their phones when the code is needed,” Thames wrote via email. “This is akin to a similar problem where users write passwords and leave them around their workspace.”

However, John Callahan, CTO at Veridium, an identity and access management software vendor based in Quincy, Mass., noted that there are also benefits to users opting for 2FA via smartphone.

“Some people who use a U2F key fear losing it or damaging it. This is where biometrics can play a key role. Methods using biometrics are helping to prevent attacks,” Callahan wrote via email. “Using biometrics with the Google Authenticator app is a secure solution, because a mobile phone is always nearby to authenticate a transaction.”

Moving companies to physical security keys

Physical security keys implementing U2F were the core part of Google’s Advanced Protection Program, which it rolled out as a way for high-risk users to protect their Google accounts. A physical security key, like a YubiKey, can authenticate a user simply by inserting the key into a computer, tapping it against an NFC-capable smartphone or connecting to an iOS device via Bluetooth.

Nadav Avital, threat research manager at Imperva, based in Redwood Shores, Calif., said, “in an ideal world,” more companies would require multifactor authentication (MFA).


“In general, physical keys offer better security, because software-based authentication relies on a shared secret between the client and the provider that can be discovered. Unfortunately, most people don’t use [2FA or MFA], neither physical nor software-based, because they don’t understand the implications or because they prefer simplicity over security,” Avital wrote via email. “Clients can suffer from fraud, data theft or identity theft, while the company can suffer from reputation damage, financial damage from potential lawsuits and more.”
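Avital’s shared-secret point and Thames’s interception point, as an added example that is not code from Google, Imperva, Tripwire or the article: a TOTP code derived from the secret the phone and the server share carries nothing about which page the user typed it into, so the server can only compare digits, while a U2F-style assertion signs the browser-reported origin together with the server’s challenge using a per-device private key, so the real server rejects an assertion produced under a look-alike origin and also rejects one whose origin field was rewritten afterwards. The two origins, the TOTP seed and the simplified signed-message layout (SHA-256 of the origin followed by the challenge, rather than the full U2F authentication response) are assumptions made for this example; signing uses Go’s crypto/ecdsa on P-256.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// totp implements RFC 6238 (HMAC-SHA1, six digits, 30-second step). The same
// secret lives on the phone and on the server, so a valid code proves knowledge
// of that secret and nothing about which page it was typed into.
func totp(secret []byte, unixTime int64) string {
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], uint64(unixTime/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(counter[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// Assertion is a simplified U2F-style response (assumed layout for this example):
// the key signs SHA-256(origin) || challenge with a private key that never
// leaves the device, and the server stores only the public key.
type Assertion struct {
	Origin    string // origin the browser reported to the key
	Challenge []byte // challenge the server issued
	Sig       []byte // ASN.1 ECDSA signature over signedMessage(Origin, Challenge)
}

func signedMessage(origin string, challenge []byte) []byte {
	originHash := sha256.Sum256([]byte(origin))
	h := sha256.New()
	h.Write(originHash[:])
	h.Write(challenge)
	return h.Sum(nil)
}

func keySign(priv *ecdsa.PrivateKey, origin string, challenge []byte) Assertion {
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(origin, challenge))
	if err != nil {
		panic(err) // P-256 signing with crypto/rand does not fail in practice
	}
	return Assertion{Origin: origin, Challenge: challenge, Sig: sig}
}

// serverVerify is the relying-party check: its own origin, the challenge it
// issued, and a signature valid under the key registered for this user.
func serverVerify(pub *ecdsa.PublicKey, ownOrigin string, issued []byte, a Assertion) bool {
	if a.Origin != ownOrigin || !hmac.Equal(a.Challenge, issued) {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedMessage(a.Origin, a.Challenge), a.Sig)
}

// DemoResult records what the real server accepted: a TOTP code read off the
// phone while a look-alike page was open, a genuine U2F assertion, one made
// under the look-alike origin, and that one with its Origin field rewritten.
type DemoResult struct {
	OTPRelayed, U2FGenuine, U2FRelayed, U2FOriginForged bool
}

// Demo runs both schemes against a constructed look-alike origin.
func Demo() DemoResult {
	const realOrigin = "https://accounts.example.com" // constructed
	const lookalike = "https://accounts.examp1e.com"  // constructed look-alike
	secret := []byte("constructed-shared-totp-seed")
	now := int64(1700000000)
	var r DemoResult
	// The phone shows the same code whatever page is open, and the server can
	// only compare digits, so the code is accepted.
	shownOnPhone := totp(secret, now)
	r.OTPRelayed = hmac.Equal([]byte(totp(secret, now)), []byte(shownOnPhone))
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		panic(err)
	}
	r.U2FGenuine = serverVerify(&priv.PublicKey, realOrigin, challenge, keySign(priv, realOrigin, challenge))
	// Same key and challenge, but the browser reported the look-alike origin:
	// the origin is inside the signed message, so the real server rejects it.
	relayed := keySign(priv, lookalike, challenge)
	r.U2FRelayed = serverVerify(&priv.PublicKey, realOrigin, challenge, relayed)
	// Rewriting the Origin field does not help: the signature was computed
	// over the look-alike origin and no longer verifies.
	relayed.Origin = realOrigin
	r.U2FOriginForged = serverVerify(&priv.PublicKey, realOrigin, challenge, relayed)
	return r
}
```

The TOTP half can be checked against the RFC 6238 reference vector (secret `12345678901234567890`, time 59, which yields 287082 at six digits); the U2F half is what Avital calls the absence of a discoverable shared secret: the server never holds anything that could produce a valid assertion, and the origin check is what makes the key phishing-resistant rather than merely possession-based.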

Richard Ford, chief scientist at Forcepoint, a cybersecurity company based in Austin, Texas, said worrying about the best way to implement 2FA might be premature, as “we still have oodles of companies still using simple usernames and password.”

“Getting off that simple combo to something more secure provides an immediate plus up for security. Look at your risk profile, and try and peer a little into the future,” Ford said. “Remember, what you plan today won’t be reality for a while, so you want to skate to where the puck is going. With that said, please don’t let perfect be the enemy of good.”

Petitioning the board

Experts noted that not all IT teams will have as easy a time convincing the board to invest in making physical security keys or another form of multifactor authentication a requirement as Google would.

Matthew Gardiner, cybersecurity expert at Mimecast, a web and email security company based in Lexington, Mass., suggested framing the issue in terms of risk reduction.

“It is hard to quantify risk unless you have experienced a recent breach. Using MFA is not a theoretical idea; it is now a security best practice that is incredibly cheap and easy to use from a multitude of vendors and cloud service providers,” Gardiner wrote via email. “I can only assume that if organizations are still only using a single factor of authentication in support of B-to-B or B-to-E applications that they must think they have nothing of value to attackers.”

Ford said it was probably best not to spear phish the board for effect, “no matter how tempting that might be.”

“I would, however, suggest that the Google data itself can be of tremendous value. Boards understand risk in the scope of the business, and I think there’s plenty of data now out there to support the investment in more sophisticated authentication mechanisms,” Ford wrote. “Start with a discussion around Google and their recent successes in this space, and also have a reasoned — and money-based — discussion about the data you have at risk. If you arm the board with the right data points, they will very likely make the right decision.”

New Spectre variants earn $100,000 bounty from Intel

Researchers found new speculative execution attacks against Intel and ARM chips, and the findings earned them a $100,000 reward under Intel’s bug bounty.

The new methods are themselves variations on Spectre v1 — the bounds check bypass version of Spectre attacks — and are being tracked as Spectre variants 1.1 and 1.2.

The new Spectre 1.1 has also earned a new Common Vulnerabilities and Exposures (CVE) number, CVE-2018-3693, because it “leverages speculative stores to create speculative buffer overflows” according to Vladimir Kiriansky, a doctoral candidate in electrical engineering and computer science at MIT, and Carl Waldspurger of Carl Waldspurger Consulting.

“Much like classic buffer overflows, speculative out-of-bounds stores can modify data and code pointers. Data-value attacks can bypass some Spectre v1 mitigations, either directly or by redirecting control flow. Control-flow attacks enable arbitrary speculative code execution, which can bypass fence instructions and all other software mitigations for previous speculative-execution attacks. It is easy to construct return-oriented-programming gadgets that can be used to build alternative attack payloads,” Kiriansky and Waldspurger wrote in their research paper. “In a speculative data attack, an attacker can (temporarily) overwrite data used by a subsequent Spectre 1.0 gadget.”

Spectre 1.2 does not have a new CVE because it “relies on lazy enforcement” of read/write protections.

“Spectre 1.2 [is] a minor variant of Spectre v1, which depends on lazy PTE enforcement, similar to Spectre v3,” the researchers wrote. “In a Spectre 1.2 attack, speculative stores are allowed to overwrite read-only data, code pointers and code metadata, including v-tables [virtual tables], GOT/IAT [global offset table/import address table] and control-flow mitigation metadata. As a result, sandboxing that depends on hardware enforcement of read-only memory is rendered ineffective.”

As the research paper from Kiriansky and Waldspurger went live, Intel paid them a $100,000 bug bounty for the new Spectre variants. After the initial announcement of the Spectre and Meltdown vulnerabilities in January 2018, Intel expanded its bug bounty program to include rewards of up to $250,000 for similar side-channel attacks.


Nick Bilogorskiy, cybersecurity strategist at Juniper Networks, also noted that the research into these new Spectre variants was partially funded by Intel.

“When implemented properly, bug bounties help both businesses and the research community, as well as encourage more security specialists to participate in the audit and allow CISOs to optimize their security budgets for wider security coverage,” Bilogorskiy wrote via email. “These bugs are new minor variants of the original Spectre variant one vulnerability and have similar impact. They exploit speculative execution and allow speculative buffer overflows. I expect that more variants of Spectre and/or Meltdown will continue to be discovered in the future.”

ARM and Intel did not respond to requests for comment at the time of this post. ARM did update its FAQ about speculative processor vulnerabilities to reflect the new Spectre variants. And Intel published a white paper regarding bounds check bypass vulnerabilities at the same time as the disclosure of the new Spectre variants. In it, Intel did not mention plans for a new patch but gave guidance to developers to ensure bounds checks are implemented properly in software as a way to mitigate the new issues.
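The bounds-check guidance mentioned above, as an added example that is neither Intel’s nor the researchers’ code: the bounds-checked store shape that Kiriansky and Waldspurger describe, next to a hardened version that masks the index with the same branch-free construction as the generic array_index_mask_nospec() in the Linux kernel, so that even a mispredicted branch cannot steer the speculative store outside the buffer. The buffer size and values are constructed; portable C cannot observe the speculative path, so what the code verifies is the architectural behaviour of the mask (all ones in bounds, zero out of bounds) and that the hardened store is architecturally identical to the checked one.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* All ones when index < size and zero otherwise, computed without a branch
 * for the CPU to predict. Same construction as the generic
 * array_index_mask_nospec() in the Linux kernel: when index >= size,
 * (size - 1 - index) wraps and sets the top bit, the complement clears it,
 * and the arithmetic shift copies that bit across the whole word.
 * Assumes index and size are both below 2^(bits-1). */
static inline unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
    return (unsigned long)(~(long)(index | (size - 1UL - index)) >> (sizeof(long) * CHAR_BIT - 1));
}

/* Index the store actually uses once masked: unchanged when in bounds,
 * forced to 0 (still inside the buffer) when out of range. */
unsigned long masked_index(unsigned long index, unsigned long size)
{
    return index & index_mask_nospec(index, size);
}

/* Bounds-checked store of the shape the paper discusses: architecturally
 * correct, but the store can issue speculatively before the compare resolves,
 * so a mispredicted branch may place buf[index] past the end of buf. */
void store_checked(uint8_t *buf, size_t len, size_t index, uint8_t value)
{
    if (index < len)
        buf[index] = value;
}

/* Hardened form: the masked index is data-dependent on the comparison, so
 * even on the speculative path the store cannot leave buf. Architecturally
 * identical to store_checked. */
void store_masked(uint8_t *buf, size_t len, size_t index, uint8_t value)
{
    if (index < len)
        buf[masked_index(index, len)] = value;
}

/* Exercise the hardened store on a constructed buffer: returns 1 when the
 * in-bounds write landed and the out-of-bounds write was refused. */
int demo_stores(void)
{
    uint8_t buf[16];
    memset(buf, 0, sizeof buf);
    store_masked(buf, sizeof buf, 3, 0xAA);  /* in bounds: written */
    store_masked(buf, sizeof buf, 40, 0xBB); /* out of bounds: refused */
    uint8_t others = 0;
    for (size_t i = 0; i < sizeof buf; i++)
        if (i != 3) others |= buf[i];
    return buf[3] == 0xAA && others == 0;
}

int main(void)
{
    printf("mask(3,16)=%#lx mask(16,16)=%#lx\n",
           index_mask_nospec(3, 16), index_mask_nospec(16, 16));
    printf("masked_index(40,16)=%lu stores_ok=%d\n", masked_index(40, 16), demo_stores());
    return 0;
}
```

The mask is the portable half of the mitigation; on x86 the kernel implements the same function with a cmp/sbb sequence, and a serializing fence after the compare is the alternative the researchers' wording about "fence instructions" refers to, with the caveat they note that fences alone do not stop a speculative store that has already been redirected by an earlier overwritten pointer.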

Advanced Micro Devices was not directly mentioned by the researchers in connection with the new Spectre variants, but Spectre v1 did affect AMD chips. AMD has not made a public statement about the new research.

Wanted – Cheap/free HDMI monitor for teaching with Raspberry Pis

Didn’t see anything against the rules for threads like this. Mods, please accept my apologies in advance and remove this thread if I’m breaking any rules.

I’m teaching some children some computer science basics in my neighbourhood. We have some Raspberry Pi Zeros (edited on 12/07/2018 to reflect we have Pi Zeros, not Pis!), but no dedicated display units. I’ve been using my TV for this, but the number of children has increased, so we need additional displays. The only requirement is that they be able to accept an HDMI input and work.

I’m looking for something as cheap as possible. I can make a small donation to charity or pay a small cost for anyone supplying a monitor.

I can collect from Berkshire or Bristol by arrangement.

Location: Bracknell, Berkshire

______________________________________________________
This message is automatically inserted in all classifieds forum threads.
By replying to this thread you agree to abide by the trading rules detailed here.
Please be advised, all buyers and sellers should satisfy themselves that the other party is genuine by providing the following via private conversation to each other after negotiations are complete and prior to dispatching goods and making payment:

  • Landline telephone number. Make a call to check out the area code and number are correct, too
  • Name and address including postcode
  • Valid e-mail address

DO NOT proceed with a deal until you are completely satisfied with all details being correct. It’s in your best interest to check out these details yourself.
