Tag Archives: Protect

Chrome site isolation arrives to mitigate Spectre attacks

Version 67 of Google Chrome enabled site isolation by default in an effort to protect users against Spectre-based attacks.

Google has been testing Chrome site isolation since version 63, but has now decided the feature is ready for prime time to help mitigate Spectre attacks. Google described Chrome site isolation as a “large change” to the browser’s architecture “that limits each renderer process to documents from a single site. As a result, Chrome can rely on the operating system to prevent attacks between processes, and thus, between sites.”

“When site isolation is enabled, each renderer process contains documents from at most one site. This means all navigations to cross-site documents cause a tab to switch processes,” Charlie Reis, site isolator at Google, wrote in a blog post. “It also means all cross-site iframes are put into a different process than their parent frame, using ‘out-of-process iframes.’ Splitting a single page across multiple processes is a major change to how Chrome works, and the Chrome Security team has been pursuing this for several years, independently of Spectre.”

This is a major change to the previous multi-process architecture in Chrome in which there were ways to connect to other sites in the same process using iframes or cross-site pop-ups. Reis noted there are still ways an attacker could access cross-site URLs even with Chrome site isolation enabled; he warned developers to ensure “resources are served with the right MIME type and with the nosniff response header,” in order to minimize the risk of data leaks.
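Reis's advice on MIME types and the nosniff header can be checked mechanically. The following Python script is an added example, not code from Google or the Chrome project: it parses a raw HTTP/1.1 response and flags a data response whose body looks like JSON or HTML but is labelled text/plain (or not labelled at all), and a sensitive content type served without X-Content-Type-Options: nosniff. The two sample responses and the SENSITIVE_TYPES list are constructed assumptions for the example.

```python
"""Audit HTTP responses for a specific Content-Type and the nosniff header.

Added example; the sample responses and the SENSITIVE_TYPES set below are
assumptions made for illustration, not values taken from Chrome or Google.
"""
from typing import Dict, List, Tuple

# Content types that usually carry cross-site-sensitive data and therefore
# should always be served with nosniff (assumed list for this example).
SENSITIVE_TYPES = {"text/html", "application/json", "text/xml", "application/xml"}


def parse_response(raw: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Split a raw HTTP/1.1 response into (status, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def audit(raw: bytes) -> List[str]:
    """Return findings for one response; an empty list means it is well labelled."""
    _, headers, body = parse_response(raw)
    findings: List[str] = []

    ctype = headers.get("content-type", "")
    mime = ctype.split(";")[0].strip().lower()
    if not mime:
        findings.append("missing Content-Type")

    # Cheap structural hints: a body starting with '{'/'[' is almost certainly
    # JSON, one starting with '<' is HTML or XML. Serving those as text/plain
    # (or unlabelled) is exactly the mislabelling Reis warns about.
    stripped = body.lstrip()
    looks_like_json = stripped[:1] in (b"{", b"[")
    looks_like_markup = stripped[:1] == b"<"
    if mime in ("text/plain", "application/octet-stream", "") and (looks_like_json or looks_like_markup):
        kind = "JSON" if looks_like_json else "HTML/XML"
        findings.append(f"body looks like {kind} but is labelled {mime or 'nothing'}")

    nosniff = headers.get("x-content-type-options", "").lower() == "nosniff"
    if not nosniff and (mime in SENSITIVE_TYPES or looks_like_json or looks_like_markup):
        findings.append("missing X-Content-Type-Options: nosniff")
    return findings


# Constructed sample responses for the demo (not captured traffic).
GOOD_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/json; charset=utf-8\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"Content-Length: 17\r\n"
    b"\r\n"
    b'{"balance": 1200}'
)
BAD_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b'{"balance": 1200}'
)

if __name__ == "__main__":
    for label, raw in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        print(label, audit(raw) or "ok")
```

Run against responses captured from your own API endpoints; every finding on a response that carries user data is one more resource that could be loaded cross-site as a script, image or stylesheet and then read from the attacking site's renderer process.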

A source close to Google described the aim of Chrome site isolation as an effort to protect the most sensitive data, so even if new variants of Spectre or other side-channel attacks are discovered, the attack may be successful but Chrome will keep things worth stealing out of reach.

Brandon Czajka, vice CIO at Switchfast Technologies, said it’s reassuring to see Google “lead the field” by developing new features such as Chrome site isolation.

“Google’s site isolation appears to work as a means of separation. Rather than allowing Chrome to process data for all websites opened under a single renderer, site isolation separates the rendering process to limit a site’s access to user data that may have been entered on other sites (or in other words, increases confidentiality),” Czajka wrote via email. “So, while a user could still fall victim to a Spectre attack, its scope should be more limited to just the malicious site rather than affording it unlimited access.”

Chrome site isolation has been enabled for 99% of users on Windows, Mac, Linux and Chrome OS, according to Google, with Android support still in the works. However, the added protection and increased number of processes will require more system resources.

“Site isolation is a significant change to Chrome’s behavior under the hood, but it generally shouldn’t cause visible changes for most users or web developers (beyond a few known issues),” Reis wrote. “Site isolation does cause Chrome to create more renderer processes, which comes with performance tradeoffs: on the plus side, each renderer process is smaller, shorter-lived, and has less contention internally, but there is about a 10-13% total memory overhead in real workloads due to the larger number of processes.”

Czajka said while performance may be one of the most important aspects for any business, “it is just one piece of the puzzle.”

“While Google’s site isolation may require more memory, and thus may slow browser performance, it is these type of security measures that help to secure the confidentiality and integrity of user data,” Czajka wrote.

New Aquatic Skins Out Today!

We’re supporting the incredible work of The Nature Conservancy to protect and restore these coral reefs (which you can learn more about here), both through sales of this new skin pack and with the promise to donate more money for every coral block YOU place in the game.

It’s true! As soon as players have collectively placed ten million coral blocks underwater in Minecraft, we’ll donate one hundred thousand dollars to The Nature Conservancy and their efforts. We’ve got no doubt you’ll manage it in no time!

So what are you waiting for? Build something amazing out of coral, help us help the oceans and enjoy the new skin pack!

Learn more about the Nature Conservancy by clicking this lovely line of green text.

IMPORTANT LEGAL STUFF:

Net proceeds from sales of the Coral Crafter Skin Pack excluding platform and marketplace operating fees will be donated to The Nature Conservancy, 4245 North Fairfax Drive, Suite 100, Arlington, VA, 22203-1606, USA, www.nature.org. No portion of purchase or gift is tax deductible.

Minecraft will contribute $100,000.00 to The Nature Conservancy to protect and restore coral reefs around the world once players have placed 10 million coral blocks underwater, beginning on June 8th. (Coral blocks are only counted in Minecraft versions without “Edition” in the title.) The mission of The Nature Conservancy is to conserve the land and waters on which all life depends. More information about the Conservancy is available at www.nature.org.

We’ll update on Twitter when ten million coral blocks have been placed.

CyberSight RansomStopper

Your antivirus or security suite really ought to protect you against ransomware, along with all other kinds of malware. There might be an occasional slipup with a never-before-seen attack, but those unknowns rapidly become known. Unfortunately, ex post facto removal of ransomware still leaves your files encrypted. That’s why you may want to add a ransomware protection utility to your arsenal. The free CyberSight RansomStopper stopped real-world ransomware in testing, but can have a problem with ransomware that only runs at boot time.

Similar Products

RansomStopper is quite similar to Cybereason RansomFree, Trend Micro RansomBuster, and Malwarebytes Anti-Ransomware Beta. All four are free, and all detect ransomware based on its behavior. Since they rely on behavior, it doesn’t matter whether the ransomware is an old, known quantity or a just-created zero-day attack. Like RansomFree, RansomStopper uses bait files as part of its detection methodology. However, RansomStopper hides its bait files from the user.
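Bait files work because no legitimate program has a reason to touch them, so any change to one is a high-confidence ransomware signal. The Python script below is an added example of that detection idea, not CyberSight's or Cybereason's code: it plants decoy files, records a SHA-256 baseline, and reports any bait file that is later modified or deleted. The bait names and contents are constructed for the example; the demo simulates tampering by rewriting one bait file and removing another inside a temporary directory.

```python
"""Bait-file (decoy) monitoring for ransomware detection.

Added example, not a product's code. Bait names, contents and the tampering
simulated in run_demo() are constructed for illustration.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

# Names chosen to sort early and look worth encrypting; contents are harmless.
BAIT_FILES = {
    "!budget_2018.xlsx.txt": b"Q1 revenue,12000\nQ2 revenue,15500\n",
    "~$passwords_old.txt": b"this file is a decoy and holds no real secrets\n",
}


def _sha256(path: str) -> str:
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def plant_bait(root: str) -> Dict[str, str]:
    """Write the bait files under `root` and return {path: sha256} as the baseline."""
    baseline: Dict[str, str] = {}
    for name, content in BAIT_FILES.items():
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(content)
        baseline[path] = _sha256(path)
    return baseline


def check_bait(baseline: Dict[str, str]) -> List[str]:
    """Compare every bait file against its baseline hash.

    A missing file means it was deleted or renamed (encryptors often append a
    new extension); a hash mismatch means its contents were rewritten.
    """
    findings: List[str] = []
    for path, expected in sorted(baseline.items()):
        if not os.path.exists(path):
            findings.append(f"deleted: {path}")
        elif _sha256(path) != expected:
            findings.append(f"modified: {path}")
    return findings


def run_demo() -> Tuple[List[str], List[str]]:
    """Plant bait, check it (clean), simulate tampering, check again."""
    with tempfile.TemporaryDirectory() as root:
        baseline = plant_bait(root)
        clean = check_bait(baseline)
        paths = sorted(baseline)
        # Simulated tampering for the demo: one file overwritten, one removed.
        with open(paths[0], "wb") as fh:
            fh.write(b"\x00\x00garbled")
        os.remove(paths[1])
        tampered = check_bait(baseline)
    return clean, tampered


if __name__ == "__main__":
    before, after = run_demo()
    print("clean run:", before or "no findings")
    print("after tampering:", after)
```

In a real deployment the check runs from a filesystem watcher rather than a polling loop, and a hit should suspend the writing process before it reaches the next real document; the reviewer's point that RansomStopper hides its bait files addresses the remaining weakness, which is a user (or a tidy-up script) deleting the decoys and generating false alarms.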

Getting Started

Installation went quickly in my testing. After the download, I completed the process by entering my first and last name and email address. Once I responded to the confirmation email, the product was up and running.

The product’s simple main window reports that “You are protected from ransomware.” Buttons across the bottom let you view security alerts, processes RansomStopper has blocked, and processes you’ve chosen to allow. Another button lets you check for updates, if you didn’t select automatic updates during installation. Simple!

CyberSight also offers a business edition. Added features include email alerts, centralized administration, and detailed reports. The business edition costs $29.99 for a single license, though the price drops to as low as $10 per seat with volume licensing.

Ransomware Protection

When RansomStopper detects a ransomware attack, it terminates the offending process and pops up a warning in the notification area. Clicking the warning lets you see what file caused the problem. There’s an option to remove programs from the blocked processes list—along with a warning that doing so is a bad idea.

Waiting to detect ransomware behavior can sometimes mean that the ransomware encrypts a few files before termination. When I tested Malwarebytes, it did lose a few files this way. Check Point ZoneAlarm Anti-Ransomware actively recovers any encrypted files. In my testing, it did so for every ransomware sample. ZoneAlarm’s only error was one instance of reporting failure when it had actually succeeded.

For a quick sanity check, I launched a simple fake ransomware program that I wrote myself. All it does is look for text files in and below the Documents folder and encrypt them. It uses a simple, reversible cipher, so a second run restores the files. RansomStopper caught it and prevented its chicanery. So far so good.

Caution, Live Ransomware

The only sure way to test behavior-based ransomware protection is by using live ransomware. I do this very cautiously, isolating my virtual machine test system from any shared folders and from the internet.

This test can be harrowing if the anti-ransomware product fails its detection, but my RansomStopper test went smoothly. Like ZoneAlarm and Malwarebytes, RansomStopper caught all the samples, and I didn’t find any files encrypted before behavioral detection kicked in. Cybereason RansomFree did pretty well, but it missed one.

I also test using KnowBe4’s RanSim, a utility that simulates 10 types of ransomware attack. Success in this test is useful information, but failure can simply mean that the behavior-based detection correctly determined that the simulations are not real ransomware. Like RansomFree, RansomStopper ignored the simulations.

Boot-Time Danger

Keeping under the radar is a big deal for ransomware. When possible, it does its dirty deeds silently, only coming forward with its ransom demand after encrypting your files. Having administrator privileges makes ransomware’s job easier, but getting to that point typically requires permission from the user. There are workarounds to get those privileges silently. These include arranging to piggyback on the Winlogon process at boot time, or setting a scheduled task for boot time. Typically, the ransomware just arranges to launch at boot and then forces a reboot, without performing any encryption tasks.

I mention this because I discovered that ransomware can encrypt files at boot time before RansomStopper kicks in. My own fake encryption program managed that feat. It encrypted all text files in and below the Documents folder, including RansomStopper’s bait text file. (Yes, that file is in a folder that RansomStopper actively hides, but I have my methods…)

I reverted the virtual machine and tried again, this time setting a real-world ransomware sample to launch at startup. It encrypted my files and displayed its ransom note before RansomStopper loaded. From my CyberSight contact I learned that they’re “testing several solutions” for this problem, and that an update in the next few weeks should take care of it. I’ll update this review when a solution becomes available.

RansomFree runs as a service, so it’s active before any regular process. When I performed the same test, setting a real-world ransomware sample to launch at startup, RansomFree caught it. Malwarebytes also passed this test. RansomBuster detected the boot-time attack and recovered the affected files.

To further explore this problem, I obtained a sample of the Petya ransomware that caused trouble earlier this year. This particular strain crashes the system and then simulates boot-time repair by CHKDSK. What it’s actually doing is encrypting your hard drive. Malwarebytes, RansomFree, and RansomBuster all failed to prevent this attack. RansomStopper caught it before it could cause the system crash—impressive! To be fair to the others, this one is not a typical file encryptor ransomware. Rather, it locks the entire system by encrypting the hard drive.

Querying my contacts, I did learn that boot-time ransomware attacks, including Petya, are becoming less common. Even so, I’m adding this test to my repertoire.

Other Techniques

Behavior-based detection, when implemented properly, is an excellent way to fight ransomware. However, it’s not the only way. Trend Micro RansomBuster and Bitdefender Antivirus Plus are among those that foil ransomware by controlling file access. They prevent untrusted programs from making any change to files in protected folders. If an untrusted program tries to modify your files, you get a notification. Typically, you get the option to add the unknown program to the trusted list. That can be handy if the blocked program was your new text or photo editor. Panda Internet Security goes even farther, preventing untrusted programs from even reading data from protected files.

Ransomware crooks need to take care that they’ll be able to decrypt files when the victim pays up. Encrypting files more than once could interfere with recovery, so most include a marker of some kind to prevent a second attack. Bitdefender Anti-Ransomware leverages that technique to fool specific ransomware families into thinking they’ve already attacked you. Note, though, that this technique can’t do a thing about brand-new ransomware types.

When Webroot SecureAnywhere AntiVirus encounters an unknown process, it starts journaling all activity by that process, and sending data to the cloud for analysis. If the process proves to be malware, Webroot rolls back everything it did, even rolling back ransomware activity. ZoneAlarm and RansomBuster have their own methods for recovering files. When the anti-ransomware component of Acronis True Image kills off a ransomware attack, it can restore encrypted files from its own secure backup if necessary.

Give It a Try

CyberSight RansomStopper detected and blocked all my real-world ransomware samples without losing any files. It also detected my simple hand-coded ransomware simulator. And it blocked an attack by Petya, where several competing products failed.

RansomStopper did exhibit a vulnerability to ransomware that only runs at boot time, but my sources say this type of attack is becoming less common, and CyberSight is working on a solution. Other free products had their own problems. RansomFree missed one real-world sample, and Malwarebytes let another sample encrypt a few files before its detection kicked in. RansomBuster fared worse, missing half the samples completely (though its Folder Shield component protected most files).

Check Point ZoneAlarm Anti-Ransomware remains our Editors’ Choice for dedicated ransomware protection. It’s not free, but at $2.99 per month it’s also not terribly expensive. If that still seems too steep, give the three free utilities a try, and see which one you like best.

Datos IO RecoverX backup gets table-specific

Datos IO RecoverX software, designed to protect scale-out databases running on public clouds, now allows query-specific recovery and other features to restore data faster.

RecoverX data protection and management software is aimed at application architects, database administrators and development teams. Built for nonrelational databases, it protects and recovers data locally and on software-as-a-service platforms.

Datos IO RecoverX works with scale-out databases, including MongoDB, Amazon DynamoDB, Apache Cassandra, DataStax Enterprise, Google Bigtable, Redis and SQLite. It supports Amazon Web Services, Google Cloud Platform and Oracle Cloud. RecoverX also protects data on premises.

RecoverX provides semantic deduplication for storage space efficiency and enables scalable versioning for flexible backups and point-in-time recovery.

More security, faster recovery in Datos IO RecoverX 2.5

The newly released RecoverX 2.5 gives customers the ability to recover by querying specific tables, columns and rows within databases to speed up the restore process. Datos IO calls this feature “queryable recovery.” The software’s advanced database recovery function also includes granular and incremental recovery by selecting specific points in time.

The latest Datos IO RecoverX version also performs streaming recovery for better error-handling. The advanced database recovery capability for MongoDB clusters enables global backup of sharded or partitioned databases. The geographically dispersed shards are backed up in sync to ensure consistent copies in the recovery. Administrators can do local restores of the shards or database partitions to speed recovery.

RecoverX 2.5 also supports Transport Layer Security and Secure Sockets Layer encryption, as well as X.509 certificates, Lightweight Directory Access Protocol authentication and Kerberos authentication.

Dave Russell, distinguished analyst at Gartner, said Datos IO RecoverX 2.5 focuses more on greater control and faster recovery with its advanced recovery features.

“Some of these next-generation databases are extremely large and they are federated. The beautiful thing about databases is they have structure,” Russell said. “Part of what Datos IO does is leverage that structure, so you can pull up the [exact] data you are looking for. Before, you had to back up large databases, and in some cases, you had to mount the entire database to fish out what you want.

“With the granular recovery, you can pick and choose what you are looking for,” he said. “That helps the time to recovery.”

Peter Smails, vice president of marketing and business development at Datos IO, based in San Jose, Calif., said the startup is trying to combine the granularity of traditional backup with the visibility into scale-out databases that traditional backup tools lack.

“With traditional backup, you can restore at the LUN level and the virtual machine level. You can get some granularity,” Smails said. “What you can’t do is have the visibility into the specific construct of the database, such as what is in each row or column. We know the schema.

“Backup is not a new problem,” Smails said. “What we want to do through [our] applications is fundamentally different.”

Advanced Protection Program locks down Google accounts

The latest Google multifactor authentication solution aims to protect high-risk users from targeted attacks, but will add complexity to logins.

Google’s Advanced Protection Program has been designed to help keep users safe from phishing attacks, including spear phishing, and to prevent unauthorized access to Gmail accounts by having users authenticate with physical security keys, such as a YubiKey.

“Journalists, human rights defenders, environment campaigners and civil society activists working on any number of sensitive issues can quickly find themselves targeted by well-resourced and highly capable adversaries,” Andrew Ford Lyons, a technologist at Internews, said in Google’s announcement post. “For those whose work may cause their profile to become more visible, setting this up could be seen as an essential preventative step.”

Google’s Advanced Protection Program could help to prevent some types of cyberattacks seen over the past couple of years, including the phishing schemes that compromised the Gmail account of Hillary Clinton’s campaign chairman, John Podesta, or the Google Docs phishing attack.

According to Google, the Advanced Protection Program focuses on three areas of defense: using a security key for multifactor authentication, limiting third-party app access to Gmail and Google Drive, and mitigating fraudulent account access by adding steps to the account recovery process.

Google warns that third-party mobile apps like Apple Mail, Calendar and Contacts “do not currently support security keys and will not be able to access your Google data,” so Advanced Protection Program users would need to use Google’s first-party apps for now.

How the Google Advanced Protection Program works

Google has supported security keys for multifactor authentication in the past and has an option to use mobile devices as a multifactor device, but the Advanced Protection Program is far more strict because there will be no backup options with SMS or stored authentication codes.

Users will only be able to log in to Google accounts with their password and registered security keys. If a security key is lost, the account recovery will be more onerous than answering simple security questions, but Google has yet to provide details on what such a recovery process will entail.

Although anyone can enroll in the Advanced Protection Program, Google admitted in its blog post that it would be best for those who “are willing to trade off a bit of convenience for more protection of their personal Google Accounts.”

At the start, the Advanced Protection Program requires the use of the Chrome browser and two security keys that support the FIDO U2F standard — one to connect to a traditional computer via USB port and one for mobile devices using Bluetooth.

The former isn’t as troublesome, but users need to be careful about the security key used for mobile. Google’s support page suggests purchasing the Feitian MultiPass Bluetooth security key, which appears to be in limited supply on Amazon as of this post, but a Bluetooth security key is only necessary for those using iOS devices or an Android device that doesn’t support near-field communication (NFC) for wireless access. An NFC-enabled security key would work for those with NFC-capable Android devices.

IBM Spectrum Protect Plus tackles VM data protection

IBM has designed a new application to protect virtual machines, as part of its IBM Spectrum Protect storage suite.

IBM Spectrum Protect Plus includes Google-like search, snapshot-based recovery and policy management in virtual environments. It works with VMware vSphere and Microsoft Hyper-V hypervisors.

The agentless software can be deployed as stand-alone software for data protection or application availability in small environments, or integrated with the agent-based IBM Spectrum Protect Tivoli Storage Manager for physical and cloud data protection.

It also supports the agent-based IBM Spectrum Protect for data protection in physical and cloud environments.

IBM Spectrum Protect Plus will enter beta in September, with general availability planned for later in 2017.

IBM previously had a similar product for virtual environments. Tivoli Storage Manager for virtual environments was the company’s first attempt at backup and restore in virtual environments that leveraged the VMware vStorage API for Data Protection (VADP).

“Protect Plus still uses VADP, but it also uses blockchain technology. It’s written so much more efficiently,” said Randy Kerns, senior strategist and analyst at IT consultant firm Evaluator Group.

Backup and recovery for VMware vSphere and Microsoft Hyper-V

The IBM Spectrum Protect Plus server provides block-level incremental forever backup for vSphere and Hyper-V. Backups are stored as read and write snapshots, and the storage can be tiered to disk, tape and the cloud. Instant restores are available in a repository for multipurpose data access for testing, DevOps, reporting, analytics and other operations.

The product provides global search and restore so that administrators across the organization can do text searches across all VMware vSphere and Microsoft Hyper-V virtual machines (VMs). IBM claims Spectrum Protect Plus can install in less than 15 minutes and be configured in an hour.

Customers can deploy storage service-level agreements via the centralized policy management for consistent data protection practices across VMs. IBM Spectrum Protect Plus also works with virtual machine APIs to create application- or crash-consistent data copies. It also performs block-level incremental forever backups and immutable backup snapshots, using any storage as a backup target.
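Block-level incremental forever backup means the first run copies every block and every later run writes only the blocks that changed, yet each snapshot can still be restored on its own without replaying a chain. The Python script below is an added example of that scheme, not IBM's code: a content-addressed block store keyed by SHA-256, immutable per-snapshot manifests, and a demo that backs up a constructed 10-block "disk", changes one byte, and shows that the second run stores a single block while both snapshots restore exactly. The block size and the sample data are assumptions for the example.

```python
"""Block-level incremental forever backup with a content-addressed store.

Added example, not IBM's implementation. BLOCK_SIZE and the demo data are
constructed for illustration.
"""
import hashlib
from typing import Dict, Tuple

BLOCK_SIZE = 4096  # assumed block size for the example


class BlockStore:
    """Keeps each unique block once; snapshots are manifests of block hashes."""

    def __init__(self) -> None:
        self.blocks: Dict[str, bytes] = {}

    def backup(self, data: bytes) -> Tuple[Tuple[str, ...], int]:
        """Back up `data` and return (manifest, blocks_newly_written).

        The manifest is an immutable tuple of block hashes in disk order, so a
        snapshot cannot be altered after the fact and does not depend on any
        earlier snapshot for restore.
        """
        manifest = []
        new_blocks = 0
        for offset in range(0, len(data), BLOCK_SIZE):
            chunk = data[offset:offset + BLOCK_SIZE]
            digest = hashlib.sha256(chunk).hexdigest()
            if digest not in self.blocks:      # unchanged blocks are never rewritten
                self.blocks[digest] = chunk
                new_blocks += 1
            manifest.append(digest)
        return tuple(manifest), new_blocks

    def restore(self, manifest: Tuple[str, ...]) -> bytes:
        """Rebuild the full image for one snapshot directly from its manifest."""
        return b"".join(self.blocks[digest] for digest in manifest)


def run_demo() -> Dict[str, object]:
    store = BlockStore()
    # Constructed "disk": ten distinct blocks, block i filled with byte value i.
    disk_v1 = b"".join(bytes([i]) * BLOCK_SIZE for i in range(10))
    manifest_v1, written_v1 = store.backup(disk_v1)

    # Change a single byte inside block 3; only that block should be stored again.
    mutable = bytearray(disk_v1)
    mutable[3 * BLOCK_SIZE + 10] ^= 0xFF
    disk_v2 = bytes(mutable)
    manifest_v2, written_v2 = store.backup(disk_v2)

    return {
        "first_run_blocks": written_v1,
        "second_run_blocks": written_v2,
        "unique_blocks_kept": len(store.blocks),
        "restore_v1_ok": store.restore(manifest_v1) == disk_v1,
        "restore_v2_ok": store.restore(manifest_v2) == disk_v2,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The same property that makes every snapshot independently restorable is what lets a product mount a snapshot and bring up the VM directly, as Kerns describes below, instead of replaying a full plus a chain of incrementals first.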

“The Google-like search can be done not just by timeline but by text search,” said Doug O’Flaherty, program director for IBM’s Spectrum marketing. “This is a brand new product by the development team for backup and management in virtual machines. It’s designated for simple installation and simple ease of use.”

Evaluator Group’s Kerns said now administrators can directly mount snapshots and bring up VMs for instant restores. In previous IBM Spectrum Protect versions, administrators had to restore the data first and then bring up the VMs.

“When you get the Spectrum Protect suite, you can also leverage more advanced features like tiering to the cloud and tiering to tape,” Kerns said. “And the unique thing about the file-level search is you can do it across all VMs, whether it’s VMware or Hyper-V.”