Decipher (https://decipher.sc). Decipher is an independent editorial site that takes a practical approach to covering information security. Through news analysis and in-depth features, Decipher explores the impact of the latest risks and provides informative and educational material for readers curious about how security affects our world. Mon, 18 Nov 2019 00:00:00 -0500. Contact: info@decipher.sc (Amy Vazquez). Copyright 2019.

US Government Has Stopped Warrantless Collection of Phone Data | Dennis Fisher (dennis@decipher.sc) | https://duo.com/decipher/us-government-has-stopped-warrantless-collection-of-phone-data | Mon, 18 Nov 2019 00:00:00 -0500

When the United States Supreme Court ruled last year that Fourth Amendment protections apply to location data on mobile devices, it was hailed as a significant privacy victory for individuals. But what wasn’t clear is how intelligence and law enforcement agencies would handle the ruling when it came to using their authority under Section 215 of the PATRIOT Act to collect phone location data.

Now the Office of the Director of National Intelligence has sent a letter to a senior member of the Senate Select Committee on Intelligence confirming that the intelligence community and the Department of Justice have not been collecting mobile device location data under Section 215 since the ruling in June 2018. That section gives agencies the authority to gather information, including some telephone record information, as part of national security investigations under the Foreign Intelligence Surveillance Act. That power has been highly controversial for many years, and privacy advocates and some legislators have been pushing for Section 215 to be reformed to provide better privacy protections for individuals.

Last year, the Supreme Court ruled in Carpenter v. United States that mobile phone location records are afforded Fourth Amendment protections. In a letter responding to questions from Sen. Ron Wyden (D-Ore.), Assistant DNI for Legislative Affairs Benjamin Fallon said that the intelligence community has stopped collection of those records, including cell site location information (CSLI), under Section 215.

“While neither the Department of Justice nor the Intelligence Community has reached a legal conclusion as to whether the ‘traditional’ Title V provision may be used to obtain CSLI in light of Carpenter, given the significant constitutional and statutory issues the decision raises for use of that authority to obtain such data, the Intelligence Community has not sought CSLI records or global positioning system (GPS) records pursuant to Title V of FISA since Carpenter was decided,” the letter says.

Both GPS and CSLI records can be used to reconstruct the historical location and movements of an individual’s device, which raises serious privacy concerns. In July, Wyden sent a letter to Dan Coats, who was then the DNI, asking how the Carpenter ruling affected the intelligence community’s ability to collect CSLI. The response from Fallon makes clear that for right now, intelligence agencies are not collecting that information under Section 215, but that does not preclude the government from getting that data with a warrant.

Wyden said the decision not to use Section 215 to gather CSLI data should be codified in law.

“The Intelligence Community has now publicly revealed that, since the Supreme Court decision more than a year ago, it hasn’t used Section 215 of the PATRIOT Act to track Americans,” Wyden said in a statement.

“At the same time, the government is hedging its bets by not formally acknowledging that the Supreme Court case applies to intelligence surveillance. The Supreme Court has confirmed that tracking our movements without a warrant is unconstitutional. Now that Congress is considering reauthorizing Section 215, it needs to write a prohibition on warrantless geolocation collection into black-letter law. As the past year has shown, Americans don’t need to choose between liberty and security – Congress should reform Section 215 to ensure we have both.”

New Variant of ZombieLoad Bypasses Intel Mitigations | Dennis Fisher (dennis@decipher.sc) | https://duo.com/decipher/new-variant-of-zombieload-bypasses-intel-mitigations | Thu, 14 Nov 2019 00:00:00 -0500

When security researchers at Graz University of Technology in Austria first discovered a new set of speculative execution attacks on Intel processors in April, the team worked with the vendor on mitigations and fixes before disclosing the attacks a few weeks later. It turns out those fixes were not completely effective, and the researchers have now disclosed a new variant of their ZombieLoad attack that works on Intel processors that have hardware mitigations in place.

The new version of ZombieLoad affects several different Intel CPUs used in mobile devices, servers, desktops, and workstations, and the TU Graz team discovered that they could bypass the mitigations Intel put in place and use the attack to steal sensitive information from the processors under certain conditions. Intel has developed new mitigations and released firmware updates for the affected processors, which include some Intel Core, Xeon, and Pentium chips.

“With November 14th, 2019, we present a new variant of ZombieLoad that enables the attack on CPUs that include hardware mitigations against MDS in silicon. With Variant 2 (TAA), data can still be leaked on microarchitectures like Cascade Lake where other MDS attacks like RIDL or Fallout are not possible. Furthermore, we show that the software-based mitigations in combinations with microcode updates presented as countermeasures against MDS attacks are not sufficient,” the researchers said.

ZombieLoad is a specific type of side-channel attack that takes advantage of a feature in modern processors called speculative execution, which lets the processor save tiny amounts of time by executing instructions it predicts a program will need before the program actually asks for them. In some cases, a malicious program may be able to recover, after the fact, data that those speculatively executed operations touched, and so gain access to sensitive information such as encryption keys or passwords. The new variant of the attack takes advantage of weaknesses in Intel’s Transactional Synchronization Extensions, and Intel said in an advisory on the attack that only processors that support TSX are vulnerable.

“Intel TSX supports atomic memory transactions that are either committed or aborted. When an Intel TSX memory transaction is aborted, either synchronously or asynchronously, all earlier memory writes inside the transaction are rolled back to the state before the transaction start. While an Intel TSX asynchronous abort (TAA) is pending, certain loads inside the transaction that are not yet completed may read data from microarchitectural structures and speculatively pass that data to dependent operations. This may cause microarchitectural side effects, which can later be measured to infer the value of the data in the microarchitectural structures,” Intel’s advisory says.

The research team from TU Graz who discovered the vulnerabilities and developed the ZombieLoad attack includes Moritz Lipp, Daniel Gruss, and Michael Schwarz, and they presented their findings at the ACM Conference on Computer and Communications Security this week in London. In their technical paper, they present several potential attack scenarios for the new variant of ZombieLoad, all of which are predicated on the attacker being able to run code on the target machine.

“In the cross-process user-space scenario, an unprivileged attacker leaks values loaded or stored by another concurrently running user-space application. We consider such a cross-process scenario most dangerous for end users. Many secrets are likely to be found in user-space applications such as browsers. The attacker is co-located with the victim on the same physical but a different logical CPU core, a common case for hyperthreading,” the paper says.

Side-channel attacks such as ZombieLoad are complex, time-consuming, and difficult to execute. But that does not mean they’re out of reach for skilled attackers. The TU Graz researchers said they don’t have any evidence of the ZombieLoad attack being used in the wild, but both the researchers and Intel urged customers to install the firmware updates to mitigate the new technique.

Firms Increasingly Affected by Breaches at Other Organizations | Fahmida Y. Rashid (fahmida@decipher.sc) | https://duo.com/decipher/firms-increasingly-affected-by-breaches-at-other-organizations | Wed, 13 Nov 2019 00:00:00 -0500

The world is more interconnected than ever, and that network of dependencies means when an organization experiences a security incident, so do other downstream organizations in the supply chain.

Cyentia Institute analyzed historical data from the cyber-loss database Advisen and found 813 incidents that involved at least three organizations. These incidents could be linked to 5,437 loss events at other organizations in the supply chain, a clear indicator that focusing on the number of records breached in an incident tells only part of the story. These “ripple events” are different from traditional security breaches because they spawn secondary loss events affecting thousands of organizations, said Cyentia Institute.

“As an industry, we’ve waited far too long to address the interconnected nature of today’s risk landscape,” said Wade Baker, founder of Cyentia Institute.

Ripple events are aptly named because the complex network of third-party dependencies and exposures means something happening to one entity has cascading effects on others, much like the ripples in the water grow wider when a stone is thrown. On average, ripple events impact fewer than 10 firms beyond the original victim, but some were wider. The largest ripple event in the analysis impacted 131 organizations.

Some of the more significant breaches over the past year or so would be considered multi-party incidents. In May, the American Medical Collection Agency disclosed a breach that compromised personal information of over 24 million individuals. Other companies had provided AMCA with the data for debt collection, and these companies were “caught up in the fallout” of AMCA’s breach even though their own systems were intact. Cyentia’s analysis found that 29 entities suffered known loss events in the wake of the AMCA breach. AMCA’s parent company filed for bankruptcy protection, and several of the organizations that worked with AMCA now face lawsuits and investigations.

Magecart is another example of how incidents can cascade as a result of the “diverse and sprawling nature of third-party relationships.” The criminal collective compromised two third-party plugins used on Ticketmaster’s website for payment processing, allowing the group to siphon off credit card numbers of Ticketmaster customers. The compromised plugins also gave the group a way into other retailers that used them, letting it work through other organizations.

"Most breach research doesn’t explain the downstream impact of ripple events and that these incidents no longer simply impact a single organization," said Kelly White, CEO and co-founder of RiskRecon. RiskRecon sponsored the report.


Collection agencies, banks and lending organizations, credit bureaus, government offices, and IT firms accounted for half of the organizations that generated ripple events. They are also among the organizations most often impacted by these events. Hotels and hospitals are also frequently affected. These happen to be the industry sectors with the highest concentration of personal data, and organizations in these sectors tend to have large digital footprints and maintain extensive third-party relationships.

Multi-party loss events resulted in financial losses 13 times larger than those of traditional single-party incidents, Cyentia said in its analysis. However, there was little difference between the losses reported by the original victim and the losses reported by each secondary victim.

“Another firm’s breach could impact your organization just as much (or worse) than a breach of your own systems,” Cyentia said.

Ripple events are becoming more common, and the frequency is expected to continue to rise because the hyper-interdependency among organizations is not going away anytime soon. Financial and business support sectors tend to have more intricate digital supply chains and information flows, Cyentia said, so organizations in those sectors should consider “extra spend on identifying and managing your portfolio of third-party relationships.”

The point of the analysis wasn’t that third-party relationships are bad, but rather that third-party management programs—especially those that go beyond just vendor contracts and relationship management—are important, regardless of company size.

“Many—perhaps even most—cyber-incidents impact organizations beyond the central victim to some degree,” Cyentia wrote, noting that the analysis showed that “we as a community need to be more aware of and more actively managing this risk.”

Decipher Podcast: Chris Wysopal | Dennis Fisher (dennis@decipher.sc) | https://duo.com/decipher/decipher-podcast-chris-wysopal | Tue, 12 Nov 2019 00:00:00 -0500

Chris Wysopal, member of the legendary hacker collective the L0pht and co-founder and CTO of Veracode, joins Dennis Fisher to dive into the deep end of the application security pool and discuss the company's new State of Software Security report.

TLS Delegated Credentials to Protect Private Keys on Web Servers | Fahmida Y. Rashid (fahmida@decipher.sc) | https://duo.com/decipher/tls-delegated-credentials-to-protect-private-keys-on-web-servers | Tue, 12 Nov 2019 00:00:00 -0500

Large websites like Facebook operate multiple web servers around the world to support all the users—too few servers and the site will not be able to handle the volume of users, and if they are not geographically distributed, some users will have lag and degraded user experience.

Companies operating large website setups or relying on content delivery networks face a specific challenge if they want to support HTTPS for those sites. Transport Layer Security (TLS) relies on digital certificates issued by a certificate authority, together with public/private key pairs, to make HTTPS possible. Large websites have to put a copy of the site’s private key on each web server. Anyone hosting an HTTPS site on a CDN would have to upload the site’s private key, and the CDN would distribute the key to all its servers. That is a lot of copies of the private key floating around, and an attacker needs to breach only one of those servers to steal it. With the key, the attacker can impersonate any web server used by the company and intercept user traffic to that website until the certificate expires.

To tackle this TLS security challenge, Facebook, Mozilla, and Cloudflare proposed TLS Delegated Credentials, a new security protocol currently being considered for standardization at the Internet Engineering Task Force (IETF). Designed to work as an extension to TLS 1.3, TLS Delegated Credentials is intended for large website operations such as Facebook, or sites using CDNs such as Cloudflare.

The TLS Delegated Credentials extension allows site owners to create and deploy short-lived TLS private keys to these servers instead of the certificate’s real private key.

Called delegated credentials, these keys live up to seven days and can be rotated automatically once they expire. If an attacker somehow steals the private key from a web server, what the attacker actually has is the delegated credential’s key, not the real private key. That delegated credential works for just a few days, which is better than the months (or a year) for which the real TLS private key is valid. A new key can be created and pushed out to the TLS servers before the current delegated credential expires, which lets site owners keep up with the short expiration windows.

“They [delegated credentials] work like a power of attorney: your server authorizes our server to terminate TLS for a limited time,” Cloudflare’s head of research Nick Sullivan and cryptography engineer Watson Ladd wrote. “When a browser that supports this protocol connects to our edge servers we can show it this ‘power of attorney’, instead of needing to reach back to a customer’s server to get it to authorize the TLS connection,” Sullivan and Ladd said.

In current TLS setups, if a certificate’s private key is stolen before its expiration date, the server operator can either just wait out the clock for the certificate to expire, or have the certificate authority revoke the certificate. Even if a certificate has been revoked, each browser (and client device) has its own mechanism for learning what certificates are no longer valid—making certificate revocation a complicated process. This is partly why there has been a push to shorten certificate validity periods so that site operators don’t have to rely on revocation to protect themselves.

“The shorter the certificate lifetime, the less likely a certificate will need to be revoked before it expires,” wrote Facebook engineers Subodh Iyengar, Kyle Nekritz, and Alex Guzman.

TLS delegated credentials are generated by the site operator and not the certificate authority, so the site owner doesn’t have to depend on the CA to issue new keys every few hours. A delegated credential is composed of the delegated key’s public key and its expiration time, and it is signed with the private key of the leaf certificate obtained from the CA, then bundled with that certificate. The delegated credential has its own public key with which to establish secure connections and does not need the real TLS private key.

Site owners don’t have to put the real private key on each web server, since they can use the delegated credentials instead. Even if an attacker successfully compromises a server and steals the delegated key held there, the other web servers are still safe from man-in-the-middle attacks.
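The issue-and-verify cycle the article describes, as an added illustration that is not code from the article, the draft, or any of the companies involved: a simplified model in Go in which the leaf certificate’s private key signs (expiry, delegated public key), the edge server signs the handshake with only the delegated key, and the client refuses a credential that is expired, claims more than seven days, or is not signed by the leaf key. The Ed25519 keys, the serialization in toBeSigned, and the "handshake transcript" bytes are assumptions made for the example; the real draft defines its own wire format and signature context.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// MaxValidity is the seven-day ceiling the article gives for a delegated credential.
const MaxValidity = 7 * 24 * time.Hour

// DelegatedCredential is a simplified model (not the draft's wire format): the
// delegated key's public half plus an expiry, signed by the leaf certificate's key.
type DelegatedCredential struct {
	ValidUntil time.Time
	PublicKey  ed25519.PublicKey
	Signature  []byte
}

// toBeSigned serialises what the leaf key signs: big-endian expiry seconds
// followed by the delegated public key (an assumed layout for this example).
func toBeSigned(validUntil time.Time, pub ed25519.PublicKey) []byte {
	buf := make([]byte, 8, 8+len(pub))
	binary.BigEndian.PutUint64(buf, uint64(validUntil.Unix()))
	return append(buf, pub...)
}

// Issue runs wherever the site owner keeps the real leaf private key. It mints a
// fresh delegated key pair and returns the credential (for the edge server to
// present to clients) and the delegated private key (for the edge server to hold).
func Issue(leafPriv ed25519.PrivateKey, now time.Time, lifetime time.Duration) (DelegatedCredential, ed25519.PrivateKey, error) {
	if lifetime <= 0 || lifetime > MaxValidity {
		return DelegatedCredential{}, nil, errors.New("lifetime must be positive and at most seven days")
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return DelegatedCredential{}, nil, err
	}
	validUntil := now.Add(lifetime)
	dc := DelegatedCredential{
		ValidUntil: validUntil,
		PublicKey:  pub,
		Signature:  ed25519.Sign(leafPriv, toBeSigned(validUntil, pub)),
	}
	return dc, priv, nil
}

// Verify is the client side: the credential must be unexpired, must not claim
// more than seven days of validity, and must carry a signature from the key in
// the leaf certificate the server also presented.
func Verify(leafPub ed25519.PublicKey, dc DelegatedCredential, now time.Time) error {
	if !now.Before(dc.ValidUntil) {
		return errors.New("delegated credential has expired")
	}
	if dc.ValidUntil.Sub(now) > MaxValidity {
		return errors.New("delegated credential claims more than seven days of validity")
	}
	if !ed25519.Verify(leafPub, toBeSigned(dc.ValidUntil, dc.PublicKey), dc.Signature) {
		return errors.New("delegated credential is not signed by the leaf certificate key")
	}
	return nil
}

// SignHandshake is what the edge server does with the delegated private key in
// place of the real one: it signs the handshake transcript (constructed here).
func SignHandshake(delegatedPriv ed25519.PrivateKey, transcript []byte) []byte {
	return ed25519.Sign(delegatedPriv, transcript)
}

func main() {
	leafPub, leafPriv, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()

	dc, edgePriv, err := Issue(leafPriv, now, 3*24*time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Println("fresh credential:", Verify(leafPub, dc, now))
	fmt.Println("four days later:", Verify(leafPub, dc, now.Add(4*24*time.Hour)))

	// The edge server never touches leafPriv; a client checks the transcript
	// signature against the public key carried inside the credential.
	transcript := []byte("constructed handshake transcript")
	sig := SignHandshake(edgePriv, transcript)
	fmt.Println("handshake signature valid:", ed25519.Verify(dc.PublicKey, transcript, sig))
}
```

The point of the split is visible in the code: leafPriv appears only in Issue, which the site owner runs centrally, while the edge server holds edgePriv and the credential. A stolen edgePriv is worth at most the remaining days before ValidUntil, which Verify enforces on the client side without any revocation lookup.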

Mozilla implemented support for TLS delegated credentials in the Nightly versions of Firefox. The configuration can be activated through about:config via the security.tls.enable_delegated_credentials option. Mozilla has also set up a test site to show how the experience would look from the user’s perspective.

“As gratifying as it can be to solve a problem for ourselves and our customers, it can be even more gratifying to solve a problem for the entire Internet,” Cloudflare’s Sullivan and Ladd wrote.

Macs Storing Copies of Encrypted Messages from Apple Mail | Fahmida Y. Rashid (fahmida@decipher.sc) | https://duo.com/decipher/macs-storing-copies-of-encrypted-messages-from-apple-mail | Mon, 11 Nov 2019 00:00:00 -0500

The Apple Mail app on the most recent Macs appears to be storing copies of encrypted emails in plaintext, an Apple IT specialist found. There is a way to turn this off, temporarily.

Apple’s voice assistant Siri can look at information stored on the machine and things the user has done in the past to make tailored suggestions. The suggestions feature is possible because the operating system collects information from various Apple applications, such as Spotlight, Mail, and Messages, and stores them in special database files. The information is used for things like news personalization and Siri recommendations.

One such database file contains copies of emails sent by Apple Mail, including encrypted messages, Bob Gendler, an Apple IT specialist, wrote on Medium last week. He could read S/MIME encrypted emails sent using Apple Mail in the snippets.db database file without needing his private key to first decrypt the message.

"Secret or top-secret information, which was sent encrypted, would be exposed via this process and database, as would trade secrets and proprietary data," Gendler said.

Necessary Context

An app storing copies of encrypted data as plaintext is problematic, but proper framing is still important. In this case, several things have to be true for the issue to be a problem: the Mac user has to be sending encrypted emails with Apple Mail, and also not be using FileVault to encrypt the entire disk.

This issue affects just a small segment of Mac users.

Add in the fact that someone interested in those plaintext copies will still need a way to access system files on the machine and the risk seems less immediate.

This may be why Apple hasn’t pushed out a fix yet, despite having known about the issue since July and having rolled out several operating system updates since then. Apple told The Verge the fix will be in a future software update—but did not provide any other details.

Even so, this feels like an unforced error by Apple, a company that has staked out a reputation as the tech firm that cares most about user privacy. If nothing else, providing the temporary workaround sooner would have been helpful.

“It brings up the question of what else is tracked and potentially improperly stored without you realizing it,” Gendler said.

Shadow Contacts

Another database file, entities.db, contained contact information such as names, email addresses, and phone numbers that were collected from email messages—from signature blocks and forwarded messages, for example.

The presence of an automatically built address book “could be touchy, as it may allow quick and easy access to some potentially sensitive information,” Gendler said.

It doesn’t matter if Siri is not enabled on the machine. The machine is still collecting the information so that if Siri ever gets enabled, the reference data is ready to go. This is counterintuitive—it is reasonable to expect that disabling Siri would disable data collection for Siri. Gendler said he observed this behavior on the four most recent Mac releases—Catalina, Mojave, High Sierra, and Sierra.

"This is a big deal for governments, corporations and regular people who use encrypted email and expect the contents to be protected," Gendler wrote.

Apple also told The Verge that only portions of emails are stored, but that itself isn’t very reassuring. The copying defeats the purpose of utilizing and sending an encrypted message in the first place.

Gendler was unable to confirm whether information from these database files was sent to iCloud when users have both iCloud and Siri enabled.

Stopping Collection

Apple provided Gendler with a workaround earlier this month, stating that it was possible to tell Siri to not learn from specific apps. That setting is under System Preferences > Siri > Siri Suggestions & Privacy > Mail. Toggling off Learn from this App will ensure that Siri will not be making copies of messages sent by Apple Mail.

Fixing it checkbox by checkbox is not scalable for administrators managing a fleet of Macs. A future update could also potentially re-enable the feature. Gendler created a configuration script to "permanently disable" the feature.

“For an operating system that you generally have to change controls to make it less secure, this is a setting that requires you to set to make it more secure and behave correctly,” Gendler said.

Disabling the learning setting just prevents new messages from being added to the database file. To remove older messages that have already been collected, users will need to delete the snippets.db file from /Users/(username)/Library/Suggestions/.

Gendler noted that there are some protections in place so that the information is not completely exposed, such as turning on FileVault to encrypt everything on the disk. System Integrity Protection is enabled by default, so bash and Python scripts can't be used to read the contents of the database files.

"So there are protections in place and even a way to stop it, but it’s still an incorrect behavior because even with Siri enabled or disabled it should not be storing encrypted messages completely unencrypted," Gendler said.

Microsoft Warns of Possible Further BlueKeep Exploits | Dennis Fisher (dennis@decipher.sc) | https://duo.com/decipher/microsoft-warns-of-possible-further-bluekeep-exploits | Fri, 08 Nov 2019 00:00:00 -0500

In May, Microsoft released a patch for CVE-2019-0708, the dangerous vulnerability in Remote Desktop Services known as BlueKeep. The worm that some researchers feared might appear to exploit the bug on a mass scale hasn’t materialized, but in the last few days someone has begun running an exploit against unpatched systems to install a cryptominer, and Microsoft is warning customers that more serious exploitation may be on the way.

The exploit attempts began showing up in security researcher Kevin Beaumont’s honeypots last week, crashing the systems he had set up specifically to monitor for BlueKeep attacks. The exploit turned out to be a module for the Metasploit framework, but it was a little shaky and so was causing the honeypots to crash and reboot. The end goal of the exploit attempts was to install a cryptominer, and Beaumont got in touch with both Microsoft and Marcus Hutchins, a researcher at KryptosLogic, who began investigating the attacks. Microsoft’s team discovered some connections between the BlueKeep exploits and a campaign from September.

“After extracting indicators of compromise and pivoting to various related signal intelligence, Microsoft security researchers found that an earlier coin mining campaign in September used a main implant that contacted the same command-and-control infrastructure used during the October BlueKeep Metasploit campaign, which, in cases where the exploit did not cause the system to crash, was also observed installing a coin miner,” Microsoft’s analysis says.


“This indicated that the same attackers were likely responsible for both coin mining campaigns—they have been actively staging coin miner attacks and eventually incorporated the BlueKeep exploit into their arsenal.”

After the initial analysis, the server running the coin-mining operation was taken offline, but Beaumont found that the attackers have set up a new one that’s still operating. The cryptomining attacks are more of a nuisance than anything else, but they have clearly demonstrated the ability of attackers to exploit the BlueKeep vulnerability, and there are still hundreds of thousands of unpatched systems exposed to the Internet. Although the current BlueKeep exploit is somewhat unstable, Microsoft’s analysts warn that there’s a good possibility it will be improved and used to deliver more dangerous payloads.

“Security signals and forensic analysis show that the BlueKeep Metasploit module caused crashes in some cases, but we cannot discount enhancements that will likely result in more effective attacks. In addition, while there have been no other verified attacks involving ransomware or other types of malware as of this writing, the BlueKeep exploit will likely be used to deliver payloads more impactful and damaging than coin miners,” Microsoft said.

“The new exploit attacks show that BlueKeep will be a threat as long as systems remain unpatched, credential hygiene is not achieved, and overall security posture is not kept in check. Customers are encouraged to identify and update vulnerable systems immediately. Many of these unpatched devices could be unmonitored RDP appliances placed by suppliers and other third-parties to occasionally manage customer systems. Because BlueKeep can be exploited without leaving obvious traces, customers should also thoroughly inspect systems that might already be infected or compromised.”

The BlueKeep vulnerability is a remote code execution flaw in RDS that requires no authentication in order to exploit. An attacker who is able to exploit the flaw would essentially have full control over a compromised machine. Microsoft released a patch for BlueKeep on May 14 and specifically warned customers to install it as soon as possible, as the flaw was ripe for exploitation by a worm. That hasn’t happened yet, but Beaumont doesn’t discount the possibility of one appearing at some point.

“If somebody makes a reliable worm for this vulnerability — which to be clear has not happened here — expect global consequences as it will then spread inside internal networks,” Beaumont wrote in his analysis of the attacks.

The Future is Encrypted | Dennis Fisher (dennis@decipher.sc) | https://duo.com/decipher/the-future-is-encrypted | Thu, 07 Nov 2019 00:00:00 -0500

A fight is brewing in Washington over the move by large Internet companies to implement DNS over HTTPS, with Mozilla asking Congress to investigate the actions of ISPs that are pushing back against the use of a technology that prevents them from seeing users’ DNS queries.

In a letter sent Monday, Mozilla officials said that industry associations representing ISPs and telecom providers have been disingenuous in their lobbying efforts against the implementation of DoH. The idea behind DoH is to preserve the privacy of individuals’ DNS queries by running them through an HTTPS tunnel from the client to the DNS resolver. The standard is designed to prevent entities sitting along the route from the client to the DNS resolver from being able to snoop on or alter those queries. The idea has been around for several years and recently both Mozilla and Google have announced experiments to use DoH in their browsers.
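To make concrete what "running DNS queries through an HTTPS tunnel" changes on the wire, here is an added example in Go (not code from the article, Mozilla, or Google). It builds a standard DNS query message, shows the name that any on-path observer can read from that message when it travels over plain UDP/53, and then wraps the same message the way the DoH GET method does: base64url, unpadded, in the dns parameter of the resolver URL, where it sits inside TLS. The resolver template https://dns.example/dns-query is a constructed placeholder; the RFC 8484 GET shape, the application/dns-message media type, and the use of DNS ID 0 are real parts of that standard.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// Record types used below (RFC 1035 / RFC 3596 values).
const (
	TypeA    uint16 = 1
	TypeAAAA uint16 = 28
)

// BuildQuery produces a minimal DNS query in wire format: a 12-byte header with
// RD set and QDCOUNT=1, then one question for name/qtype in class IN. The ID is
// left at zero, which RFC 8484 recommends for DoH so identical queries cache.
func BuildQuery(name string, qtype uint16) ([]byte, error) {
	msg := []byte{
		0x00, 0x00, // ID
		0x01, 0x00, // flags: RD=1
		0x00, 0x01, // QDCOUNT
		0x00, 0x00, // ANCOUNT
		0x00, 0x00, // NSCOUNT
		0x00, 0x00, // ARCOUNT
	}
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		if len(label) == 0 || len(label) > 63 {
			return nil, fmt.Errorf("invalid DNS label %q", label)
		}
		msg = append(msg, byte(len(label)))
		msg = append(msg, label...)
	}
	msg = append(msg, 0x00) // root label terminates the name
	var tail [4]byte
	binary.BigEndian.PutUint16(tail[0:2], qtype)
	binary.BigEndian.PutUint16(tail[2:4], 1) // class IN
	return append(msg, tail[:]...), nil
}

// QuestionName extracts the queried name from a wire-format query. Run over a
// plaintext UDP/53 packet, this is exactly what an on-path observer learns; with
// DoH the same bytes sit inside a TLS record and are not visible to it.
func QuestionName(msg []byte) (string, error) {
	if len(msg) < 12 {
		return "", errors.New("message shorter than DNS header")
	}
	var labels []string
	i := 12
	for {
		if i >= len(msg) {
			return "", errors.New("truncated name")
		}
		n := int(msg[i])
		i++
		if n == 0 {
			break
		}
		if n > 63 || i+n > len(msg) {
			return "", errors.New("invalid label length")
		}
		labels = append(labels, string(msg[i:i+n]))
		i += n
	}
	return strings.Join(labels, "."), nil
}

// DoHGetURL wraps the query the way RFC 8484's GET method does: the raw message,
// base64url-encoded without padding, in the "dns" parameter of the resolver's
// URI template. The template is whatever resolver the client is configured with.
func DoHGetURL(resolverTemplate string, query []byte) string {
	return resolverTemplate + "?dns=" + base64.RawURLEncoding.EncodeToString(query)
}

func main() {
	q, err := BuildQuery("example.com", TypeA)
	if err != nil {
		panic(err)
	}
	name, _ := QuestionName(q)
	fmt.Printf("plaintext DNS exposes: %s (%d-byte message)\n", name, len(q))
	// Constructed resolver template; dns.example is a reserved example name.
	fmt.Println("DoH request: GET", DoHGetURL("https://dns.example/dns-query", q))
	fmt.Println("sent and answered as: application/dns-message")
}
```

What moves is visibility, not the query itself: the bytes from BuildQuery are identical in both cases, but the DoH form reaches the network only as an HTTPS request to the resolver, so an intermediary sees the resolver's address and TLS metadata rather than the name. That is also why the enterprise concern at the end of the article exists: a network that inspected DNS to spot unwanted lookups loses that signal unless it controls the resolver.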

Those efforts have drawn the ire of ISPs and several trade associations, which contend that DoH implementations, especially Google’s, will result in all DNS data being concentrated in the hands of a small number of providers. In September, three trade associations sent a letter to members of both the House of Representatives and the Senate asking them to investigate Google’s move to implement DoH in Chrome and Android.

“By interposing itself between DNS providers and the users of the Chrome browser (> 60% worldwide share) and Android phones (> 80% worldwide share of mobile operating systems), Google would acquire greater control over user data across networks and devices around the world. This could inhibit competitors and possibly foreclose competition in advertising and other industries,” the letter from the NCTA, CTIA, and US Telecom says.

“Moreover, the centralized control of encrypted DNS threatens to harm consumers by interfering with a wide range of services provided by ISPs (both enterprise and public-facing) and others.”

The ISPs have a vested interest in keeping DoH from becoming the norm, though. Commercial service providers act as a man in the middle between individual users and the web and can see any DNS queries users send. Those queries contain information about users’ interests that is quite valuable to advertisers. But if the queries are encrypted, the ISPs lose their visibility into users’ habits and the sites they’re visiting, and also the ability to monetize that information.

“The motivating concern for using DoH is that the ISPs are actively tracking you and looking at the DNS queries and seeing all of the sites you’re visiting and monetizing that. They treat it basically like ad tech,” said Tom Ptacek, a veteran security researcher and principal at Latacora, which provides security teams to startups.

In its letter, sent to many of the same members of Congress, Mozilla said the telecom associations are misrepresenting the way DoH works and why they’re opposed to its use.

“That letter contained a number of factual inaccuracies. These have been examined in detail by others and as such will not be given an in-depth treatment here. Nonetheless, it is important to highlight the underlying premise of that letter: telecommunications associations are explicitly arguing that ISPs need to be in a position to collect and monetize users’ data. This is inconsistent with arguments made just two years earlier regarding whether privacy rules were needed to govern ISP data use,” the letter from Marshall Erwin, senior director of trust and security at Mozilla, said.


Mozilla and Google have different implementations of DoH, and neither one centralizes DNS requests on resolvers those companies own by default. Mozilla’s implementation uses the DNS service from Cloudflare, and as part of that partnership Cloudflare agreed to a tight privacy policy. Google’s implementation in Chrome, meanwhile, upgrades to DoH only when the resolver the user already has configured is known to support it, and otherwise keeps using conventional DNS rather than switching to Google’s own servers.

The use of DoH has support among privacy and digital rights activists, as well.

“This is a game-changer for Internet users around the world, and is crucial for human rights workers, activists, journalists, and dissidents whose online activities are under surveillance,” said Max Hunter, engineering director at the Electronic Frontier Foundation. “We hope to see Congress step up and fully support systemic deployment of DoH.”

Though it has a number of benefits, by no means is DoH a cure-all for Internet privacy and security concerns. It’s one link in a long and complex chain that requires trust and cooperation among many parties, and those relationships can be tenuous, especially in enterprise environments. Because it encrypts DNS queries, DoH masks a class of outbound traffic that enterprise networks routinely inspect. It also protects only the lookup itself: the addresses a client subsequently connects to, and any server name sent in the clear during a TLS handshake, remain visible to the network.

“Purely on a technical level, if you’re an individual and not an enterprise, it makes sense. But you lose a tremendous amount of visibility with DNS over HTTPS in a corporate network,” said Kenn White, a security researcher who focuses on cryptography and is a co-director of the Open Crypto Audit Project.

“In the context of a corporate network that’s where it gets tricky. You want every tool possible to have visibility into your network and so the questions around visibility with DNS over HTTPS are legitimate ones.”

Even with those potential limitations, there are plenty of benefits to be had by protecting DNS queries from eavesdropping.

“It seems pretty clear that Mozilla and Google are on the right side of this. Normal people would want their DNS queries to be encrypted. Who wouldn’t want that? DNS over HTTPS is an unalloyed good thing,” Ptacek said.

<![CDATA[Online Privacy Act Would Create Federal Privacy Agency]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/online-privacy-act-would-create-federal-privacy-agency https://duo.com/decipher/online-privacy-act-would-create-federal-privacy-agency Wed, 06 Nov 2019 00:00:00 -0500

Two Silicon Valley legislators have introduced a new privacy bill in the House of Representatives that would create an independent privacy agency and place significant restrictions on the kinds and amount of personal data companies can collect and what they can do with that information while they have it.

The Online Privacy Act, introduced Tuesday by Reps. Zoe Lofgren and Anna Eshoo, would establish the Digital Privacy Agency (DPA), a new federal bureau that would have the authority to issue regulations and enforce them through stiff fines. That agency would be the first of its kind in the United States and would centralize the creation and enforcement of privacy regulations, which currently are scattered across a patchwork of agencies and statutes. The U.S. does not have a federal privacy law that protects individuals’ rights, though the Federal Trade Commission has some authority to impose fines on companies for certain privacy violations. Under the terms of the proposed bill, the DPA would have the authority to issue fines of up to $42,530 for each individual violation, and state attorneys general also would have the authority to bring civil suits against companies that violate the privacy regulations.

The new bill is heavily focused on setting out strict requirements for how companies can collect, use, and transfer individuals’ data. It requires organizations to spell out in plain language why they need to collect specific types of data and to minimize to the greatest extent possible the amount of data they gather, store, and disclose. It also prohibits companies from selling or disclosing personal information without consent, using third-party data to re-identify people, or processing data in a way that violates civil rights. The bill requires companies to have easily understandable privacy policies and user consent processes, as well.

The Online Privacy Act includes a number of provisions that give individuals more control over the ways in which their data is used and collected. For example, companies are required to give users a mechanism through which they can correct, delete, and transfer their own data. Individuals also would have the right to decide how long a company can hold their data.

“Our country urgently needs a legal framework to protect consumers from the ever-growing data-collection and data-sharing industries that make billions annually off Americans’ personal information,” said Lofgren.

“Privacy for online consumers has been nonexistent – and we need to give users control of their personal data by making legitimate changes to business practices. The Online Privacy Act creates a robust framework that balances the actual needs of businesses with fair privacy rights and expectations for users.”


The Online Privacy Act joins a crowded field of pending privacy bills at various stages in both the House and the Senate. In October, Sen. Ron Wyden (D-Ore.) introduced his Mind Your Own Business Act, which provides for the creation of a centralized Do Not Track database to allow people to opt out of sharing data with third parties. And last year, a large group of senators introduced the Data Care Act, which has some similarities with the Online Privacy Act, but would give enforcement authority to the FTC. None of those bills, including the Online Privacy Act, would apply to federal government agencies.

Privacy advocates have shown strong support for the creation of a separate privacy agency in the past. In April, the Electronic Privacy Information Center (EPIC) sent a letter to the Senate Committee on Commerce, Science and Transportation urging Congress to create a new independent agency to oversee data privacy. On Tuesday, EPIC officials said the Online Privacy Act hits the right notes for user privacy.

“The bill by Reps. Eshoo and Lofgren sets out strong rights for Internet users, promotes innovation, and establishes a data protection agency. This is the bill that Congress should enact,” EPIC Policy Director Caitriona Fitzgerald said.

<![CDATA[Google Unveils OpenTitan Secure Chip Project]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/google-unveils-opentitan-secure-chip-project https://duo.com/decipher/google-unveils-opentitan-secure-chip-project Tue, 05 Nov 2019 00:00:00 -0500

Google and a group of partner organizations are launching a new project to build an open-source hardware root of trust, aiming to provide a secure chip for cloud providers, data center operators, and others to use in high-performance environments.

For years, Google has used its own custom-built chip called Titan in the servers that populate its data centers around the world. The Titan chip is a tiny secure microcomputer that serves a number of purposes in Google’s cloud servers, most importantly to ensure that servers boot from a known secure state and that the code they run is cryptographically verified. Google designs and builds its own servers and the Titan chip is built to Google’s own specifications, as well. The company has a version of the chip, called the Titan M, in some of its Pixel Android phones, as well.

The new project that Google launched Tuesday is called OpenTitan and it’s a collaboration with several technology partners, including Western Digital and ETH Zurich, a technical university in Switzerland. The aim is to provide an open source specification for a secure silicon design, and the chip will be based on the Ibex open source processor from ETH Zurich. The project will be managed by lowRISC, a not-for-profit company in the UK that has its own engineering staff that will collaborate with Google and the other OpenTitan partners.

“OpenTitan is an active engineering project staffed by a team of engineers representing a coalition of partners who bring ideas and expertise from many perspectives. We are transparently building the logical design of a silicon RoT, including an open source microprocessor (the lowRISC Ibex, a RISC-V-based design), cryptographic coprocessors, a hardware random number generator, a sophisticated key hierarchy, memory hierarchies for volatile and non-volatile storage, defensive mechanisms, IO peripherals, secure boot, and more. With OpenTitan, a coalition of partners have come together to deliver a more open, transparent, and high-quality RoT,” Royal Hansen, vice president at Google, and Dominic Rizzo, OpenTitan lead at Google Cloud, said in a post.

Although software-based attacks are far more prevalent than those targeting hardware, high-level attack groups are known to have capabilities against hardware systems, as well. Some APT groups have been successful in targeting vulnerabilities in specific hardware platforms and processors, and there are other concerns about hardware security as well. The last couple of years have seen a steady string of revelations about speculative-execution side-channel weaknesses such as Spectre and Meltdown in widely used processors, which allow attackers to extract secret information through complex but practical attacks.

But perhaps the most difficult problem related to hardware security is supply chain attacks. Hardware devices such as phones and laptops comprise a large number of individual components, which often are designed and built by many different companies and then eventually assembled into their final form. The various suppliers and manufacturers could be in several different countries, and keeping tight control and oversight of the processes and security protocols in all of those facilities can be next to impossible. Compromising one of the links in that chain to insert a small change could allow an adversary to gain access to a target line of devices.

By developing and publishing an open design specification for the OpenTitan chip, Google and its partners are hoping to take some of the concerns about deep-seated security vulnerabilities off the table.

“OpenTitan monitors the computer as it starts up – in what is known as the boot process. Like a newborn baby, a computer requires special protection in the seconds after it is switched on. The 'firmware' – that is, the software that controls the boot process – is active before the antivirus software is operational, for example. Many attacks therefore target these first few seconds and attempt to compromise the firmware,” Luca Benini, a professor at the Institute for Integrated Systems at ETH Zurich, said in an interview on the university’s site.

“If this attempt succeeds, the attackers can take control of the system without being noticed. OpenTitan checks whether the code generated by the firmware matches the expected code. If it doesn’t, the boot process is terminated.”
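The principle Benini describes, checking each piece of boot code against an expected value before running it and halting if the check fails, is easiest to see in a small model. The following is an added illustration, not OpenTitan's design or code: it uses bare SHA-256 digests where a real root of trust verifies signatures against keys held in ROM or one-time-programmable memory, and the manifest layout, stage names and payload bytes are all constructed here. What it does show is why the anchor must be immutable: the only place an attacker could repoint the chain at a replacement application is a manifest that is itself measured by the stage before it.

```python
import hashlib
import hmac
import struct

# Model (assumption, not OpenTitan's actual layout): every stage image begins with a
# manifest of version (4 bytes) + SHA-256 digest of the next stage (32 bytes), followed
# by the stage payload. An immutable ROM holds the digest and minimum version of the
# first mutable stage; that pair is the root of trust.
MANIFEST = struct.Struct("!I32s")
NO_NEXT_STAGE = b"\x00" * 32


def make_image(version: int, next_digest: bytes, payload: bytes) -> bytes:
    return MANIFEST.pack(version, next_digest) + payload


def measure(image: bytes) -> bytes:
    return hashlib.sha256(image).digest()


def boot_chain(rom_anchor, images):
    """Verify each stage before handing control to it.

    rom_anchor: (expected digest of images[0], minimum accepted version).
    Returns (booted, log); the first stage that fails verification halts the boot.
    """
    expected, min_version = rom_anchor
    log = []
    for i, image in enumerate(images):
        # Constant-time compare: a partially matching digest should leak nothing via timing.
        if not hmac.compare_digest(measure(image), expected):
            log.append(f"stage{i}: digest mismatch, halting")
            return False, log
        version, next_digest = MANIFEST.unpack_from(image)
        if version < min_version:
            log.append(f"stage{i}: version {version} below minimum {min_version}, halting (anti-rollback)")
            return False, log
        log.append(f"stage{i}: verified, version {version}")
        expected = next_digest  # the stage just verified vouches for the one after it
    return True, log


def build_sample_chain(tamper=None):
    """Constructed two-stage chain (bootloader -> application) with optional tampering."""
    app = make_image(3, NO_NEXT_STAGE, b"application firmware (constructed payload)")
    loader = make_image(2, measure(app), b"bootloader (constructed payload)")
    rom_anchor = (measure(loader), 1)  # fixed in ROM/OTP before any tampering happens
    if tamper == "app":
        app = app[:-1] + bytes([app[-1] ^ 0x01])            # one bit flipped in the application
    elif tamper == "loader":
        loader = loader[:-1] + bytes([loader[-1] ^ 0x01])   # one bit flipped in the bootloader
    elif tamper == "swap-app":
        # Attacker replaces the application AND rewrites the loader manifest to vouch for it;
        # the rewritten loader no longer matches the digest in ROM.
        evil = make_image(3, NO_NEXT_STAGE, b"replacement application (constructed)")
        loader = make_image(2, measure(evil), b"bootloader (constructed payload)")
        app = evil
    return rom_anchor, [loader, app]


if __name__ == "__main__":
    for case in (None, "app", "loader", "swap-app"):
        booted, log = boot_chain(*build_sample_chain(case))
        print(case or "clean", booted, log[-1])
```

Run stand-alone, the clean chain boots and each tampered variant halts at the earliest stage whose measurement no longer matches what the previous link promised.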

The OpenTitan project code is available on GitHub now.

<![CDATA[Nikkei Hit By BEC Scam As Payments Get Larger]]> fahmida@decipher.sc (Fahmida Y. Rashid) https://duo.com/decipher/nikkei-hit-by-bec-scam-as-payments-get-larger https://duo.com/decipher/nikkei-hit-by-bec-scam-as-payments-get-larger Mon, 04 Nov 2019 00:00:00 -0500

Fraud is expensive, and it does not have to be sophisticated to succeed. Business email compromise (BEC) scams are on the rise as companies continue to fall victim to this form of social engineering.

Japanese media conglomerate Nikkei is the latest BEC victim. An employee of Nikkei America, the financial media company's United States subsidiary, was tricked into transferring ¥3.2 billion, or roughly $29 million, to a fraudulent bank account in September, Nikkei said in a statement. The employee was following “fraudulent instructions by a malicious third party” posing as a Nikkei management executive. Nikkei has notified law enforcement in both the US and Hong Kong. Although Nikkei didn't say so in the statement, Hong Kong authorities are most likely involved because the money was sent to an account at a Hong Kong-based bank. Banks located in China and Hong Kong are the "primary destinations" for stolen funds, the Federal Bureau of Investigation said in a September Public Service Announcement.

“Currently, we are taking immediate measures to preserve and recover the funds that have been transferred, and taking measures to fully cooperate with the investigations,” Nikkei said. “We are investigating and verifying the details of the facts and causes of this incident.”

The Nikkei America employee is among many victims who made the mistake of thinking the person behind the message was someone to be trusted. Just last month, the City of Ocala in Florida lost $742,000.

“You hear a lot about ransomware, but BEC is causing more damage,” said Stephen Boyer, CTO of security ratings company BitSight, who referred to BEC as a “silent killer.”

BEC refers to scams in which employees at an organization receive messages purportedly from another person in the organization, typically someone more senior, asking for money to be sent. The messages may come from a domain that looks similar to the real one, or the scammers may have compromised that person's account and sent the messages from it. The messages offer a somewhat plausible reason why the transfer has to happen immediately, and take advantage of people's tendency to trust those they believe are part of their organization.

Recently, Spanish law enforcement authorities arrested three individuals for allegedly running a BEC operation that targeted a dozen companies around the world to steal about €10 million, or $11 million. The group is believed to have used phishing emails to take over email accounts belonging to managers at targeted companies, and then sent fraudulent emails to lower-level employees requesting wire transfers. The group attached fake invoices that looked legitimate, and the wire transfers often used banks the victim companies had previously worked with. The police have recovered about €1.3 million, or $1.4 million, in stolen funds from about 16 bank accounts.

Criminals have to be creative with BEC scams as they pull together different pieces of information about the person they are pretending to be and try to convince the victims. BEC is "technically not the most advanced of the attack" but it is effective, as it is "going after the human," Boyer said.

As a form of social engineering, BEC scams are particularly effective. The FBI said BEC scams have been reported in 177 countries and fraudulent transfers have been sent to 140 countries. Based on the victim reports collected by the FBI's Internet Crime Complaint Center (IC3), BEC scams accounted for $26 billion in losses worldwide between July 2016 and July 2019. Many victims don't report being scammed, so the true amount may be even higher.

The United Kingdom's National Cyber Security Centre warned that universities and schools were increasingly being targeted. "The use of spoofed or compromised email accounts to impersonate a university’s partners or suppliers is rising," the NCSC said in September.

Insurance giant AIG said it received more claims for BEC than ransomware and data breaches in the Europe, Middle East, and Asia region in 2018. BEC-related insurance filings accounted for 23 percent of all cyber-insurance claims AIG received in 2018.

There are variations of BEC, such as whaling, which targets senior executives, and vendor email compromise (VEC), where a third party is compromised and their account is then used for the attack. In VEC, fraudsters compromise the inboxes of third-party accounts for vendors—usually by phishing—and then pretend to be the vendor.

The attackers may monitor the email communications to learn who the vendor works with, and figure out when invoices may be sent, Boyer said. They may modify the invoice template with different bank routing information, and the real vendor may not even realize the PDF file was modified. Or they may send emails directly to the victim organizations and initiate the transfer.

In the Florida incident, the scammers posed as a local construction company doing business with the city. A city senior account specialist received an email purportedly from the construction company’s accounting department requesting that its banking information be changed. The request used the city’s own form, which was filled out with all the necessary bank account information. The city employee did not realize that the email address, which had the name of the construction company employee, came from a domain with an extra 's' in the company name. When the construction company later submitted a legitimate invoice, the city paid. The funds wound up in the changed bank account, not the construction company’s actual account.

This kind of change is really hard for victims to flag as fraudulent, because they are not going to suspect anything wrong when the message is coming from a sender they may regularly interact with, from a known entity, Boyer said.
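The extra 's' in the Ocala case is exactly the kind of difference a human skims past and a machine does not. The following is an added example, not code from the article or from any vendor it mentions, of a sender-domain check an accounts-payable mail flow could run before a bank-detail change is accepted: it normalizes the domain (Unicode folding plus a small table of ASCII lookalikes), treats genuine subdomains of a trusted vendor domain as trusted, and flags anything one edit away from a trusted domain, or that reuses the vendor's name as a label under someone else's domain, as a lookalike. The vendor name, sender addresses and confusable table are all constructed for the example.

```python
import unicodedata

# Character sequences that render alike in many fonts (small illustrative table; extend as needed).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalize(domain: str) -> str:
    """Lower-case, NFKC-fold (catches many Unicode lookalikes) and collapse ASCII confusables."""
    d = unicodedata.normalize("NFKC", domain.strip().rstrip(".")).lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment): insert, delete, substitute, transpose cost 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[len(b)]


def sender_domain(address: str) -> str:
    """Pull the domain out of 'Name <user@host>' or plain 'user@host'."""
    if "<" in address and ">" in address:
        address = address[address.index("<") + 1:address.index(">")]
    return address.rsplit("@", 1)[-1].strip().lower().rstrip(".")


def classify_sender(address: str, trusted_domains):
    """Return ('trusted' | 'lookalike' | 'unknown', matched trusted domain or None)."""
    domain = sender_domain(address)
    norm = normalize(domain)
    # Pass 1: exact trusted domain or a genuine subdomain of one.
    for trusted in trusted_domains:
        t = trusted.lower().rstrip(".")
        if domain == t or domain.endswith("." + t):
            return "trusted", trusted
    # Pass 2: close impostors of a trusted domain.
    for trusted in trusted_domains:
        tn = normalize(trusted.lower().rstrip("."))
        if norm == tn or norm.endswith("." + tn):
            return "lookalike", trusted   # differs only by confusable characters
        if edit_distance(norm, tn) <= 1:
            return "lookalike", trusted   # one added, dropped, swapped or changed character
        if tn.split(".")[0] in norm.split("."):
            return "lookalike", trusted   # vendor name reused as a label under another domain
    return "unknown", None


if __name__ == "__main__":
    trusted = ["acme-construction.com"]  # constructed vendor
    for addr in (  # constructed senders
        "ap@acme-construction.com",
        "Pat <ap@billing.acme-construction.com>",
        "ap@acme-constructions.com",
        "ap@acrne-construction.com",
        "ap@acme-construction.com.mail-relay.net",
        "ap@unrelated-supplier.org",
    ):
        print(addr, "->", classify_sender(addr, trusted))
```

A "lookalike" verdict is a reason to route the request to the out-of-band confirmation step described below, not proof of fraud; the distance threshold and confusable table are tuning knobs, and the check says nothing about a message sent from a vendor's genuinely compromised account, which is why the process controls still matter.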

Tackling BEC scams is a two-pronged effort. The first is to protect the accounts to make it harder for attackers to compromise those accounts. That includes methods such as strong and unique passwords to thwart credential-stuffing attacks and enabling multi-factor authentication so that even if the password is stolen, the attackers can't easily take over the account.

McAfee researchers recently warned of a phishing campaign where attackers sent fake voicemail notifications to Office 365 users. Compromised accounts could then be used in a BEC attack. Having two-factor authentication would at least make it harder for attackers to get ahold of these accounts in the first place.

The second is a process one, and requires a bit more planning. For example, the organization may require that money transfers over a certain amount have two authorization signatures, or a voice confirmation, before they can be initiated, Boyer said. It may also make sense to set a policy that no payment can be rushed, since attackers frequently put time pressure on the victim to make them think they have to act quickly.

The process change is necessary, since BEC scams don't need to actually compromise accounts. As the Florida incident showed, spoofed email accounts or similar-looking email addresses can be successful. Attackers can succeed even if the victim has technical controls in place, Boyer said.

BEC is about “exploiting the relationship of trust,” Boyer said. “If they can’t get you directly, they will go after you indirectly.”

<![CDATA[DHS Warns of New North Korean Government Malware Hoplight]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/dhs-warns-of-new-north-korean-government-malware-hoplight https://duo.com/decipher/dhs-warns-of-new-north-korean-government-malware-hoplight Fri, 01 Nov 2019 00:00:00 -0400

The Department of Homeland Security is warning enterprises about a newly discovered trojan that they say is being used by North Korean APT actors. The malware is complex and multi-faceted and uses a public SSL certificate to help make its traffic appear legitimate.

In a new report, DHS and the FBI attribute the malware to the group that they call Hidden Cobra, which is a kind of catch-all name for North Korean actors associated with the country’s government. The United States government has publicly called out Hidden Cobra activity and tools on several occasions, and the new malware that DHS analyzed has a broad range of capabilities and functions designed to keep it hidden on compromised systems. Hoplight comprises 20 separate executable files, 16 of which are proxies that disguise traffic between the operators and the malware on target machines.

“The proxies have the ability to generate fake TLS handshake sessions using valid public SSL certificates, disguising network connections with remote malicious actors. One file contains a public SSL certificate and the payload of the file appears to be encoded with a password or key. The remaining file does not contain any of the public SSL certificates, but attempts outbound connections and drops four files,” the DHS analysis says.

Hoplight has a number of typical trojan capabilities, and once it’s installed it sets about collecting information about the system and enumerates the drives and partitions. The malware can read, write, and move files, create and kill processes and services, edit registry settings, and upload and download files to and from a remote server. Hoplight also comes with four hardcoded IP addresses for the command-and-control servers and once the malware executes, it tries to perform a TLS handshake with one of those servers. After the handshake is complete, Hoplight uses a custom encryption scheme to secure the traffic between the server and the compromised machine.

“The malware is capable of opening and binding to a socket. The malware uses a public SSL certificate for secure communication. This certificate is from www.naver.com. Naver.com is the largest search engine in Korea and provides a variety of web services to clients around the world,” the analysis says.

“The malware uses the default certificates/private keys that come with PolarSSL. These are generally used for testing purposes only. Additionally the C2 IPs that act as the server for the TLS handshake require the malware to respond back with a client key. This key is also a default key found within the PolarSSL libraries.”

It’s common for malware, particularly tools developed by high-level actors, to use valid SSL certificates to help secure their communications. The certificate also helps lend an air of legitimacy to the tool if the victim happens to discover it.

Hoplight targets Windows systems, both 32-bit and 64-bit versions. The DHS analysis does not provide any details on how Hoplight is installed on target systems or what its distribution method is.

CC By SA license photo by Dinesh Valke.

<![CDATA[Supply Chain Security Requires Knowing Who to Avoid]]> fahmida@decipher.sc (Fahmida Y. Rashid) https://duo.com/decipher/supply-chain-security-requires-knowing-who-to-avoid https://duo.com/decipher/supply-chain-security-requires-knowing-who-to-avoid Fri, 01 Nov 2019 00:00:00 -0400

Supply chain security is tricky: Organizations have to make sure they aren’t using components from untrustworthy vendors or suppliers, but they don’t know which ones to avoid.

The Cybersecurity Information Sharing Act (passed in 2015) created a system for sharing information about specific “cyber threat indicators,” but that refers to elements such as suspicious emails and network activities. Organizations can share threat indicators, attack information, and vulnerabilities with each other and with the government formally via information-sharing partnerships and repositories or informally through personal contacts. Supply chain threats such as backdoors in software or intentionally tampered with components don’t really fall within the law’s scope.

There really isn’t a formal mechanism that helps organizations identify and report suppliers and vendors they don’t think should be trusted. In fact, if an organization voices concerns about the cybersecurity risks of vendors or products, it could face significant legal penalties.

If a company “comes across an issue with an untrusted vendor, they have significant civil litigation risk for publicly outing that company,” Christopher Krebs, director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, told Sen. James Lankford during a Senate committee hearing on supply chain security.

The concerns could be something about software or some pattern of activity on a piece of equipment, and being able to share with peers at other companies would be “beneficial,” but there were multiple reasons not to say anything publicly, Robert Mayer, senior vice president for cybersecurity at USTelecom, told the House Homeland Security Committee at a separate hearing on supply chain security in mid-October.

“Information about suspect suppliers cannot be freely exchanged when enterprises are subject to a variety of legal actions, including violations of federal or state anti-trust laws, anti-competitive behaviors or deceptive trade practices,” Mayer said in his prepared remarks.

CISA’s ICT Supply Chain Risk Management Task Force has been looking at the challenges companies and governments face in sharing information to protect the supply chain, and one of the task force’s goals is to develop recommendations on how information can be shared. The Task Force identified “current gaps” in the government’s ability to collect relevant information on bad actors, use the information when evaluating vendors, and share that information with the private sector, Krebs said in his prepared remarks to the Senate Committee on Homeland Security and Governmental Affairs.

“Crucially, the Task Force also identified limitations on private-to-private information sharing on supply chain risks because of lingering legal concerns,” Krebs said. A working group within the Task Force will make recommendations for legal and regulatory changes so that this kind of enhanced information sharing can be possible, Krebs said.

Krebs also noted that companies in the nuclear power industry are required to notify regulators of risky suppliers, but that other “high-risk areas of infrastructure” don’t have this kind of regulatory requirement.

Organizations are increasingly including their supply chain and third-party partnerships in their risk calculations, said Michael Clauser, global head of data and trust at public policy firm Access Partnership. However, just because this kind of assessment is becoming more common doesn’t mean it isn’t still a subjective process. The assessments “may be predicated on judgement calls with imperfect levels of confidence,” Clauser said.

“Unlike the sharing of technical cyber threat indicators, sharing assessments of third-party and vendor trust is a less mature and defined process,” Clauser said. Public disclosure has its own challenges. There aren’t set standards on what a supplier should do, and getting agreement on what constitutes a risk would be difficult, as something that is risky for one company isn’t necessarily risky for another. Problems in the supply chain aren’t always malicious or intentional; quite often the risks have more to do with operational process, such as storing data in an exposed cloud database, said Chris Morales, head of security analytics at Vectra. In those situations, it would be easier to “personally assess vendors in the supply chain and then work with those key vendors to correct the problem.”

“Supply chain security is a dynamic and fluid attack surface and not static,” Morales said.

Congress should explore ways to give incentives to private sector firms to share information about things they found untrustworthy during their own due diligence. Appropriate protections can mean financial incentives or providing legal cover so that companies don’t have to worry about litigation. Another option—which the ICT Task Force is currently working on—is to have the federal government set a supply chain standard for its agencies and departments. If suppliers and vendors had to make sure they met the government’s requirements, that would have a downstream effect for the rest of the market.

“Make it easier for companies to share information on risky vendors that they come across, and make it similarly easy for me to share that information,” Krebs said at the hearing.

<![CDATA[WhatsApp Suit Against NSO Group Marks Beginning of an Era]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/whatsapp-suit-against-nso-group-marks-beginning-of-an-era https://duo.com/decipher/whatsapp-suit-against-nso-group-marks-beginning-of-an-era Wed, 30 Oct 2019 00:00:00 -0400

On Tuesday, WhatsApp and its corporate parent Facebook filed a lawsuit against NSO Group, the Israeli maker of the Pegasus spyware tool used by governments and law enforcement agencies around the world. Technology vendors sue one another all the time, but this suit is far more significant than the run-of-the-mill patent dispute and marks a turning point in the way that powerful technology companies deal with those who abuse their services to target victims.

The suit is the result of an operation that was exposed in May in which attackers were using a previously unknown vulnerability in the WhatsApp messaging system to install a powerful spyware tool on mobile phones. The bug allowed the attackers to run their exploit without any user interaction, simply by calling the device. The operation targeted about 1,400 people, including journalists, lawyers, human rights activists, and diplomats, over the course of about 10 days in late April and early May. Media reports at the time identified the spyware tool used in the attacks as Pegasus, but WhatsApp officials didn’t say anything publicly about that part of the story.

After the company patched the vulnerability, it began investigating the incident, with the help of experts at Citizen Lab, a research and policy team at the University of Toronto that has specialized in this kind of work for many years. The Citizen Lab team set about identifying the victims of the operation while WhatsApp engineers dug into the technical details to see how the attacks worked.

"Here we see the unvarnished reality: more than 100 individuals being targeted for surveillance, not because they are criminals or terrorists, but because their legitimate exercise of human rights is an irritant to powerful elites, corrupt autocrats, and in some cases even murderous death squads," Ron Deibert, founder and director of the Citizen Lab, said in an email.

In the absence of appropriate safeguards, it is not surprising to see spyware such as this being abused.

In its suit, WhatsApp alleges that NSO Group operators created and used WhatsApp accounts that were then used to target victims and used the WhatsApp Signaling and Relay servers to send the malware to victims’ devices.

“Defendants reverse-engineered the WhatsApp app and developed a program to enable them to emulate legitimate WhatsApp network traffic in order to transmit malicious code--undetected--to Target Devices over WhatsApp servers. Defendants’ program was sophisticated and built to exploit specific components of WhatsApp network protocols and code,” the suit says.

In an opinion piece in The Washington Post, WhatsApp head Will Cathcart said the company was able to tie the operation directly to NSO Group.

“As we gathered the information that we lay out in our complaint, we learned that the attackers used servers and Internet-hosting services that were previously associated with NSO. In addition, as our complaint notes, we have tied certain WhatsApp accounts used during the attacks back to NSO. While their attack was highly sophisticated, their attempts to cover their tracks were not entirely successful,” Cathcart wrote.

“There was another disturbing pattern to the attack, as our lawsuit explains. It targeted at least 100 human-rights defenders, journalists and other members of civil society across the world. This should serve as a wake-up call for technology companies, governments and all Internet users. Tools that enable surveillance into our private lives are being abused, and the proliferation of this technology into the hands of irresponsible companies and governments puts us all at risk.”


The suit against NSO Group is essentially the first of its kind and is clearly meant to send a message to both the company and the broader group of vendors of so-called lawful intercept tools. This is WhatsApp, and by extension Facebook, flexing their considerable legal and technical muscle to show what the consequences of such operations can be. While the suit is somewhat surprising, what may be more surprising is that no other vendor has taken this step before. Many of the larger tech companies in the world regularly move against malicious actors, taking down botnets, suing individual attackers, and dismantling cybercrime networks. And Google has a long-standing policy of notifying users when they are targeted by sophisticated attackers like intelligence agencies or nation-state groups. Those groups sometimes use commercial intrusion tools as part of their operations and the threat analysis teams at the large service providers are quite capable of identifying actors and the tools they’re using.

But until now, companies have shied away from using the legal system to go after the purveyors of those tools. Part of the reason for that may lie in the technical details of how the operations are conducted and who is running them. But the larger reason could be a reluctance to test the waters and be the first to try this approach. WhatsApp has broken that seal now.

The suit is designed to have both punitive and deterrent effects, with WhatsApp asking for monetary damages as well as permanent injunctions that would bar NSO Group from ever running operations over its servers again. Spyware vendors rely on stealth, secrecy, and the discretion of their customers in order to stay below the radar and avoid the wrath of victims, researchers, and tech companies. By filing the suit and calling NSO Group out publicly, WhatsApp is drawing a line in the sand and laying out quite clearly what will happen if other vendors abuse the company’s service to target its users.

“Governments and companies need to do more to protect vulnerable groups and individuals from these attacks. WhatsApp will continue to do everything we can within our code, and within the courts of law, to help protect the privacy and security of our users everywhere,” Cathcart said.

Citizen Lab's Deibert said his team intends to keep digging into surveillance technology vendors and looking for potential abuses.

"We are undertaking this research because we see the largely unregulated commercial surveillance industry presenting perhaps the greatest single risk to global civil society worldwide. We will continue to investigate carefully the cases of abuse revolving around this incident, and intend to publish the evidence we collect in the public domain," Deibert said.

The only way to mitigate this type of reckless behavior is through stiff penalties that are rigorously enforced.

<![CDATA[Fancy Bear Attackers Target Anti-Doping and Sports Groups]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/fancy-bear-attackers-target-anti-doping-and-sports-groups https://duo.com/decipher/fancy-bear-attackers-target-anti-doping-and-sports-groups Tue, 29 Oct 2019 00:00:00 -0400

Over the last six weeks, the Russian attack group known as Fancy Bear has targeted more than a dozen organizations in the sports and anti-doping communities with spear-phishing and other attacks as athletes preparing for the 2020 Summer Olympics begin to enter the doping control system leading up to the games.

The attacks began just a few days before the World Anti-Doping Agency (WADA), which enforces anti-doping regulations for sports around the world, announced potential new sanctions against Russia for alleged doping violations. Russia has had a long history of such sanctions, including a ban that prevented its athletes from competing in the 2018 Winter Olympics under the Russian flag. In mid-September, Microsoft detected a new wave of attacks by Fancy Bear, also known as Strontium and APT28, that targeted sports and anti-doping organizations in a number of different countries.

“Some of these attacks were successful, but the majority were not. Microsoft has notified all customers targeted in these attacks and has worked with those who have sought our help to secure compromised accounts or systems,” Tom Burt, corporate vice president of customer security and trust at Microsoft, said.

“The methods used in the most recent attacks are similar to those routinely used by Strontium to target governments, militaries, think tanks, law firms, human rights organizations, financial firms and universities around the world. Strontium’s methods include spear-phishing, password spray, exploiting internet-connected devices and the use of both open-source and custom malware.”

This kind of operation is not unheard of, and the Fancy Bear group itself has conducted similar ones in the past. Last year, the Department of Justice unsealed indictments against seven members of the Russian GRU intelligence agency for allegedly targeting similar organizations as a way of gathering information, medical records, and other data related to investigations into state-sponsored Russian athlete doping programs. The group then allegedly conducted a disinformation campaign through social media and other channels, releasing some of the stolen medical records and other information.

“Among other instances, the indictment alleges that following a series of high-profile independent investigations starting in 2015, which publicly exposed Russia’s systematic state-sponsored subversion of the drug testing processes prior to, during, and subsequent to the 2014 Sochi Winter Olympics (according to one report, known as the “McLaren Report”), the conspirators began targeting systems used by international anti-doping organizations and officials. After compromising those systems, the defendants stole credentials, medical records, and other data, including information regarding therapeutic use exemptions (TUEs), which allow athletes to use otherwise prohibited substances,” the DOJ press release said.

The Fancy Bear attackers have been known to target a wide range of organizations, often ones with political or diplomatic missions. In August 2018, Microsoft took over several domains used by Fancy Bear attackers to target some non-profits and the Senate itself in an effort to mimic those organizations and potentially go after individuals associated with them.

<![CDATA[Johannesburg Hit With Major Ransomware Attack]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/johannesburg-hit-with-major-ransomware-attack https://duo.com/decipher/johannesburg-hit-with-major-ransomware-attack Mon, 28 Oct 2019 00:00:00 -0400

The City of Johannesburg has joined the rapidly expanding group of cities, towns, and other government entities that have fallen victim to ransomware attacks and city officials are refusing to pay the attackers’ ransom demands.

The attack on South Africa’s largest city has had a cascading effect, forcing the government’s main website offline, crippling several of its departments, and preventing many of the agencies from accepting payments or conducting other transactions. City officials said that the attackers have demanded a payment of four Bitcoins to unlock the compromised systems, but the government is planning to try to restore the systems rather than pay.

“I can confirm that the city will not concede to their demands and we are confident that we will be able to restore systems to full functionality. We have made significant progress and if we continue on this trajectory we should be able to restore 80% of all our systems,” Funzella Ngobeni, a Member of the Mayoral Committee on Finance, said in a statement published Monday.

The attackers hit Johannesburg on Oct. 24 and Ngobeni said that the intrusion has “had a significant impact on our ability to deliver services to our residents.” The city’s main call center for resident information is offline, as are city planning and other systems. The attackers, who call themselves the Shadow Kill Hackers, gave the city government until today to pay the ransom, otherwise they threatened to release all of the city’s compromised data publicly.

The list of municipalities and government agencies that have been hit by ransomware is lengthy and growing by the day. Some of the victims have been large cities, including Baltimore, while others have been small counties or towns. In August, an attacker compromised systems belonging to more than 20 local government agencies in Texas, and in July a Ryuk ransomware attack on the City of New Bedford, Mass., hit 158 machines and included a ransom demand of $5.3 million. The attack on Baltimore in May included a ransom demand of about $100,000, which city officials refused to pay, and turned into a protracted ordeal with city systems down for several weeks and millions of dollars in cleanup and consulting costs.

Ransomware gangs have begun to focus their energies on governments for several reasons, some of which can be quite difficult to address. The biggest issue is that governments are supposed to deliver services to their constituents. When government systems are offline because of a ransomware attack or other intrusion, the government can’t deliver those services and so the attackers have leverage as residents become frustrated. Victimized government agencies are susceptible to public pressure to pay the ransom and get services back online. Also, government agencies, particularly smaller state and local ones, sometimes rely on older software and may not have dedicated security teams to help defend their systems.

Attackers also have the luxury of being able to select likely victims and choose the time of their attacks to exert the maximum amount of pressure. In the case of Johannesburg, the attack hit at a time when the city was in the middle of monthly billing and payment cycles.

“This attack is opportunistic in both its form and its timing. It is opportune in that it is timed to coincide with all City month end processes affecting both supplier payments and customer payments,” Ngobeni said.

<![CDATA[Older Bugs in Software Add to Security Debt]]> fahmida@decipher.sc (Fahmida Y. Rashid) https://duo.com/decipher/older-bugs-in-software-add-to-security-debt https://duo.com/decipher/older-bugs-in-software-add-to-security-debt Fri, 25 Oct 2019 00:00:00 -0400

When it comes to fixing software vulnerabilities, the newest flaws get fixed first and the older ones languish in the proverbial stack.

Companies are fixing a higher percentage of vulnerabilities than ever before, but the focus on fixing newer vulnerabilities means older issues accumulate over time, Veracode said in its tenth State of Software Security report. The annual report covers applications analyzed by Veracode and measures how long it took for the issues found in them to be fixed. This year's report included 85,000 applications from 2,300 companies, more than a 50-fold increase over the 1,591 applications tested in the first year of the report.

On average, companies fixed 56 percent of all software security issues discovered between the first application security scan and the final scan, Veracode found. The unfixed remainder accumulates as "security debt": the number of open flaws in the application increases over time, Veracode said. Similar to technical debt, security debt increases the organization's risk of a breach, because these forgotten flaws are exactly what attackers will target.

“Like credit card debt, even carrying a small balance forward on a recurring basis can quickly leave you in the hole," said Chris Wysopal, founder and CTO at Veracode.

Last year's report found that 70 percent of flaws were present in code one month after they were discovered, and 55 percent were present after three months. A quarter of high severity vulnerabilities were still present after 290 days (approximately nine and a half months). Developers fixed 76 percent of the most critical vulnerabilities and 69 percent of the slightly-less-critical-but-still-severe flaws.

However, if a vulnerability didn't get fixed initially, the chances of it getting fixed dropped. The longer a vulnerability remained in the application, the less likely it was to be corrected, the report found. About half of all applications surveyed accrued security debt over time, and a quarter broke even. Just a quarter of the applications were able to reduce security debt.

On the initial scan, 83 percent of the applications analyzed by Veracode had at least one security flaw, compared to 72 percent ten years ago. That doesn't necessarily mean that applications are more insecure initially now than they used to be. More applications are being tested, and current scanning tools are much more robust than they used to be, so it makes sense that more vulnerabilities are being discovered.

In fact, there are signs that the focus on secure coding and frequent testing may be paying off. Only 20 percent of applications scanned had high-severity flaws in the first scan, compared to 34 percent ten years ago. About 70 percent of the applications were able to show they had fewer vulnerabilities or had not introduced any new flaws by the final time the application was scanned.

"The data shows developers are very likely to fix high severity flaws so there is solid evidence that development teams are getting better at figuring out which flaws are the most important to fix first,” said Chris Eng, chief research officer at Veracode.

The frequency of software security scanning has a direct impact on response times to fixing the flaws, the report found. Organizations that scanned applications less than once a month typically required a median time of 68 days to address the security issues. Organizations that scanned their applications daily required just 19 days. Daily scanning remains uncommon, however.

Only a third of the applications in Veracode's study were scanned between two and six times a year, while another third were scanned just once a year. Less than 1 percent of the applications were scanned 260 times or more in a year.
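The report's numbers (fix rate between first and last scan, share of flaws still open after 30 and 90 days, median days to fix, whether an application accrued or reduced debt) are all derivable from a scanner's own finding history. The following is an added example of computing them, written for this page; it is not code from the original article or from Veracode, and the `Finding` rows are constructed sample data for one invented application, not figures from the report.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class Finding:
    """One scanner finding, tracked from the scan that first reported it to the
    scan where it disappeared (fixed is None while it is still open)."""
    app: str
    severity: str            # "high", "medium" or "low"
    found: date              # date of the scan that first reported the flaw
    fixed: Optional[date]    # date of the first scan where it no longer appeared


# Constructed sample export for one application; every row is invented.
FINDINGS = [
    Finding("billing", "high",   date(2019, 1, 1), date(2019, 1, 10)),
    Finding("billing", "high",   date(2019, 1, 1), date(2019, 2, 15)),
    Finding("billing", "medium", date(2019, 1, 1), None),
    Finding("billing", "low",    date(2019, 1, 1), None),
    Finding("billing", "medium", date(2019, 3, 1), date(2019, 3, 20)),
    Finding("billing", "high",   date(2019, 3, 1), None),
    Finding("billing", "low",    date(2019, 5, 1), None),
    Finding("billing", "low",    date(2019, 5, 1), None),
]
FIRST_SCAN = date(2019, 1, 1)
LAST_SCAN = date(2019, 6, 30)


def open_on(findings, day):
    """Findings that were open on a given scan date."""
    return [f for f in findings if f.found <= day and (f.fixed is None or f.fixed > day)]


def fix_rate(findings, as_of, severity=None):
    """Share of findings reported by as_of that were closed by as_of."""
    pool = [f for f in findings
            if f.found <= as_of and (severity is None or f.severity == severity)]
    closed = [f for f in pool if f.fixed is not None and f.fixed <= as_of]
    return len(closed) / len(pool) if pool else 0.0


def still_open_after(findings, days, as_of):
    """Share of findings still present `days` after discovery. Only findings old
    enough to have had `days` of exposure before as_of are counted, so a flaw
    found last week does not distort the 90-day figure."""
    eligible = [f for f in findings if f.found + timedelta(days=days) <= as_of]
    lingering = [f for f in eligible if f.fixed is None or (f.fixed - f.found).days > days]
    return len(lingering) / len(eligible) if eligible else 0.0


def median_days_to_fix(findings):
    durations = [(f.fixed - f.found).days for f in findings if f.fixed is not None]
    return median(durations) if durations else None


def debt_trend(findings, first_scan, last_scan):
    """'accrued' if more flaws are open at the last scan than at the first,
    'reduced' if fewer, 'even' if the balance was simply carried forward."""
    first, last = len(open_on(findings, first_scan)), len(open_on(findings, last_scan))
    if last > first:
        return "accrued"
    if last < first:
        return "reduced"
    return "even"


def security_debt_report(findings, first_scan, last_scan):
    return {
        "open_at_first_scan": len(open_on(findings, first_scan)),
        "open_at_last_scan": len(open_on(findings, last_scan)),
        "fix_rate": round(fix_rate(findings, last_scan), 3),
        "fix_rate_high": round(fix_rate(findings, last_scan, "high"), 3),
        "open_after_30_days": round(still_open_after(findings, 30, last_scan), 3),
        "open_after_90_days": round(still_open_after(findings, 90, last_scan), 3),
        "median_days_to_fix": median_days_to_fix(findings),
        "trend": debt_trend(findings, first_scan, last_scan),
    }


if __name__ == "__main__":
    for key, value in security_debt_report(FINDINGS, FIRST_SCAN, LAST_SCAN).items():
        print(f"{key:>20}: {value}")
```

Run per application and per scan cadence, this is enough to reproduce the report's comparison of median fix time for teams that scan daily against those that scan monthly, and to spot the applications whose open-flaw count at the last scan is higher than at the first.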

Security debt doesn't mean the developers are bad at managing vulnerabilities. It means organizations should reconsider how often they test their applications.

The fact that scanning an application frequently reduces security debt indicates that DevSecOps practices can play a role in reducing security debt across an organization, Veracode said.

“Development teams can’t ignore the findings nor choose to fix the new flaws rather than the old ones. Instead, they should make a plan to fix the new findings and use periodic ‘security sprints’ to fix unresolved flaws that could be exploited,” Eng said.

<![CDATA[Updated Gustuff Android Trojan Changes Tactics]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/updated-gustuff-android-trojan-changes-tactics https://duo.com/decipher/updated-gustuff-android-trojan-changes-tactics Thu, 24 Oct 2019 00:00:00 -0400

Researchers have identified a new version of the Gustuff Android banking trojan that employs its own scripting engine and adds several new capabilities to improve its ability to steal financial information from compromised devices.

Gustuff first emerged a few months ago and appeared to be built on top of the code base of Marcher, an older trojan that had been around for several years. The malware spreads mainly through text messages and is designed to harvest victims’ bank information through a handful of different techniques. It also steals the victim’s contact list and uses that to spread to the people on the list, giving it a self-propagation mechanism. Researchers with the Cisco Talos Intelligence Group first came across the Gustuff trojan in April and after they published an analysis of the malware, the operators of it took down the command-and-control infrastructure used in the campaign.

However, the attackers had a back-up C2 system and have the ability to send commands to infected devices through SMS. The original domains that the Gustuff trojan used were taken offline, but the operators didn’t disappear. Since the campaign earlier this year, the Gustuff operators have taken it upon themselves to run a few others, the latest one using a new version of the malware altogether.

“A new campaign was detected around June 2019; there were no significant changes to the malware. The campaign was using Instagram, rather than Facebook, to lure users into downloading and installing malware,” Vitor Ventura and Chris Neal of Talos wrote in an analysis of the new malware.

“But a new campaign spun up at the beginning of this month, this time with an updated version of the malware. Just like in the previous version, any target that would be of no use as a potential target is still used to send propagation SMS messages. Each target is requested to send SMSs at a rate of 300 per hour. Even though the rate will be limited to the mobile plan of each target, this is an aggressive ask.”
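The propagation behaviour described above (an infected handset asked to push the same lure to its contact list at up to 300 messages an hour) leaves two signals in SMS telemetry: a per-device send rate far above normal, and a single link fanned out to hundreds of distinct recipients. The following is an added example of detection logic for both, written for this page; it is not code from the Talos analysis or from the malware. The `Sms` records are constructed sample telemetry, the lure URL is a placeholder, and the field names are assumptions about whatever log source (carrier, MDM or on-device agent) is feeding the check.

```python
import re
from collections import defaultdict, deque, namedtuple

# Assumed telemetry shape: one record per outbound SMS, ts in seconds since epoch.
Sms = namedtuple("Sms", "ts device recipient body")
URL_RE = re.compile(r"https?://\S+")


def build_sample_events():
    """Constructed sample telemetry: device-A sends an identical link to a new
    contact every 10 seconds (360 per hour), device-B texts a few friends
    normally. All values are invented."""
    events = []
    lure = "Check this out http://lure.invalid/app.apk"   # placeholder URL
    for i in range(360):
        events.append(Sms(1_000_000 + i * 10, "device-A", f"+1555000{i:04d}", lure))
    for i in range(20):
        events.append(Sms(1_000_000 + i * 600, "device-B", f"+1555100000{i % 4}",
                          f"see you at {i}"))
    return sorted(events, key=lambda e: e.ts)


def peak_rate_per_device(events, window_seconds=3600):
    """Highest number of messages each device sent inside any sliding window.
    Events must be sorted by ts; a deque per device holds the window."""
    peaks = defaultdict(int)
    recent = defaultdict(deque)
    for e in events:
        q = recent[e.device]
        q.append(e.ts)
        while q and q[0] <= e.ts - window_seconds:   # drop events older than the window
            q.popleft()
        peaks[e.device] = max(peaks[e.device], len(q))
    return dict(peaks)


def link_fanout(events):
    """Number of distinct recipients each (device, URL) pair was sent to."""
    fanout = defaultdict(set)
    for e in events:
        for url in URL_RE.findall(e.body):
            fanout[(e.device, url)].add(e.recipient)
    return {key: len(recipients) for key, recipients in fanout.items()}


def suspicious_devices(events, rate_threshold=300, fanout_threshold=50,
                       window_seconds=3600):
    """Devices that either exceed the hourly send rate or spray one link to
    many distinct contacts. Either signal alone is enough to flag."""
    flagged = set()
    for device, peak in peak_rate_per_device(events, window_seconds).items():
        if peak >= rate_threshold:
            flagged.add(device)
    for (device, _url), recipients in link_fanout(events).items():
        if recipients >= fanout_threshold:
            flagged.add(device)
    return sorted(flagged)


if __name__ == "__main__":
    sample = build_sample_events()
    print("peak per hour:", peak_rate_per_device(sample))
    print("flagged:", suspicious_devices(sample))
```

The fan-out check matters because, as the quote notes, the carrier plan will often throttle a device well below 300 messages an hour; a handset that only manages 40 sends but addresses all 40 to different contacts with the same link is still behaving like a worm, and the rate rule alone would miss it.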

The Gustuff trojan has a number of interesting features, including the ability to load a webview of a specific domain on command from the C2. A webview is a way for an app to display web content without using a fully functional browser. In one instance, the Talos researchers saw the Gustuff C2 send a command to an infected device to create a webview of a portal for the Australian government that hosts services for taxes and social security.


“The command was issued before the local injections were loaded (using the changearchive command). The injections were loaded from one of the C2 infrastructure servers. This command is not part of the standard activation cycle and was not part of the injections loaded by the version we analyzed in April,” Ventura and Neal said.

“This represents a change for the actor, who now appears to be targeting credentials used on the official Australian government's web portal.”

Banking trojans have been a problem for many years, going back to the earliest days of online banking, and they have continued to evolve along with the sophistication of banking sites and apps. When online banking shifted to mobile devices, the malware authors followed suit, creating trojans to mimic legitimate banking apps and others like Gustuff that stay in the background. Many of these banking trojans tend to target Android devices because of the restrictions in the Apple ecosystem and the fact that Android users can install apps from third-party app stores.

The Gustuff operators, like most competent cybercrime groups, have adapted their tactics as they’ve progressed. In addition to modifying the C2 infrastructure, they also added some other functionality, including a feature that sends a list of banking and other apps to target to each infected device after the malware is installed. The trojan also dynamically loads a list of anti-malware apps to block. The operators also put in a new method for interacting with the malware on infected devices as a way to reduce the amount of traffic it sends over the network.

“The commands related to the socks server/proxy have been removed, as have all code related to its operation. This functionality allowed the malicious operator to access the device and perform actions on the device's UI. We believe this is how the malicious actor would perform its malicious activities. We believe that after collecting the credentials, using the webviews, the actor would use this connection to interactively perform actions on the banking applications,” Ventura and Neal said.

“This functionality is now performed using the command ‘interactive,’ which will use the accessibility API to interact with the UI of the banking applications.”

<![CDATA[Malwarebytes Connects Magecart Group to Carbanak]]> fahmida@decipher.sc (Fahmida Y. Rashid) https://duo.com/decipher/malwarebytes-connects-magecart-group-to-carbanak https://duo.com/decipher/malwarebytes-connects-magecart-group-to-carbanak Wed, 23 Oct 2019 00:00:00 -0400

Researchers have linked the Magecart group known for its supply-chain attacks to Carbanak, an advanced threat group.

Magecart Group 5 uses the same domains that have also been used in phishing campaigns that pushed the Dridex banking Trojan, Malwarebytes researchers said. The Dridex phishing campaigns are believed to be the work of the infamous Carbanak (FIN7) attack group. The Carbanak group also uses the Carbanak custom backdoor to target internal banking infrastructure and ATMs. Europol said Carbanak has struck banks in more than 40 countries.

“We spent some time digging into a number of Magecart domains registered via the well-known Chinese registrar BIZCN/CNOBIN, [which is] essentially a bulletproof registrar,” Malwarebytes researchers said. “We narrowed down the domains to a smaller subset previously identified as being used by Magecart Group 5.”

Magecart is an amorphous group consisting of a dozen or so attack groups that inject malicious JavaScript code into online payment pages (ecommerce checkout pages) to steal payment card information (name, address, credit card numbers, expiration date, and CVV). RiskIQ recently said its research team had identified a little over 2 million instances of Magecart’s JavaScript binaries, with over 18,000 hosts directly breached.

“Victimology helps us to get a better idea of the threat actor behind attacks. For instance, we see many compromises that affect a small subset of merchants that are probably tied to less sophisticated criminals, often using a simple skimmer or a kit,” Malwarebytes researchers wrote.

Some Magecart factions target specific platforms while others target third-party libraries to compromise all the sites that rely on that component. Group 5 is known for targeting the supply chain and was recently seen testing code targeting the kind of routers typically used to operate public Wi-Fi networks. In the Ticketmaster breach, the group compromised the third-party chat feature embedded in Ticketmaster's website.

A supply chain attack that targets a single site or component in order to compromise all other sites downstream that rely on that site/component has more in common with advanced threat actors than the typical financially-motivated cybercriminal, Malwarebytes said. Bigger breaches that "reel in a much larger prize" tend to be the work of experienced advanced threat groups with well-established ties to the criminal underground, the researchers said.

In the case of the domains, Magecart Group 5 used privacy protection services for eight of the domains, but overlooked one. Malwarebytes researchers Jérôme Segura, William Tsing, and Adam Thomas were able to see that domain's WHOIS data from before GDPR went into effect (after which registrars began redacting registrant data), and saw the name, address, and contact information of operators in Beijing. Using the exposed email address, the researchers were able to find other domains, several of which were used in the Dridex campaigns. One was a corporate eFax-themed campaign targeting Germans. Two were phishing campaigns spoofing the OnePosting and Xero accounting services.

“If we pivot from [the] email address, we can identify other domains, and in particular several that connect to Dridex phishing campaigns,” researchers explained.

Researchers also found a phone number in common between the two groups. Security blogger Brian Krebs had previously mentioned a phone number that was used by Carbanak, and that same phone number was used to register one of Magecart domains.
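The pivot the researchers describe (one domain the operators forgot to privacy-protect, its registrant email leading to Dridex phishing domains, a registrant phone number leading to Carbanak infrastructure) is a graph problem: domains are nodes, and two domains are linked when they share a usable registrant attribute. The following is an added example of that clustering, written for this page; it is not code from Malwarebytes. The WHOIS records are constructed, the domains, email addresses and phone numbers are invented placeholders rather than the real indicators, and the `seen_in` tag stands in for whatever campaign attribution an analyst already has.

```python
from collections import defaultdict

# Constructed WHOIS-style records. Domains, addresses and numbers are invented
# placeholders, not the indicators from the report. None marks a field hidden
# by a privacy service.
RECORDS = [
    {"domain": "skimmer-a.example", "email": None, "phone": None, "seen_in": "magecart"},
    {"domain": "skimmer-b.example", "email": None, "phone": None, "seen_in": "magecart"},
    {"domain": "skimmer-c.example", "email": "reg1@example.net",
     "phone": "+10000000001", "seen_in": "magecart"},          # the one left unprotected
    {"domain": "efax-invoice.example", "email": "reg1@example.net",
     "phone": None, "seen_in": "dridex-phish"},
    {"domain": "xero-login.example", "email": "reg1@example.net",
     "phone": "+10000000002", "seen_in": "dridex-phish"},
    {"domain": "oneposting-secure.example", "email": "reg2@example.net",
     "phone": "+10000000002", "seen_in": "dridex-phish"},
    {"domain": "bank-update.example", "email": "reg3@example.net",
     "phone": "+10000000001", "seen_in": "carbanak"},
    {"domain": "unrelated-shop.example", "email": "owner@example.org",
     "phone": "+19999999999", "seen_in": "benign"},
]

# Values a registrar's privacy proxy fills in (assumed examples). They must never
# count as a link, because thousands of unrelated domains share them.
PROXY_VALUES = {"redacted for privacy", "privacy@proxy.example"}
PIVOT_FIELDS = ("email", "phone")


def usable(value):
    """A WHOIS value is a valid pivot only if it is present and not a proxy placeholder."""
    return value is not None and value.strip().lower() not in PROXY_VALUES


def pivot(records, field, value):
    """Every domain whose WHOIS `field` equals `value`: the manual pivot step."""
    return sorted(r["domain"] for r in records
                  if usable(r.get(field)) and r[field] == value)


def cluster(records, fields=PIVOT_FIELDS):
    """Union-find over domains: two domains join one cluster when they share any
    usable pivot value, directly or through a chain of other domains."""
    parent = {r["domain"]: r["domain"] for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    first_seen = {}
    for r in records:
        for field in fields:
            value = r.get(field)
            if not usable(value):
                continue
            key = (field, value.strip().lower())
            if key in first_seen:
                union(r["domain"], first_seen[key])
            else:
                first_seen[key] = r["domain"]
    groups = defaultdict(set)
    for domain in parent:
        groups[find(domain)].add(domain)
    return sorted(groups.values(), key=lambda s: (-len(s), min(s)))


def linked_campaigns(records, domain):
    """Campaign tags reachable from `domain` through shared registrant data."""
    tags = {r["domain"]: r["seen_in"] for r in records}
    for group in cluster(records):
        if domain in group:
            return sorted({tags[d] for d in group})
    return []


if __name__ == "__main__":
    print(pivot(RECORDS, "email", "reg1@example.net"))
    print(linked_campaigns(RECORDS, "skimmer-c.example"))
```

The privacy-protected skimmer domains stay as singletons: with no usable attribute they cannot be joined to anything, which is exactly why one forgotten record was enough to expose the rest of the operator's infrastructure. The `PROXY_VALUES` filter is the check that keeps a registrar's boilerplate contact from collapsing unrelated domains into one false cluster.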

“As Magecart activity increases and new groups emerge, it can sometimes be helpful to go back in time in order to examine bread crumbs that may have been left behind,” researchers said. "Looking back means we can spot recurring themes."

<![CDATA[Firefox Now Blocks Social Media Trackers]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/firefox-now-blocks-social-media-trackers https://duo.com/decipher/firefox-now-blocks-social-media-trackers Tue, 22 Oct 2019 00:00:00 -0400

Over the last few months, Mozilla has added a number of different features to Firefox to prevent or limit user tracking by third parties, and with the release of Firefox 70 this week the company is going even further by blocking trackers from social media networks.

The change is part of a broader strategy for Mozilla to position Firefox as the browser of choice for people concerned about privacy. In September, Mozilla added a feature called Enhanced Tracking Protection to Firefox and turned it on by default. That feature blocks known third-party trackers across the web and is designed to prevent ad companies and others from building profiles of people as they move around the web.

Mozilla said it has blocked more than 450 billion third-party tracking requests in Firefox since July.

“This shocking number reveals the sheer scale of online tracking and it highlights why the current advertising industry push on transparency, choice and ‘consent’ as a solution to online privacy simply won’t work. The solutions put forth by other tech companies and the ad industry provide the illusion of choice,” Peter Dolanjski and Steven Englehardt of Mozilla said.

In Firefox 70, Enhanced Tracking Protection adds some new features, the most prominent of which is the ability to block trackers from social media networks such as Facebook and Twitter. Those networks have extensive systems in place around the web to track user behavior and how they interact with the sites they visit, most of which is done invisibly and is mainly in the service of ad targeting. Firefox’s new system prevents the most common trackers from those networks from being able to place cookies on users’ machines.

“Social networks place trackers on other websites to follow what you do, see, and watch online. This allows social media companies to collect data about your browsing history and improve their ad targeting. Even if you don’t use a social network, that site can still collect data about your browsing habits. Firefox blocks the most common trackers from Facebook, Twitter, and LinkedIn that appear on other websites,” Mozilla said.

“Social media companies will still be able to collect data about you on their own social networks, including Facebook-owned services like Instagram, WhatsApp, and Messenger.”

User tracking is at the heart of the ad-targeting economy that underpins not only the social networks themselves but also the wide variety of other sites that depend on support from those networks. Some of that tracking is obvious but a large portion of it is done behind the scenes and most people have little or no idea that it’s happening.
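The decision Enhanced Tracking Protection makes for each sub-resource request rests on two questions: is the request going to a different site than the page the user is on, and if so, is that site on a tracker list. "Different site" has to be judged on the registrable domain, not the hostname, or every CDN subdomain would look third-party. The following is an added example of that classification, written for this page; it is not Firefox code and does not use Mozilla's actual lists. The public-suffix subset and the tracker list are constructed stand-ins, and the `SAME_ENTITY` mapping (treating facebook.net as Facebook-owned) is an assumption made for the example.

```python
from urllib.parse import urlsplit

# Constructed subset of multi-label public suffixes. A real implementation uses the
# full Public Suffix List so that a.co.uk and b.co.uk are not treated as one site.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# Constructed stand-in for a tracker blocklist: registrable domain -> category.
TRACKERS = {
    "facebook.com": "social", "facebook.net": "social",
    "twitter.com": "social", "linkedin.com": "social",
    "ad-metrics.example": "advertising",
}

# Domains assumed to belong to the same company as the page's domain; requests to
# them are first-party for blocking purposes (assumption for this example).
SAME_ENTITY = {"facebook.net": "facebook.com"}


def registrable_domain(host):
    """eTLD+1 of a hostname: example.co.uk for cdn.example.co.uk, twitter.com for
    platform.twitter.com."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def entity(site):
    return SAME_ENTITY.get(site, site)


def classify_request(page_url, request_url):
    """Decide what a tracking-protection layer does with one request made by a page.
    Returns 'first-party', 'third-party' (allowed) or 'blocked:<category>'."""
    page_site = registrable_domain(urlsplit(page_url).hostname)
    req_site = registrable_domain(urlsplit(request_url).hostname)
    if entity(req_site) == entity(page_site):
        return "first-party"
    category = TRACKERS.get(req_site)
    return f"blocked:{category}" if category else "third-party"


def filter_page_requests(page_url, request_urls):
    """Map each request to its decision and count the blocked ones, the way a
    per-site protection report would."""
    decisions = {url: classify_request(page_url, url) for url in request_urls}
    blocked = sum(1 for d in decisions.values() if d.startswith("blocked:"))
    return decisions, blocked


# Constructed sample page and the requests it makes.
SAMPLE_PAGE = "https://news.example.co.uk/story/1"
SAMPLE_REQUESTS = [
    "https://news.example.co.uk/static/app.js",
    "https://cdn.example.co.uk/img/logo.png",      # same registrable domain
    "https://connect.facebook.net/en_US/sdk.js",   # social tracker
    "https://platform.twitter.com/widgets.js",     # social tracker
    "https://px.ad-metrics.example/pixel.gif",     # advertising tracker
    "https://cdn.library.example/lib.min.js",      # third-party, not a tracker
]

if __name__ == "__main__":
    decisions, blocked = filter_page_requests(SAMPLE_PAGE, SAMPLE_REQUESTS)
    for url, decision in decisions.items():
        print(f"{decision:<22} {url}")
    print(f"{blocked} requests blocked")
```

The `SAME_ENTITY` step is what the quoted caveat is about: the same `connect.facebook.net` script that is blocked on a news site is first-party when the page itself is on facebook.com, so the social network still sees everything the user does on its own properties.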

Firefox 70 also includes a new reporting tool that enables people to get a view of how many tracking requests the browser has blocked, as well as a password-management and generation tool called Lockwise. The tool can sync passwords across devices and is integrated with Firefox Monitor, the service that alerts people if their passwords are part of a data breach.