Thursday, December 14, 2017

Operating system security is one of Microsoft’s priorities.

The developers of the new generation of Windows have vigorously responded to the most significant and relevant threats that target the Windows platform by developing numerous security technologies that were previously available only in third-party solutions.

The system has become better protected, making the life of cybercriminals more difficult. Nevertheless, in some cases, the tools provided by the operating system are not sufficient – the developers have had to make compromises in a number of areas, which has negatively affected system security and makes it necessary to use third-party IT security tools. Because it is so widespread, Windows has been, and remains, the target of choice for cybercriminals of all stripes.

Each new version is researched thoroughly by thousands of blackhats in search of new moneymaking opportunities. Whitehats, for whom Windows is the main battleground in their fight against the bad guys, also explore it. Naturally, Kaspersky Lab always carries out a painstaking analysis of all changes introduced by Microsoft to the security system in order to provide its users with the best possible protection against cyberthreats. This review consists of three parts devoted to the most prominent new Windows 10 features that affect security.

These are the Microsoft Edge browser, virtualization-based security and an updated built-in anti-malware solution called Windows Defender.

All of these features have brought new capabilities to the Windows security system, but, unfortunately, they also come with some weaknesses of their own.
In this paper, we use examples to demonstrate how Windows 10 protection technologies work and how they can be complemented by third-party solutions to improve system security.

Microsoft Edge

The latest browser, Microsoft Edge, is intended to replace Internet Explorer.
It is included in Windows 10 as the default browser.

The company has worked hard to implement numerous new features, some of which are security-related. Content Security Policy and HTTP Strict Transport Security technologies were introduced to combat cross-site scripting attacks.

These technologies are designed not only to lower the chances of a successful attack but also to notify the web service’s owner about the attempt to carry it out. Microsoft has also come up with ways to protect Edge against exploits, which were the curse of Internet Explorer. Now, by using containers and separating content handling operations into different processes, exploiting vulnerabilities has been made much more difficult.

Finally, integration with SmartScreen should prevent users from visiting sites with malicious content. In addition to supporting new technologies, the security of Edge has been enhanced by retiring vulnerable old ones.

The browser no longer supports VML, BHO and ActiveX, which are used by a multitude of advertising apps and malicious browser add-ons. However, a browser’s security is determined by its ability to combat real attacks.

The majority of malicious programs designed to steal money via Internet banking work successfully with browsers such as Internet Explorer, Chrome, Firefox and Opera.

Typically these are Zeus (Zbot), the infamous Dyreza (Dyre), and the peer-to-peer bot Cridex (Dridex), all of which, despite being old, are nevertheless still used by virus writers.

The functionality of a typical banker leads to the implementation of an MiTB (Man-in-The-Browser) attack. Most bankers pull off such an attack by integrating their code in the browser process and intercepting the network-interaction functions. However, these functions are implemented differently in different browsers, forcing virus writers to constantly modify and update their malicious software so that it can work with all possible browsers and versions.

In November 2015, it was reported that the Dyreza Trojan had been given functionality that enabled it to attack Microsoft Edge. However, the activity of that particular botnet fell to zero soon afterwards: updates ceased to be released and the command-and-control servers were taken offline. Another infamous banker Trojan, Kronos, caught up with Edge in 2016. We checked out its capabilities on a Windows 10 virtual machine.
In the code of the new Kronos version we found a function that checks the name and checksum of a process, as well as the hashes of the functions hooked by the malware.

Function that identifies the browser based on the checksum of its process name

Kronos checks the process’s name, converts the string to lower case, calculates its checksum and squares it.

The hash obtained in this way is checked against a table – if it is found there, the Trojan will attempt to hook the functions it needs in the browser’s process. Browser process names known to the Trojan:

Process name          Checksum
iexplore.exe          0x64302d39
chrome.exe            0x05d66cc4
firefox.exe           0x39ace100
opera.exe             0x9420a4a1
microsoftedge.exe     0x9b6d5990
microsoftedgecp.exe   0x949b93d9

In order to perform malicious operations that will make money for its owners, Kronos hooks the functions that create and send HTTP requests in the Wininet library. List of wininet.dll functions hooked:

API function            Hash
HttpOpenRequestA        Y7D4D7E3T2T2A4U3
HttpQueryInfoA          C8C0U1A2G4G5Y2B5
HttpSendRequestA        Y4U1P2F2G7T2A4U3
InternetCloseHandle     A7S3H3X3D5Y7T7F7
InternetConnectA        H0S6D5Q7E8P3P6U5
InternetCrackUrlA       E6F2A3S8Y4C7D5A5
InternetOpenA           B7P8P7T4E3U2H5A5
InternetQueryOptionA    C1Y0B7E2B0P2P3T7
InternetReadFile        D6X2S6E3Q3C5B5X2
InternetSetOptionA      X3Y6Q2T7Q5Q2A5X6

Kronos hooks functions using the splicing method, adding a JMP (unconditional jump) instruction at the beginning of the code.
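A defender-side check for the splicing technique just described, added here as an illustration and not code from the original review or from the malware: it inspects the first bytes of an API function's prologue for the trampoline encodings inline hooks use (a relative JMP, a push/ret pair, or a mov rax/jmp rax stub), resolves the jump target and reports whether it lands outside the owning module, which is what a shellcode handler injected into a browser process looks like. The module base, module size, function address and prologue bytes are constructed sample values, not taken from a real wininet.dll.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample layout, not real wininet.dll values: the module is mapped at
# MODULE_BASE for MODULE_SIZE bytes and the function under test starts at FUNC_ADDR.
MODULE_BASE = 0x76E00000
MODULE_SIZE = 0x200000
FUNC_ADDR = 0x76E3A000

# Constructed prologue bytes, as a read of the live process memory would return them.
SAMPLES = {
    # mov edi, edi ; push ebp ; mov ebp, esp  (ordinary hot-patchable x86 prologue)
    "clean": bytes.fromhex("8BFF558BEC"),
    # jmp rel32 -> 0x02A10000, an anonymous region outside the module (splice hook)
    "splice_jmp_rel32": bytes.fromhex("E9FB5FBD8B"),
    # jmp rel32 -> 0x76E50000, still inside the module (compiler stub, not a hook)
    "intra_module_jmp": bytes.fromhex("E9FB5F0100"),
    # push 0x02A20000 ; ret  (another common splice encoding)
    "splice_push_ret": bytes.fromhex("680000A202C3"),
    # mov rax, 0x00007FF702A30000 ; jmp rax  (x64 absolute-jump stub)
    "splice_mov_jmp_rax": bytes.fromhex("48B80000A302F77F0000FFE0"),
}


@dataclass
class HookReport:
    kind: str               # "none" or the trampoline encoding found
    target: Optional[int]   # resolved jump destination, if any
    outside_module: bool    # True when the target is not inside the owning module


def decode_trampoline(code: bytes, address: int) -> Optional[Tuple[str, int]]:
    """Return (encoding, target) if `code` starts with a splice-style jump, else None.

    The encodings are architecture-specific; the range check in inspect_prologue is not.
    """
    if len(code) >= 5 and code[0] == 0xE9:                         # E9 rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return "jmp rel32", (address + 5 + rel) & 0xFFFFFFFFFFFFFFFF
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:     # 68 imm32 ; C3
        return "push/ret", struct.unpack_from("<I", code, 1)[0]
    if len(code) >= 12 and code[:2] == b"\x48\xB8" and code[10:12] == b"\xFF\xE0":
        return "mov rax/jmp rax", struct.unpack_from("<Q", code, 2)[0]
    return None


def in_module(addr: int, base: int = MODULE_BASE, size: int = MODULE_SIZE) -> bool:
    return base <= addr < base + size


def inspect_prologue(code: bytes, address: int = FUNC_ADDR) -> HookReport:
    """Classify one function prologue: no trampoline, an intra-module jump, or a likely hook."""
    found = decode_trampoline(code, address)
    if found is None:
        return HookReport("none", None, False)
    kind, target = found
    return HookReport(kind, target, not in_module(target))


def find_splice_hooks(samples: dict) -> dict:
    """Return only the functions whose prologue jumps out of the module: the splice-hook suspects."""
    reports = {name: inspect_prologue(code) for name, code in samples.items()}
    return {name: r for name, r in reports.items() if r.outside_module}


if __name__ == "__main__":
    for name, report in find_splice_hooks(SAMPLES).items():
        print(f"{name:20s} {report.kind:16s} -> {report.target:#x}")
```

On a live Windows system the prologue bytes would come from ReadProcessMemory and the module range from the process's loaded-module list; comparing the bytes against the on-disk image of wininet.dll additionally catches patches the decoder does not recognize.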
Since the malicious code injected into the browser is loaded as shellcode rather than a library, the Mitigation Policy enabled in the browser will not block it from being executed.

InternetReadFile function hook in MicrosoftEdgeCP.exe

Handler for the hooked function

Successfully hooking these functions enables the Trojan to inject data into web pages.
It also enables Kronos to get information about the user, the user’s credentials and bank account balance, to redirect the user to phishing sites, or to include additional entry fields in the bank’s legitimate page (enabling the malware to find out the user’s reply to the secret question, credit card number, date of birth or phone number).

Web injection on a bank’s page

Note that Kronos can only attack Edge on the 32-bit version of Windows 10.

But this is not a fundamental constraint – there are now bankers that work with the 64-bit version of Edge, as well. In the beginning of the year, a new modification of the infamous Gozi banker appeared.

Among other things, it was designed to carry out an MiTB attack against Edge under a 64-bit version of Windows 10.

The Trojan injects its code into the RuntimeBroker.exe process, launches the browser on behalf of that process and injects its code into the browser’s own processes.

Part of the function that checks process names for injection

As in the case of Kronos, the injected code hooks functions that create and send HTTP requests. However, instead of splicing, it substitutes IAT pointers as well as function addresses in the Export Table.

Part of the function that checks process names to set the right hooks for each browser

HttpSendRequestW hook set by Gozi banker in the MS Edge browser

Note that Windows Defender successfully blocks the current versions of Kronos and Gozi. Nevertheless, new malware and adware will emerge that is capable of using Edge for its own purposes.

Virtualization-Based Security

In the corporate version of Windows 10, Microsoft has implemented a new approach to security that is based on Microsoft Hyper-V, a hardware-assisted virtualization technology.

The new paradigm, called Virtualization Based Security (VBS), is based on a whitelisting mechanism that only allows applications that are on the trusted-application list to be executed, and on isolating the most important services and data from other components of the operating system. VBS depends on the platform and CPU features, which means that the technology needs the following to operate:

Windows 10 Enterprise.
UEFI firmware v2.3.1+ with Secure Boot support.
CPU supporting Intel VT-x/AMD-V virtualization features.
Ability to block some features of the UEFI firmware and its secure updating.
TPM (optional).

Microsoft uses the Hyper-V hypervisor as its virtualization platform.

The less code a hypervisor contains, the fewer attack vectors against it exist.
In this aspect, the compactness of Hyper-V is very beneficial for security. Unlike previous Windows versions, the hypervisor starts not as a kernel-mode driver but in UEFI, at an early stage of the computer’s startup.

Hyper-V initialization procedure

In VBS, with the hypervisor active, each virtual CPU is assigned a Virtual Trust Level (VTL) attribute.

Two attributes are currently used: VTL 1 (“Secure World”) and VTL 0 (“Normal World”).
VTL 1 is more privileged than VTL 0. Secure Kernel Mode or SKM (Ring 0, VTL 1) includes a minimal kernel (SK), a Code Integrity (CI) module and an encryption module.
Isolated User Mode or IUM (Ring 3, VTL 1) includes several isolated services called Trustlets that are isolated not only from the external world but also from each other.
In “Normal World” (VTL 0) mode, the traditional kernel, kernel-mode drivers, processes and services work according to the former rules.

Diagram describing the two worlds

When the hypervisor is active, physical RAM pages and their attributes are only controlled by the secure isolated kernel (SK).
It can manipulate page attributes, blocking or allowing reading, writing or executing code on specific pages.

This makes it possible to prevent execution of untrusted code, malicious modification of trusted application code, as well as to make leaking protected data more difficult. In this architecture, the only component that controls the execution of any code in the system is the secure isolated Code Integrity (CI) module.

The kernel from “Normal World” cannot set the attributes of kernel-mode physical pages.

Credential Guard

Credential Guard is one of the main functional blocks of VBS.
It isolates secrets in such a way as to ensure that only trusted code has access to them.

This helps to withstand direct memory access (DMA) attacks, as well as pass-the-hash and pass-the-ticket attacks.

System Information. Credential Guard and HVCI
We have tested the technology, attempting to get secret data using direct memory access. We used Mimikatz and Inception hacker tools for this. Nothing worked.

These hacker tools were powerless against Credential Guard.

DMA attack using the Inception tool

Device Guard

The Device Guard technology that is part of VBS is the successor of Microsoft AppLocker.
It controls the launching and execution of all code: executable files and dynamic libraries, kernel-mode drivers and scripts (e.g., PowerShell).

This is based on a code integrity policy created by the system administrator that defines which software is regarded as trusted. The main difficulty in using Device Guard is in creating a proper policy, which can be difficult even for experienced system administrators.
Ideally, the procedure is as follows:

1. Enable the necessary Windows 10 VBS mechanisms on a test computer.
2. Prepare a master image of Windows OS.
3. Install all the necessary software.
4. Create a code integrity policy based on certain rules and leave it in audit mode for some time. During this time, software can be added or changed.
5. Watch the event log for CI events.
6. Perform any necessary policy adjustments, such as signing any software that is not signed.
7. Consolidate the original policy with the version created while the policy was in audit mode.
8. Disable audit mode in the code integrity policy, replacing it with enforced mode.
9. Distribute the prepared policy to end users.

A code integrity policy defines the conditions for executing code both in user mode (User Mode Code Integrity or UMCI) and in kernel mode (Kernel Mode Code Integrity or KMCI).
Secure loading of the Windows kernel itself is provided by the Secure Boot technology.

The integrity policy needs to be maintained and updated based on the software requirements in place at a specific organization. In addition to the integrity policy, there are other restrictions on executing code.

A physical memory page gets the “executable” attribute only if the certificate is validated.

Additionally, a kernel-mode page cannot have “writable” and “executable” attributes at the same time (the W^X restriction), which prevents most exploits and hooks from working in kernel mode.
In the event of an attempt to modify the contents of a kernel mode page that has “readable” and “executable” attributes, this will lead to an exception.
If it is not handled, Windows will stop and display a BSOD. As a result, it is impossible to execute unsigned drivers, applications, dynamic libraries, UEFI modules and some script types when the hypervisor and all the security options, such as Secure Boot, TPM, IOMMU, and SLAT are active.

Depending on settings, code that is signed but not trusted can also be blocked from being executed. To protect the policy from unauthorized changes or substitution, Microsoft suggests that it should be signed using a certificate generated by the administrator.

To remove a policy or change settings, another policy signed with the same certificate is required.
If an attempt is made to remove a policy or ‘plant’ an unsigned policy, the operating system will not start. Still, Device Guard is not perfect.
Increased protection comes at a price – in the form of performance degradation.

This is unavoidable due to the presence of a hypervisor.

The convoluted process of creating, configuring and maintaining a code integrity policy can be considered a weakness of the technology.

The options used by the policy are scattered across the operating system and cannot be managed through a single control panel.

As a result, it is easy to make a mistake, leading to weaker protection. Since Secure Boot plays a key role in this technology, the level of protection very much depends on the quality of UEFI code, which is developed by a third party over which Microsoft has no control.

Finally, the absence of protection against exploits in user mode is disappointing.

Testing VBS

If malicious code makes its way onto a computer with VBS by taking advantage of a vulnerability, it will have to elevate its privileges to kernel mode to be able to attack the hypervisor, the “Secure World” or UEFI. We tried to do this using a signed and trusted kernel mode driver. Kernel mode penetration testing results:

Test                                    Result
W+X PE section .INIT                    + (by design)
Allocate NP/P MEM, hack PTE manually    + (BSOD)
W^X PE section .INIT                    + (as is)
R+X section, remove WP in CR0           + (BSOD)
W+X PE section                          + (no start)
Stack code execution                    + (BSOD)
Allocate MEM, execute                   + (BSOD)
Allocate MEM, hack MDL manually         + (BSOD)
R PE section, write, execute            + (BSOD)

None of the attack methods that we tried was successful.

Attacks based on changing Control Registers (CR0-CR8, EFER etc.) and Model-Specific Registers (MSR) did not work either – they all invariably ended in a Privileged Instruction exception (0xC0000096). We also carried out some tests in user mode, trying to circumvent a code integrity policy in enforced mode.

The objective was to execute an unsigned application or load an unsigned dynamic library into a trusted process. We were unable to do this directly, but we found a curious error in the Windows 10 preview release (10154). The error lies in the fact that, although Device Guard checks whether an application, driver or library is signed, it does not verify that the signature is valid for the application signed with it.

This makes it possible to extract a valid signature from any trusted application and insert it into any untrusted application – after this the system will consider the application to be trusted.
So, by inserting a signature from another application, we were able to execute an untrusted application and to load an untrusted dynamic library. We immediately reported the error to Microsoft and it was fixed within a few days. Windows 10 RTM (10240) does not include that error. We also discovered a denial-of-service error that makes it possible to crash the system and cause a BSOD for the hypervisor from the user space with just one Assembler instruction.

A fix for this error was included in Windows 10 TH2 (10586).

The hypervisor’s BSOD

Overall, Microsoft has done a great job in developing new security mechanisms. However, as in previous versions, there are still opportunities for attacks via the firmware.

Another problem is that the system administrator needs to be highly qualified to configure protection properly.
In the event of faulty configuration or loss of the private certificate, all protection becomes useless.
In addition, there is no protection against user-mode vulnerabilities.
It is also important to keep in mind that VBS is only available to users of the corporate Windows 10 version. We have notified Microsoft of all the vulnerabilities discovered during testing.

Built-in Anti-Malware Protection in Windows

Let’s have a look at the Windows component that protects the system against malware in real time.
It is enabled by default and, for users who do not install third-party anti-malware solutions, it is the main Windows IT security tool. The principal purpose of built-in protection is to prevent the installation and execution of malware.
It scans files and active processes in real time, identifying those that are malicious by checking them against a regularly updated signature database.
In most cases, this protection is sufficient. However, if you are an active Internet user and often perform critically important operations on your computer – such as managing your bank accounts via online banking – you need multi-tier protection.

Even the best anti-malware solution can miss new, as yet unknown malware.
In this case, only additional layers of protection can save the day by preventing a Trojan from carrying out malicious activity in the system. We did some research and found a few real-life examples demonstrating that built-in protection may not be sufficient.

Keystroke Interception

Some banker Trojans intercept data entered on the keyboard to steal the user’s online banking account.

Examples of such malware include Qadars, Zbot and Cridex. Many anti-malware solutions, including Kaspersky Internet Security, have a component that detects and blocks attempts by programs to intercept the sequence of keypresses.
In some cases, this can be enough to prevent criminals from making money at the victim’s expense, even if they have managed to infect the computer. We tested the response of built-in protection to keystroke logging with the help of a test application that uses the GetAsyncKeyState WinAPI function (this method is similar to the one used in the latest MRG testing). We were able to intercept the user’s login and password for a PayPal account with Windows Defender enabled.

Logging the user credentials while entering a PayPal account

Unauthorized Web Camera Access

In the next test, we tried to gain unauthorized access to the web camera.

This functionality has been increasingly used in Trojans and other hacker tools in the past years.

The fact that a surveillance module using the web camera is included in the AdWind Trojan is a telling example of the popularity of this functionality among cybercriminals. Monitoring victims using their own web cameras can provide a wealth of information about them, which can later be used to make money illegally – for example, by blackmailing a victim with intimate videos. Some anti-malware solutions can control application access to the camera.
In real life, there are practically no situations in which a legitimate application could need to use the camera without notifying the user, which is why providing such notifications is a convenient and widely accepted practice.

The user can decide in each specific case whether the application really needs to use the camera or whether this is suspicious activity that should be blocked. Our test application used a publicly available library called OpenCV (which is what the Rover Trojan does, to give one example).

A simple Python script captured video from the web camera and displayed it in a separate window.

This means that an application was able to intercept video from the web camera on a Windows 10 machine with protection enabled, without the user being notified of this in any way.

Capturing the screen with a script

Control of Drive-By Downloads

Another problem that is among the most serious issues faced by Windows users is the numerous exploits that can be used to infect the system via vulnerabilities in various applications. We tested the built-in protection with one of the latest exploits for the CVE-2016-1019 vulnerability in Adobe Flash Player. The exploit’s file is an SWF object compressed using the ZLIB algorithm.

The flash exploit

In this form, the file is recognized by Windows Defender and quarantined.

Successful detection of a packed exploit

However, if the file is decompressed into the original SWF, the security system will miss it. Moreover, a compressed file that was detected on the hard drive is downloaded from websites in drive-by attacks and successfully executed from the browser’s context.
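The miss described above, where the ZLIB-compressed exploit is detected but its decompressed form is not, is what happens when a signature is tied to one container encoding rather than to the content. As an added illustration, not code from the original review, the functions below canonicalize an SWF to its uncompressed FWS form before fingerprinting, so the compressed and decompressed copies hash identically; the SWF body is a constructed placeholder, not exploit content.

```python
import hashlib
import struct
import zlib

SWF_HEADER_LEN = 8  # signature(3) + version(1) + uint32 LE length of the *uncompressed* file


def parse_swf_header(data: bytes):
    """Return (signature, version, declared_uncompressed_length) or raise ValueError."""
    if len(data) < SWF_HEADER_LEN or data[:3] not in (b"FWS", b"CWS", b"ZWS"):
        raise ValueError("not an SWF file")
    return data[:3], data[3], struct.unpack_from("<I", data, 4)[0]


def normalize_swf(data: bytes) -> bytes:
    """Return the SWF in uncompressed FWS form, so matching sees the same bytes either way.

    CWS (zlib) is expanded; ZWS (LZMA, SWF 13+) is out of scope for this example.
    """
    sig, version, declared_len = parse_swf_header(data)
    if sig == b"FWS":
        body = data[SWF_HEADER_LEN:]
    elif sig == b"CWS":
        body = zlib.decompress(data[SWF_HEADER_LEN:])   # one zlib stream follows the header
    else:
        raise NotImplementedError("ZWS (LZMA-compressed) SWF not handled here")
    out = b"FWS" + bytes([version]) + struct.pack("<I", SWF_HEADER_LEN + len(body)) + body
    if len(out) != declared_len:
        # Truncated, padded or hand-edited: refuse rather than fingerprint a mangled file.
        raise ValueError(f"declared length {declared_len} but actual {len(out)}")
    return out


def is_well_formed_swf(data: bytes) -> bool:
    """True when the file parses and its declared length matches the normalized content."""
    try:
        normalize_swf(data)
        return True
    except (ValueError, zlib.error):
        return False


def swf_fingerprint(data: bytes) -> str:
    """SHA-256 of the normalized file; identical for FWS and CWS copies of the same content."""
    return hashlib.sha256(normalize_swf(data)).hexdigest()


def fingerprints_agree(a: bytes, b: bytes) -> bool:
    return swf_fingerprint(a) == swf_fingerprint(b)


def make_cws(fws: bytes) -> bytes:
    """Repack an FWS into CWS; used only to build the constructed fixture below."""
    _, version, length = parse_swf_header(fws)
    return b"CWS" + bytes([version]) + struct.pack("<I", length) + zlib.compress(fws[SWF_HEADER_LEN:], 9)


# Constructed fixture: an SWF version 10 header over a placeholder body, not a real SWF or exploit.
SAMPLE_BODY = b"placeholder-swf-body-" + bytes(range(256)) * 4
SAMPLE_FWS = b"FWS" + bytes([10]) + struct.pack("<I", SWF_HEADER_LEN + len(SAMPLE_BODY)) + SAMPLE_BODY
SAMPLE_CWS = make_cws(SAMPLE_FWS)


if __name__ == "__main__":
    print("raw bytes differ:", SAMPLE_FWS != SAMPLE_CWS)
    print("normalized fingerprints agree:", fingerprints_agree(SAMPLE_FWS, SAMPLE_CWS))
```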
If a vulnerable version of Adobe Flash Player is installed in the system, an infection can occur, because Windows Defender does not include a drive-by download control component.

Successful download of a Flash exploit that was previously detected on the hard drive

In addition, we want to mention that Microsoft Windows has an embedded component (SmartScreen) that can successfully stop drive-by attacks using reputation-based analysis, but in some cases, especially in targeted attacks, heuristic content analysis is needed to detect the exploitation process. We used this test case, which cannot be covered by the SmartScreen component, to show that if threat actors were to combine a Flash exploit with techniques that bypass Edge’s security mechanisms, the user could be infected.

So far, we have not registered the use of such bypass techniques.

Conclusion

Today, a multi-tier approach is required to provide reliable protection for user systems, combining standard detection methods (signature-based analysis, behavioral analysis, etc.) with additional modules designed to detect attack techniques commonly used by cybercriminals. As our brief review has demonstrated, in some cases the IT security technologies built into Windows 10 are not sufficient for full-scale protection against malicious attacks.

As in previous Windows versions, all possible attack vectors should be blocked using dedicated Internet Security class security solutions.
Wassenaar Arrangement aims to stop sale of spyware to rogue states, but also goes further

Microsoft and a team of concerned engineers from across the security sector have joined forces to suggest a major re-write of the arms control pact the Wassenaar Arrangement, as they fear the document's terms are a threat to the information security industry. The pitch is the result of brainstorming by the group to redefine the core aims of the Arrangement, which aims to restrict export of both weapons and "dual-use" items that have military potential beyond their main functions.

The Arrangement was negotiated and signed behind closed doors in 2013, without the infosec industry's participation. The Arrangement's provisions are so broad, as it (see this PDF) aims to stop the sale of exploitation software to restricted regimes with poor human-rights records, that it promises to impact almost every aspect of the information security industry. If the Wassenaar Arrangement carries through in its current state, it will force Microsoft to submit some 3800 applications for arms export every year, company assistant general counsel Cristin Goodwin says. "However we tweak the implementation, the definition is still going to be the problem," Goodwin told the RSA Asia Pacific Security conference in Singapore today. "No-one on the government side is willing to change the definition and that is the problem. "It talks about [restricting] the modification of the intended path of a file - this is fundamental to information technology."

Symantec director of government affairs Brian Fletcher (left) with Microsoft assistant general counsel Cristin Goodwin. Image: Darren Pauli, The Register.

While the US, through the Department of Commerce, has opened up to discussion about the Arrangement in recent months, it will not negotiate on changing the definitions on which the Arrangement's dual-use restrictions are based. Goodwin did not reveal the names of the companies or engineers who worked together to ink a new technology-savvy re-draft of the document. She says its central definition is solid, and will serve to more effectively restrict the movement of spyware like Hacking Team's trojans, while relieving a tortured security industry of the threat of massive fines and jail time for the regular and essential disseminating of exploit code.
The proposed new definition reads, with Goodwin's emphases included: "‘Intrusion delivery platforms’ are defined as systems, equipment, components and software specifically designed for use in offensive intrusion and remote monitoring and that demonstrate elements of vulnerability exploitation, evasion, and enabling subversion or destruction." Goodwin fleshed out the Arrangement with Brian Fletcher, a former Australian Signals Directorate executive who worked in the security sphere and sat on the nation's latent Wassenaar Arrangement technical committees until November 2015 before becoming director of government affairs for Symantec's Asia Pacific operations. "Dual-use technology controls are by definition very difficult," Fletcher told The Register. "We need to ask questions like 'is this something that could be best handled by industry?'"

Sniper

The Wassenaar Arrangement caught all corners of the security industry off guard, but its full potentially-devastating effects will only be realised in coming months and years. Champions of the security cause such as Goodwin, Fletcher, and industry icon Katie Moussouris have stepped up to take the technology cause straight to the halls of government, including the European Commission and the White House. Yet of the more than 5,000 delegates to the RSA conference, this reporter counted just eight in the 9:00AM day one session discussing the Wassenaar Arrangement. The effects of the Arrangement are now well-stated. While your correspondent was the first scribe to cover the updated Arrangement, dozens of articles have been written since, covering the localised impacts that could arise from the regime's various implementations by signatory nations. "How did we miss it?" Goodwin says. "It became one of the largest set of comments the (US) Department of Commerce had ever received, which shows quite an oversight by the Department." "It is an unintended consequence of the Arrangement, but it is here now," Goodwin adds.
Goodwin and Fletcher are calling on the industry to lobby their agencies to overhaul the dual-use software definition of the Arrangement ahead of a closed-door meeting in September where changes can be proposed. The US has held back on implementing the Arrangement in case changes should come into effect in the final vote in December. Should the Arrangement come into force in its current state, the industry will feel the "real pain" when the US begins enforcement. Australians can write to the Defence Export Controls, Americans to the Department of Commerce, and Britons to the Government Communications Headquarters (GCHQ). "As it is this (the Arrangement) is our worst choice," Goodwin says. "Let's change it." ®
From SSL cert blowup to busted infringement appeal

Blue Coat has lost its appeal challenging a nearly $40m patent infringement lawsuit brought by rival security company Finjan. The California Northern District Court upheld the 2015 jury decision awarding $39,528,487 to Finjan for infringement by Blue Coat on five of its patents:

6,804,780: identifying downloadable files
6,154,844: attaching a security profile to a downloadable
7,418,731: caching on a network gateway
6,965,968: policy-based cache management
7,647,633: mobile code monitoring for security threats

Following last year's verdict, Blue Coat asked Judge Beth Labson Freeman to overturn the ruling and order a new trial, a motion that earlier this week was denied [PDF]. The court shot down the argument from Blue Coat that some evidence Finjan introduced regarding previous patent agreements was inadmissible, as well as Blue Coat's contention that the jury instructions were not properly given out prior to deliberation.

As a result, the jury's verdict in favor of Finjan will stand. This week's decision was not a complete win for Finjan, however.

The judge shot down its request that Blue Coat also be required to pick up the bill for attorney fees. "Blue Coat vigorously defended its position and the Court is not aware of any conduct by Blue Coat that makes this case exceptional," wrote Freeman. "Blue Coat did not choose to bring this lawsuit, but once sued, defended itself in a determined manner." Pending further appeals, Blue Coat – which just emerged from an SSL certificate row – will be on the hook for the $39.5m damages award.

That sum of money may be less of an issue, however, as Blue Coat recently agreed to an acquisition deal with security giant Symantec worth $4.65bn.

This could make paying up to Finjan a bit more palatable. ®
Oracle's July Critical Patch update fixes 276 different vulnerabilities. Will 200-plus flaws be typical for future updates?

Some patch updates are larger than others, a lot larger. Such is the case with Oracle's July Critical Patch Update, which tackles a whopping 276 vulnerabilities across multiple Oracle software products. Oracle has had a quarterly patch cycle for its software portfolio since 2004, and as new companies have been acquired, including Sun Microsystems in 2010, the list of software has expanded. Yet during the 12 years of Oracle software updates, there have never been as many vulnerabilities patched as there are now in the July 2016 update. In April 2006, Oracle's CPU patched a meager 36 vulnerabilities, while the most recent patch update in April 2016 fixed 136 flaws.

"276 is quite high, and as a matter of fact is the highest number of vulnerabilities Oracle has fixed in a single update," Amol Sarwate, director of engineering at Qualys, told eWEEK. "The average for last year was about 161 and for 2014 was about 128 fixes."

So far in 2016, the patched vulnerability count has gone up significantly, with 248 in January and 276 in July, Sarwate said. Not all of the vulnerabilities that Oracle patched are equally severe, and the most serious are typically those identified as being remotely exploitable without authentication.

For the July update, 159 vulnerabilities can be exploited remotely by a potential attacker, without the use of a username or password. Regarding specific software applications that are being patched, Oracle's Fusion middleware tops the list with the most issues, at 40 vulnerabilities, 35 of which are remotely exploitable without authentication. Software from Oracle's Sun Systems portfolio is being patched for 34 different vulnerabilities, 21 of which are remotely exploitable without authentication. Oracle breaks out Java and MySQL database software, which it acquired from Sun, in separate categories.

For July, there are 13 new vulnerabilities in Java, including nine that can be exploited remotely by an attacker without a username or password. Oracle has invested in improving Java over the last few years; back in 2014, Cisco identified Java as the primary cause of 91 percent of all attacks. In 2015, improvements Oracle made to Java significantly reduced the risks. In December 2015, Oracle settled with the U.S. Federal Trade Commission over charges related to Java software updates and security.

The MySQL database server, in contrast to Java, has only three issues that are remotely exploitable without authentication, out of a total of 22 security vulnerabilities. Oracle's namesake database is also being patched, but only five of the nine vulnerabilities that are patched can be remotely exploited by an attacker without authentication. "Most components affected in today's update were the usual suspect, so no surprise there," Sarwate said. "In my opinion, the massive size of the update itself was a surprise, and going forward, I think 200-plus vulnerability fixes is going to be the norm."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com.
It wasn't all that long ago that a 100G-bps distributed denial-of-service attack was an outlier. Back in 2013, a DDoS of that size was considered one of the largest attacks ever. However, there have already been 274 DDoS attacks measuring 100G bps or ...
Federal authorities have shut down several alleged tech support scammers working out of Florida, Iowa, Nevada and Canada, freezing their assets and seizing control of their businesses. The action was one of the largest in the U.S. against scammers, who...
Government requests worldwide for user data related to search engine traffic on Google increased 29 percent from 2014 to 2015, according to the search site's most recent Transparency Report, which was published today. Google reports on the government requests every six months.

In the second half of 2015, it said it received more than 40,000 requests for data related to more than 81,000 user accounts. That compares to the first half of the year, when Google received about 35,000 requests related to about 69,000 accounts.

(Chart, Google: the number of requests from governments and courts around the world for Google to hand over user data.)

In the second half of 2014, Google received 31,140 requests from U.S. entities for user information related to more than 50,000 accounts. "Usage of our services [has] increased every year, and so have the user data request numbers," Google said. By far, the U.S. leads the world in government requests for data: it submitted 27,157 requests related to 12,523 user accounts in the second half of last year.

The next highest country was Ireland with 12,114 requests, followed by Germany with 11,562 requests. Google agreed to hand over "some" user data for 64 percent of the requests worldwide, but it handed over data for U.S. government requests 79 percent of the time.

(Chart, Google: the percentage of requests where Google provided governments or courts some user data.)

Several search engines and social media sites voluntarily offer annual or semi-annual transparency reports related to state and federal law enforcement information requests about user data. The Electronic Frontier Foundation (EFF), an international non-profit digital rights organization, publishes a report on which Internet entities do the best at protecting subscriber data.

AT&T and smartphone instant messaging app WhatsApp received the lowest ranking related to practices such as telling users about government data demands and being open about data retention policies. Each garnered just one star out of five related to protecting user data. Google received three out of five stars.

(Chart: Electronic Frontier Foundation.) Twitter received four out of five stars related to protecting user data from government requests and privacy transparency policies. "This is Google’s fifth year in the report, and it has adopted some of the policies we are highlighting, including the best practices from prior reports," the EFF stated in its Who Has Your Back? 2015 report. "Nonetheless, there is room for improvement. Google should take a stronger position in providing notice to users about government data requests after an emergency has ended or a gag has been lifted. Furthermore, Google should provide transparency into its data retention policies."

In the second half of 2015, Microsoft also received more than 39,000 requests for information related to more than 64,000 user accounts. That compares with 34,000 requests in the second half of 2014.

(Chart, Microsoft: the total number of government or court requests for information from Microsoft related to user data in the second half of 2015.)

Microsoft said it disclosed subscriber and transactional data about 66 percent of the time, but it only disclosed actual search content 2.45 percent of the time. Microsoft outright rejected 13.9 percent of the requests for information. In 2014, the social news networking service Reddit issued its first transparency report, saying it received 55 requests from outside parties for user information, including account registration data, log data and content uploaded by users. Reddit agreed to hand over information for 58 percent of all government and civil requests, and 64 percent of all US state and federal government requests. Google has been publishing its semi-annual Transparency Report since 2011; the latest statistics show that requests for user data are at an all-time high. In 2014, Apple, Microsoft, and Google were among 10 top tech companies that signed a letter backing passage of the USA Freedom Act, which would curtail bulk collection of Internet metadata by government agencies. Passed in June 2015, the USA Freedom Act now requires transparency when the government demands user information from technology companies. Nevertheless, the EFF said there still needs to be more transparency when it comes to government-mandated back doors, as well as what deleted data is kept around in case government agents seek it in the future. "We think it’s time to expect more from Silicon Valley," the EFF said. This story, "Google says government requests for user data at all-time high" was originally published by Computerworld.
Thales, leader in critical information systems, cyber security and data protection, and Williams (ETR: WGF1), the leading Formula One team and advanced engineering company, have entered into a new technical partnership.

As part of the agreement Thales will deliver state-of-the-art cyber security solutions for real-time global telemetry transmission to both WILLIAMS MARTINI RACING and Williams Advanced Engineering, the engineering services and technology division of Williams. Thales designs, develops and operates resilient and high-performance critical information systems supported by its 2,000 cyber security experts and world class data protection and digital trust management solutions, protecting mission critical data anywhere data resides.

Cyber security, especially data protection, is of the utmost importance in the competitive world of Formula One. The expertise brought by Thales will assist Williams in protecting its confidential high-value data.

(Image: Thales e-Security secured Williams F1.)

Thales Datacryptor 5000 delivers high speed data protection with state-of-the-art throughput enhancement and low latency to ensure high assurance, real-time global telemetry transmission from the pitlane back to Williams’ headquarters.

Furthermore, with an increasing number of projects being undertaken for external customers through Williams Advanced Engineering, data protection and security has become a priority across the Williams Group.

Marc Darmon, Executive Vice-President, Secure Communication and Information Systems, Thales says: “Thales is a world class cyber security expert and a globally recognised systems integrator, delivering safety and security critical systems in challenging environments such as Aerospace, Space, Defence, Finance, IT & Technology and Ground Transportation. This agreement builds on the already strong existing relationship between our two companies and our combined skills and expertise. It clearly illustrates Thales’s commitment to accompany its clients in their digital transformation where cyber security is a vital requirement.”

Claire Williams, Deputy Team Principal and Commercial Director, Williams says: “Williams has undergone a significant digital transformation over the past two years. We are revolutionising our IT infrastructure to make sure that we are well placed to continue innovating. With the help of Thales, we will be introducing cyber security systems that keep our business critical data secure wherever we are in the world.”

About Williams
Williams is a leading Formula One team and advanced engineering company. Formed in 1977 by Sir Frank Williams and Sir Patrick Head, the company has secured 16 FIA Formula One World Championship titles since its foundation. The company's core competencies are the design and manufacture of Formula One race cars, and the deployment of this expertise in running the team's entries into the Grands Prix each season under the name WILLIAMS MARTINI RACING. Williams Advanced Engineering is the division of Williams that harnesses Formula One derived technology, development pace and knowledge to deliver highly innovative products and services to the motorsport, automotive, aerospace, defence and energy sectors. Working in close collaboration, Williams Advanced Engineering helps its customers meet the sustainability challenges of the 21st century and improve their performance, market position and brand image.

About Thales
Thales is a global technology leader for the Aerospace, Transport, Defence and Security markets. With 62,000 employees in 56 countries, Thales reported sales of €14 billion in 2015. With over 22,000 engineers and researchers, Thales has a unique capability to design and deploy equipment, systems and services to meet the most complex security requirements. Its exceptional international footprint allows it to work closely with its customers all over the world. Positioned as a value-added systems integrator, equipment supplier and service provider, Thales is one of Europe’s leading players in the security market.

Thales solutions secure the four key domains considered vital to modern societies: government, cities, critical infrastructure and cyberspace. Drawing on its strong cryptographic capabilities, Thales is one of the world leaders in cybersecurity products and solutions for critical state and military infrastructures, satellite networks and industrial and financial companies. With a presence throughout the entire security chain, Thales offers a comprehensive range of services and solutions ranging from data protection and trust management, security consulting, intrusion detection and architecture design to system certification, development and through-life management of products and services, and security supervision with Security Operation Centres in France, the United Kingdom and The Netherlands.
Aspect, first and largest vendor of cloud-based energy and commodity trade and risk management (ETRM / CTRM) software, has seen sales for the first half of the year climb to a record 16-year high as even the largest global organizations are dumping entrenched, legacy software and moving to the cloud. Booking more than $7M in new business through the first 6 months of the year, an increase of 127% over the same period in 2015, Aspect has become the replacement solution of choice for user organizations blighted by traditional client-server solutions that require either costly upgrades or pay-all-over-again replacement versions to remain competitive.

Conversely, Aspect’s monthly subscription model sees fully-tested fresh versions, fixes and upgrades delivered to desktops automatically and transparently at no extra cost. Now regarded as the CTRM sector disruptor, Aspect has this year signed 8 new deals with global top tier trading companies in the metals, coal and oil trading sectors, including Ferrocadia and MENA Energy. Aspect’s functional expertise, rapid implementation and proven scalability all played an important part in this success. The company did particularly well in North America and the Middle East, where sales were consistently ahead of target.

Steve Hughes is CEO of Aspect and formerly of its predecessor OILspace, the company that pioneered cloud CTRM 16 years ago. Since then Aspect’s continually evolving solutions have helped put the cloud front and center of the industry. “The world has moved on but legacy CTRM solutions have not,” said Hughes. “Users are paying for support and updates to software going nowhere. The cloud is a way out of that cycle, a route to software with a future for minimum pain and maximum gain.”

Switchers to Aspect can typically achieve cloud CTRM implementation in as little as eight weeks, with ongoing cost of ownership typically comparable to the cost of support only for legacy software. “Where once it was just the small and mid-tier market, there’s little doubt that cloud vendors now effectively own the whole market. Meanwhile there’s evidence that legacy vendors are abandoning their traditional products, leaving users themselves to find alternatives,” added Hughes.

About Aspect
Aspect is a leading global provider of multi-commodity trade, risk and operations management applications delivered Software-as-a-Service (SaaS) in the cloud. With almost 500 customers in 90 countries, it’s one of the fastest growing providers with rapid deployment, affordable subscriptions, and immediate ROI for all size companies. Solutions include AspectCTRM®, a full-featured commodity trading and risk management enterprise suite for front, middle and back office. It’s available in three editions: Lite, Standard and Enterprise, expanding in functionality according to the needs and budgets of clients. Aspect is the only ETRM/CTRM solutions provider with market data and analytics tools delivered with its trade and risk functions on the same platform. This provides users with a seamless packaged solution beginning with pre-trade pricing analysis and market assessments via AspectDSC. Aspect’s solutions are available on desktop, tablets and mobile devices and through its new Aspect Partner Program (APP).
Carbon Black Delivers the Industry's Most Complete Next-Gen Endpoint Security Platform, Featuring the Cb Collective Defense Cloud

July 20, 2016 -- Waltham, MA -- Carbon Black, the leader in next-generation endpoint security, today announced its acquisition of Confer, a next-generation antivirus (NGAV) company. Carbon Black is recognized for its market-leading application control, incident response, and threat hunting products that serve more than 2,000 organizations globally. By adding Confer’s NGAV product, Carbon Black delivers the industry’s most complete endpoint security platform. Confer’s software solution will be renamed “Cb Defense.”

“With the acquisition of Confer, organizations of every size can now address their endpoint-security requirements through a single platform,” said Patrick Morley, chief executive officer of Carbon Black. “This extension of the Carbon Black platform is a significant step forward in our vision to create a world safe from cyber-attacks.”

Today’s cyber security war is waged at the endpoint. Incumbent AV providers regularly miss critical malware threats, as noted by Gartner in its 2016 Magic Quadrant for Endpoint Protection Platforms: “44% of reference customers for EPP solutions have been successfully compromised.” In the wake of traditional AV proving to be ineffective, emerging endpoint players have entered the market. However, these players offer incomplete, point solutions that miss entire classes of cyber-attacks. These omissions create a false sense of security and leave enterprises vulnerable.

“The emerging next generation endpoint security market is about more than prevention. Security vendors who offer a comprehensive security platform comprised of prevention, detection and response capabilities will lead the transition from prior generation solutions,” said Doug Cahill, senior analyst at ESG. “With the addition of Confer, Carbon Black is offering such a next-gen platform to address the ever evolving threat landscape.”

Cb Defense Redefines Next Gen AV
“NGAV solutions need to take a far more innovative approach in stopping attacks and be much more effective than legacy AV,” said Mark Quinlivan, co-founder and chief executive officer at Confer. “We built Confer to provide a sophisticated, lightweight yet simple solution that includes groundbreaking prevention, detection and incident response.” Cb Defense uniquely combines behavioral-based prevention techniques with integrated detection and response capabilities to stop cyber-attacks. Its cloud-based, deep-analytics approach blocks both malware and increasingly common malware-less attacks that exploit memory and scripting languages such as PowerShell. Once malware is blocked, Cb Defense gives organizations visibility into how the attack happened, which enables them to proactively fix security problems. Cb Defense uses a lightweight sensor that installs in less than a minute and consumes less than one percent of the CPU, disk and network. Once installed, Cb Defense can be completely managed from the cloud through an easy-to-use, web-based interface.

Carbon Black Endpoint Security Platform
With the acquisition of Confer, customers will have access to a single platform designed to replace ineffective antivirus, lock down critical systems, and arm incident-response teams with the most advanced tools to proactively hunt down threats. The Cb Endpoint Security Platform is the only solution that provides the flexibility and security required to grow and evolve with an organization’s security needs. The Cb Endpoint Security Platform is designed to:

- Stop the Most Attacks. Using a combination of endpoint data and the Cb Collective Defense Cloud, the Cb Endpoint Security Platform stops more attacks than both traditional AV and competing NGAV products. It blocks both malware and malware-less attacks.
- See Every Threat. The Cb Endpoint Security Platform continuously records all endpoint activity, giving organizations full visibility into how cyber-attacks happen. By capturing and analyzing behaviors, it pinpoints potential exploits and provides complete visibility into each threat.
- Close Every Gap. With complete threat visibility, the Cb Endpoint Security Platform enables organizations to proactively fix security problems in their environment by leveraging a full suite of remediation capabilities.

Cb Collective Defense Cloud
Confer’s cloud-based analytics engine will become part of the “Cb Collective Defense Cloud,” adding significant depth to the Cb Endpoint Security Platform. The Cb Collective Defense Cloud provides an assessment of what’s safe and what’s not, based on advanced-analytic techniques applied to data from millions of endpoints. The Cb Collective Defense Cloud:

- Continuously records data from more than seven million endpoints protected by Carbon Black products.
- Enhances and enriches the data with threat intelligence from dozens of sources including Carbon Black’s Detection eXchange and partner feeds.
- Applies rigorous analytic techniques including machine learning, artificial intelligence and behavioral analytics to massive datasets of attacks, threats, behaviors and anomalies.
- Streams context and insight to Carbon Black’s offerings where attacks are blocked at the endpoint.

Continuous interactions between the Cb Collective Defense Cloud and Carbon Black’s offerings strengthen the system’s ability to identify malicious activity and become more resilient over time. Confer co-founders Paul Morville and Jeff Kraemer will be joining the Carbon Black product and engineering teams respectively. Confer employees will join the Carbon Black team. Terms of the acquisition were not disclosed.

About Carbon Black
Carbon Black has designed the most complete next-gen endpoint security platform, enabling organizations to stop the most attacks, see every threat, close security gaps, and evolve their defenses. The Cb Security Endpoint Platform helps organizations of all sizes replace legacy antivirus technology, lock down systems, and arm incident response teams with advanced tools to proactively hunt down threats. Today, Carbon Black has approximately 2,000 worldwide customers, including 25 of the Fortune 100, and more than 600 employees. Carbon Black was voted Best Endpoint Protection by security professionals in the SANS Institute’s Best of 2015 Awards.
National shut-down starts Tuesday, just in time for the Olympics

The standoff between Brazil's legal system and Facebook's WhatsApp messaging platform continues, after a Rio de Janeiro judge ordered all carriers to block the app as of next Tuesday. WhatsApp claims 100 million users in the country. While judge Daniela Barbosa has declined to publish her reasons in full, she says the order will only be lifted when the courts get access to user messages. That suggests the confidential case is another of the organised crime probes that have plagued WhatsApp in Brazil since last year.

Brazilian investigators want user messages; WhatsApp says it can't hand them over because they're encrypted when it transports them, aren't stored and therefore cannot be produced. The latest order covers Telefonica Brasil, Claro (owned by América Móvil), TIM, Oi, and Nextel. Each of them would face daily fines of 50,000 Brazilian Reals (US$15,375) for non-compliance.

Hoping to fend off Judge Barbosa's decision, WhatsApp has requested an injunction against its enforcement, local outlet O Globo reports (in Portuguese). The injunction is being considered. Repeated decisions by the country's judiciary blocking the app have also frustrated the office of Brazil's attorney-general, which says the decisions misinterpret the country's 2014 Internet law, the Civil Marco Internet. The ongoing disagreement between investigators and WhatsApp has already seen blocks imposed in December 2015 and May 2016, and the arrest of a local Facebook executive in March.
10Gbps is the new norm, warns Arbor Networks

DDoS attacks once again escalated in both size and frequency during the first six months of 2016. Netscout's DDoS mitigation arm Arbor Networks warns that attacks greater than 100Gbps are far from uncommon. The security firm has monitored 274 attacks over 100Gbps in the first half of 2016, versus 223 in all of 2015. The biggest single attack maxed out at an eye-watering 579Gbps, a 73 per cent increase in peak attack size over 2015. The US, France and the UK are the top targets for attacks over 10Gbps.

The average attack size in the first half of 2016 was 986Mbps, a 30 per cent increase over 2015, and enough to knock most organizations completely offline. "High-bandwidth attacks can only be mitigated in the cloud, away from the intended target," said Darren Anstee, Arbor Networks' chief security technologist. "However, despite massive growth in attack size at the top end, 80 per cent of all attacks are still less than 1Gbps and 90 per cent last less than one hour. On-premise protection provides the rapid reaction needed and is key against 'low and slow' application-layer attacks, as well as state exhaustion attacks targeting infrastructure such as firewalls and IPS."

Contrary to what many techies might believe, large DDoS attacks do not require the use of reflection amplification techniques. LizardStresser, an IoT botnet, was used to launch attacks as large as 400Gbps targeting gaming sites worldwide, Brazilian financial institutions, ISPs and government institutions. According to ASERT, the attack packets do not appear to be from spoofed source addresses, and no UDP-based amplification protocols such as NTP or SNMP were used. Reflection amplification is a technique that allows hackers to both magnify the amount of traffic they can generate and obfuscate the original sources of attack traffic. Outside of the LizardStresser example, it's by far the most common means of running a high-volume DDoS attack: junk traffic is bounced off insecure NTP or DNS servers toward the intended victim.

"DDoS remains a commonly used attack type due to the ready availability of free tools and inexpensive online services that allow anyone with a grievance and an internet connection to launch an attack," Arbor warns. "This has led to an increase in the frequency, size and complexity of attacks in recent years."

Arbor's data is gathered through its Active Threat Level Analysis System (ATLAS), a collaborative partnership with more than 330 service provider customers who share anonymous traffic data with Arbor in order to collectively benefit from a comprehensive, aggregated view of global traffic and threats.