Thursday, December 14, 2017

Tag: Internet

‘I vote Trump! free Internet’

A Wi-Fi hack experiment conducted at various locations at or near the Republican National Convention site in Cleveland underlines how risky it can be to connect to public Wi-Fi without the protection of a VPN. The exercise, carried out by security researchers at the anti-virus firm Avast, revealed that more than 1,000 delegates were careless when connecting to public Wi-Fi. Attendees risked being spied on and hacked by cybercriminals, or perhaps even by spies, while they checked their email, banked online, used chat and dating apps, and even while they played Pokemon Go.

Avast researchers set up fake Wi-Fi networks at various locations around the Quicken Loans Arena and at Cleveland Hopkins International Airport with fake network names (SSIDs) such as “Google Starbucks”, “Xfinitywifi”, “Attwifi”, “I vote Trump! free Internet” and “I vote Hillary! free Internet”, names that were either commonplace across the US or looked as though they had been set up for convention attendees. Of the people connecting to the fake candidate-name Wi-Fi in Cleveland, 70 per cent connected to the Trump-related network and 30 per cent to the Clinton-related one.

With mobile devices often set to connect automatically to SSIDs they have joined before, users can overlook the networks to which they are connecting.

Although convenient, this feature is easy for cybercriminals to exploit: they need only set up a rogue access point broadcasting a common SSID, and devices that remember that name will join it without asking. Moreover, on an open (unencrypted) Wi-Fi network, any traffic that is not itself protected by TLS is readable by anyone within radio range, and even for HTTPS connections the DNS lookups and the server names sent in the TLS handshake reveal which sites a user is visiting.

Any Wi-Fi network that does not require a password is a risk. In its day-long experiment Avast saw more than 1.6GB of data transferred by more than 1,200 users.
Some 68.3 per cent of users' identities were exposed when they connected, and 44.5 per cent of Wi-Fi users checked their email or chatted via messenger apps.

The researchers scanned the data but did not store it or collect personal information. Avast learned the following about the Republican National Convention attendees:

Devices:
- 55.9 per cent had an Apple device
- 28.4 per cent had an Android device
- 1.5 per cent had a Windows Phone device
- 3.4 per cent had a MacBook laptop
- 10.9 per cent had a different device

Activity:
- 13.1 per cent accessed Yahoo Mail, 17.6 per cent checked their Gmail inbox, and 13.8 per cent used chat apps such as WhatsApp, WeChat and Skype
- 6.5 per cent shopped on Amazon, and 1.2 per cent accessed a banking app or banking websites like bankofamerica.com, usbank.com or wellsfargo.com
- 4.2 per cent visited government domains or websites
- 5.1 per cent played Pokemon Go
- 0.7 per cent used dating apps like Tinder, Grindr, OKCupid, Match and Meetup
- 0.24 per cent visited pornography sites like Pornhub.com

“With Washington heatedly discussing cybersecurity issues virtually every week, we thought it would be interesting to test how many people actually practice secure habits,” said Gagan Singh, president of mobile at Avast. “Understanding the talking points behind these privacy issues is very different from implementing secure habits on a daily basis.

Though it is not surprising to see how many people connect to free Wi-Fi, especially in a location with large crowds such as this, it is important to know how to stay safe when connecting. When joining public Wi-Fi, consumers should utilize a VPN service that anonymizes their data while connecting to public hotspots to ensure that their connection is secure.”
Operating system security is one of Microsoft’s priorities.

The developers of the new generation of Windows have vigorously responded to the most significant and relevant threats that target the Windows platform by developing numerous security technologies that were previously available only in third-party solutions.

The system has become better protected, making the life of cybercriminals more difficult. Nevertheless, in some cases, the tools provided by the operating system are not sufficient – the developers have had to make compromises in a number of areas, which has negatively affected system security and makes it necessary to use third-party IT security tools. Because it is so widespread, Windows has been, and remains, the target of choice for cybercriminals of all stripes.

Each new version is researched thoroughly by thousands of blackhats in search of new moneymaking opportunities. Whitehats, for whom Windows is the main battleground in their fight against the bad guys, also explore it. Naturally, Kaspersky Lab always carries out a painstaking analysis of all changes introduced by Microsoft to the security system in order to provide its users with the best possible protection against cyberthreats. This review consists of three parts devoted to the most prominent new Windows 10 features that affect security.

These are the Microsoft Edge browser, virtualization-based security and an updated built-in anti-malware solution called Windows Defender.

All of these features have brought new capabilities to the Windows security system, but, unfortunately, they also come with some weaknesses of their own.
In this paper, we use examples to demonstrate how Windows 10 protection technologies work and how they can be complemented by third-party solutions to improve system security.

Microsoft Edge

The latest browser, Microsoft Edge, is intended to replace Internet Explorer.
It is included in Windows 10 as the default browser.

The company has worked hard to implement numerous new features, some of which are security-related. Support for Content Security Policy (CSP) was introduced to combat cross-site scripting attacks, and HTTP Strict Transport Security (HSTS) to stop a site from being downgraded to plain HTTP by an attacker on the network path.

CSP is designed not only to lower the chances of a successful attack but also, through its reporting mechanism, to notify the web service's owner about the attempt to carry it out. Microsoft has also come up with ways to protect Edge against exploits, which were the curse of Internet Explorer: by running the browser inside an AppContainer sandbox and separating content handling into different processes, exploiting vulnerabilities has been made much more difficult.

Finally, integration with SmartScreen should prevent users from visiting sites with malicious content. In addition to supporting new technologies, the security of Edge has been enhanced by retiring vulnerable old ones.

The browser no longer supports VML, BHOs or ActiveX, which are used by a multitude of advertising apps and malicious browser add-ons. However, a browser's security is ultimately determined by its ability to withstand real attacks.

The majority of malicious programs designed to steal money via Internet banking work successfully with browsers such as Internet Explorer, Chrome, Firefox and Opera.

Typical examples are Zeus (Zbot), the infamous Dyreza (Dyre), and the peer-to-peer bot Cridex (Dridex), all of which, despite their age, are still used by virus writers. The functionality of a typical banker amounts to a Man-in-the-Browser (MitB) attack. Most bankers pull this off by injecting their code into the browser process and intercepting the network-interaction functions. However, these functions are implemented differently in different browsers, forcing virus writers to constantly modify and update their malicious software so that it works with all possible browsers and versions.

In November 2015, it was reported that the Dyreza Trojan had been given functionality that enabled it to attack Microsoft Edge. However, the activity of that particular botnet fell to zero soon afterwards: updates ceased to be released and the command-and-control servers were taken offline. Another infamous banker Trojan, Kronos, caught up with Edge in 2016. We checked out its capabilities on a Windows 10 virtual machine.
In the code of the new Kronos version we found a function that checks the name and checksum of a process, as well as the hashes of the functions hooked by the malware.

[Figure: Function that identifies the browser based on the checksum of its process name]

Kronos checks the process's name, converts the string to lower case, calculates its checksum and squares the result.

The hash obtained in this way is checked against a table; if it is found there, the Trojan attempts to hook the functions it needs in the browser's process. Browser process names known to the Trojan:

    Process name          Checksum
    iexplore.exe          0x64302d39
    chrome.exe            0x05d66cc4
    firefox.exe           0x39ace100
    opera.exe             0x9420a4a1
    microsoftedge.exe     0x9b6d5990
    microsoftedgecp.exe   0x949b93d9

In order to perform the malicious operations that make money for its owners, Kronos hooks the functions that create and send HTTP requests in the Wininet library. List of wininet.dll functions hooked:

    API function           Hash
    HttpOpenRequestA       Y7D4D7E3T2T2A4U3
    HttpQueryInfoA         C8C0U1A2G4G5Y2B5
    HttpSendRequestA       Y4U1P2F2G7T2A4U3
    InternetCloseHandle    A7S3H3X3D5Y7T7F7
    InternetConnectA       H0S6D5Q7E8P3P6U5
    InternetCrackUrlA      E6F2A3S8Y4C7D5A5
    InternetOpenA          B7P8P7T4E3U2H5A5
    InternetQueryOptionA   C1Y0B7E2B0P2P3T7
    InternetReadFile       D6X2S6E3Q3C5B5X2
    InternetSetOptionA     X3Y6Q2T7Q5Q2A5X6

Kronos hooks functions using the splicing method: it overwrites the first bytes of the function with a JMP (unconditional jump) instruction that transfers control to its own handler.
Since the malicious code injected into the browser is loaded as shellcode rather than as a library, the image-load mitigation policy enabled in the browser process does not block it from executing: that policy governs which DLLs may be loaded, not code written directly into memory.

[Figure: InternetReadFile function hook in MicrosoftEdgeCP.exe]

[Figure: Handler for the hooked function]

Successfully hooking these functions enables the Trojan to inject data into web pages.
It also enables Kronos to get information about the user, the user's credentials and bank account balance, to redirect the user to phishing sites, or to add extra entry fields to the bank's legitimate page (enabling the malware to find out the user's reply to the secret question, credit card number, date of birth or phone number).

[Figure: Web injection on a bank's page]

Note that Kronos can only attack Edge on the 32-bit version of Windows 10.
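As an added illustration (not part of the original paper, and not Kronos's or Gozi's code), the following Python script shows how a defender can check a snapshot of wininet.dll's exports and of the browser's import table for the two redirection techniques discussed in this section: the inline JMP splicing that Kronos uses and the import-table pointer substitution that Gozi uses (described later in the section). All addresses, byte sequences and the shellcode location are constructed sample data, and the checksum that Kronos computes over process names is not reproduced.

```python
import struct

# Constructed layout, not real addresses: wininet.dll mapped in this range and a
# heap region (SHELLCODE_AT) where the injected banker handler lives.
WININET = ("wininet.dll", 0x75A00000, 0x75A00000 + 0x200000)
SHELLCODE_AT = 0x02F40000


def decode_entry_jump(addr, code):
    """Return the absolute target if the instruction at `addr` is an
    unconditional transfer of a kind that splicing hooks write over a prologue:
    E9 rel32 (jmp), 68 imm32 C3 (push/ret) or B8 imm32 FF E0 (mov eax/jmp eax).
    Returns None for a normal prologue."""
    if len(code) >= 5 and code[0] == 0xE9:
        rel = struct.unpack_from("<i", code, 1)[0]
        return (addr + 5 + rel) & 0xFFFFFFFF
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:
        return struct.unpack_from("<I", code, 1)[0]
    if len(code) >= 7 and code[0] == 0xB8 and code[5:7] == b"\xff\xe0":
        return struct.unpack_from("<I", code, 1)[0]
    return None


def in_module(addr, module):
    _, lo, hi = module
    return lo <= addr < hi


def find_inline_hooks(exports, module):
    """exports: {name: (address, first bytes of the function)} read from the
    browser process. Reports every export whose entry jumps outside `module`
    (Kronos-style splicing). A jump that stays inside the module, as a vendor
    hot-patch does, is not reported."""
    hooked = {}
    for name, (addr, code) in exports.items():
        target = decode_entry_jump(addr, code)
        if target is not None and not in_module(target, module):
            hooked[name] = target
    return hooked


def find_iat_substitutions(iat, module):
    """iat: {name: pointer} read from the browser's import table entries for
    wininet. Reports names whose pointer no longer lies inside wininet, which
    is what Gozi's IAT substitution leaves behind."""
    return {name: ptr for name, ptr in iat.items() if not in_module(ptr, module)}


def make_jmp(from_addr, to_addr):
    """Build the 5-byte E9 instruction a splicing hook writes over the prologue."""
    rel = (to_addr - (from_addr + 5)) & 0xFFFFFFFF
    return b"\xe9" + struct.pack("<I", rel)


# Constructed snapshot of four wininet exports: two spliced, one clean, one
# carrying an in-module jump that must not be flagged.
CLEAN = bytes.fromhex("8bff558bec83ec10")  # mov edi,edi; push ebp; mov ebp,esp; sub esp,10h
SAMPLE_EXPORTS = {
    "InternetReadFile": (0x75A3C2B0, make_jmp(0x75A3C2B0, SHELLCODE_AT + 0x100) + CLEAN[5:]),
    "HttpSendRequestA": (0x75A3A840, b"\x68" + struct.pack("<I", SHELLCODE_AT + 0x200) + b"\xc3" + CLEAN[6:]),
    "InternetOpenA": (0x75A31000, CLEAN),
    "InternetConnectA": (0x75A31400, make_jmp(0x75A31400, 0x75A31400 - 0x20) + CLEAN[5:]),
}
# Constructed IAT slice: one pointer redirected into the injected region.
SAMPLE_IAT = {
    "HttpSendRequestW": 0x75A3A900,
    "InternetReadFile": SHELLCODE_AT + 0x300,
}

if __name__ == "__main__":
    for name, target in find_inline_hooks(SAMPLE_EXPORTS, WININET).items():
        print(f"inline hook: {name} -> {target:#010x}")
    for name, ptr in find_iat_substitutions(SAMPLE_IAT, WININET).items():
        print(f"IAT substitution: {name} -> {ptr:#010x}")
```

On a live system the export bytes and IAT pointers would come from reading the target process's memory; the decision rule is the same: a prologue or an import pointer that leaves the module it belongs to is the artefact both hooking styles leave behind, and legitimate in-module hot-patch jumps are deliberately not flagged.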

But this is not a fundamental constraint: there are now bankers that work with the 64-bit version of Edge as well. At the beginning of the year, a new modification of the infamous Gozi banker appeared.

Among other things, it was designed to carry out an MiTB attack against Edge under a 64-bit version of Windows 10.

The Trojan injects its code into the RuntimeBroker.exe process, launches the browser on behalf of that process and injects its code into the browser's own processes.

[Figure: Part of the function that checks process names for injection]

As in the case of Kronos, the injected code hooks the functions that create and send HTTP requests. However, instead of splicing, it substitutes the pointers in the Import Address Table (IAT) as well as the function addresses in the Export Table, so the original function bodies are left intact and the redirection happens at the pointer level.

[Figure: Part of the function that checks process names to set the right hooks for each browser]

[Figure: HttpSendRequestW hook set by Gozi banker in the MS Edge browser]

Note that Windows Defender successfully blocks the current versions of Kronos and Gozi. Nevertheless, new malware and adware will emerge that is capable of using Edge for its own purposes.

Virtualization-Based Security

In Windows 10 Enterprise, Microsoft has implemented a new approach to security that is based on Microsoft Hyper-V, a hardware-assisted virtualization technology.

The new paradigm, called Virtualization Based Security (VBS), rests on isolating the most important services and data from the other components of the operating system in a separate, hypervisor-protected environment, and on a whitelisting mechanism (Device Guard, described below) that only allows applications on the trusted-application list to execute. VBS depends on the platform and CPU features, which means that the technology needs the following to operate:

- Windows 10 Enterprise.
- UEFI firmware v2.3.1+ with Secure Boot support.
- A CPU supporting Intel VT-x/AMD-V virtualization features.
- The ability to lock down some features of the UEFI firmware and to update it securely.
- TPM (optional).

Microsoft uses the Hyper-V hypervisor as its virtualization platform.

The less code a hypervisor contains, the fewer attack vectors against it exist.
In this respect, the compactness of Hyper-V is very beneficial for security. Unlike previous Windows versions, the hypervisor is started not as a kernel-mode driver but by the boot loader at an early stage of the computer's startup, before the NT kernel is loaded.

[Figure: Hyper-V initialization procedure]

In VBS, with the hypervisor active, each virtual CPU is assigned a Virtual Trust Level (VTL) attribute.

Two attributes are currently used: VTL 1 (“Secure World”) and VTL 0 (“Normal World”).
VTL 1 is more privileged than VTL 0. Secure Kernel Mode or SKM (Ring 0, VTL 1) includes a minimal kernel (SK), a Code Integrity (CI) module and an encryption module.
Isolated User Mode or IUM (Ring 3, VTL 1) includes several isolated services called Trustlets that are isolated not only from the external world but also from each other.
In “Normal World” (VTL 0) mode, the traditional kernel, kernel-mode drivers, processes and services work according to the former rules.

[Figure: Diagram describing the two worlds]

When the hypervisor is active, physical RAM pages and their attributes are controlled only by the secure isolated kernel (SK).
It can manipulate page attributes, blocking or allowing reading, writing or executing code on specific pages.

This makes it possible to prevent execution of untrusted code, malicious modification of trusted application code, as well as to make leaking protected data more difficult. In this architecture, the only component that controls the execution of any code in the system is the secure isolated Code Integrity (CI) module.

The kernel from “Normal World” cannot set the attributes of kernel-mode physical pages.

Credential Guard

Credential Guard is one of the main functional blocks of VBS.
It isolates secrets in such a way as to ensure that only trusted code has access to them.

This helps to withstand direct memory access (DMA) attacks, as well as pass-the-hash and pass-the-ticket attacks. (Resistance to DMA rests on the IOMMU that VBS uses to fence secure memory off from devices; Credential Guard's own contribution is keeping the secrets in VTL 1, where Normal World code, even a kernel-mode driver, cannot read them.)

[Figure: System Information: Credential Guard and HVCI]

We tested the technology, attempting to get secret data using direct memory access. We used the Mimikatz and Inception tools for this. Nothing worked.

These tools were powerless against Credential Guard.

[Figure: DMA attack using the Inception tool]

Device Guard

The Device Guard technology that is part of VBS is the successor of Microsoft AppLocker.
It controls the launching and execution of all code: executable files and dynamic libraries, kernel-mode drivers and scripts (e.g., PowerShell).

This is based on a code integrity policy created by the system administrator that defines which software is regarded as trusted. The main difficulty in using Device Guard is creating a proper policy, which can be hard even for experienced system administrators.
Ideally, the procedure is as follows:

1. Enable the necessary Windows 10 VBS mechanisms on a test computer.
2. Prepare a master image of the Windows OS.
3. Install all the necessary software.
4. Create a code integrity policy based on certain rules and leave it in audit mode for some time. During this time, software can be added or changed.
5. Watch the event log for CI events.
6. Perform any necessary policy adjustments, such as signing any software that is not signed.
7. Merge the original policy with the version created while the policy was in audit mode.
8. Disable audit mode in the code integrity policy, replacing it with enforced mode.
9. Distribute the prepared policy to end users.

A code integrity policy defines the conditions for executing code both in user mode (User Mode Code Integrity or UMCI) and in kernel mode (Kernel Mode Code Integrity or KMCI).
Secure loading of the Windows kernel itself is provided by the Secure Boot technology.

The integrity policy needs to be maintained and updated based on the software requirements in place at a specific organization. In addition to the integrity policy, there are other restrictions on executing code.

A physical memory page receives the “executable” attribute only after the CI module has validated the signature of the code being mapped into it.

Additionally, a kernel-mode page cannot have “writable” and “executable” attributes at the same time (the W^X restriction), which prevents most exploits and hooks from working in kernel mode.
In the event of an attempt to modify the contents of a kernel mode page that has “readable” and “executable” attributes, this will lead to an exception.
If it is not handled, Windows will stop and display a BSOD. As a result, it is impossible to execute unsigned drivers, applications, dynamic libraries, UEFI modules and some script types when the hypervisor and all the security options, such as Secure Boot, TPM, IOMMU, and SLAT are active.

Depending on settings, code that is signed but not trusted can also be blocked from being executed. To protect the policy from unauthorized changes or substitution, Microsoft suggests that it should be signed using a certificate generated by the administrator.

To remove a policy or change settings, another policy signed with the same certificate is required.
If an attempt is made to remove a policy or ‘plant’ an unsigned policy, the operating system will not start. Still, Device Guard is not perfect.
Increased protection comes at a price – in the form of performance degradation.

This is unavoidable due to the presence of a hypervisor.

The convoluted process of creating, configuring and maintaining a code integrity policy can be considered a weakness of the technology.

The options used by the policy are scattered across the operating system and cannot be managed through a single control panel.

As a result, it is easy to make a mistake, leading to weaker protection. Since Secure Boot plays a key role in this technology, the level of protection very much depends on the quality of UEFI code, which is developed by a third party over which Microsoft has no control.

Finally, the absence of protection against exploits in user mode is disappointing.

Testing VBS

If malicious code makes its way onto a computer with VBS by taking advantage of a vulnerability, it will have to elevate its privileges to kernel mode to be able to attack the hypervisor, the “Secure World” or UEFI. We tried to do this using a signed and trusted kernel mode driver. Kernel mode penetration testing results (“+” means the attack was prevented; the observed outcome is given in brackets):

    Test                                    Result
    W+X PE section .INIT                    + (by design)
    W^X PE section .INIT                    + (as is)
    W+X PE section                          + (no start)
    Allocate MEM, execute                   + (BSOD)
    R PE section, write, execute            + (BSOD)
    Allocate NP/P MEM, hack PTE manually    + (BSOD)
    R+X section, remove WP in CR0           + (BSOD)
    Stack code execution                    + (BSOD)
    Allocate MEM, hack MDL manually         + (BSOD)

None of the attack methods that we tried was successful.

Attacks based on changing Control Registers (CR0-CR8, EFER etc.) and Model-Specific Registers (MSR) did not work either – they all invariably ended in a Privileged Instruction exception (0xC0000096). We also carried out some tests in user mode, trying to circumvent a code integrity policy in enforced mode.

The objective was to execute an unsigned application or load an unsigned dynamic library into a trusted process. We were unable to do this directly, but we found a curious error in the Windows 10 preview release (build 10154). The error lies in the fact that, although Device Guard checks whether an application, driver or library carries a signature from a trusted signer, it does not verify that the signature actually covers the file it is attached to.

This makes it possible to extract a valid signature from any trusted application and insert it into any untrusted application – after this the system will consider the application to be trusted.
So, by inserting a signature taken from another application, we were able to execute an untrusted application and to load an untrusted dynamic library. We immediately reported the error to Microsoft and it was fixed within a few days. Windows 10 RTM (build 10240) does not contain the error. We also discovered a denial-of-service error that makes it possible to crash the hypervisor, producing a BSOD, from user space with a single assembly instruction.

A fix for this error was included in Windows 10 TH2 (build 10586).

[Figure: The hypervisor's BSOD]

Overall, Microsoft has done a great job in developing new security mechanisms. However, as in previous versions, there are still opportunities for attacks via the firmware.
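The signature-transplant error described above is worth making concrete. As an added example (not Kaspersky's test and not Microsoft's code), the following Python sketch models the difference between the two checks at the heart of that preview-build bug: accepting any well-formed signature from a trusted signer, versus requiring that the signed hash match the image the signature is attached to. An HMAC under a constructed “trusted signer” key stands in for an Authenticode signature and the signature block layout is invented; only the structure of the check is meant to carry over.

```python
import hashlib
import hmac

# Toy stand-in for Authenticode: the signer authenticates the hash of the image
# (everything before the appended signature block). An HMAC under a constructed
# "trusted signer" key replaces the real RSA signature; the block layout
# (marker || signed_hash || tag) is invented for this example.
TRUSTED_KEY = b"constructed trusted-signer key"
SIG_MARKER = b"\x00SIG:"
HASH_LEN = 32


def image_hash(body):
    return hashlib.sha256(body).digest()


def signer_tag(signed_hash):
    return hmac.new(TRUSTED_KEY, signed_hash, hashlib.sha256).digest()


def sign_image(body):
    """Append a genuine signature block for `body`."""
    h = image_hash(body)
    return body + SIG_MARKER + h + signer_tag(h)


def split_signature(image):
    """Return (body, signed_hash, tag); the last two are None if no block is attached."""
    idx = image.rfind(SIG_MARKER)
    if idx < 0:
        return image, None, None
    blob = image[idx + len(SIG_MARKER):]
    if len(blob) != 2 * HASH_LEN:
        return image[:idx], None, None
    return image[:idx], blob[:HASH_LEN], blob[HASH_LEN:]


def verify_presence_only(image):
    """The flawed check: accept if a well-formed signature from the trusted
    signer is attached, without binding it to this image's own bytes."""
    _, signed_hash, tag = split_signature(image)
    if signed_hash is None:
        return False
    return hmac.compare_digest(tag, signer_tag(signed_hash))


def verify_bound(image):
    """The correct check: the signature must be genuine AND the hash it
    authenticates must equal the hash of the image it is attached to."""
    body, signed_hash, tag = split_signature(image)
    if signed_hash is None:
        return False
    if not hmac.compare_digest(tag, signer_tag(signed_hash)):
        return False
    return hmac.compare_digest(signed_hash, image_hash(body))


def transplant_signature(signed_image, unsigned_body):
    """Lift the signature block off a trusted image and attach it to another."""
    _, signed_hash, tag = split_signature(signed_image)
    return unsigned_body + SIG_MARKER + signed_hash + tag


# Constructed sample images.
TRUSTED_APP = sign_image(b"MZ... constructed trusted application ...")
UNTRUSTED_APP = b"MZ... constructed untrusted application ..."
FORGED_APP = transplant_signature(TRUSTED_APP, UNTRUSTED_APP)


def run_demo():
    """Outcome of both checks on the trusted image and on the forgery."""
    return {
        "trusted/presence_only": verify_presence_only(TRUSTED_APP),
        "trusted/bound": verify_bound(TRUSTED_APP),
        "forged/presence_only": verify_presence_only(FORGED_APP),
        "forged/bound": verify_bound(FORGED_APP),
    }


if __name__ == "__main__":
    for check, outcome in run_demo().items():
        print(f"{check}: {'trusted' if outcome else 'rejected'}")
```

The presence-only verifier is satisfied by the forgery because the lifted block really was produced by the trusted signer; the bound verifier rejects it because the hash inside the block is the hash of a different file. That second comparison is the step the preview build was missing.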

Another problem is that the system administrator needs to be highly qualified to configure protection properly.
In the event of faulty configuration or loss of the private certificate, all protection becomes useless.
In addition, there is no protection against user-mode vulnerabilities.
It is also important to keep in mind that VBS is only available to users of Windows 10 Enterprise. We have notified Microsoft of all the vulnerabilities discovered during testing.

Built-in Anti-Malware Protection in Windows

Let's have a look at the Windows component that protects the system against malware in real time.
It is enabled by default and, for users who do not install third-party anti-malware solutions, it is the main Windows IT security tool. The principal purpose of built-in protection is to prevent the installation and execution of malware.
It scans files and active processes in real time, identifying those that are malicious by checking them against a regularly updated signature database.
In most cases, this protection is sufficient. However, if you are an active Internet user and often perform critically important operations on your computer – such as managing your bank accounts via online banking – you need multi-tier protection.

Even the best anti-malware solution can miss new, as yet unknown malware.
In this case, only additional layers of protection can save the day by preventing a Trojan from carrying out malicious activity in the system. We did some research and found a few real-life examples demonstrating that built-in protection may not be sufficient.

Keystroke Interception

Some banker Trojans intercept data entered on the keyboard to steal the user's online banking account.

Examples of such malware include Qadars, Zbot and Cridex. Many anti-malware solutions, including Kaspersky Internet Security, have a component that detects and blocks attempts by programs to intercept the sequence of keypresses.
In some cases, this can be enough to prevent criminals from making money at the victim's expense, even if they have managed to infect the computer. We tested the response of built-in protection to keystroke logging with the help of a test application that polls the GetAsyncKeyState WinAPI function (this method is similar to the one used in the latest MRG testing). We were able to intercept the user's login and password for a PayPal account with Windows Defender enabled.

[Figure: Logging the user credentials while entering a PayPal account]

Unauthorized Web Camera Access

In the next test, we tried to gain unauthorized access to the web camera.

This functionality has been increasingly used in Trojans and other hacker tools in the past years.

The fact that a surveillance module using the web camera is included in the AdWind Trojan is a telling example of the popularity of this functionality among cybercriminals. Monitoring victims using their own web cameras can provide a wealth of information about them, which can later be used to make money illegally – for example, by blackmailing a victim with intimate videos. Some anti-malware solutions can control application access to the camera.
In real life, there are practically no situations in which a legitimate application could need to use the camera without notifying the user, which is why providing such notifications is a convenient and widely accepted practice.

The user can decide in each specific case whether the application really needs to use the camera or whether this is suspicious activity that should be blocked. Our test application used a publicly available library called OpenCV (which is what the Rover Trojan does, to give one example).

A simple Python script captured video from the web camera and displayed it in a separate window.

This means that an application was able to capture video from the web camera on a Windows 10 machine with protection enabled, without the user being notified in any way.

[Figure: Capturing the screen with a script]

Control of Drive-By Downloads

Another problem that is among the most serious issues faced by Windows users is the numerous exploits that can be used to infect the system via vulnerabilities in various applications. We tested the built-in protection with one of the latest exploits for the CVE-2016-1019 vulnerability in Adobe Flash Player. The exploit's file is an SWF object compressed using the ZLIB algorithm (the “CWS” form of the format).

[Figure: The flash exploit]

In this form, the file is recognized by Windows Defender and quarantined.

[Figure: Successful detection of a packed exploit]

However, if the file is decompressed into the original SWF, the security system misses it. Moreover, the compressed file that is detected on the hard drive is downloaded from websites in drive-by attacks and successfully executed from the browser's context.
If a vulnerable version of Adobe Flash Player is installed in the system, an infection can occur, because Windows Defender does not include a drive-by download control component.

[Figure: Successful download of a Flash exploit that was previously detected on the hard drive]

In addition, we want to mention that Windows has an embedded component, SmartScreen, which can stop drive-by attacks using reputation-based analysis; but in some cases, especially in targeted attacks, heuristic analysis of the content is needed to detect the exploitation process. We used this test case, which the SmartScreen component does not cover, to show that if threat actors combine a Flash exploit with techniques that bypass Edge's security mechanisms, the user could be infected.
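To make the packed-versus-unpacked point concrete, here is an added Python example (not Kaspersky's test code and not the real exploit) that builds a constructed SWF, packs it into the zlib-compressed CWS form, and runs two hash-based scanners over both forms: one that hashes the file as stored, as an engine without an SWF unpacker would, and one that first normalizes CWS back to FWS. The “exploit” body, the detection name and the hashes are constructed; a real engine matches patterns over the decoded tag stream rather than whole-file hashes, but the normalization step is the same.

```python
import hashlib
import struct
import zlib

# SWF header: 3-byte signature, 1-byte version, uint32 LE uncompressed length.
# FWS = uncompressed body, CWS = body zlib-compressed, ZWS = body LZMA-compressed.
HEADER_LEN = 8


def build_swf(body, version=10):
    """Uncompressed SWF (FWS) for a constructed body."""
    return b"FWS" + bytes([version]) + struct.pack("<I", HEADER_LEN + len(body)) + body


def compress_swf(fws, level=6):
    """Same header with signature CWS; everything after the header zlib-compressed.
    Different compression levels can give different bytes for the same content."""
    if fws[:3] != b"FWS":
        raise ValueError("expected an uncompressed SWF")
    return b"CWS" + fws[3:HEADER_LEN] + zlib.compress(fws[HEADER_LEN:], level)


def normalize_swf(data):
    """Return the FWS form of an FWS or CWS file; ZWS and non-SWF input raise ValueError."""
    sig = data[:3]
    if sig == b"FWS":
        return data
    if sig == b"CWS":
        return b"FWS" + data[3:HEADER_LEN] + zlib.decompress(data[HEADER_LEN:])
    if sig == b"ZWS":
        raise ValueError("ZWS (LZMA) unpacking not implemented in this example")
    raise ValueError("not an SWF")


def file_hash(data):
    return hashlib.sha256(data).hexdigest()


def scan_as_stored(data, signatures):
    """Naive scanner: hash the bytes as stored on disk, the way an engine with no
    SWF unpacker would. Returns the detection name or None."""
    return signatures.get(file_hash(data))


def scan_normalized(data, signatures):
    """Unpack to FWS before hashing, so a change of packing does not defeat the signature."""
    try:
        canonical = normalize_swf(data)
    except (ValueError, zlib.error):
        return None
    return signatures.get(file_hash(canonical))


# Constructed stand-in for exploit content: a plausible frame-size RECT, frame
# rate and frame count, then filler tag bytes. Nothing here is a real exploit.
BODY = bytes.fromhex("7800055f00000fa000000c0100") + b"CONSTRUCTED-EXPLOIT-TAG-DATA " * 16 + b"\x00\x00"
SAMPLE_FWS = build_swf(BODY)
SAMPLE_CWS = compress_swf(SAMPLE_FWS)
SAMPLE_CWS_REPACKED = compress_swf(SAMPLE_FWS, level=1)

# Signature databases: the naive one was written from the packed sample found
# on disk; the normalized one from its unpacked form.
NAME = "Exploit.SWF.Constructed"
STORED_SIGS = {file_hash(SAMPLE_CWS): NAME}
NORMALIZED_SIGS = {file_hash(normalize_swf(SAMPLE_CWS)): NAME}


def run_demo():
    return {
        "packed/as_stored": scan_as_stored(SAMPLE_CWS, STORED_SIGS),
        "unpacked/as_stored": scan_as_stored(SAMPLE_FWS, STORED_SIGS),
        "packed/normalized": scan_normalized(SAMPLE_CWS, NORMALIZED_SIGS),
        "unpacked/normalized": scan_normalized(SAMPLE_FWS, NORMALIZED_SIGS),
        "repacked/normalized": scan_normalized(SAMPLE_CWS_REPACKED, NORMALIZED_SIGS),
    }


if __name__ == "__main__":
    for case, hit in run_demo().items():
        print(f"{case}: {hit or 'missed'}")
```

The as-stored scanner reproduces the behaviour described above: it catches the packed file and misses the same content once it is unpacked. The normalizing scanner catches the packed, unpacked and repacked forms alike, because every one of them hashes to the same canonical FWS bytes.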

So far, we have not observed such bypass techniques in use.

Conclusion

Today, a multi-tier approach is required to provide reliable protection for user systems, combining standard detection methods (signature-based analysis, behavioral analysis, etc.) with additional modules designed to detect attack techniques commonly used by cybercriminals. As our brief review has demonstrated, in some cases the IT security technologies built into Windows 10 are not sufficient for full-scale protection against malicious attacks.

As in previous Windows versions, all possible attack vectors should be blocked using dedicated Internet Security class security solutions.

The Olympic Games in Rio de Janeiro will attract more than just athletes and tourists this year. Hackers from across the world will also be on the prowl, trying to exploit the international event. That means visitors to the Olympics and even people watching from home should be careful.

Cyberthreats related to the games will probably escalate over the coming weeks and could creep into your inbox or the websites you visit.

Don't click if it's too good to be true

The Olympics have become a beacon for cyber criminals, said Samir Kapuria, senior vice president with security firm Symantec.

A great deal of money is spent on the international event, so hackers naturally want a slice of the pie, he added. During past major sporting events, hackers have come up with fake ticketing and betting services to commit fraud on unsuspecting users.

They'll also use phishing emails and social media posts to spread malware. Computer users will see these messages and links, expecting to view a video of a record-breaking javelin throw or a bargain on great seats to the event.

But in reality, they'll end up downloading ransomware that can take their data hostage, Kapuria warned. "Think before you click, especially if something looks too good to be true," he said. Thomas Fischer, a security researcher at Digital Guardian, has already been noticing an increase in phishing scams trying to take advantage of the Olympics. Typically, a user will receive an email loaded with an attachment that invites them to an Olympics ticket lottery.
Inside the attachment, however, is malicious code that will download the Locky ransomware and begin encrypting all the user's files. Hackers are already blanketing email addresses with this kind of attack.

They'll also pretend to be an organization like an Olympics committee, he added. "Anyone can receive these emails," Fischer said. "They usually come in English."

Brazilian hackers like to target banking data

Visitors who actually make the trip to Rio de Janeiro will be entering a country well known for online banking fraud, according to security firms.
It doesn't help that local laws there might not be strong enough to fight cybercrime. Trend Micro has been following the cyber crime scene in Brazil and noted in a report that hackers there "exhibit a blatant disregard for the law." "They will abuse social media and talk about their criminal enterprise, without fear of prosecution," said Ed Cabrera, the company's vice president of cybersecurity. Many of these Brazilian hackers are developing Trojans that pretend to be legitimate banking software but in actuality steal the victim's payment information. However, much of this Brazilian malware is focused on targeting local users, and not necessarily foreign tourists, Cabrera said. Tourists should still be careful, however.

Any banking Trojan can still be dangerous because the malware can spy on computer users, said Dmitry Bestuzhev, the head of global research for security firm Kaspersky Lab. He's warning visitors to be wary of ATM and point-of-sale machines in the country.

They often can be infected with malicious code that can secretly steal payment data once a banking card is swiped. "The attacker has the capability to intercept the data and then to clone the card," he added. Another danger is public Wi-Fi spots in Brazil, which often times are insecure.

A hacker can use them to eavesdrop on victims and steal their passwords, Bestuzhev said. He recommends users buy a VPN service to encrypt their Internet communications.

Hacktivists and cyber terrorists could be lurking

The other big threat that could disrupt the games is hacktivists, said Robert Muggah, a security specialist at the Brazilian think tank the Igarapé Institute. Anonymous, for instance, is targeting the event and could end up embarrassing the local government.

The hacking group has already managed to temporarily shut down the official Rio Olympics website on May 11, and then Brazil's Ministry of Sports site on the following day, Muggah said. "Analysts are also concerned with Islamic terrorists," he added.

The extremist group ISIS has been trying to use the encrypted messaging app Telegram to attract sympathizers in Brazil. Local authorities, however, are bolstering their cybersecurity defenses, and the country is no stranger to holding major events, Muggah said.
In 2014, the country was the site of the World Cup. In the run-up to the Olympics, the U.S. government has launched a multimedia campaign pointing out the possible cyberthreats travelers may encounter in foreign countries.
In extreme cases, U.S. tourists could even be the targets of espionage, the campaign warns. At the very least, visitors heading to Rio de Janeiro should watch out for smartphone theft. Muggah said thefts are quite high in the country because the devices are so expensive. New iPhones, for example, have been known to cost about $1,000 in Brazil due to the local import tariffs and taxes.

NEWS ANALYSIS: After their loss in a federal appeals court, the Department of Justice is looking for ways to bypass current warrant limitations with new bilateral agreements.

The day the Department of Justice lost its case before a federal circuit court, where it was seeking to force Microsoft to turn over email content stored on a server in Ireland, the department was presenting a plan to sidestep those limits with new legislation. The DOJ revealed its plans at a meeting of the Advisory Committee to the Congressional Internet Caucus.

The presentation included a draft of proposed legislation attached to a letter to Vice President Joe Biden and a white paper explaining the need for it. The draft legislation is part of a proposed bilateral agreement between the United States and the United Kingdom that would allow courts and other designated investigative agencies to directly order the release of private user information held by U.S. companies. The proposed legislation specifies that the information to be sought must be about foreign nationals located outside the United States and that the request must be in accordance with the laws of the U.S. and the laws of the foreign government, in this case the UK. The proposed legislation would require passage by the U.S. House of Representatives and the U.S. Senate, and it would need to be signed by the President.

If passed in its current form, the legislation would provide protection for U.S. companies that had to comply with the laws of the country demanding the information.

The bulk of the legislation actually consists of amendments to existing laws that govern how private information located on the Internet is protected and who can see it. The idea behind the proposed legislation is to streamline access to data being held across international borders during the investigation of a crime. According to former White House Cybersecurity Director Ari Schwartz, when foreign law enforcement agencies needed information on foreign nationals that was being held by U.S. companies, they were directed to use the mutual legal assistance treaty (MLAT).

But when U.S. law enforcement wanted information, they just expected it to be turned over, regardless of whether it was located outside the US. “A lot of countries felt it was hypocritical,” Schwartz said. Meanwhile, he said that the companies that were being forced to turn over information found themselves in an impossible situation of either violating U.S. law or the laws of the foreign country. Schwartz said that while the MLAT process was intended to provide the information required by law enforcement or the courts, it could be cumbersome for U.S. agencies seeking information from abroad as well as for foreign agencies seeking information stored in the U.S.
Schwartz said that he worked on incoming MLAT requests a number of times and they weren’t always prepared properly.
Browser tightens the screws on Adobe's internet screen door

Firefox will in the coming months automatically block invisible Flash content that users cannot see when loading a page, says Mozilla as it continues its campaign against Adobe's plugin. This should protect netizens from dodgy webpages that load hidden malicious Flash files that attempt to infect their computers with malware or perform similar devilish deeds. It should also kill off unseen content that pointlessly drains devices' battery lives.

The open-source browser maker will also automatically block advertisers' Flash scripts that snoop on surfers to make sure they are not blocking or ignoring ads. This is ahead of a 2017 update that will see Firefox block all Flash content by default – meaning users will have to manually click on the Flash content to confirm that they want to view it. Websites are urged to move from Flash to HTML5 for their multimedia content wherever possible.

According to Mozilla, its browser has encountered fewer crashes since sites have started serving HTML5 media rather than Flash.

Mozilla says fewer plug-ins means fewer crashes

"Over the past few years, Firefox has implemented Web APIs to replace functionality that was formerly provided only by plugins.

This includes audio/video playback and streaming capabilities, clipboard integration, fast 2D and 3D graphics, WebSocket networking, and microphone/camera access," wrote Firefox quality engineering manager Benjamin Smedberg. "As websites have switched from Flash to other web technologies, the plugin crash rate in Firefox has dropped significantly." Firefox is not alone in fleeing Flash.

Citing the numerous stability and security problems that come with Adobe's browser plug-in, developers including Google and Apple have moved to marginalize Flash in hopes of eventually getting rid of the plug-in entirely. Meanwhile, site operators including the BBC and the Google Adwords service have migrated from Flash to HTML5 for their multimedia content.
Oracle released its quarterly CPU (Critical Patch Update), addressing a whopping 276 vulnerabilities across 84 products, an all-time high for Oracle.

The vast majority of the fixes are in Oracle's Fusion Middleware and other applications. Oracle Database, ostensibly the company's flagship product, continues to get less and less attention from the security team. The CPU fixed 39 vulnerabilities in Fusion Middleware; 34 in the Sun Systems suite, which includes Solaris and SPARC Enterprise; and 27 in Supply Chain. MySQL, which Oracle acquired as part of its Sun deal, received 22 fixes, while only nine fixes were released for Oracle Database Server. Java, which continues to be a favorite target for web-based attacks, received 13 fixes.

The CPU addressed only four security flaws in Oracle Linux and virtualization products. The relatively small number of security updates doesn't mean Database Server is more secure than other Oracle products and doesn't have any vulnerabilities.
In the past, researchers have reported Oracle sitting on vulnerability reports and being slow to release the fixes.

The world's largest enterprises run Oracle databases, so there's a lot of valuable data stored on those servers.
It's perplexing that Database Server doesn't seem to be as big a priority for Oracle as some of the other products in the portfolio. "Typically, databases are not exposed directly to the internet, but as they hold the crown jewels of any organization, we recommend patching immediately," said Amol Sarwate, director of engineering at Qualys. Of the nine Database Server vulnerabilities fixed in this CPU, the flaw in the OJVM component (CVE-2016-3609) is rated critical.

The "easily exploitable vulnerability" would allow a low-privilege attacker who has network access via HTTPS and holds the Create Session privilege to compromise and take over the Oracle JVM.

The CVSS v3 base score is 9.0 on the Windows platform because the vulnerability can impact confidentiality of the data, the integrity of the database, and the availability of the server.

The same vulnerability has a CVSS v3 base score of 8.0 on Linux systems.

Database Server 11.2.0.4, 12.1.0.1, and 12.1.0.2 are affected. "Successful attacks require human interaction from a person other than the attacker, and while the vulnerability is in OJVM, attacks may significantly impact additional products," Oracle said in the detailed version of its CPU advisory. "Successful attacks of this vulnerability can result in takeover of Oracle Directory Server Enterprise Edition." The other high-priority vulnerability in Oracle Database is in the JDBC component (CVE-2016-3506) and has a CVSS v3.0 base score of 8.1.

An unauthenticated attacker with network access via Oracle Net would be able to compromise and take over the JDBC component. Oracle called this flaw a "difficult-to-exploit vulnerability." Oracle's other database, MySQL, fared better, as most of the fixes were for low- to medium-severity flaws. The highest-severity flaw, rated CVSS v3.0 base score 8.1, is in the Server Parser subcomponent (CVE-2016-3477).
Versions 5.5.49 and earlier, 5.6.30 and earlier, and 5.7.12 and earlier are affected.

The vulnerability allows unauthenticated attackers with login access to the infrastructure where MySQL Server executes to successfully compromise and take over the database server. The other vulnerability, in the Server Option subcomponent (CVE-2016-3471), is rated CVSS v3 base score 7.5.

Affecting versions 5.5.45 and earlier and 5.6.26 and earlier, this flaw is similar to the other higher-rated vulnerability, except this one requires the attacker to have high privileges. Java gets particular attention in this update, with fixes for four critical vulnerabilities. More than half of the Java vulnerabilities addressed in this CPU are remotely exploitable over a network. "Customers really need to apply these Java CPU patches as soon as possible, as several high-CVSS vulnerabilities in the HotSpot JVM internals are being patched," said Waratek CTO John Matthew Holt. An "easily exploitable vulnerability" in Java SE 8u92 in the HotSpot JVM (CVE-2016-3587) allows an unauthenticated attacker with network access via multiple protocols to compromise Java.

The vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code, Oracle said in its advisory.

The vulnerability does not affect Java deployments that load and run only trusted code.

The CVSS v3 base score is 9.6.

A similar "easily exploitable vulnerability" in HotSpot (CVE-2016-3606) affecting Java SE 7u101 and 8u92 also received a CVSS v3 base score of 9.6. These vulnerabilities were likely related to Java features introduced in versions Java SE 7 and above that support the "invokedynamic" feature that enables dynamic code execution and scripting, Holt said. Organizations unable to immediately apply the patches should consider virtual patching to "provide immediate, interim security controls," Holt said.

Application technologies like Runtime Application Self-Protection that provide virtual patching capabilities give organizations an alternative if they can't take servers offline for immediate patching. This update addresses a lot of high-priority vulnerabilities. Of the 276, 159 can be exploited remotely without authentication, typically over a network without the need of any credentials.

Enterprises that use Oracle Secure Global Desktop should make sure to update, as it has an SSL problem with a CVSS v3 base score 9.8 that lets attackers delete data or stage a denial of service attack. The CPU comes out quarterly, and Oracle is addressing vulnerabilities across an extremely large product portfolio, so it makes sense that the CPU is going to be much larger in size compared to security updates from other companies. Microsoft's Patch Tuesday releases, for example, rarely take on more than 60 vulnerabilities in one month. Even so, 276 vulnerabilities in a single update is still extremely large, especially since the last CPU released in April had only 136 patches.

The latest updates will mean a lot of time and work for Oracle and Java administrators to test and deploy the security fixes.
Oracle has released a new quarterly batch of security updates for more than 80 products from its software portfolio, fixing 276 vulnerabilities. This is the largest Oracle Critical Patch Update (CPU) to date.

The average number of flaws fixed per Oracle update last year was 161, according to security vendor Qualys.

Furthermore, out of the 276 security flaws fixed in this update, 159 can be exploited remotely without authentication. At the top of the priority list should be the Java patches, which address 13 new vulnerabilities.

That's because Java is used in a lot of applications and is installed on a large number of systems. "Customers really do need to apply these Java CPU patches as soon as possible,"  said John Matthew Holt, the CTO of application security firm Waratek, via email.

Among the patches that require urgent attention are those for the HotSpot Java virtual machine for desktops and servers, which received high CVSS (Common Vulnerabilities Scoring System) scores, Holt noted. The Oracle Database Server received patches for nine vulnerabilities, one of which is rated critical with a score of nine out of 10 in the CVSS. Meanwhile, the Oracle MySQL database received fixes for 22 new security issues, four of them with a high severity rating. While databases are not typically exposed to the internet, they often hold a company's most important data, so these fixes should be given a high priority. According to Qualys, companies should also turn their attention to assets that can be directly attacked from the internet.

These include web and application servers like Oracle HTTP Server, WebLogic Server and GlassFish Server, which are part of Oracle's Fusion Middleware suite. Fusion Middleware products and components received fixes for a total of thirty-five flaws, five of them rated critical with a CVSS score of 9.8. The Oracle Sun Systems Products Suite also received a large number of patches: 34.

This includes fixes for the Solaris OS and networking switches that can be targeted by attackers remotely. Depending on their industry vertical, companies should also look at the fixes for industry-specific products such as Oracle Supply Chain, Oracle Communications, Oracle Banking Platform, Oracle Financial Services Applications, Health Sciences, Oracle Insurance Applications, Oracle Utilities Applications and the Oracle products for the retail sector. Issues were identified and patched in application components like Integration Bus, Order Broker, Service Backbone, and Inventory management. The components "play a vital role in Retail infrastructure and provide integration between other Oracle retail components and the rest of a company infrastructure including other mission-critical applications," said analysts from security firm ERPScan via email. "Attacks on those applications can disrupt business processes (such as payment or supply chain) in a retail company.

Also, an attacker can exploit those issues to control all data transferring between components and, thus, commit fraud by changing some data during transfer." Oracle advises users to install patches without delay, warning that attackers constantly try to exploit flaws for which the company has already released fixes.
Sometimes attackers are successful because customers didn't apply the existing patches, the company said.
Government requests worldwide for user data related to search engine traffic on Google increased 29 percent from 2014 to 2015, according to the search site's most recent Transparency Report, which was published today. Google reports on the government requests every six months.
In the second half of 2015, it said it received more than 40,000 requests for data related to more than 81,000 user accounts. That compares to the first half of the year, when Google received about 35,000 requests related to about 69,000 accounts.

Chart (Google): The number of requests from governments and courts around the world for Google to hand over user data.

In the second half of 2014, Google received 31,140 requests from U.S. entities for user information related to more than 50,000 accounts. "Usage of our services [has] increased every year, and so have the user data request numbers," Google said. By far, the U.S. leads the world in government requests for data: it submitted 27,157 requests related to 12,523 user accounts in the second half of last year.

The next highest country was Ireland with 12,114 requests, followed by Germany with 11,562 requests. Google agreed to hand over "some" user data for 64 percent of the requests worldwide, but it handed over data for U.S. government requests 79 percent of the time.

Chart (Google): The percentage of requests where Google provided governments or courts some user data.

Several search engines and social media sites voluntarily offer annual or semi-annual transparency reports related to state and federal law enforcement information requests about user data. The Electronic Frontier Foundation (EFF), an international non-profit digital rights organization, publishes a report on which Internet entities do the best at protecting subscriber data.

AT&T and smartphone instant messaging app WhatsApp received the lowest ranking related to practices such as telling users about government data demands and being open about data retention policies.

Each garnered just one star out of five related to protecting user data. Google received three out of five stars.

Chart (Electronic Frontier Foundation): star ratings for protecting user data.

Twitter received four out of five stars related to protecting user data from government requests and privacy transparency policies. "This is Google’s fifth year in the report, and it has adopted some of the policies we are highlighting, including the best practices from prior reports," the EFF stated in its Who Has Your Back? 2015 report. "Nonetheless, there is room for improvement.

Google should take a stronger position in providing notice to users about government data requests after an emergency has ended or a gag has been lifted.

Furthermore, Google should provide transparency into its data retention policies." In the second half of 2015, Microsoft also received more than 39,000 requests for information related to more than 64,000 user accounts.

That compares with 34,000 requests in the second half of 2014.

Chart (Microsoft): The total number of government or court requests for information from Microsoft related to user data in the second half of 2015.

Microsoft said it disclosed subscriber and transactional data about 66 percent of the time, but it only disclosed actual search content 2.45 percent of the time. Microsoft outright rejected 13.9 percent of the requests for information. In 2014, the social news networking service Reddit issued its first transparency report, saying it received 55 requests for user information, including account registration data, log data and content uploaded by users from outside parties. Reddit agreed to hand over information for 58 percent of all government and civil requests, and 64 percent of all US state and federal government requests. Google has been publishing its semi-annual Transparency Report since 2011; the latest statistics show that requests for user data are at an all-time high. In 2014, Apple, Microsoft, and Google were among 10 top tech companies that signed a letter backing passage of the USA Freedom Act, which would curtail bulk collection of Internet metadata by government agencies. Passed in June 2015, the USA Freedom Act now requires transparency when the government demands user information from technology companies. Nevertheless, the EFF said there still needs to be more transparency when it comes to government-mandated back doors, as well as what deleted data is kept around in case government agents seek it in the future. "We think it’s time to expect more from Silicon Valley," the EFF said. This story, "Google says government requests for user data at all-time high" was originally published by Computerworld.
National shut-down starts Tuesday, just in time for the Olympics

The standoff between Brazil's legal system and Facebook's WhatsApp messaging platform continues, after a Rio de Janeiro judge ordered all carriers to block the app as of next Tuesday. WhatsApp claims 100 million users in the country. While judge Daniela Barbosa has declined to publish her reasons in full, she says the order will only be lifted when the courts get access to user messages. That suggests the confidential case is another of the organised crime probes that have plagued WhatsApp in Brazil since last year.

Brazilian investigators want user messages; WhatsApp says it can't hand them over because messages are encrypted while it transports them and are not stored, and therefore cannot be produced. The latest order covers Telefonica Brasil, Claro (owned by América Móvil), TIM, Oi, and Nextel.

Each of them would face daily fines of 50,000 Brazilian Reals (US$15,375) for non-compliance. Hoping to fend off Judge Barbosa's decision, local outlet O Globo reports (in Portuguese here) that WhatsApp has requested an injunction against its enforcement.

The injunction is being considered. Repeated decisions by the country's judiciary blocking the app have also frustrated the office of Brazil's attorney-general, which says the decisions misinterpret the country's 2014 Internet law, the Marco Civil da Internet. The ongoing disagreement between investigators and WhatsApp has already seen blocks imposed in December 2015 and May 2016, and the arrest of a local Facebook executive in March.
10Gbps is the new norm, warns Arbor Networks

DDoS attacks once again escalated in both size and frequency during the first six months of 2016. Netscout's DDoS mitigation arm Arbor Networks warns that attacks greater than 100Gbps are far from uncommon. The security firm has monitored 274 attacks over 100Gbps in the first half of 2016, versus 223 in all of 2015. The biggest single attack maxed out at an eye-watering 579Gbps, a 73 per cent increase in peak attack size over 2015. The US, France and the UK are the top targets for attacks over 10Gbps.

The average attack size in the first half of 2016 was 986Mbps, a 30 per cent increase over 2015, and enough to knock most organizations completely offline. "High-bandwidth attacks can only be mitigated in the cloud, away from the intended target," said Darren Anstee, Arbor Networks' chief security technologist. "However, despite massive growth in attack size at the top end, 80 per cent of all attacks are still less than 1Gbps and 90 per cent last less than one hour. On-premise protection provides the rapid reaction needed and is key against 'low and slow' application-layer attacks, as well as state exhaustion attacks targeting infrastructure such as firewalls and IPS."

Contrary to what many techies might believe, large DDoS attacks do not require the use of reflection amplification techniques. LizardStresser, an IoT botnet, was used to launch attacks as large as 400Gbps targeting gaming sites worldwide, Brazilian financial institutions, ISPs and government institutions. According to ASERT, the attack packets do not appear to be from spoofed source addresses – and no UDP-based amplification protocols such as NTP or SNMP were used.

Reflection amplification is a technique that allows hackers to both magnify the amount of traffic they can generate and obfuscate the original sources of attack traffic. Outside of the LizardStresser example, it's by far the most common means of running a high-volume DDoS attack. Junk traffic is bounced off insecure NTP or DNS servers toward the intended victim.

"DDoS remains a commonly used attack type due to the ready availability of free tools and inexpensive online services that allow anyone with a grievance and an internet connection to launch an attack," Arbor warns. "This has led to an increase in the frequency, size and complexity of attacks in recent years."
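The two attack shapes described above (reflected NTP/DNS/SNMP traffic versus a direct, unspoofed botnet flood like LizardStresser) leave different fingerprints in flow telemetry. The following added example, not Arbor's or ASERT's code, classifies constructed NetFlow-style records for a victim address on that basis; the `Flow` field names, thresholds and sample addresses are assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# UDP source ports of services the article names as abused reflectors.
# A flood of large packets *from* these ports is the reflection signature:
# the victim is receiving answers to queries it never sent.
AMPLIFIER_PORTS = {123: "NTP", 53: "DNS", 161: "SNMP"}


@dataclass(frozen=True)
class Flow:
    """One NetFlow-style record (constructed; field names are assumptions)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str      # "udp" or "tcp"
    bytes: int
    packets: int


def classify_inbound(flows: Iterable[Flow], victim_ip: str,
                     amp_share: float = 0.6, min_pkt_bytes: int = 200,
                     min_sources: int = 100) -> dict:
    """Label inbound traffic to victim_ip.

    'reflection': most bytes arrive from amplifier source ports and the
                  packets are large (responses, not queries);
    'direct':     many distinct sources with no amplifier signature, i.e.
                  bots talking to the victim themselves (LizardStresser style);
    'quiet':      neither pattern is present.
    """
    total_bytes = 0
    amp_bytes = 0
    amp_packets = 0
    per_service: Counter = Counter()
    sources = set()
    for f in flows:
        if f.dst_ip != victim_ip:
            continue                      # only traffic toward the victim
        total_bytes += f.bytes
        sources.add(f.src_ip)
        if f.proto == "udp" and f.src_port in AMPLIFIER_PORTS:
            amp_bytes += f.bytes
            amp_packets += f.packets
            per_service[AMPLIFIER_PORTS[f.src_port]] += f.bytes

    share = amp_bytes / total_bytes if total_bytes else 0.0
    avg_pkt = amp_bytes / amp_packets if amp_packets else 0.0
    if share >= amp_share and avg_pkt >= min_pkt_bytes:
        verdict = "reflection"
    elif len(sources) >= min_sources:
        verdict = "direct"
    else:
        verdict = "quiet"
    top: Optional[str] = per_service.most_common(1)[0][0] if per_service else None
    return {"verdict": verdict, "amplifier_share": round(share, 3),
            "distinct_sources": len(sources), "top_service": top}


def sample_reflection(victim: str = "203.0.113.10", n: int = 80) -> list:
    """Constructed NTP reflection: answers from many open NTP servers,
    ten ~468-byte packets per flow (documentation address ranges)."""
    return [Flow(f"198.51.100.{i}", 123, victim, 40000 + i, "udp", 4680, 10)
            for i in range(1, n + 1)]


def sample_direct(victim: str = "203.0.113.10", n: int = 250) -> list:
    """Constructed direct flood: many bots, ephemeral source ports, small
    TCP packets straight at port 80, no amplifier ports involved."""
    return [Flow(f"198.18.{i // 256}.{i % 256}", 50000 + i, victim, 80,
                 "tcp", 600, 10) for i in range(n)]


if __name__ == "__main__":
    for name, flows in (("reflection", sample_reflection()),
                        ("direct", sample_direct())):
        print(name, classify_inbound(flows, "203.0.113.10"))
```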
Arbor's data is gathered through Active Threat Level Analysis System (ATLAS), a collaborative partnership with more than 330 service provider customers who share anonymous traffic data with Arbor in order to collectively benefit from a comprehensive, aggregated view of global traffic and threats.
UK watchdog barks at careless consumers

Lessons have not been learned from an incident where a Russian website provided links to access baby monitor cameras, according to the UK’s data protection watchdog. The website allowed people to watch footage from insecure cameras around the world, prompting a warning from the Information Commissioner’s Office (ICO) back in November 2014.

But even two years on, people are still not ensuring the security of their connected devices. Internet of Things (IoT) products such as baby monitors, music systems and photo or document storage devices are frequently left online with weak or default passwords. This lack of security means hackers armed with nothing more sophisticated than a search engine query would be able to locate vulnerable devices and, with a little more effort, use these insecure devices to scout around or compromise other devices on the same home network, the ICO warns.
A security firm poses as a ransomware victim to learn whether cyber-criminals are giving good support to their targets. Most don’t, but one group put extra effort into closing the deal.

Most crypto-ransomware gangs are willing to negotiate with customers, but support for non-technical users varies tremendously, security firm F-Secure found during an investigation of such cyber-criminal groups. The firm’s security team worked with a non-technical employee, who acted as the victim, to contact ransomware groups and find out how supportive they were of their victims.
Security researchers helped the employee set up a burner email account, hide her Internet address and take other steps to keep her identity safe.

They only referred to her as “Christine” in talking to the media. “We took someone here who was non-technical and threw [that person] into the ransomware world,” said Sean Sullivan, a security advisor with F-Secure. “It was all about detailing the user experience with the operations.” Overall, aside from the Cerber variant of ransomware and its operators, the criminal groups scored low for professionalism, how well their support staff conveyed information and whether their software and representatives could converse in different languages, according to a report published by F-Secure.

The company looked at five different groups.

Cerber scored 8.5 on a nine-point scale, indicating that it was a professional endeavor, while all other variants scored a 4 or less. As ransomware infections have taken off over the past year, some victims, especially non-technical users, are left with less hope of recovering their data easily by paying a ransom.
In the first quarter of 2016, the FBI has reportedly estimated that ransomware caused $209 million in damages.
In one survey, about half of U.S. victims admitted paying the ransom to recover their data. Yet, there are a number of hurdles to recovering data, unless a user has made recent backups. Bitcoins pose a major stumbling block for many victims, and the criminal operators often seem ready to take advantage of a victim’s naivete.
Some of the criminals contacted by Christine pointed her toward bitcoin exchanges that were likely owned by other criminals, Sullivan said. Three out of four of the ransomware operations were willing to negotiate. One cut their asking price by two-thirds, according to F-Secure. Perhaps not surprising, the group behind Cerber would not negotiate, but they did give an extension to the victim to pay.

The study highlights that ransomware operators have to tread a fine line and not all of them do it well, according to F-Secure. “These are criminals who are making money off the backs of people and businesses they are hurting, [b]ut conversely, like any decent venture, they‘re also concerned about offering good customer service—including support channels and reliable decryption after payment,” the company stated in the report. “The difference, of course, is that ransomware gangs have coercively forced people into the position of being their customer.”

In some cases, however, Christine’s conversations with the criminals underscored that they were humans as well and that ransomware is not likely their first choice as a business, Sullivan said. “Christine was lured in, she felt bad for the guy, because the back and forth really felt genuine,” he said. “Someone who is not cynical of these people’s motives could be pulled in really quickly.”