Hackers targeting all divisions of Sony for 'badge of honour in the IT community', according to Kevin Murray
Linux component of Turla Trojan could've been used in the wild for four years, warn Kaspersky and Symantec
NEWS ANALYSIS: A new strain of self-replicating, pervasive ransomware infects nearly anything throughout your network and then resists being removed. Ransomware is already bad enough, but if you're careful, and ...
The CEO of Security Explorations, which found more than two dozen flaws in Google App Engine, said there may be more that haven't been verified yet. Polish firm Security Explorations claims it has discovered more than two dozen vulnerabilities in the Google App Engine Java environment, some of which allow native code execution and Java security sandbox escape. There are potentially several more vulnerabilities in the environment that the company has not been able to verify so far, Adam Gowdiak, CEO of Security Explorations, wrote in a Dec. 7 advisory on Full Disclosure, a mailing list for discussing security vulnerabilities and exploits. Google App Engine (GAE) is a Google-hosted service that allows businesses to build and maintain applications written in Java, Python, PHP, Go and other programming languages. The company offers software development kits in the supported languages. Each contains the APIs and libraries available to App Engine, a secure sandbox environment that emulates App Engine services on the developer's local computer and numerous deployment tools for the cloud. The flaws enable attackers to bypass GAE's Java Runtime Environment (JRE) class whitelist, escape the Java Virtual Machine security sandbox and issue arbitrary library and system-level calls. At least 22 of the vulnerabilities allowed an escape from the security sandbox, Gowdiak said, adding that Security Explorations was able to exploit 17 of them via proof-of-concept code. Google's Java security sandbox is designed to prevent Web-hosted applications from interfering with each other. According to Google, applications running in this environment can execute code and store and query data in the App Engine data store but cannot write to the file system or make other kinds of system calls. "We gained access to the files (binary/classes) comprising the JRE sandbox, that includes the monster libjavaruntime.so binary," Gowdiak said.
Security Explorations was also able to learn a lot about the GAE environment's Java sandbox by extracting information from debugging tools and protocol buffering methods, he said. "There are more issues pending verification—we estimate them to be in the range of 30+ in total," Gowdiak wrote. Security Explorations has been forced to halt its research because Google has suspended its GAE account. "This week we did poke a little bit more aggressively around the underlying OS sandbox [and] issued various system calls in order to learn more about the nature of the [sandbox]," he conceded. "Without any doubt, this is an opsec failure on our end," he added, expressing hope that Google would reinstate the company's account. "Taking into account an educational nature of the security issues found in GAE Java security sandbox and what seems to be an appreciation Google has for arbitrary security research … we hope the company makes it possible for us to complete our work," Gowdiak said. Reinstating the account will allow researchers at Security Explorations to verify the remaining vulnerabilities and potential exploits and to provide a report documenting all the findings for the security community. In an email response to an eWEEK query, Gowdiak said it is impossible presently to assess the severity of the discovered flaws because Security Explorations no longer has access to its GAE account. "We broke out of GAE Java security sandbox and gained native code execution in the environment," he said. That meant Security Explorations had the ability to execute code outside the sandbox and start poking into the operating system sandbox layer. "This is still local code execution though, not a remote one," he said. The flaws are the result of some simple mistakes pertaining to known Java security problems, he said. "Google is currently looking into the material we delivered to the company. We don't know of any other status regarding the reported issues," he said. 
In an emailed comment, a Google spokesman said the company takes all reports of vulnerabilities in its products very seriously. "We are investigating Security Explorations' posting to the Full Disclosure mailing list," the spokesperson said. "We have no reason to believe that customer data and applications are at risk."
The FCC's chairman wants major U.S. wireless carriers to enable smartphone data wiping and other safety features by default by the end of March in 2015 to help protect users from phone thefts. The Federal Communications Commission is asking the big four wireless carriers in the United States to turn on anti-theft features in their smartphones by the end of March in 2015 to help protect consumers from phone theft by making the devices useless to thieves if they are stolen. Tom Wheeler, the chairman of the FCC, made the request last week in letters that he sent to leaders of Verizon Wireless, AT&T, T-Mobile and Sprint, as well as to U.S. Cellular, according to a Dec. 5 report by The Washington Post. In his letters to the carriers, Wheeler asked the companies to make "'lock/wipe/restore' functionality operational by default on all devices … by the end of the first quarter of 2015," the story said. The FCC also last week released a 137-page study, called the "Report of Technological Advisory Council (TAC) Subcommittee on Mobile Device Theft Prevention," which concluded that mobile phone thefts occur at least one million times a year in the United States. According to the data, "at least one-tenth of all thefts and robberies committed in the U.S. are associated with the theft of a mobile device," the document stated. "As a caveat, there is considerable concern that the reported theft rate may be under reported, especially in cities that have not established a law enforcement focus on this criminal activity area." The new TAC report was compiled because smartphone theft "has been identified as a major issue facing consumers, law enforcement and the mobile device ecosystem," according to the FCC. The report establishes recommendations for the FCC for lessening mobile device theft, the agency said. In New York City, smartphone thefts represent an increasing share of all thefts, according to the report. 
"Between 2010 and 2013, the percentage of larcenies from a person involving a smartphone increased from 47 percent to 55 percent, and the percentage of robberies involving a smartphone increased from 40 percent to 46 percent. In 2013, more than one-quarter of all thefts and over half of grand larcenies from a person (55 percent) involved a smartphone. Between 2010 and 2013, robberies not involving a smartphone fell by 12 percent, while the percentage involving a smartphone grew by nearly the same amount (13 percent)." In San Francisco, "the majority (59 percent) of the approximately 4,000 robberies … in 2013 involved the theft of a smartphone," the report stated. "The victims of those robberies ultimately recovered less than one in ten stolen smartphones. Apple smartphones constituted the vast majority (69 percent) of smartphones stolen in San Francisco robberies." Meanwhile, Consumer Reports compiled its own estimates for smartphone thefts nationally, the report stated. Some 1.6 million Americans had their smartphones stolen in 2012, according to Consumer Reports, while 3.1 million victims reported such a crime in 2013, a 94 percent increase in just one year, the group reported. The issue of smartphone theft has caused communities across the nation to look for ways of fighting the problem. In August, California Gov. Jerry Brown signed into law a "kill switch" bill that mandates the inclusion of a mechanism that lets a user remotely disable a smartphone if it is stolen, according to an earlier eWEEK report. The California law requires all smartphones sold in the state after July 1, 2015, to include a kill switch that disables a stolen phone and turns it into a useless brick as part of a strategy to end the problem of cell phones being stolen during the commission of violent street crimes.
Under the new law, new cell phones sold in the state will have to prompt consumers to enable a kill switch as the default setting during the initial setup of a new smartphone. While the new kill switch law is only for California, it's believed that smartphone makers will incorporate and include the kill switches in all devices that they sell in the United States starting next summer. That's because they presently don't offer devices with special features just for some states. That's different from the auto industry, where vehicles sold in California have more stringent and complicated emissions systems than vehicles sold in the rest of the nation. Apple included kill switch capabilities in its phones starting with its iOS 7 mobile operating system, which was introduced in June 2013. Google and Microsoft have said they will join Apple in incorporating kill switches into their software designs as well. After the introduction of Activation Lock, thefts of iPhones fell by 19 percent in New York City, 25 percent in London and 38 percent in San Francisco, according to statistics released by the cities. Kill switches have for years been a prevalent feature in enterprise devices, but the technology has been slow to arrive in the consumer realm. In November 2013, attorneys general from 31 U.S. states jointly sent a letter to the heads of major smartphone manufacturers Google, Microsoft, Motorola and Samsung calling for the rapid implementation of a kill switch in their phones. The goal is to dry up the secondary market in stolen phones, New York Attorney General Eric T. Schneiderman said in a press release.
The CTO of URL shortening service Bitly details the service's operations and how it recovered from a hack earlier this year. Bitly is one of the world's most popular Web address shortening services, shortening o...
As a hotel in Thailand is fingered as a potential jumping-off point in the massive breach of Sony Pictures, an email threat warns that employees and their families could "suffer damage." A group claiming to be the hackers that breached Sony Pictures Entertainment's network and leaked massive volumes of sensitive employee and business data reportedly threatened the company's employees and their families in an email message. On Dec. 5, a message from a group calling itself the "Guardians of Peace" to Sony Pictures' workers announced that the hackers planned to cause the company to "collapse" and demanded that employees sign their name in a response to the email or "suffer damage," according to a report in Variety. "If you don't, not only you but your family will be in danger," the email reportedly stated. The late November attack on Sony has become an object lesson in the dangers of cyber-attacks and inadequate security. The hackers stole, among other data, employee information, salary data, business plans and prerelease movies. Following the theft, the attackers erased key systems, a destructive tactic used in only a handful of previous attacks, most notably the Wiper attack against South Korean companies and the Shamoon attack on oil-and-gas giant Saudi Aramco. Over the weekend, additional details of the investigation into the breach surfaced. The hackers reportedly used the network of a swank Bangkok, Thailand, hotel, the St. Regis Bangkok, as a jumping-off point from which to leak stolen data, according to investigation details leaked to Bloomberg. While some circumstantial evidence continues to strengthen the link between the massive breach of Sony and North Korea, other actions by the hackers seem out of character for nation-state groups. The use of a hotel network is common among nation-state actors (the Darkhotel group hacked hotel networks to compromise high-profile targets), but the subsequent threats against employees are not a typical tactic.
The connection to North Korea remains to be substantiated. Attribution of cyber-attackers is not a hard science. North Korea has already denied involvement in a statement carried by the country's state-run media, but acknowledged that the attack "might be a righteous deed of the supporters and sympathizers." Yet the Guardians of Peace is likely the group responsible for the attack and the subsequent leak of information. The malware used to delete files, the subject of a warning in late November by the FBI, contains a wallpaper image that states "Hacked by #GOP," according to an analysis posted on Dec. 3 by security firm Trend Micro. The Guardians of Peace used the same moniker "#GOP" to refer to its group in postings to the Internet. The group aims to cause enough business and reputation damage to Sony Pictures to make the company fail, according to the letter to employees, as quoted in Variety. "Removing Sony Pictures on earth is a very tiny work for our group which is a worldwide organization," the group stated. "And what we have done so far is only a small part of our further plan. It's your false if you think this crisis will be over after some time. All hope will leave you and Sony Pictures will collapse."
NEWS ANALYSIS: One significant reason why you don't hear about military computer systems being hacked is because the military doesn't approach cyber-security the same way you do. Tom Chapman likes to quote the a...
An analysis by security firm Cylance concludes that a cyber-operation, apparently originating in Iran, infiltrated more than 50 corporate and government networks to prepare for attacks against critical infrastructure. While many groups linked to nation states have conducted cyber-espionage operations against other countries and their industries, a study finding that Iranian hackers had allegedly infiltrated the networks of global critical infrastructure firms has caused concern among security experts. Dubbed Operation Cleaver, the widespread attacks have affected educational institutions, airports and airlines, government agencies and a smattering of sensitive industries such as aerospace, computer technology and telecommunications, according to security firm Cylance, which published the report. The collection of sensitive industries affected by the attacks, when viewed against the backdrop of the destructive 2012 Shamoon attack against Saudi Aramco, which was also thought to have been conducted by Iran, is worrisome, Jon Miller, vice president of strategy for Cylance, told eWEEK. The evidence suggests that Iran is a cyber-power and is willing to use its access to others' networks and systems to cause significant damage, he said. “They are gearing up for a major coordinated distributed attack,” Miller said. “If you take down one company, you are not doing something that will impact everyone, but if you are able to do the type of damage similar to Saudi Aramco across hundreds of critical infrastructure companies worldwide, that would create a life altering event.” The company connected the attacks to Iran through an aggregation of circumstantial and technical evidence. The attackers used Persian names, many of the domains used by the attackers were registered in Iran, and the infrastructure used an Iranian Internet provider.
The group, which uses the name Zhoupin, also built its reconnaissance and attack tools to warn the hackers when they were using an address originating in Iran. The evolution of the operation demonstrates that the group’s attack techniques became more sophisticated over time. Originally, the group used techniques similar to those of Russian and Chinese hackers, such as SQL injection and social-engineering attacks. Eventually, the group created custom private tools that performed numerous reconnaissance and attack functions. Based on the evidence, Cylance speculated that Iran’s evolving capability is a direct response to other nations’ attacks on the country’s networks and nuclear-processing infrastructure. In 2009, the United States and Israel cooperated to create Stuxnet, an attack that crippled Iran’s uranium refining capability and likely delayed its nuclear ambitions by more than a year. In addition, espionage networks, such as Flame and Duqu, have targeted the communications and sensitive information of a number of nations, including Iran. “The skills and behavior of the Operation Cleaver teams are consistent with, and in one case surpasses, Iran’s capabilities as we know them today,” the report stated. The attackers compromised a variety of systems, from Microsoft Windows desktops to Linux Web servers, performed reconnaissance on the compromised networks and exfiltrated sensitive data. Fifty organizations were impacted by the attacks, including 13 airports and airlines, nine oil and gas companies and seven government agencies. The attackers were able to fully compromise at least 15 of the organizations. Cylance collected some 8GB of data and 80,000 files during its investigation. The company hopes that critical-infrastructure companies will start to take the threat of cyber-attacks more seriously, Miller said. “We are really hoping that this brings visibility and disturbs the current status quo,” he said.
“This shows that there is a next generation of attacker that is appearing on the Internet.” Cylance warned that its investigation had only revealed a part of the purported Iranian operations. The company did not actually know how extensive the infiltration of other countries’ networks was.
The retailer admits it was breached, though few details are revealed. Who should be blamed? Clothing retailer Bebe has publicly admitted that its payment systems were breached in a security incident last month. The breach, which occurred Nov. 8-26, involved payment cards used in Bebe stores in the United States, Puerto Rico and the U.S. Virgin Islands and did not impact purchases made in Canada or online. According to Bebe, the data that was stolen may have included cardholder names, account numbers, expiration dates and verification codes. "Our relationship with our customers is of the highest importance," Jim Wiggett, CEO of Bebe Stores, said in a statement. "We moved quickly to block this attack and have taken steps to further enhance our security measures." With the disclosure, Bebe joins a growing list of retailers that have admitted to breaches over the last year. It's a list that now includes Michaels, P.F. Chang's, SuperValu, Dairy Queen, Home Depot, Target and Goodwill, to name a few. Experts contacted by eWEEK were not surprised that another retailer has come forward to admit a data breach. "The breach of Bebe for credit card theft is just one example out of thousands faced by U.S. businesses each year," Lucas Zaichkowsky, enterprise defense architect at Resolution1 Security, said. "Similar attack patterns are observed in most cases with minimal surprises." Ian Amit, vice president of ZeroFOX, wasn't surprised by the breach either. Amit noted that because the hackers were financially motivated, the breach likely only targeted credit card numbers. At this point, the actual specifics of the Bebe breach, in terms of how many consumers were affected and information on the root cause of the breach, have not yet been publicly revealed. It's also not known if point-of-sale (POS) malware was involved and, if so, whether the malware is part of a known malware family. The U.S. Secret Service has been warning of the risks of the Backoff POS malware since July and has stated that more than 1,000 retailers have been impacted by the malware. Kevin Lawrence, senior security associate at Bishop Fox, said the initial notification is fairly vague. "While Bebe is concerned with its immediate breach and responding rapidly, they may not be addressing the actual cause," Lawrence said. The breach notification indicates a November date for the data loss, according to Lawrence, which in his view means that the attacker may have had access at that time and was only detected because of the cards being sold online.

Don't Blame Bebe

According to Zaichkowsky, Bebe is the victim in the incident and it's morally wrong to blame victims. "Their security was probably on par with most other businesses, making them another example of why businesses need to improve their ability to rapidly identify and thwart hacker intrusions in progress, before the damage is done," Zaichkowsky said. Bob Stratton, general partner at Mach37, commented that it is time to shift the dialogue from "whom should be blamed?" to "how best can we continue to operate?" The reality is there are continual attacks from a variety of sources, due to a wide range of motivations, according to Stratton. People don't fire their family doctors when they catch a cold, he added. And people don't treat a cold the same way they would treat cancer or a broken leg. "It is unreasonable that we regard all compromises equivalently or expect that they will never happen," Stratton said. "What is reasonable to discuss is how we manage information security risks in a continuing, adaptive way." Lawrence echoed Stratton's view, adding that the reality is there will always be holes in security. "For every IT security practitioner, there are dozens or even hundreds of attackers," Lawrence said. "Security is about slowing down the attackers and making it take longer for them to succeed, while simultaneously increasing the ability to detect them, as they are attempting an attack."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
A new security service provides additional protection for users of the cloud-hosted version of the Drupal content management system. Acquia, the lead commercial sponsor behind the open-source Drupal content management system (CMS), is rolling out a new service to help secure Drupal sites hosted on the Acquia Cloud. The Acquia Shield provides access and isolation security for those that host their Drupal sites on the Acquia Cloud service, which itself is hosted on Amazon Web Services (AWS). Drupal is a popular open-source CMS used to power many of the world's leading sites, including Whitehouse.gov and Weather.com. The Acquia Cloud service provides a hosted, commercially supported Drupal CMS to its customers. "Acquia Shield enables our customers that have sensitive data that is on-premises to move data back and forth to the cloud with a secure mechanism," Christopher Stone, senior vice president of products and development at Acquia, told eWEEK. In terms of access, the Acquia Shield leverages Amazon's Virtual Private Cloud (VPC) and Virtual Private Network (VPN) services. "It integrates with a long list of consumer and enterprise-grade VPN devices on the back end," Andrew Kenney, vice president of Platform Engineering at Acquia, explained to eWEEK. "We've added extra capabilities, including automated configuration, and we monitor the VPN connection for support." The Acquia Shield provides both remote access security components and cloud isolation elements. Kenney commented that Acquia Shield is a logically isolated cloud deployment, with network segmentation from other users of the cloud. Proper cloud isolation can extend beyond protecting cloud customers from each other to also enable Web best practices for development and deployment. An example of a security control best practice that Acquia Shield can help to enforce is that the development version of a Website can't reach a production database. 
The Acquia Shield system can also be used to enable secure connectivity to an enterprise's identity system, including Microsoft's Active Directory. The idea of providing a secure remote connection into a cloud deployment is not a new one. In April, Verizon announced its private IP service access for the cloud that leverages MPLS (Multi-Protocol Label Switching) connectivity. Although Acquia is not officially offering Private IP/MPLS-based access as part of Acquia Shield, Stone hinted that Acquia has done some custom work for a number of its federal customers to enable secure access.

Amazon Deployment

Kenney explained that Acquia has been an AWS customer for the last six years and runs nearly 10,000 boxes on the Amazon EC2 classic service. The plan over the course of the next year for Acquia is to move all of its customers to the newer Amazon VPC platform, which provides logical network isolation within the Amazon cloud. "Acquia Shield is a separate add-on above that, giving customers their own sliver of the network, with guaranteed network security," Kenney said. While Acquia Shield provides an additional layer of protection for Drupal, Stone emphasized that Acquia is already providing enhanced security for its users. As an example, with the recent Shellshock vulnerability in BASH (Bourne Again SHell), Acquia was able to proactively patch its users. Drupal itself was the subject of a high-impact SQL injection vulnerability in October. The open-source Drupal project warned that if users had not patched within seven hours of the initial patch being made available, they likely were hacked. There were a number of different ways that organizations chose to protect themselves from the Drupal vulnerability, including the use of a Web Application Firewall (WAF). "We chose not to use a WAF; we proactively patched all of our customers to make sure they were not vulnerable," Kenney said.
Another area of risk for Website owners is the increased prevalence of distributed denial-of-service (DDoS) attacks. Stone noted that Acquia wants to be able to offer DDoS protection to its customers, and it's on the roadmap for next year. Looking forward, Stone said Acquia will also be looking at helping organizations on compliance-related deployments for specifications including the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS) and FedRAMP. In addition, Acquia is looking at leveraging emerging Amazon services for network security, including intrusion prevention system (IPS) and Next Generation Firewall, according to Kenney. One thing that isn't likely to change is the back-end cloud provider for the Acquia Cloud. "We're very happy and thrilled to be closely aligned with Amazon," Stone said. "We haven't lost a customer to an OpenStack competition; we picked the right horse." Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
Attacks against software vulnerabilities typically arrive 7.5 days after details of the flaw are disclosed, a study finds. Software vulnerabilities are quickly exploited by cyber-criminals and online spies, typically giving defenders less than 8 days to patch, according to a study of some 188 exploited software vulnerabilities by data analysis firm Recorded Future. The study used automated data collection to gather information from the National Vulnerability Database, vulnerability reports, and software-update bulletins. Using this data set, the company identified 188 vulnerabilities used in attacks; the attacks typically came 7.5 days after details of the issues were initially published. The study gives some guidance to network defenders, Scott Donnelly, senior analyst with Recorded Future, told eWEEK. “If you are looking at a critical patch for your system, you need to know how quickly it is being exploited,” he said. “You are never going to be able to mitigate all issues.” Disclosing details of serious vulnerabilities often gives underground attackers, as well as legitimate penetration testers, enough information to take advantage of a software weakness. The most critical software vulnerabilities, such as the “Shellshock” flaw in the Bash shell used on Unix and Linux systems, are often attacked within a day of detailed disclosure. By far the largest share of flaws were exploited within the first week. Most flaws were reported in Java, Adobe Flash, Internet Explorer, other Adobe programs, Microsoft Office and Windows. Microsoft Office flaws tend to have the longest delay between disclosure and exploit, according to the report. Microsoft has added defensive software techniques, or mitigations, designed to make exploiting its software more difficult. The Internet Explorer browser, the Windows operating system and Apple’s Mac OS X had the fastest turnaround time on exploitation.
Vulnerabilities in such software are often considered to be very valuable to attackers and attract a great deal of research following disclosure. In general, attackers exploited proprietary software in 6.5 days, while open-source software had a similar delay of 9.5 days between disclosure and exploitation. The starkest divide between open-source and closed-source software was in the delay between exploitation of previously unknown software vulnerabilities, so-called “zero-day” flaws, and their disclosure. More than 52 days passed on average between the date when attackers began exploiting a zero-day vulnerability in open-source software and the date when the flaw was disclosed. Proprietary software had a delay between exploitation and disclosure of about 25 days. “Open-source exploit festers a bit longer, according to this data," which is an interesting development, said Christopher Ahlberg, co-founder and CEO of Recorded Future. “Whereas, the post disclosure attacks have a small difference.” Microsoft’s own analysis has found that zero-day exploits remain fairly constant from year to year, while the number of exploits that are published after the company discloses a vulnerability has gone down dramatically. In 2013, only seven exploits were created for flaws fixed by Microsoft in its monthly updates, down from 53 in 2010. Other research has shown that the disclosure of zero-day exploits leads to quickly escalating attacks, by as much as a factor of 100,000, according to a 2012 academic paper. Cyber-criminals frequently reverse engineer such attacks and include them in easy-to-use exploit kits that can create sophisticated malware.
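The arithmetic behind a study like this is simple once the two dates for each flaw are known: the days from public disclosure to first observed exploitation, with a negative number marking a zero-day. The Python script below is an added example and is not Recorded Future's code or data set. It runs that calculation over a constructed set of records (hypothetical identifiers, generic product names), separates zero-days from post-disclosure exploits, reports the median and mean delay per licence type, and ranks which fixes a defender should apply first given a seven-day window.

```python
"""Disclosure-to-exploit window analysis over constructed vulnerability records.

Added example; it is not Recorded Future's data set or tooling. Every record
below is constructed for illustration: the identifiers are hypothetical and
the product names are generic.
"""
from datetime import date
from statistics import mean, median

# (id, product, licence, date details were published, date of first observed
# in-the-wild exploitation). A negative delay means a zero-day: the attackers
# were already exploiting the flaw before it was disclosed.
SAMPLE = [
    ("VULN-01", "browser plugin",   "proprietary", date(2014, 3, 1),   date(2014, 3, 2)),
    ("VULN-02", "browser",          "proprietary", date(2014, 4, 8),   date(2014, 4, 11)),
    ("VULN-03", "office suite",     "proprietary", date(2014, 5, 13),  date(2014, 5, 22)),
    ("VULN-04", "desktop OS",       "proprietary", date(2014, 6, 10),  date(2014, 7, 10)),
    ("VULN-05", "language runtime", "proprietary", date(2014, 7, 15),  date(2014, 6, 20)),  # zero-day
    ("VULN-06", "shell",            "open-source", date(2014, 9, 24),  date(2014, 9, 26)),
    ("VULN-07", "TLS library",      "open-source", date(2014, 4, 7),   date(2014, 4, 15)),
    ("VULN-08", "CMS",              "open-source", date(2014, 10, 15), date(2014, 11, 4)),
    ("VULN-09", "web framework",    "open-source", date(2014, 8, 1),   date(2014, 6, 10)),  # zero-day
    ("VULN-10", "CMS plugin",       "open-source", date(2014, 11, 1),  date(2014, 9, 2)),   # zero-day
]


def exploit_delay_days(disclosed: date, exploited: date) -> int:
    """Days from public disclosure to first observed exploitation.

    Positive: attackers moved after the details were public.
    Negative: a zero-day; the absolute value is how long the exploit circulated
    before anyone disclosed the flaw.
    """
    return (exploited - disclosed).days


def summarize(records):
    """Per-licence statistics, plus an 'all' bucket across every record.

    post_disclosure_* cover only flaws exploited on or after disclosure;
    zero_day_mean_lead is the average number of days a zero-day was exploited
    before disclosure (None when the bucket has no zero-days).
    """
    buckets = {}
    for _, _, licence, disclosed, exploited in records:
        delay = exploit_delay_days(disclosed, exploited)
        for key in (licence, "all"):
            b = buckets.setdefault(key, {"post": [], "lead": []})
            if delay < 0:
                b["lead"].append(-delay)
            else:
                b["post"].append(delay)
    return {
        key: {
            "count": len(b["post"]) + len(b["lead"]),
            "post_disclosure_median": median(b["post"]) if b["post"] else None,
            "post_disclosure_mean": mean(b["post"]) if b["post"] else None,
            "zero_day_mean_lead": mean(b["lead"]) if b["lead"] else None,
        }
        for key, b in buckets.items()
    }


def patch_priority(records, window_days: int = 7):
    """Identifiers whose exploit window is at most window_days, most urgent first.

    Zero-days sort to the front because their delay is negative: the attacker is
    already ahead of the patch, so there is no window left to spend.
    """
    scored = [(exploit_delay_days(disclosed, exploited), vid)
              for vid, _, _, disclosed, exploited in records]
    return [vid for delay, vid in sorted(scored) if delay <= window_days]


if __name__ == "__main__":
    for licence, stats in summarize(SAMPLE).items():
        print(f"{licence:12s} {stats}")
    print("patch first:", patch_priority(SAMPLE))
```

On the constructed records the proprietary bucket has a median post-disclosure delay of 6 days and the open-source bucket 8, while the open-source zero-days circulated for 56 days on average before disclosure against 25 for the proprietary one, the same shape of gap the article reports. The priority list puts the three zero-days ahead of the three flaws exploited within a week, which is the ordering a patch queue should follow: a flaw already under attack before disclosure is not a "7.5 days to patch" case at all.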