Thursday, December 14, 2017

Tag: secure

NCS 6000 and ASR 5000 routers need some lovin'

Cisco has patched two vulnerabilities, including a remote denial of service bug in its Network Convergence System routers. Attackers can send packets to TCP listening ports running SSH, secure copy protocol (SCP), and secure FTP (SFTP) that can overwhelm NCS 6000 routers and cause route processors to reload. The Borg rates the vulnerability (CVE-2016-1426) as highly critical on account of it offering a method to remotely disrupt routers in certain configurations. "The vulnerability is due to improper management of system timer resources," Cisco says in an advisory. "An exploit could allow the attacker to cause a leak of system timer resources, leading to a non-operational state and an eventual reload of the route processor on the affected platform." The second, more boring, bug is graded medium severity and affects SNMP configuration management in ASR 5000 enterprise routers running software older than versions 19.5 and 20.1. It allows remote attackers to tamper with device configurations using SNMP community strings. "An attacker could perform an SNMP query to the affected device to view the SNMP community string," Cisco says. "An exploit could allow the attacker to read and modify the device configuration using the disclosed SNMP read-write community string." There are no workarounds available for either flaw, meaning admins must apply the patches or accept the risk of downtime. ®
Most droids are not the ones you are looking for if you value security

Nexus devices are, unsurprisingly, the most secure Androids, says security outfit Duo. The devices are regarded as Google's flagship Android hardware on account of running the stock Android Open Source Project (AOSP) code. Android phones from other manufacturers nearly always add custom modifications and are slow to ship AOSP updates, when mobe-makers bother to do so. Duo Labs security intern Olabode Anise (@justsayo) says in an analysis that Nexus users are the most secure on account of the rapid provision and application of updates. "Google’s publicity around the stronger security model of Nexus phones, combined with the fast update rollout, has clearly resulted in safer users," Anise says. "Tech-savvy users might frequently upgrade mobile phones, and so they benefit from the stronger security that gets baked into each newer model, but that’s not the norm. "Users often keep their mobile phones for multiple years, so making the right security choice when buying sets you up to be protected against new threats for years to come." The claims are based on research last month which revealed 30 percent of Android devices are exposed to two dozen critical vulnerabilities. The starkest statistic is the large share of Nexus users running the latest patches compared to a paltry few doing so on rivals' phones. Huawei devices are the next-best, followed by kit from Motorola, LGE, and Asus.
Samsung users trail in fifth spot for the application of security updates. "Despite Samsung making up 62 percent of the Android devices in our dataset that could receive monthly Android updates, only 15 percent of eligible phones had applied the latest security patch," Anise says. Two thirds of Nexus users are patched against the often headline-generating Android flaws, compared to a slack 18 per cent across eight other popular brands in the sample. The wide differences extend to the number of devices running the latest Android operating system version, 6.0 Marshmallow. Some 87 percent of Nexus users are running Marshmallow, compared to only 31 percent of those on other models, Duo Labs finds. Users of third-party phones have taken to rooting and loading close-to-AOSP ROMs in a bid to receive regular security and feature updates.

CyanogenMod and Nameless are two of the most popular supported custom ROMs. ®
If your application faces the internet and you like security, go containers-first says Gartner

Containers are more secure than apps running on a bare OS, and organisations that like not being hacked therefore need to seriously consider a move, according to analyst firm Gartner. Analyst Joerg Fritsch, in a new document titled How to Secure Docker Containers in Operation, says “Gartner asserts that applications deployed in containers are more secure than applications deployed on the bare OS” because even if a container is cracked “they greatly limit the damage of a successful compromise because applications and users are isolated on a per-container basis so that they cannot compromise other containers or the host OS”. Which is not to say that containers are perfect: the paper acknowledges that they possess “... innate security properties that make them vulnerable to kernel privilege escalation attacks” and are therefore “not the right tool for high-risk-assurance isolation.” The paper nonetheless advocates that organisations “Benefit from the security of Linux containers by using a 'container-first' approach” and “Deploy internet-exposed applications in Docker containers with best-practice security whether or not you do CI/CD/DevOps.” Nor are containers a magic security fix.

As the paper's name implies, Docker needs to be done right in order to deliver its security benefits.

Doing it right means hardening the host on which Docker runs in accordance with Docker's own guidance, then considering third-party Docker security products from the likes of Aqua Security, CloudPassage, Twistlock and Weave. Mastering logical security zoning and network isolation is a must. You'll also need to wrap your head around microservices routing, so that when you start to build apps comprised of containers chatting to each other they do so securely. You'll also need to understand kernel controls (seccomp syscall filtering, capability dropping and user namespaces, for example) to ensure your containers get the right level of access to their host's kernel. “In the Linux OS and in Linux containers, every system call is a direct interaction with the kernel,” Fritsch writes, noting that's “the very same kernel that all segregation features depend on. System calls are a significant attack surface, where nothing must go wrong.” Overall, however, the paper suggests that organisations consider a move to containers.

And not just to keep up with the DevOps crowd. ®
The creators of the widespread Locky ransomware have added a fallback mechanism in the latest version of their program for situations where the malware can't reach their command-and-control servers. Security researchers from antivirus vendor Avira have found a new Locky variant that starts encrypting files even when it cannot request a unique encryption key from the attacker's servers because the computer is offline or a firewall blocks the communication. Calling home to a server is important for ransomware programs that use public key cryptography.
In fact, if they're unable to report back to a server after they infect a new computer, most such programs don't start encrypting files. That's because the encryption routine relies on unique public-private key pairs that are generated by the attackers' servers for each computer. First, the ransomware program generates a symmetric encryption key and uses an algorithm like AES (Advanced Encryption Standard) to encrypt files.

Then, it reaches out to a command-and-control server and asks the server to generate an RSA key pair for the newly infected computer. The public key is sent back to the ransomware program and is used to encrypt the AES encryption key.

The private key, which is required to decrypt what the public key encrypted, never leaves the attackers' server and is the key that users get when they pay the ransom. Because of this process, some ransomware infections can be rendered ineffective if a network firewall detects their connection attempt and blocks it as suspicious right from the start. Companies can also quickly cut off a computer from the Internet if a ransomware detection is triggered to try to limit the damage.

They can also take the whole network offline temporarily until they can investigate if other computers have also been affected. These measures are no longer viable for Locky, one of the most widespread ransomware threats plaguing users today, because of the changes made to it. The good news is that Locky will start encrypting files using a predefined public key that's the same for all offline victims.

This means that if someone pays the ransom and obtains the private key, that key will work for all other offline victims as well. Security researchers from F-Secure have observed two massive spam campaigns distributing Locky this week, one of them reaching 120,000 spam hits per hour, more than 200 times higher than the spam hits on a regular day, the researchers said in a blog post. Both campaigns spread emails with rogue zip attachments that contained malicious JavaScript files.
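The scheme described above, as an added example written for this page rather than code taken from Avira's analysis or from the malware itself: a Go program using only the standard library that seals a file under a fresh AES-256-GCM key, wraps that key with RSA-OAEP, and then contrasts the two modes from a defender's point of view. The names Envelope, Seal, Open, Demo and the helper functions, together with the two victim file contents, are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is the hybrid-encryption result the article describes: the file body
// under a fresh symmetric key, plus that key wrapped under an RSA public key.
type Envelope struct {
	WrappedKey []byte // 32-byte AES key encrypted with RSA-OAEP
	Nonce      []byte // AES-GCM nonce, fresh per Seal call
	Ciphertext []byte // file body under AES-256-GCM
}

// aead builds an AES-256-GCM instance for a 32-byte key.
func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal generates a per-file AES key, encrypts data with it, then wraps that key
// with pub. Seal never needs the private key, so it can stay elsewhere.
func Seal(pub *rsa.PublicKey, data []byte) (*Envelope, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	gcm, err := aead(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, data, nil)}, nil
}

// Open unwraps the file key with priv and decrypts the body. It fails if priv is
// not the private half of the key used in Seal, or if the ciphertext was altered.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap file key: %w", err)
	}
	gcm, err := aead(fileKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// mustKey generates an RSA-2048 key pair; failure here means a broken RNG.
func mustKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func opens(priv *rsa.PrivateKey, env *Envelope, want []byte) bool {
	got, err := Open(priv, env)
	return err == nil && string(got) == string(want)
}

// Demo contrasts the article's two modes. Online: a key pair per victim, so one
// private key opens only that victim's files. Offline: one embedded public key for
// everyone, so a single private key opens every offline victim's files.
// The file contents are constructed for this demo.
func Demo() (perVictimIsolated, sharedKeyOpensAll bool, err error) {
	fileA, fileB := []byte("A: quarterly-report.xlsx"), []byte("B: family-photos.zip")
	keyA, keyB := mustKey(), mustKey() // online mode: one pair per victim
	envA, err := Seal(&keyA.PublicKey, fileA)
	if err != nil {
		return false, false, err
	}
	perVictimIsolated = opens(keyA, envA, fileA) && !opens(keyB, envA, fileA)
	shared := mustKey() // offline mode: the one embedded key pair
	offA, err := Seal(&shared.PublicKey, fileA)
	if err != nil {
		return false, false, err
	}
	offB, err := Seal(&shared.PublicKey, fileB)
	if err != nil {
		return false, false, err
	}
	sharedKeyOpensAll = opens(shared, offA, fileA) && opens(shared, offB, fileB)
	return perVictimIsolated, sharedKeyOpensAll, nil
}
```

Demo returns true for both properties. The second is the one the article calls good news: in offline mode every envelope is wrapped under the same embedded public key, so the single private key that one victim buys unwraps every other offline victim's file key. The first shows why the call home matters to the attacker in online mode: Seal needs only the public key, so the infected machine never holds anything that can reverse the encryption, and blocking the request for a per-victim key is what used to stop the encryption from starting. The GCM tag also means a wrong key or a modified ciphertext fails closed rather than producing garbage.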

The use of JavaScript files to distribute malware has become an attacker favorite in recent months.
Such files can be executed on Windows out of the box, without any special software.
Hewlett Packard Enterprise is undertaking a strategy to move more of its security products through partners, telling CRN that it is starting to open its data security portfolio to the channel, lines that had previously only been sold direct. "As a company, HPE is heavily focused on security and bringing security to the market for the customer base. With that in mind, we have taken on the role of wanting to bring our data security solutions, which have been traditionally sold direct, into the channel," said Sheryl Wharff, global product marketing for HPE Data Security. The first of those systems to be moved through the channel is the Enterprise Secure Key Manager (ESKM), a certified hardware and software platform to manage encryption keys, she said. HPE has also started moving its SecureMail email and data protection system through partners. Partners have already started selling both products, she said. HPE is targeting reseller partners who already sell the company's infrastructure systems, primarily the HPE ProLiant system in either Gen 8 or Gen 9, or the company's 3PAR disk arrays, which are already sold with encryption capabilities.

For those partners, who usually have deep expertise with HPE's high-end server and storage lines, Wharff said there is a "huge opportunity" to start conversations around security, which add value to customers around protection of sensitive data and additional revenue streams for the partner. "It's the next logical step for these resellers to begin to add security to their business.

They're very excited about it and very excited about bringing it to market," Wharff said. "This adds a wealth of opportunity for our resellers." Adding to that opportunity is a growing customer recognition of the importance of encryption technologies, Wharff said, driven by highly publicized data breaches and questions around application security. "It's a much easier sell because the market has recognized that it's very important to protect data at rest that's sensitive. You need to bring these new technologies into the market and you need to protect the data in a way you haven't before," Wharff said. Jeff Smith, vice president of business development and digital transformation solutions at Plainview, N.Y.-based International Integration Solutions, one of the largest HPE partners in the country, said his business has already been "making good inroads" with the security technologies.
In particular, he said he is seeing significant demand from clients with regulatory requirements, such as PCI or HIPAA. For example, he already has two healthcare companies engaged in talks for potential sales, one of which was driven by recent reports of a Philadelphia-based healthcare services company that had to pay $650,000 to settle HIPAA violations due to data loss.
Smith said that type of fine could have been prevented with stronger data security solutions in place, such as those now being moved through the channel at HPE. "We think it's very positive," Smith said.
IBM is cranking up the security on its cloud-based blockchain service. On Thursday it began beta testing a new high-security service plan for IBM Blockchain, with dedicated infrastructure for each customer. Until now, it has offered only a starter clou...
Visa-backed survey gives fingerprint recognition the thumbs-up

Two in three European consumers actively want to use biometric technology when making payments, according to a new Visa-sponsored survey. Nearly three in four (73 per cent) see two-factor authentication – where a form of biometrics is used in conjunction with a payment device – as a secure payment authentication method. More than half (53 per cent) express a preference for fingerprint over other forms of biometric authentication for payments. Half the consumers quizzed think payments will be faster and easier with biometrics. Far fewer people favoured either voice recognition or the new technology of selfie-based recognition. Only 15 per cent would use selfies to make payments and only 12 per cent would use voice recognition for authentication.
In the UK, these figures fall to eight per cent and 12 per cent, respectively, for facial or voice recognition as payment methods. Two-thirds (68 per cent of those quizzed) want to use biometric authentication methods to pay for things, particularly in environments where speed efficiencies are valued, such as buying train tickets or paying at a bar or restaurant. Jonathan Vaux, Visa’s executive director of innovation partnerships, argued that biometrics need to be married with other forms of authentication to make a successful payments system. “Biometric identification and verification has created a great deal of excitement in the payments space because it offers an opportunity to streamline and improve the customer experience,” Vaux said. “Our research shows that biometrics is increasingly recognised as a trusted form of authentication as people become more familiar with using these capabilities on their devices.” “Unlike a PIN which is entered either correctly or incorrectly, biometrics are not a binary measurement but are based on the probability of a match.

Biometrics work best when linked to other factors, such as the device, geolocation technologies or with an additional authentication method.

That’s why we believe that it’s important to take a holistic approach that considers a wide range of enabling technologies that contribute to a better end-to-end experience, from provisioning a card to making a purchase to checking your balance,” he added. Asked to consider the potential benefits of biometric authentication, half of Europeans (51 per cent) state that biometric authentication for payments could create a faster and easier payment experience than traditional methods.

A third (33 per cent) welcomed the idea that biometric authentication means that their details would be safe even if their device was lost or stolen. The Visa Biometric Payments study, conducted by market research outfit Populus, involved quizzing more than 14,000 consumers across seven European countries.

The survey is one of the largest and most comprehensive studies on biometric payments to date. ®
Decompiled code suggests blocks are embedded in the app

Lebanese-Canadian developer Nadim Kobeissi has taken aim at WhatsApp, accusing it of fudging about why calls to Saudi numbers don't work. In a long post at GitHub Gist, Kobeissi (best known for his work on secure chat app Cryptocat) says the blocks seem to be in WhatsApp, even though the company claims Saudi networks are stopping calls by blocking the handshake. “Alice is unable to receive or initiate WhatsApp calls, even though she is in Europe and is using European WiFi,” he writes. “If you can test this, I suggest you do. Get a Saudi phone number, register to WhatsApp, and then fly to France and make a call. You will encounter the same result even if you're on French WiFi.” He probably breaches terms and conditions somewhere by decompiling the app and posting the results, and the existence of a VoipNotAllowedActivity.class seems to suggest that the application at least has the ability to bring down the boom on a call.

Nadim Kobeissi believes the VoipNotAllowedActivity.class bells the cat

Earlier this year, English-language site Arab News reported that the kingdom had lifted its WhatsApp ban.

At the time, the local regulator CITC wouldn't comment on the long-term status of WhatsApp in Saudi Arabia. However, a more restrictive attitude seemed to reassert itself in May, with the regulator acting against Viber and Facebook Messenger and warning that “[a]ppropriate action will be taken against applications or services that do not comply with the regulations”. Those regulations are designed to protect local carrier revenues from being eroded by free apps. The Register has contacted WhatsApp for comment. ®
In the past year we've seen an influx of endpoint detection and response (EDR) tools that promise to bring order, through greater visibility, to the wild west of endpoints within a large organization.

The scenario is all too common: IT security usually...
Onion routing for the next generation

Next week, boffins will unveil a new anonymous internet tool that they say is both faster and more resistant to attack than Tor, while still keeping online use impenetrable to spies. Dubbed Riffle, the new system was developed by MIT and the École Polytechnique Fédérale de Lausanne in Switzerland.
It uses the same onion encryption as Tor, which wraps messages in layers of encryption to preserve privacy. Riffle [PDF] also routes traffic through a chain of servers, but, unlike Tor's relays, those servers form a mixnet – each one shuffles a batch of messages so that the order in which they arrive cannot be matched to the order in which they leave.

But the special sauce in Riffle is that it toughens up the network against those seeking to track users. Such attacks are a big concern for Tor users, especially since last year researchers at Carnegie Mellon University apparently found a way to deanonymize sections of the Tor network by using a series of infected nodes.

The research team got a reported $1m bounty from the Feds for that research – but Riffle could render the technique moot. "Riffle uses a technique called a verifiable shuffle.

Because of the onion encryption, the messages that each server forwards look nothing like the ones it receives; it has peeled off a layer of encryption," MIT explained. "But the encryption can be done in such a way that the server can generate a mathematical proof that the messages it sends are valid manipulations of the ones it receives.
Verifying the proof does require checking it against copies of the messages the server received.
So with Riffle, users send their initial messages to not just the first server in the mixnet but all of them, simultaneously.
Servers can then independently check for tampering." It's a very secure system, but also one that's very resource-intensive.
So Riffle uses authenticated encryption (the MIT write-up calls it "authentication encryption") for the bulk of the traffic, with the servers working together so that as long as one of the routing computers remains uncompromised, users' anonymity holds. "The idea of mixnets has been around for a long time, but unfortunately it's always relied on public-key cryptography and on public-key techniques, and that's been expensive," says Jonathan Katz, director of the Maryland Cybersecurity Center and a professor of computer science at the University of Maryland. "One of the contributions of this paper is that they showed how to use more efficient symmetric-key techniques to accomplish the same thing.

They do one expensive shuffle using known protocols, but then they bootstrap off of that to enable many subsequent shufflings." As a result, the system is both strong and efficient.

The development team says it takes a tenth of the resources of other anonymizing services to send large files and provides much better protection against active and passive monitoring. Riffle will be presented at next week's Privacy Enhancing Technologies Symposium in Germany. ®
PIA tells users 'we logged nothing', deletes Russian servers from clients

VPN provider Private Internet Access (PIA) says its servers have been seized by the Russian government, and it has quit the country in protest at its privacy laws. The company has sent an e-mail to users claiming some of its servers have been seized, even though the enforcement regime – in which all Internet traffic has to be logged for a year – doesn't come into effect until September 2016. A paying user has forwarded the company's e-mail to The Register, which we reproduce at the bottom of this story.

The customer also told us the Russian gateways disappeared automatically from “older versions of the PIA client” in the last week. Russia has been progressively cracking down on Internet services with a particular focus on encryption, and in June laws landed in the Duma that would also outlaw apps like Messenger and WhatsApp. The crackdown already demands registration of any blog, publisher or social network site with more than 3,000 readers, and requires them to store data on Russian soil. The e-mail, which is available in 'View as Web Page' mode, says: “The Russian Government has passed a new law that mandates that every provider must log all Russian internet traffic for up to a year. We believe that due to the enforcement regime surrounding this new law, some of our Russian Servers (RU) were recently seized by Russian Authorities, without notice or any type of due process. We think it’s because we are the most outspoken and only verified no-log VPN provider. “Luckily, since we do not log any traffic or session data, period, no data has been compromised. Our users are, and will always be, private and secure. “Upon learning of the above, we immediately discontinued our Russian gateways and will no longer be doing business in the region. “To make it clear, the privacy and security of our users is our number one priority.

For preventative reasons, we are rotating all of our certificates.

Furthermore, we’re updating our client applications with improved security measures to mitigate circumstances like this in the future, on top of what is already in place.
In addition, our manual configurations now support the strongest new encryption algorithms including AES-256, SHA-256, and RSA-4096. “All Private Internet Access users must update their desktop clients at https://www.privateinternetaccess.com/pages/client-support/ and our Android App at Google Play. Manual OpenVPN configuration users must also download the new config files from the client download page. “We have decided not to do business within the Russian territory. We’re going to be further evaluating other countries and their policies. “In any event, we are aware that there may be times that notice and due process are forgone. However, we do not log and are default secure against seizure. “If you have any questions, please contact us at helpdesk@privateinternetaccess.com. “Thank you for your continued support and helping us fight the good fight.” ®
Mozilla's safer-C programming language used to shore up media wrangling code

Mozilla says it will next month ship the first official Firefox build that sports code written in its more-secure-than-C Rust programming language. The Firefox 48 build – due out August 2 – will include components developed using Rust, Moz's C/C++-like systems language that focuses on safety, speed and concurrency. It's hoped the Rust-written code will avoid the usual programming blunders present in other web browsers – typically use-after-free and heap corruption bugs – which malicious websites exploit to install malware on computers. For one thing, Rust's compiler is extremely strict: safe Rust refuses to build code containing data races or unchecked pointer use, and array and slice indexing is bounds-checked at run time, so an out-of-bounds access aborts the program instead of silently corrupting memory.

Therefore, it should be a lot harder to attack the Rust-hardened sections of Firefox. The first use of Rust will be in the media parser tools, where the security strengths of the language are best put to use. Mozilla believes the memory safety features of Rust will do the most good when handling embedded media files, a favorite ammunition for drive-by malware attacks. "Media formats are known to have been used to trick decoders into exposing nasty security vulnerabilities that exploit memory management bugs in web browsers' implementation code," wrote Mozilla director of strategy Dave Herman. "This makes a memory-safe programming language like Rust a compelling addition to Mozilla's tool-chest for protecting against potentially malicious media content on the web." Herman noted that early tests on the code have shown that the new Rust components run at identical speeds to their C++ predecessors, meaning users should see little to no difference in performance from the move. Meanwhile, the new Firefox build should, in theory, become more secure. Going forward, Mozilla says it is working on nightly builds of Servo, a Rust-written browser engine that uses Moz's C/C++ SpiderMonkey JavaScript engine. Meanwhile, Rust was recently updated to version 1.10. "Rust itself is the product of a tremendous, vibrant community," Herman declared. "None of this work would have been possible without the incredible contributions of issues, design, code, and so much more of Rustaceans worldwide." ®