
Tag: Takeover

Amazon opens up Alexa voice and text tech for developers to...

New "Lex" platform makes Alexa's intelligence available to all.

Android devices can be fatally hacked by malicious Wi-Fi networks

Broadcom chips allow rogue Wi-Fi signals to execute code of attacker's choosing.

WhatsApp, Telegram Vulnerabilities Exposed Users to Account Takeover

WhatsApp and Telegram patched vulnerabilities in the last week that could have let an attacker take over a user's account.

Sift Science releases account takeover prevention tool

As we move more of our lives online, fraudsters are using account takeover attacks, which allow them to access richer information and cause more damage.

Now there’s a better way to prevent Facebook account takeovers

Site enhances two-factor authentication with crypto keys that plug into USB slots.

DHS Adds Elections Machines, Systems to Critical Infrastructure List

Individual states will still have oversight and control over their election systems, but the move makes a statement “domestically and internationally” that the U.S. considers its elections critical, the agency says.

The U.S. Department of Homeland Security designated the nation's election technology and systems as critical infrastructure, giving state election officials access to technical and policy aid from the agency. The move, announced Jan. 6, makes the election infrastructure in the United States part of the government-facilities critical infrastructure sector, one of the 16 sectors deemed crucial by the U.S. government. Other sectors include health care, energy and the defense industrial base. While some states have reportedly opposed the designation, the DHS assured election officials that states would still have full oversight and responsibility for running elections.

The designation “makes clear both domestically and internationally that election infrastructure enjoys all the benefits and protection of critical infrastructure that the U.S. government has to offer,” DHS Secretary Jeh Johnson said in a statement announcing the decision. “Given the vital role elections play in this country, it is clear that certain systems and assets of election infrastructure meet the definition of critical infrastructure, in fact and in law.”

The announcement comes three months after top intelligence officials issued a statement attributing attacks against the Democratic National Committee, the campaign of Hillary Clinton, and state election systems to Russia. The Obama administration released additional details of the attacks and the evidence gathered by intelligence and law enforcement officials earlier this month.

The act of designating election systems as critical infrastructure means that the DHS will be able to work more closely with states to secure a variety of election-related technologies, processes and locations, including storage facilities and polling places, information and communications technology related to voting, and the voting machines themselves. Election-security groups have long called for the infrastructure to be designated critical. Verified Voting, a group of voting experts, has pushed for election systems to be deemed critical since 2013, Pamela Smith, president of Verified Voting, told eWEEK in an e-mail.

“Voting systems should receive at least as much attention and care as other critical infrastructure systems do,” Smith said. “The fact that all or nearly all of the 50 states as well as more than 30 local jurisdictions availed themselves of support from Department of Homeland Security this year in the run-up to the election makes it clear that cyber-security considerations in elections are serious.”

DHS' Johnson acknowledged the concerns that many state election officials have raised about DHS designating election technology as critical infrastructure. “It is important to stress what this designation does and does not mean,” Johnson said. “This designation does not mean a federal takeover, regulation, oversight or intrusion concerning elections in this country. This designation does nothing to change the role state and local governments have in administering and running elections.”

While the change in status is a good initial step, Verified Voting’s Smith stressed that election officials should still require that audits of all voting be conducted following an election, as a defense against fraud and machine error. “Even where voting systems are recount-able and auditable—we don't have robust audit requirements in place in at least half of those locations—we are not yet able to say authoritatively that our elections are secure,” she said. “We can do better.”

DHS Designates Election Systems As Critical Infrastructure

The Department of Homeland Security has deemed the nation's voting system part of its critical infrastructure, citing security reasons.

The US Department of Homeland Security (DHS) has designated the nation's election system as part of its critical infrastructure, a status change it has been debating for the past few months. There are 16 critical infrastructure sectors and 20 subsectors. In a statement issued Jan. 6, DHS Secretary Jeh Johnson explained why the US voting system will become a subsector of the Government Facilities critical infrastructure division. "Election infrastructure is vital to our national interests, and cyber attacks on this country are becoming more sophisticated, and bad cyber actors -- ranging from nation states, cyber criminals and hacktivists -- are becoming more sophisticated and dangerous," he said.

This infrastructure spans all systems used to manage elections, including storage facilities, polling locations, and voter registration databases. As critical infrastructure, these are eligible for prioritized security assistance from the DHS, if requested. Further, voting systems will be part of US efforts to improve incident response capabilities, as well as streamlined access to both classified and unclassified information shared by critical infrastructure operators.

Information sharing is a key benefit in this case, says Travis Farral, director of security strategy at Anomali and former elections judge in Texas. The United States' infrastructure for tallying votes is decentralized, which is a "double-edged sword" in terms of security. "It's harder for someone to attack a single authority," he says, because voting systems are different in each state. "But when trying to dictate security for varying apparatuses, it's difficult for the federal government to protect all that."

The elevation to critical infrastructure will enable local and state election organizations to quickly share information and connect with the DHS to receive updates related to elections, security events, or the geopolitical environment, Farral continues. It’s a benefit to local municipalities where funding is low and officials want to ensure the integrity of elections. The critical infrastructure designation will give them multiple resources to stay connected and receive a coordinated, streamlined flow of information.

Johnson noted many state and local officials were against the designation, due to concerns about federal takeover of local election processes. He explained how the designation "does not mean a federal takeover, regulation, oversight or intrusion concerning elections in this country. This designation does nothing to change the role state and local governments have in administering and running elections." Farral echoes this, noting how the power of election processes still resides with each state. Greater steps would have to be taken in order to change how elections are run.

However, the future is unclear. "This may not be where things end," he notes, acknowledging the uncertainty of a new president and administration. "It's possible there may be additional changes, or some legislation in Congress designed to make more changes." Individual states may implement their own changes to improve election security, he adds.

This news arrived at a critical time for US cybersecurity. On the same day it was issued, the US Office of the Director of National Intelligence released a report explaining Russia's role in conducting cyberattacks to interfere with the US election. This likely wasn’t by chance. "This announcement was probably timed to coincide with the release of the report, but it's hard to say for certain," says Farral.

Kelly is an associate editor for InformationWeek.

It’s official: US election systems designated as critical

On Friday, US Homeland Security Secretary Jeh Johnson designated election systems to be part of the nation's critical US infrastructure. He said this move would better protect elections from increasingly sophisticated hacking. "Now more than ever, it is important that we offer our assistance to state and local election officials in the cybersecurity of their systems," Johnson wrote in a statement published late Friday afternoon. "Election infrastructure is vital to our national interests, and cyber attacks on this country are becoming more sophisticated, and bad cyber actors—ranging from nation states, cyber criminals and hacktivists—are becoming more sophisticated and dangerous."

The designation came the same day that US intelligence officials published an unclassified version of a report concluding that Russian Federation president Vladimir Putin directly ordered intelligence agencies to collect data from the Democratic National Committee, the Hillary Clinton presidential campaign, and other organizations. The agencies then oversaw an effort to discredit Clinton, the Democratic party, and the US democratic political process through “information operations," according to the report, which was jointly written by the Central Intelligence Agency, the National Security Agency, and the FBI. Friday's declassified report says that Russian intelligence services "obtained and maintained access to elements of multiple US state or local electoral boards," but went on to conclude that none of the affected systems was involved in vote tallying. In August, voter registration systems in Arizona and Illinois were reportedly targeted by hackers. Election officials in Arizona said the FBI warned them the attempted intrusion was carried out by Russians, but they didn't say if the hackers were state-sponsored or financially motivated.

Sixteen US sectors are classified as critical infrastructure, including chemical manufacturing, dams, and emergency services. Friday's designation adds election systems as a subsection to the existing government facilities sector. The DHS published a fact sheet concerning the move. Johnson sought to head off criticism from some state officials opposed to the new designation. "This designation does not mean a federal takeover, regulation, oversight, or intrusion concerning elections in this country," he wrote. "This designation does nothing to change the role state and local governments have in administering and running elections."

Greatest Hits Of 2016: Readers' Picks For The Year's Best Commentary

Here's what topped the Dark Reading page-view charts from the security industry's brightest minds, coolest rock stars, and up-and-coming leaders.

The hacking thriller Mr. Robot may have been snubbed by the 2017 Golden Globe Award nominating committee this month, but security researcher Sarah Vonnegut’s blog, 5 'Mr. Robot' Hacks That Could Happen in Real Life, about the award-winning season one, pulled in the highest number of readers of all the contributed content we published in 2016. Vonnegut, an application security community specialist at Checkmarx, offered a reality check to anti-hero Elliot’s premier season hacking prowess, and garnered a whopping 14,738 page views from Dark Reading fans of the show.

Other 2016 favorites from our roster of contributors include:

Rethinking Application Security With Microservices Architectures (6,804 views, 4/15/2016), by Ranga Rajagopalan, Chief Technology Officer, Avi Networks. The advantages offered by the container model go against many of the assumptions of traditional security mechanisms. Here are 5 new concepts & 4 best practices you'll need to understand.

Security Portfolios: A Different Approach To Leadership (6,802 views, 8/11/2016), by Adam Shostack, Founder, Stealth Startup. How grounding a conversation around a well-organized list of controls and their goals can help everyone be, literally, on the same page. Part seven of an ongoing series.

How To Stay Safe On The Black Hat Network (6,722 views, 7/28/2016), by Neil R. Wyler (Grifter), Threat Hunting and Incident Response Specialist, RSA. Black Hat attendees may have changed their titles and now carry business cards, but hackers gotta hack and there's no better place to do it than Black Hat.

The Secret Behind the NSA Breach: Network Infrastructure Is The Next Target (6,683 views, 8/25/2016), by Yoni Allon, Research Team Leader, LightCyber. How the networking industry has fallen way behind in incorporating security measures to prevent exploits of ubiquitous routers, proxies, firewalls, and switches.

Anatomy Of An Account Takeover Attack (6,389 views, 2/23/2016), by Ting-Fang Yen, Research Scientist, Datavisor, Inc. How organized crime rings are amassing bot armies for password-cracking attacks on personal accounts in retail, financial, gaming, and other consumer-facing services.

20 Endpoint Security Questions You Never Thought to Ask (5,696 views, 10/26/2016), by Joshua Goldfarb, VP & CTO - Emerging Technologies, FireEye. The endpoint detection and response market is exploding! Here's how to make sense of the options, dig deeper, and separate vendor fact from fiction.

5 Soft Skills Young Cybersecurity Professionals Need to Get Ahead (5,615 views, 6/14/2016), by Todd Thibodeaux, President & CEO, CompTIA. Today's employers aren't looking for recruits who can maintain firewalls and mitigate risk. They want well-rounded professionals who can apply security expertise across the business to yield bottom-line results.

Why Social Media Sites Are The New Cyber Weapons Of Choice (5,387 views, 9/6/2016), by Nick Hayes, Analyst, Forrester. Facebook, LinkedIn, and Twitter can't secure their own environments, let alone yours. It's time to sharpen your security acumen.

Changing IoT Passwords Won't Stop Attacks. Here's What Will (5,173 views, 11/7/2016), by Paul Madsen, Senior Technical Architect, Ping Identity. The solution will take an industry-wide effort, it won't happen overnight, and the problem is not the users' fault!

Do you have a favorite contributor commentary of 2016? Share it in the comments!

Marilyn has been covering technology for business, government, and consumer audiences for over 20 years.

Facebook charged with misleading EU over $22 billion WhatsApp takeover

Facebook has been accused of misleading the European Commission over its $22 billion takeover of WhatsApp in 2014—when the Mark Zuckerberg-run company claimed that it wouldn't be able to knit together user IDs, thereby combining the data of the two services. Brussels' competition officials issued a charge sheet against Facebook on Tuesday, in which it is alleged that the free content ad network failed to disclose that "the technical possibility of automatically matching Facebook users' IDs with WhatsApp users' IDs already existed" at the time of the merger. Antitrust chief Margrethe Vestager said that companies must provide "accurate information" during routine competition probes into planned acquisitions. "They must take this obligation seriously," she said. "In this specific case, the commission's preliminary view is that Facebook gave us incorrect or misleading information during the investigation into its acquisition of WhatsApp.

Facebook now has the opportunity to respond." Facebook has been slapped with a so-called Statement of Objections by the commission, which claims that the multinational "intentionally, or negligently, submitted incorrect or misleading information" to the competition wing of the EC, thereby allegedly breaching its obligations under the EU Merger Regulation. It comes after WhatsApp confirmed in August that it planned to merge user phone numbers with Facebook user accounts—much to the chagrin of privacy campaigners in Europe. At the time, it claimed that the information would be used to offer users "more relevant" Facebook ads, new "ways for people to communicate with businesses" via the app, and new friend suggestions. By mid-November, Facebook had stopped sharing WhatsApp user data across Europe, after it was forced to respond to regulatory pressure in the UK and Germany. Weeks earlier, data watchdogs across the EU who sit on the Article 29 Working Group urged Facebook "not to proceed with the sharing of users' data until the appropriate legal protections can be assured." Now Vestager's office has separately entered the fray with tentative charges brought against Facebook that could lead to it being fined up to one percent of its annual turnover. The commission also explained the rationale behind its decision to wave through Facebook's buyout of WhatsApp unchallenged in late 2014.
It said: With respect to consumer communications services, the commission found that Facebook Messenger and WhatsApp were not close competitors and that consumers would continue to have a wide choice of alternative consumer communications apps post-merger.

Although consumer communications apps are characterised by network effects, the investigation showed that a number of factors mitigated the network effects in that case. As regards social networking services the commission concluded that, no matter what the precise boundaries of the market for social networking services are and whether or not WhatsApp is considered a social network, the companies are, if anything, distant competitors. With respect to online advertising, the commission concluded that, regardless of whether Facebook would introduce advertising on WhatsApp and/or start collecting WhatsApp user data for advertising purposes, the transaction raised no competition concerns.

This is because, besides Facebook, a number of alternative providers would continue to offer targeted advertising after the transaction, and a large amount of Internet user data that are valuable for advertising purposes are not within Facebook's exclusive control. Facebook now has until the end of January to respond to the EC's charge sheet. "We respect the commission's process and are confident that a full review of the facts will confirm Facebook has acted in good faith," Facebook said. "We've consistently provided accurate information about our technical capabilities and plans, including in submissions about the WhatsApp acquisition and in voluntary briefings before WhatsApp's privacy policy update this year." It added: "We're pleased that the commission stands by its clearance decision, and we will continue to cooperate and share information officials need to resolve their questions." Vestager warned at the start of this year that she was eyeballing US tech giants that hoard vast amounts of user data.
She said that following close scrutiny, Google's acquisition of DoubleClick and Facebook's buyout of WhatsApp both got the go-ahead, adding that data issues did not, and should not, be linked only to investigations into alleged privacy abuses. However, her concerns about the lack of clarity around how much data is being used by online services, such as messaging apps and video-streaming sites, clearly left the commission flat-footed given that it has only now spotted an alleged discrepancy with Facebook's takeover of WhatsApp. This post originated on Ars Technica UK

Tales of WordPress Plugin Insecurity Overblown, Researchers Say

The insecurity of WordPress plugins has been well documented, especially over the last year, but in the grand scheme of things, it’s not as bad as it seems, experts claim. Hendrik Buchwald, a researcher and cofounder of RIPS, a German firm that performs static source code analysis, recently combed through tens of thousands of WordPress plugins to see just how vulnerable they are. As part of their investigation, the company used a tool to search for vulnerabilities in PHP scripts. It downloaded all 47,959 official plugins from WordPress’ repository and reviewed each plugin that had at least one PHP file, roughly 44,705 plugins. Buchwald said that from there, researchers with the firm looked at larger plugins – plugins with more than 500 lines of code – about 10,523 in all. About half of the plugins – 4,559, or 43 percent – had at least one medium-severity security issue.

That figure, while alarming, is somewhat misleading, according to a write-up on the analysis Buchwald posted on Wednesday. “There are lot of attacks on WordPress sites, but one of the main reasons for this is the large amount of sites running WordPress,” said Buchwald. “Percentage-wise the amount of vulnerabilities is not as bad as often assumed, but it is far from good.” The vulnerabilities aren’t evenly dispersed across the plugins. After cross-referencing the number of plugins with no issues and with low, medium, and critical severity issues, he found that the “vast majority of plugins” didn’t have vulnerabilities at all. Those that did, however, likely had a surplus of vulnerabilities, he claims. The more lines of code a plugin had, the more likely it was to fall into that latter camp. According to the research, plugins with fewer than 1,000 lines of code had next to zero vulnerabilities. While a large percentage of the internet’s sites may be built on WordPress, RIPS’ research suggests only a small percentage of the plugins used on those sites contain vulnerabilities.

“WordPress is not as insecure as its reputation would suggest,” Buchwald said Wednesday. “Rather it is a top target due to its incredible prevalence. While many plugins do not contain vulnerabilities at all because of its small size, the ones that do have issues, have a lot of them. The more lines of code a plugin has, the more vulnerabilities it has on average.”

The report drills down on the security of two plugins in particular: a WordPress firewall plugin, All In One WP Security & Firewall, and a podcast management tool, Podlove Publisher. All In One WP Security & Firewall, which has 400,000-plus installs, could have allowed an attacker who already had access to the admin panel to make read-only files writable. A cross-site scripting vulnerability also existed in the plugin. Podlove Publisher, which has far fewer installs (2,000-plus), meanwhile suffered from multiple SQL injections and a cross-site scripting vulnerability.

Researchers surveyed a handful of popular WordPress e-commerce plugins about a month ago, shortly before Black Friday, and found that four of the top 12 contained severe vulnerabilities. While the researchers behind that analysis declined to name the vulnerable plugins, they did warn that the bugs were tied to reflected cross-site scripting, SQL injection, and file manipulation flaws. RIPS’ research echoes those findings: nearly 70 percent of the vulnerabilities it uncovered were cross-site scripting flaws, and the second most common vulnerability it found was SQL injection.

Like death and taxes, vulnerabilities in WordPress plugins have become a near certainty. Upwards of 75 million websites depend on WordPress, and some of the more popular plugins boast more than 1 million active installs. In the past several years, vulnerabilities that can allow for site takeover, the bypass of two-factor authentication, and the theft of password hashes and other database information have surfaced.

Finally! A minimum standard for certificate authorities

The Certificate Authority Security Council has released new Minimum Requirements for Code Signing for use by all CAs (Certificate Authorities).

This represents the first-ever standard for code-signing, and the advocacy group hopes the guidelines will improve web security by making it easier to verify software authenticity. The new Minimum Requirements for the Issuance and Management of Publicly-Trusted Code Signing Certificates outlines specific steps CAs and individual software companies must perform to ensure code-signing certificates are not abused.
It addresses "user concerns about the trustworthiness of signed objects and accurately identifying the software publisher," the working group wrote in the requirements document. While the requirements are intended primarily for CAs that can issue code-signing certificates (including root CAs publicly trusted for code signing and all other CAs part of the root CA's validation path), software companies and developers have to comply with some of the requirements if they are going to work with a standards-compliant CA. Not meeting those requirements can mean a code-signing certificate will not be issued, or an existing one will be revoked. Code signing refers to using certificates to digitally sign executables and scripts in order to verify the author's identity and, more importantly, that the code has not been altered or corrupted since it was signed.
Several attack campaigns have stolen legitimate code-signing certificates to sign malware, making it possible for the malicious code to bypass security defenses.

There are 25 million pieces of malware enabled by code-signing certificates, and stolen code-signing digital certificates are sold every day on underground markets for more than $1,000 each, said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi. "Code signing is critical to every mobile device and computer we touch," Bocek said. Microsoft has already adopted the minimum requirements and will require all CAs issuing code-signing certificates for the Windows platform to adopt the minimum requirements starting Feb. 1, 2017. Because CAs have different rules for how they issue and revoke code-signing certificates, both developers and cybercriminals could game the system, Bocek said. Without any standards in place, it was possible to get accepted by one CA even after already being rejected by a different CA.

The variance made it difficult to know which code-signing certificate could be trusted. With the guidance, each CA has some leeway in developing its own process for how to issue and revoke certificates, but the underlying requirements are the same from CA to CA. Along with providing all the information necessary for the CA to verify the identity of the software company (or developer) in order to issue the certificate or sign the code object, organizations are responsible for making sure the private key is generated, stored, and used in a secure environment with controls to prevent the keys from being stolen or misused.

The CA has to provide guidance on how to protect the keys, but it's up to the organization to do it in a way that matches the guidelines:

Protecting the private keys: Organizations have to use either a trusted platform module to generate and secure key pairs, a FIPS 140 Level 2 Hardware Security Module or equivalent (such as Common Criteria EAL 4+), or another type of hardware storage token, such as a USB key or an SD card. The tokens have to be kept physically separate from the device hosting the code-signing function until the moment they are actually needed for a signing session.

Securing the code-signing computer: The computer used for signing cannot be used for web browsing, and it must be periodically scanned by regularly updated security software for possible infections.

Picking a trusted third party: Organizations that use a third-party signing service to sign objects with their private keys should make sure the signing service has enabled multi-factor authentication to access and authorize code signing. If the service doesn't, it's not compliant with the new requirements and should be a serious warning flag.

Transporting the key securely: If the CA or the signing service is generating the private key on behalf of the organization, the private keys may be transported outside of the secure infrastructure. In those cases, the key must either be transported "in hardware with an activation that is equivalent to 128 bits of encryption, or encrypt the Private Key with at least 128 bits of encryption strength," according to the standard. That could mean using a 128-bit AES key to wrap the private key, or storing the key in a PKCS #12 file encrypted with a randomly generated password "of more than 16 characters containing uppercase letters, lowercase letters, numbers, and symbols."

Using strong keys: The CA will not issue the code-signing certificate if the requested Public Key does not meet modern security requirements or if it has a known weak Private Key (such as a Debian weak key).

The CA will have to spell out all of the new requirements in the subscriber agreement, and it has to keep complete records to show that both the organization and the CA are following the rules. Under the agreement, the organization cannot request a code-signing certificate if the public key in the certificate is -- or will be -- used with a non-code-signing certificate.
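As an added illustration (not code from the article or from the standard itself), the following Python checks a PKCS #12 transport password against the rule quoted above and works out how long a uniformly random password over this alphabet must be to reach the 128-bit strength the standard names; the symbol set and the 24-character default are assumptions, since the standard does not enumerate them.

```python
import math
import secrets
import string
from typing import List

# Policy as quoted in the article: a randomly generated password of more than
# 16 characters containing uppercase letters, lowercase letters, numbers, and
# symbols. The symbol set below is an assumption (the standard lists none).
MIN_LENGTH_EXCLUSIVE = 16
SYMBOLS = "!#$%&()*+,-./:;<=>?@[]^_{|}~"
CHARACTER_CLASSES = {
    "uppercase": string.ascii_uppercase,
    "lowercase": string.ascii_lowercase,
    "digit": string.digits,
    "symbol": SYMBOLS,
}
ALPHABET = "".join(CHARACTER_CLASSES.values())  # 90 characters


def check_transport_password(password: str) -> List[str]:
    """Return the policy violations for a password; an empty list means compliant."""
    problems = []
    if len(password) <= MIN_LENGTH_EXCLUSIVE:
        problems.append(f"length {len(password)} is not more than {MIN_LENGTH_EXCLUSIVE}")
    for name, chars in CHARACTER_CLASSES.items():
        if not any(c in chars for c in password):
            problems.append(f"missing {name} character")
    return problems


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password of the given length over the alphabet."""
    return length * math.log2(alphabet_size)


def min_length_for_bits(bits: int, alphabet_size: int = len(ALPHABET)) -> int:
    """Smallest length whose uniform-random entropy reaches the target bit strength."""
    return math.ceil(bits / math.log2(alphabet_size))


def generate_transport_password(length: int = 24) -> str:
    """Generate a compliant password from the OS CSPRNG (secrets), retrying the
    draw until every required character class is present."""
    if length <= MIN_LENGTH_EXCLUSIVE:
        raise ValueError(f"length must be more than {MIN_LENGTH_EXCLUSIVE}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_transport_password(candidate):
            return candidate


if __name__ == "__main__":
    pw = generate_transport_password()
    print(pw, check_transport_password(pw))
    # 17 characters satisfies "more than 16" but, over a 90-character alphabet,
    # carries only ~110 bits; 20 characters are needed to reach 128 bits.
    print(f"17 chars -> {entropy_bits(17):.1f} bits; "
          f"{min_length_for_bits(128)} chars needed for 128 bits")
```

The point a practitioner should take from the arithmetic is that the 16-character floor alone does not reach the 128-bit strength the same clause requires, so a wrapping password should be sized to the bit target, not just to the character count.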

The organization also has to commit to protecting against the theft or misuse of the private key, and to immediately request the CA to revoke the certificate if the private key is compromised or used to sign malicious code. If the private key is compromised due to an attack, the CA doesn't have to issue a new or replacement certificate until it is satisfied the organization has improved its security protections. "Documentation of a Takeover Attack may include a police report (validated by the CA) or public news report that admits that the attack took place.

The Subscriber must provide a report from an auditor with IT and security training or a CISA that provides information on how the Subscriber was storing and using Private keys and how the intended solution for better security meets the guidelines for improved security," the standard says. Currently, if the CA rejects the request for a new or replacement certificate, the organization can apply with another CA. However, if the second CA is following the new requirements, then it will be checking "at least one database containing information about known or suspected producers, publishers, or distributors of Suspect Code, as identified or indicated by an Anti-Malware Organization and any database of deceptive names" before issuing a certificate.
If the second CA sees that the organization has been implicated in signing bad code, then the idea is that it will also push back and reject the application, just like the first CA. "The CA must not issue new certificates to organizations that have been the victim of two Takeover Attacks or where the CA is aware the organization is not storing the private keys correctly," the standard says. The standard also has other requirements about the CA setting up a Timestamp Authority and how the timestamp certificates should be used, such as letting code signatures stay valid for the length of the validity period of the timestamp certificate. The standard was released by the Code Signing Working Group, part of the CA/Browser Forum, which is a voluntary group of CAs, browser makers, and software vendors that use X.509 v3 digital certificates in their applications.

The Code Signing Working Group consists of Comodo, DigiCert, Entrust, GlobalSign, Izenpe, Microsoft, Symantec, SSC, and WoSign.

The China-based WoSign is the same CA that was recently marked as untrusted by Mozilla, Apple, and Google for multiple problems in how SSL certificates were issued. "The CA Security Council guidance on code signing is long overdue," Bocek said. "New methods of certificates to detect fraud and misuse such as Certificate Reputation will also see increased adoption as misuse of code signing certificates gets more and more attention." The requirements have not been adopted by the CA/Browser Forum, but will instead be improved and maintained by the CA Security Council.