Thursday, January 18, 2018

Tag: The Cure

Avalanches of neuronal activity may be accidental rather than useful.
Stricter nitrogen oxide emissions regulations mean an end to diesel-engine development.
Unlike industries that fear the intrusion of AI, the infosec world is embracing this revolutionary technology, and the seismic changes it will bring to threat detection and mitigation. I was reminded of a mathematical hypothesis called the singularity when I read Vinod Khosla’s recent interview in the Wall Street Journal and his prediction of massive job displacement and the growth of new industries due to the widespread adoption of artificial intelligence (AI). The singularity is a point and phase in the future when bio, nano, energy, robotic, and computer technology will develop at such a rate, become so advanced, and have such a profound impact on humanity, that today’s society has no means to understand or describe what life will be like at that time in the future. It made me wonder how far and fast we are heading in the same explosion of unfathomable change occurring today in information security. Just as IT revolutionized all forms of business in the last half-century, and the Internet in turn revolutionized IT in the last quarter-century, the trajectory we are on now places AI squarely at the next technology inflection point. The study of history often provides a strong predictor of human societal change. When history unexpectedly veers off course, it is usually due to a substantial technology advancement and the subsequent seismic changes it brings to business and economic systems. Our perception and use of AI today, also known as machine intelligence, is still in its infancy. New industries are learning by doing, just as we did when the Internet was in its infancy. Looking back, it’s easy to wince and laugh at interviews of experts in the mid-1990s describing the revolutionary nature of email and the world wide web and their dire predictions about the dreaded Y2K.

Their projections were both right and wrong, limited in part by what they understood at the time.

The impact of what the Internet would ultimately deliver to business and, in turn, society, could not have been foreseen.

The Promise of AI

As a new swath of information security technologies deploy their first generation of AI – seeking to solve many of the security and confidentiality issues that have plagued businesses over the last 40 years – we’re already starting to feel their positive impact. The information security world is now starved for human capital.

There is a global shortage of experienced security workers across the spectrum of skills and specialties.

This is holding back advancement and exposing IT systems and Internet businesses to criminality and ransom. Unlike industries that fear the intrusion of AI, the information security industry – driven largely by a global shortage of qualified employees – is embracing it.

As networks become more sophisticated, generate more data, and are exposed to increasingly advanced threats, AI and the automation it empowers are the cure. This first generation of AI-driven security solutions is focused primarily on automatically sifting through data, hunting for threats, and facilitating a human-led remediation plan. When the first generation of security AI masters threat detection, it will be entrusted with preemptive threat mitigation and auto-remediation of known threats. Our perception of today’s 24x7 security operations center will eventually be replaced with the second generation of AI-led security technology – leaving human operators to focus on business continuity and critical support issues.

However, just as AI is a boon to the defender, so too is it to the attacker.

Defense contractors and governments around the world are already using AI to sift through great lakes of network data and intelligence, and hunt for exploitable weaknesses. Just as fast as armies introduced tanks to warfare, tank-on-tank warfare became a necessity.

AI-on-AI warfare has just begun. If there’s one thing to be learned from the last century’s technology history, it’s that all the important advances are eventually consumerized.

As such, in the next 25 years, I anticipate that AI defense systems will unleash unimaginable ways to combat cyber threats.

Günter Ollmann is chief security officer at Vectra. He has nearly 30 years of information security experience in an array of cyber security consulting and research roles.

Before joining Vectra, Günter was CTO of Domain Services at NCC Group, where he drove strategy ...
Back to the drawing board, boys

It's third time unlucky for the scumbags behind CryptXXX ransomware, as their shoddy coding has been cracked yet again.

CryptXXX is a particularly nasty form of the species – a ransomware app that not only encrypts over 40 file formats on a host PC and any external storage devices, but also steals any Bitcoins it can find on there and demands a hefty ransom for a cure. It first popped up in April as part of a malware bundle being pushed out by the Angler exploit kit.

Then researchers at Kaspersky Lab found a cock-up in the file encryption algorithms that made it easy to beat, and released sanitizing software. In May, the CryptXXX coders tried again with a revised version that added a time delay so that the victim, and security researchers, wouldn't identify the malware-spewing source.

But they didn't cover their tracks well and Kaspersky cracked it again. By June the crims made another attempt, and the third version proved a much tougher proposition.

That build toughened up its encryption techniques and added a StillerX credential-stealing module, which scanned port 445 for VPN, email, and online poker sign-ins. Infection rates soared, as did the amount of money the ransomware brought in because people were paying up.

Now the new version has been cracked and the tool to get your files back – although sadly not your Bitcoins – is available online.

"Even if there is currently no decryption tool available for the version of malware that encrypted your files, please don't pay the ransom to criminals," said Anton Ivanov, a security researcher at Kaspersky Lab. "Save the corrupt files and be patient – the probability of a decryption tool emerging in the near future is high."

The fact remains that this is a very small win in a broader battle that looks set to plague us for years to come because of technical and human failings.

Tech industry, meet stable door

Ransomware has been around for ages, but the tech industry didn't take it seriously because it wasn't widespread and getting payment for the infection was difficult and liable to get the malware creators – or more likely their money mules – collared. However, with the rise of online currencies, the risk/reward ratio for ransomware changed drastically in the malware market's favor.
In the last three years, infection rates have been exploding and the amount of easy money generated is enough incentive to keep ransomware a growth industry – mainly because people keep ponying up the funds. In research last week, IBM's X-Force security team chatted to 600 business customers and found 70 per cent of them had paid ransomware spreaders to get their data back. Over half paid $10,000 in ransom and one in five coughed up over $40,000 for the keys to their data. Ransom payment was much less common among consumers, the same study found.

Around half of the 1,000 people polled said they'd pay up to get their data back, but were very price sensitive about it.

Barely a third said they'd pay more than $100 for the cure to the malware. In July CERT-EU, along with local teams in Ireland, Luxembourg, and Slovenia and a host of smaller security companies, launched the No More Ransom project to combat this particular form of nastiness. Now more than 30 groups, including Intel, European law enforcement, larger security firms, and volunteers are trying to find a cure for the problem. It's going to be a long, hard slog, if it's possible at all.

But the more people pay, the bigger the problem will become. The answer isn't difficult to implement – make frequent and regular backups.

Traditionally that's been something your average Joe hasn't been very good at, but there's no excuse for businesses not having the right secure storage systems in place.
Cracking the grey market in rent-a-borkers

Analysis: It’s not often an entirely new and thriving sector of the “digital economy” – one hitherto unmentioned by the popular press – floats to the surface of the lake in broad daylight, waving a tentacle at us. This is the DDoS-for-hire industry, and it’s fascinating for a few reasons.

This shady marketplace has done everything a legitimate “digital” business should do. Hitherto, what are euphemistically called “booter” services have been pretty obscure.

But if anything deserves an as-a-service “-aaS” (software as a service, SaaS; platform as a service, PaaS) created in its honour, it’s the 'DDoSaaS' or perhaps 'DoSaaS' industry: Denial-of-service-as-a-service. We now know much more about the marketplace because its leading business, vDOS, was hacked this year, and security expert Brian Krebs has been joining the dots. Krebs has documented the DaaS business for some years, a thankless job resulting in regular attacks on Krebs' own website.

The key business and technical architects also helpfully described it in an academic paper. Two Israelis allegedly behind vDOS, both 18, were arrested after an FBI investigation.

The site had been operating for four years. vDOS offered four retail tiers: from a $19.99 “bronze” plan to a $199/month “VIP plan”. Just as blogs and social media “democratised” the media, by making the tools of production and distribution cheap and readily available, so too did booter services. To take a site you didn’t like offline you used to have to have a network of contacts and great technical expertise.

But the booter services put a DDoS attack into anyone’s hands, and all it took was a quick retail transaction – as low as $20.

Booter services were the Uber of DDoS. How’s that for disruption? “To say that vDOS has been responsible for a majority of the DDoS attacks clogging up the Internet over the past few years would be an understatement.

The various subscription packages to the service are sold based in part on how many seconds the denial-of-service attack will last,” Krebs noted, adding: “And in just four months between April and July 2016, vDOS was responsible for launching more than 277 million seconds of attack time, or approximately 8.81 years worth of attack traffic.”

Like many “booter” services, vDOS had been hiding behind CloudFlare’s CDN.

The CloudFlare CDN acts as a cloaking service, and has been criticised for keeping pro-ISIS sites online.

CloudFlare has also been under fire for doxing; a sample of CloudFlare’s clients can be found here.

In a January post entitled “Spreading the disease and selling the cure”, Krebs observed: “The booter services are proliferating thanks mainly to free services offered by CloudFlare, a content distribution network that offers gratis DDoS protection for virtually all of the booter services currently online.”

As well as providing protection for the DoS [denial of service] industry, CloudFlare operates a DoS-protection service for clients worried about DoS attacks. Krebs added: “If CloudFlare adopted a policy of not enabling booter services, it could eliminate a huge conflict of interest for the company and – more importantly – help eradicate the booter industry.”

CloudFlare says it responds to individual law enforcement requests and will not proactively police its network for DDoS-ers.

What made vDOS particularly interesting was that it operated in both “retail” and “wholesale” markets. “PoodleStresser, as well as a large number of other booter services, appears to rely exclusively on firepower generated by vDOS,” Krebs notes. This isn’t unusual in legitimate sectors.

A food manufacturer may sell white label versions of its goods to supermarkets, and mobile networks have for years made better use of their capacity by wholesaling to MVNOs (mobile virtual network operators).

The vDOS pair maintained a network of PayPal accounts but many of the participants are US based. Damon McCoy, cited at Krebs' blog, notes that vDOS blocked clients from disabling Israeli sites, most likely to avoid unwanted attention from authorities at home: “The main reason was they didn’t want to make trouble in their local jurisdiction in the hopes that no one in their country would be a victim and have standing to bring a case against them.”

The cover story offered by booter operations is that the software has a legitimate use: for sites to stress test their own web servers.
In reality, the “democratization of DDoS” – with kits available on the dark web for a fiver – means that buying DDoS protection offered by CloudFlare is almost mandatory.
As quantum computers inch closer to reality, experts are sweating over their potential to render many of today's cybersecurity technologies useless. Earlier this year the U.S. National Institute of Standards and Technology issued a call for help on the matter, and this week the Global Risk Institute added its voice to the mix. Because of quantum computing, there's a one-in-seven chance that fundamental public-key cryptography tools used today will be broken by 2026, warned Michele Mosca, co-founder of the University of Waterloo's Institute for Quantum Computing and special advisor on cybersecurity to the Global Risk Institute. By 2031, that chance jumps to 50 percent, Mosca wrote in a report published Monday. "Although the quantum attacks are not happening yet, critical decisions need to be taken today in order to be able to respond to these threats in the future," he added. Such threats stem from the fact that quantum computers work in a fundamentally different way than traditional computers do. In traditional computing, numbers are represented by either 0s or 1s, but quantum computing relies on atomic-scale units called quantum bits, or "qubits," that can be simultaneously 0 and 1 through a state known as superposition. Far greater performance and efficiency are among the benefits, but there's also a downside. "One unintended consequence of quantum computation is breaking some of the cryptographic tools currently underpinning cybersecurity," Mosca wrote. Encryption, for example, often relies on the challenge of factoring large numbers, but researchers recently demonstrated what they said is the first five-atom quantum computer capable of cracking such encryption schemes. "When the cryptographic foundations upon which a cyber system is built are fundamentally broken, unless a failover replacement (which generally takes years to develop) is in place, the system will crumble with no quick fixes," Mosca wrote. 
"Right now, our cyber immune system is not ready for the quantum threat. There is a pending lethal attack, and the clock is ticking to design and deploy the cure before the threat is realized." In the short term, work needs to be done to design systems that are "cryptographically agile," Mosca said, and can quickly swap one cryptographic tool for another. In the longer run, we'll need "quantum-safe" cryptography tools, he said, including protocols that can run on conventional technologies and resist quantum attacks. Part of the NIST's effort will be a competition in which members of the public will devise and test promising new cryptographic methods. Meanwhile, private security firms are working on the problem as well. KryptAll, for example, recently launched an independent effort of its own, with the goal of having a product available by 2021.
Developers rely on languages like Python, Node.js, and Java to write and release complex web applications, but their rapid development cycles make securing these applications a challenge.

Enter RASP (run-time application self-protection), which incorpo...