
Tag: The Jump

Apple is completely redesigning the Mac Pro… again

New design coming sometime in 2018, along with a new Apple-made external display.

Apple’s “new” UAC port wasn’t made by Apple and it isn’t...

"Ultra Accessory Connector" is Apple's name for an obscure but already-existent port.

Ars announces HTTPS by default (finally)

Doing our part to push the encrypted-by-default vision of the Web.

Record Number of Vulns For Adobe, Microsoft, Apple In '16, Says...

Advantech makes surprise debut on vulnerability list at number two, right behind Adobe

Like rules, records were made to be broken, and the security industry's largest-ever vulnerability reporting and remediation program didn't disappoint, with 674 total advisories in 2016 - eight more than the year before, according to a report this week from the Zero Day Initiative.

ZDI, launched in 2005, encourages responsible reporting of zero-day vulnerabilities to affected vendors by financially rewarding researchers, and protects customers while the affected vendor creates, tests, and delivers a patch. ZDI paid out nearly $2 million in rewards in 2016, the group reported this week.

As for the bigger software vulnerability picture, Adobe products accounted for 149 of the advisories, or 22% of the ZDI total, the same as in 2015.

Adobe Reader, Acrobat, and Flash were the main culprits, and ZDI expects the trend to continue as more browsers block Flash by default.
In addition, Adobe doesn't operate its own bounty program for bugs and vulnerabilities, unlike Microsoft and Apple.

And Adobe is already off to an auspicious start in 2017; ZDI communications manager Dustin Childs tells Dark Reading his organization just notified the vendor of eight new vulnerabilities.

Microsoft fell to number three on ZDI's 2016 list and had a lower percentage of published ZDI advisories - 11% - down from the previous year's 17%.

But those numbers don't tell the whole story, since Microsoft itself published more security bulletins in 2016 than ever before. Microsoft's biggest problem was the continued targeting of browsers: while its Edge browser was supposed to be much more secure than Internet Explorer, almost two-thirds (64%) of Microsoft-related ZDI advisories were related to browsers.

Advisories for Apple products made a significant jump in 2016. There were 61 ZDI advisories posted for the vendor's products in 2016, or 9% of the total, more than what it posted in 2014 and 2015 – 4% in both years.

The jump isn't completely surprising to Childs, who notes Apple's more pervasive presence with desktop computing, not to mention its smartphone dominance.

The installed base of OS X and iOS combined is larger than Windows, Childs adds, and he predicts more Apple vulnerabilities in 2017 through ZDI and Apple's own bug bounty program. Trend Micro, which owns ZDI, also predicts the percentage of Microsoft advisories will continue to drop in 2017 while Apple's increases.

Industrial computing vendor Advantech made its debut on the ZDI list at number two with 112 advisories published – 17% of the published advisories. "This doesn’t necessarily mean this vendor has a wide surface attack area," Childs writes in a ZDI blog post. "All of these cases came in through the same anonymous researcher, meaning the researcher found a specific type of bug prevalent in their systems," Childs says, adding that the same researcher reported no bugs from any other vendor in 2016.

While Advantech's issues were a surprise, Childs says he also expected to see more enterprise software cropping up on the 2016 list from vendors like HP, Dell, or Oracle. "There's a bunch of enterprise software that hasn't been closely looked at, so there's a lot of bugs for researchers to find," he says.

And though browsers have become well-trod territory, this business middleware market is mostly untouched.

Nonetheless, infosec professionals and executives should be careful with lists like these, since looking at the numbers without much context doesn’t make for better security decisions in the future, warns Jeremiah Grossman, a security researcher and chief of security strategy at SentinelOne. "These figures see significant and subjective variation in what’s included, how things are counted, and more, which can largely throw off the numbers from one year to the next," he tells Dark Reading in an email. "And of course cybercriminals really don’t care how many reported vulns a particular product has, mostly because they only need one (or maybe a small handful) that’s wired into their exploitation tools for easy deployment."

Childs counters that it's important to understand how ZDI's list gets compiled. "It's important to see how the list is created - these are the bugs coming through our program," he says. "They may not be representative of all the research going on… we don't do anything with mobile yet, for example. But if you look back at the last couple years, you can definitely see some trends," like Adobe's recurring presence.

Terry Sweeney is a Los Angeles-based writer and editor who has covered technology, networking, and security for more than 20 years. He was part of the team that started Dark Reading and has been a contributor to The Washington Post, Crain's New York Business, Red Herring, ...

Kaspersky Lab: 323,000 New Malware Samples Found Each Day

Credit it to mass-produced malware and better detection through machine learning.

Antivirus provider Kaspersky Lab has revealed that around 323,000 new malware files are being identified each day by its product, as opposed to 70,000 files per day in 2011.

This, it claims, is an increase of 13,000 per day compared to last year. The jump is seen partly because cybercriminals have turned sophisticated and are offering “mass production of malware and tailored cybercriminal services.” Another reason, says Kaspersky, is the improvement in the quality and technique of automated malware analysis technologies, which successfully detect all malware types, both existing and unknown. Kaspersky claims to have a billion malware samples in its cloud database now.

It gives credit for this to its machine-learning based malware analysis system Astraea which, it says, has been increasingly active in detecting malware – from 7.5% in 2012 to 40.5% in December 2016.

TalkTalk teen hacker pleads guilty as firm reveals £22m profit jump

95,000 subs left after hack – 94,000 joined in last six months

TalkTalk has unveiled a healthy jump in post-tax profits on the same day a 17-year-old boy pleaded guilty to hacking the British telco.

This morning the teenager, who because of his age cannot be named, pleaded guilty at Norwich Youth Court to seven charges under the Computer Misuse Act. He will be sentenced on 13 December, according to Sky News. The youth was arrested in November last year by detectives from the Metropolitan Police's Cyber Crime Unit, who obtained a search warrant for his Norwich home.

Meanwhile, TalkTalk boasted that its profits jumped by £22m in the first half of this financial year, up from £11m in the six months ending September 2015 to £33m in the same period this year. The jump in profits came in spite of the telco shedding 30,000 fixed-line broadband customers between the first half of fiscal year 2016 and H1 FY2017, as it enjoyed a net rise of 94,000 mobile subscribers, giving it a combined total of 4.76 million customers. Perhaps TalkTalk's cheesy telly ads showing a Gogglebox-style family streaming videos on their tablets are working after all.

Chief exec Dido Harding gave London business freesheet City AM a hair-shirt interview this morning, boasting of how the company has improved since the teenage hacker and his alleged accomplices walked off with the personal details and banking information of up to four million customers. "We also learnt that if you're open and honest with your customers everything works out alright," she said. "They think, in adversity, we tried our damnedest to look after them."

TalkTalk’s revenues dipped by 1.1 per cent to £902m for the half-year, which the firm said was "as expected". It has previously admitted that the major October hack cost it 95,000 customers and around £45m in extra security and service restoration costs.

Boffins exploit Intel CPU weakness to run rings around code defenses

Branch buffer shortcoming allows hackers to reliably install malware on systems

US researchers have pinpointed a vulnerability in Intel chips – and possibly other processor families – that clears the way for circumventing a popular operating-system-level security control.

ASLR (address space layout randomization) is widely used as a defense against attempts by hackers to exploit software vulnerabilities to take control of computers. By randomising the locations of kernel and application components in memory, ASLR limits the ability of evil code, injected into a system, to reliably exploit programming flaws to hijack the attacked application or operating system. Hackers need to know where key components lie in memory in order to successfully exploit a bug, a process that ASLR frustrates.

For example, take a booby-trapped PNG file that exploits a bug in an image editor. The software opens the PNG and is tricked into handing control of the processor to code smuggled within the picture – but the exploit code is now running blind. It cannot assume the location of key components that are needed to pivot from basic exploitation to a full compromise of the application and, next, the whole system. ASLR has juggled the libraries and other dependencies around at random, so an algorithm is needed to work out where things have been hidden.

The Intel chip flaw can be abused by hackers to bypass this protection, thus ensuring their attacks are much more effective. In order to pull off this technique, miscreants must be able to at least start running their malicious code within an application or operating system on the target machine – this isn't a remote attack, it's a local attack.

The hack takes advantage of the CPU's branch target buffer (BTB), a mechanism present in many microprocessor architectures including Intel Haswell CPUs. Exploiting the buffer was demonstrated by the researchers on a Haswell-powered PC running Linux, and the attack is potentially effective against other platforms.

The BTB provides a history of branches taken by the processor as it runs through its code: after the CPU is told to make a decision, it usually jumps to another part of the program based on the outcome of that decision. For example, if something fetched from memory has a value greater than zero, then jump to location A, or jump to location B if not. If a jump location is in the history buffer then the CPU knows this branch is usually taken, so it can start priming itself with instructions from the jump landing point. That means branches routinely taken execute with minimal delay.

By flooding the BTB with a range of branch targets, hackers can observe the BTB refilling with values of regularly taken jumps. This allows the miscreants to work out where in memory the operating system has randomly placed the application's vital components. It takes a few tens of milliseconds to perform, we're told. The eggheads say this allows an “attacker to identify the locations of known branch instructions in the address space of the victim process or kernel.”

Their research, Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR, by boffins at the State University of New York at Binghamton and the University of California, Riverside, can be found here [PDF].

Alfredo Pironti, senior security consultant at IOActive, said the vulnerability shows that the security of physical IT (including chips) needs to be considered alongside more commonplace and less esoteric software flaws. “Software isn’t always the easiest point of entry, particularly for those hackers that have a deeper knowledge of hardware and its vulnerabilities,” said Pironti, who added that the ASLR bypass attack is an example of a hardware side-channel attack, an already recognised class of assault.

“These attacks are often more expensive and time consuming to conduct, compared to classical software attacks,” Pironti explained. “Usually they also have stricter conditions, such as running a specific software on the victim’s machine and being able to collect CPU metrics. However, this doesn’t mean that we shouldn’t be vigilant. Cybercriminals are more sophisticated, well-funded and – worst of all – patient than ever before, and are always looking for new and surprising ways to infiltrate.

“This is why it is vital that companies have their chips pen-tested during the development stage, as the cost and complexity of remediating an attack of this kind is enormous,” Pironti concluded.

FBI demands Signal user data, but there’s not much to hand...

Moxie Marlinspike is the founder of Open Whisper Systems.

The American Civil Liberties Union announced Tuesday that Open Whisper Systems (OWS), the company behind the popular encrypted messaging app Signal, was subpoenaed earlier this year by a federal grand jury in the Eastern District of Virginia to hand over a slew of information—"subscriber name, addresses, telephone numbers, email addresses, method of payment"—on two of its users. Further, OWS was prevented for at least several months from publicly disclosing that it had received such an order until the ACLU successfully challenged it.

While details of the case remain sealed, the ACLU published a number of partially redacted court documents, including its initial response to the FBI. Through its ACLU attorney Brett Max Kaufman, OWS noted that “only one of the two listed numbers is associated with a Signal account,” so the company couldn’t provide any further details. For the other number, however, the company said that it keeps minimal records about its users.

All Signal messages and voice calls are end-to-end encrypted using the Signal Protocol, which has since been adopted by WhatsApp and other companies. However, unlike other messaging apps, OWS makes a point of not keeping any data, encrypted or otherwise, about its users. (WhatsApp, by contrast, keeps encrypted messages on its own servers—this allows for message history to be restored when users set up a new device.)

“The only information responsive to the subpoena held by OWS is the time of account creation and the date of the last connection to Signal servers,” Kaufman continued, also pointing out that the company did in fact hand over this data.

Signal's "privacy by design" was quickly applauded by National Security Agency whistleblower Edward Snowden:

The FBI came after #Signal, only to find they log only account creation date & last login time. @Google, take note. https://t.co/njyiqCA2i0
— Edward Snowden (@Snowden) October 4, 2016

In the same letter, Kaufman also notified the FBI of his intention to fight the gag order. In a blog post, he wrote:

To its credit, the government quickly agreed with us that most of the information under seal could be publicly disclosed. But the fact that the government didn't put up too much of a fight suggests that secrecy—and not transparency—has become a governmental default when it comes to demands for our electronic information, and critically, not everyone has the resources or the ability to work with the ACLU to challenge it. OWS immediately recognized that even though the government required some secrecy over the subpoena, it did not need, nor could it justify, total secrecy. So OWS came to us, and we went to the government, which agreed to reverse its original demand for secrecy—and now OWS’s customers and the broader public can see for themselves just how wildly overbroad the government’s gag order was from the jump. And while this—the only one ever received by OWS—is now public, there are many more like it, hiding in the filing cabinets in the U.S. attorney’s offices across the country.

Across the country, two Stanford researchers are attempting to get years’ worth of surveillance orders released by the federal court in the Northern District of California, where OWS and many other tech firms are based.

Fidelis Cybersecurity Adds Former FireEye Exec As Channel Chief

Fidelis Cybersecurity, an advanced threat detection and remediation company, is expanding its push into the channel and has added former FireEye channel executive Scott Collins to lead the charge. Collins joins Bethesda, Md.-based Fidelis as vice president of channel sales. He started with the company July 18.

Collins previously served as director of Americas channel sales at FireEye. He joined the company in 2012, when FireEye was a young company just starting to launch its channel efforts, and helped it launch and grow its initial channel programs. He has also held channel roles at Zscaler and IronPort Systems (acquired by Cisco).

While Fidelis already has a partner program in place, Collins said he has been brought in to help the company “accelerate” its efforts in the channel. He said he prefers companies with a “startup, young company feel,” and saw a “tremendous opportunity” to help Fidelis expand its channel strategy in a hot market for advanced threat technology.

That is why he decided to make the jump from FireEye, which has a very established program, to Fidelis, he said. “There is absolutely a strong foundation built here that needs to accelerate. That’s what I am here to do. The building blocks are in place and the investments are being made. I’m proud to be part of the team,” Collins said.

Those efforts will include growing the company’s headcount around the channel, especially around channel operations, Collins said, as well as building branding and awareness around the program. He said he will also look to make some “tweaks” to the partner program. “We have a strong foundation, but there’s an opportunity to make some material changes that would make the program more attractive and more profitable in many areas of a partner's business,” Collins said.

Collins said Fidelis has a strong commitment to building out its efforts with partners, one of the reasons he decided to join the company. “I was really impressed by the entire company. The entire executive team has demonstrated a real commitment to a channel partner strategy. It’s something that, as my career has progressed, you learn to know when that is genuine and when that is disingenuous. In talking with all the executives here I recognized that they realized where Fidelis is in the growth cycle and they want and know they need to make a significant commitment to the channel,” Collins said.

The Attribution Question: Does It Matter Who Attacked You?

Everyone will ask whodunnit, but how can an organization put that information to practical use during disaster recovery and planning for the future?

In normal life crises, the jump to assess blame is often the emotional reaction, but rarely the appropriate reaction.

Assessing blame for who hit you with a cyberattack, however -- if not the individual, at least the general classification -- could be effective, if not essential, to your recovery efforts, according to speakers at a Dark Reading Virtual Event Tuesday. We asked speakers flat-out, "does attribution matter?"

Does it matter?

"It depends," said Mark Potter, principal systems security officer for Strategic Health Solutions. "It really depends on the size and budget of your organization, the value and type of the assets, and types and frequency of attacks."

If you don't have the internal skill set to go hunting for an attacker or the funds to hire outside contractors, says Potter, then it's more important to get the business back to normal. If you've got the resources, though, there are areas where accurate attacker attribution can help. For one: damage assessment.

Attribution is "key to trying to understand the extent of the damage and where else you should be looking," said Toni Gidwani, director of research operations at ThreatConnect.

To make sure you've found all the places the attackers have reached, infected, damaged or stolen from, she said, the forensics team can be helped by the extra context, like knowing what particular exploit kits to hunt for.

Dmitri Alperovitch, CTO and co-founder of CrowdStrike, added that attribution helps assess the damages from a business perspective. "If your data has been stolen, who has it -- is it a competitor or is it a cybercriminal who may resell that data? ... Who's coming after you and why can be a very important question."

Some businesses have begun to ask, said Alperovitch, to know more about the character of certain ransomware operators. When deciding whether or not to pay a ransom request, victims want to know whether this is an operator with a history of delivering on their promise to restore access to locked data or the type that just takes the money and runs.

Knowing the identity of attackers also impacts the design of security programs going forward.

According to Alperovitch and Gidwani, the difference between an opportunistic attacker and a targeted attacker, or the difference between a destructive attacker and an intellectual property thief, will change the sort of decisions you make about your defense. Some attackers move on quickly, while others come back if they didn't finish a job.

They may aim for a variety of data, systems, or users. "The better you know, the better you can allocate those funds to protect those assets," said Andrew Wild, chief security officer of Lancope. Knowing this information can also be used to get better buy-in and smarter investment from above, according to Wild.

Why did we get better at attribution?

There is still a lot of progress to be made in attribution -- some attributions are still announced with only low or moderate confidence. However, there has been a great deal of progress made in the past couple of years: why?

Attribution is getting better because security got better, says Alperovitch. "It used to be that adversaries were inside networks for literally years. Now we're catching more and more intrusions, we're actually building up an encyclopedia, if you will, of tradecraft on what we've seen for different adversaries," he said, "how they operate, what their motivations are.

And you start building the profiles and the modus operandi for the adversary so when you see them again, you know who you're dealing with."

Better attribution, however, has had its own impacts. Knowing with high confidence that one nation-state launched a cyberattack on another can create or exacerbate socio-political conflicts, and not all regions have equal attribution capabilities (according to Richard Bejtlich in a Dark Reading interview last year). Alperovitch commented that it was "really remarkable to watch" cybersecurity become the top issue of a meeting between two world leaders, when President Barack Obama and President Xi Jinping of the People's Republic of China met last year.

Gidwani added that better attribution is "starting to open up these non-technical responses for our political leaders." The ability to respond to cyber espionage or destructive attacks with trade sanctions, for example, is, says Gidwani, a "step forward."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Microsoft Pushes Windows 8.1 Update Deadline to June 10

Microsoft urges Windows 8.1 users to apply the update or risk missing out on future security updates. The company appears to be convincing users to make the jump. Microsoft is giving Windows 8.1 holdouts a littl...

Microsoft Security Report Shows Most Malware Infects by Deception

While exploit kits increasingly focus on using Java to infect computers, most attacks rely on deceiving the user, Microsoft said in its semi-annual Security Intelligence Report.

Microsoft took aim at deceptive software in its latest semi-annual Security Intelligence Report, noting that the addition of two popular, but deceptive, programs to its malware-removal program caused a trebling of the company's malware detections in the fourth quarter of 2013. The report, released May 7, showed that the number of computers cleaned with Microsoft's Malware Removal Tool jumped to 17.8 systems per 1,000 scanned in the fourth quarter of 2013, up from 5.6 in the third quarter. The jump represents the largest quarter-to-quarter increase in the infection rate ever measured by the company, and it happened while there was little change in the proportion of computers that encountered an attack.

The increase is largely due to Microsoft adding signatures for two deceptive programs, and to the increase in ransomware programs, Holly Stewart, senior program manager of Microsoft's Malware Protection Center, told eWEEK. "While the use of deceptive tactics is not new, it dramatically increased in the second half of 2013," she said. Deceptive downloads include programs that appear to install a benign utility or plugin, but instead load malicious functionality.

Two main families of malware accounted for the massive increase in the fourth quarter, according to Microsoft, because the company added both pre-existing programs to its Malware Removal Tool. One program, Rotbrow or "Browser Protector," claims to protect a user's system from browser add-ons, but instead installs unwanted software. Another, dubbed Brantall, installs both legitimate advertising programs as well as other, malicious programs.

"Because the Browser Protector software had existed since at least 2011 without exhibiting malicious behavior, many security software vendors had not configured their products to block or remove it," the report stated. "The December release of the MSRT therefore detected and removed it from a large number of computers on which it may have been installed for several months or even years."

The number of remotely exploitable vulnerabilities used by attackers fell to 20 in 2013, down 71 percent from a high of 70 in 2010. In the same time period, exploit kit developers moved from exploiting flaws roughly equally in Microsoft products, Adobe products and Oracle's Java to focusing on Java in more than 70 percent of cases. The trend shows that attackers have moved their exploitation efforts to software that has fewer memory protections and defensive mitigations, Microsoft said in the report. "With new remote code execution vulnerabilities becoming harder to find and exploit as secure coding practices improve across the software industry, the value of previously undisclosed exploits in the underground economy has increased, and developing new exploits has become more expensive," the report stated.

The threat landscape continued to vary by geography. The countries exhibiting the most infections—between 35 and 55 computers cleaned per 1,000—included Martinique, Tunisia, Albania, Pakistan and Yemen. The countries demonstrating the cleanest systems—with only 4 to 10 computers cleaned per 1,000—included Macau, Iceland, Japan, Finland and China, according to the report.