Safety

Last update 01.10.2017 21:32:39




Microsoft Adds New Tools to Azure DDoS Protection
27.9.2018 securityweek
Safety

Microsoft this week announced a new set of distributed denial of service (DDoS) mitigation tools for Azure, which the company says will provide customers with increased visibility and support when their computing resources are under attack.

Building on the capabilities of Azure DDoS Protection, new features such as DDoS Attack Analytics and DDoS Rapid Response can deliver attack insights that can be leveraged for compliance, security audits, and defense optimizations, and also help customers engage DDoS experts during an active attack for specialized support.

There are three new features that Azure DDoS Protection Standard customers can now take advantage of, namely Attack Mitigation Reports, Attack Mitigation Flow Logs and DDoS Rapid Response. Thus, organizations will get detailed visibility into attack traffic and mitigation actions in Azure Monitor, as well as custom mitigations and support for attack investigation, Microsoft notes.

Leveraging aggregated network flow data, the new Attack Mitigation Reports provide detailed information about attacks targeting an organization’s resources. Once enabled via the Diagnostic Settings in Azure Monitor, the Reports will be processed with Log Analytics, an Azure Storage account or Event Hub for downstream integration with SIEM systems like Splunk or Stream Analytics.

Attack data is generated every five minutes when a customer’s Public IP resource is the target of a DDoS siege, and a post-mitigation report is generated for the entire duration of the assault when it stops. The reports provide information on attack vectors, traffic statistics, involved protocols, attack sources, and reason for dropped packets.

Customers can use Attack Mitigation Flow Logs to review dropped traffic, forwarded traffic, and other attack data in near real-time during an assault. The data can be used in SIEM systems like Splunk or Stream Analytics for near-real-time monitoring, Microsoft claims.

Also enabled via Diagnostic Settings in Azure Monitor, the Logs can be integrated with log analytics, storage account or event hub. Information in generated Logs includes source and destination IPs, source and destination ports, protocol type, and actions taken during mitigation.
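The article lists the fields the flow logs carry (source and destination IP and port, protocol, mitigation action) and says the data is meant for downstream SIEM use. The following is an added example, not code from the article or from Microsoft, of the kind of first-pass summariser a SIEM pipeline would run over such records: it parses one JSON object per line, skips malformed lines, aggregates dropped versus forwarded flows and bytes per service, ranks the sources whose traffic was dropped, and computes the overall drop ratio. The field names and the sample records are constructed assumptions modelled on the article's description, not Microsoft's published schema.

```python
import json
from collections import Counter, defaultdict

# Constructed sample flow-log lines. The field names are an assumption modelled on the
# information the article says the Attack Mitigation Flow Logs contain; they are NOT
# Microsoft's published schema. IP addresses are documentation ranges.
SAMPLE_FLOW_LOGS = [
    '{"time":"2018-09-27T10:00:00Z","sourceIp":"203.0.113.7","sourcePort":54321,'
    '"destIp":"198.51.100.10","destPort":443,"protocol":"TCP","action":"Dropped","bytes":1200}',
    '{"time":"2018-09-27T10:00:01Z","sourceIp":"203.0.113.8","sourcePort":40001,'
    '"destIp":"198.51.100.10","destPort":443,"protocol":"TCP","action":"Dropped","bytes":800}',
    '{"time":"2018-09-27T10:00:01Z","sourceIp":"192.0.2.5","sourcePort":53,'
    '"destIp":"198.51.100.10","destPort":53,"protocol":"UDP","action":"Dropped","bytes":5000}',
    '{"time":"2018-09-27T10:00:02Z","sourceIp":"198.51.100.200","sourcePort":50234,'
    '"destIp":"198.51.100.10","destPort":443,"protocol":"TCP","action":"Forwarded","bytes":300}',
    '{"time":"2018-09-27T10:00:03Z","sourceIp":"192.0.2.5","sourcePort":53,'
    '"destIp":"198.51.100.10","destPort":53,"protocol":"UDP","action":"Dropped","bytes":4000}',
    'this line is not JSON and should be skipped',
]

REQUIRED_FIELDS = ("sourceIp", "destIp", "destPort", "protocol", "action", "bytes")


def parse_records(lines):
    """Parse one JSON object per line; skip lines that are malformed or lack required fields."""
    records = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # one bad line must not abort the whole batch
        if isinstance(rec, dict) and all(key in rec for key in REQUIRED_FIELDS):
            records.append(rec)
    return records


def summarize_by_service(records):
    """Aggregate dropped/forwarded flows and bytes per (protocol, destination port)."""
    summary = defaultdict(lambda: {"dropped_flows": 0, "forwarded_flows": 0,
                                   "dropped_bytes": 0, "forwarded_bytes": 0,
                                   "distinct_sources": set()})
    for rec in records:
        entry = summary[(rec["protocol"].upper(), int(rec["destPort"]))]
        bucket = "dropped" if rec["action"].lower() == "dropped" else "forwarded"
        entry[bucket + "_flows"] += 1
        entry[bucket + "_bytes"] += int(rec["bytes"])
        entry["distinct_sources"].add(rec["sourceIp"])
    # Replace the sets with counts so the result is plain data a SIEM can ingest.
    return {key: {**val, "distinct_sources": len(val["distinct_sources"])}
            for key, val in summary.items()}


def top_dropped_sources(records, n=3):
    """Sources whose traffic was dropped, ranked by dropped bytes."""
    dropped = Counter()
    for rec in records:
        if rec["action"].lower() == "dropped":
            dropped[rec["sourceIp"]] += int(rec["bytes"])
    return dropped.most_common(n)


def drop_ratio(summary):
    """Share of all bytes that the mitigation dropped (0.0 to 1.0)."""
    dropped = sum(v["dropped_bytes"] for v in summary.values())
    total = dropped + sum(v["forwarded_bytes"] for v in summary.values())
    return dropped / total if total else 0.0


if __name__ == "__main__":
    recs = parse_records(SAMPLE_FLOW_LOGS)
    per_service = summarize_by_service(recs)
    for key, val in per_service.items():
        print(key, val)
    print("top dropped sources:", top_dropped_sources(recs))
    print("drop ratio: %.3f" % drop_ratio(per_service))
```

The per-service table is what you would chart in Azure Monitor or a SIEM dashboard during an attack; the distinct-source count per service is the quickest way to tell a volumetric flood from a handful of misbehaving clients.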

With DDoS Rapid Response (DRR), Microsoft provides customers with access to DDoS experts during an active attack, to help with attack investigation and the deployment of custom mitigations, and to engage in post-attack analysis.

To engage DRR during an active attack, customers need to create a new support request from Azure Portal, select Service as DDoS Protection, choose a resource in the resource drop down menu (a DDoS Plan linked to the virtual network being protected is required), then select the severity as A -Critical Impact and Problem Type as ‘Under attack’, and complete additional details before submitting the support request.

Planning and preparing for DDoS assaults can prove crucial for understanding the availability of an application during an attack, Microsoft notes. To help organizations with planning, the tech giant published an end-to-end DDoS Protection - Best Practices and Reference Architecture guide and encourages all “customers to apply those practices while designing applications for resiliency against DDoS attacks in Azure.”

Microsoft also announced improved security features for Azure this week, with the addition of Microsoft Authenticator, Azure Firewall, and several other tools to the cloud computing platform.


Embrace RPKI to Secure BGP Routing, Cloudflare Says
22.9.2018 securityweek
Safety

BGP (Border Gateway Protocol) routing isn’t secure and organizations should embrace Resource Public Key Infrastructure (RPKI) to improve security, Cloudflare says.

Border Gateway Protocol was designed to control the route of data across the Internet. The state of BGP route validation, the website protection company argues, hasn’t seen improvements, thus leading to route leaks and hijacks.

As part of BGP hijacking, attackers take over IP address groups by corrupting the routing tables that store the path to a network.

RPKI, “a cryptographic method of signing records that associate a BGP route announcement with the correct originating AS number,” can improve BGP routing-security globally, but only if it would enjoy broad adoption, such as being deployed by multiple major network operators, Cloudflare claims.

Around 8.7% of the IPv4 Internet routes are currently signed with RPKI, yet only 0.5% of all the networks apply strict RPKI validation, statistics reveal.

Although there are protections in place to manage which network can announce which route and to allow one network to filter another network’s routes, route leaks and hijacks do happen, with the most recent of them involving a Russian ISP rerouting traffic from major tech firms, and the BGP hijack of payment processors.

Although the Internet Routing Registry (IRR) system provides a method to manage the routes a network can announce, it doesn’t cryptographically sign its data, and the IRR databases contain plenty of invalid data, Cloudflare says. RPKI can secure the route origin and represents a first step in improving BGP route security.

“Records exist within IRRs that are both clearly wrong and/or are clearly missing. There’s no cryptographic signing of records. There are multiple suppliers of IRR data; some better than others,” Cloudflare’s Martin J Levy points out.

Both IRR and RPKI use third-party entities to hold the database information, but with the latter, the same entity that allocated or assigned a numeric resource (like an IP address or ASN) also holds the TA (Trust Anchor, the equivalent of a Certificate Authority for web certificates) used to validate the ROA (Route Origin Authorization) records.
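A ROA states which AS may originate a prefix and how specific an announcement under it may be. The following is an added example, not Cloudflare's code or any RIR's tooling, of the Route Origin Validation check a router or route server performs against ROAs (the RFC 6811 states Valid, Invalid and NotFound), followed by the policy decision the article describes: strict validation drops Invalid routes while still accepting routes no ROA covers. The ROAs, prefixes and AS numbers are constructed from documentation ranges and private-use ASNs.

```python
import ipaddress
from typing import NamedTuple


class ROA(NamedTuple):
    """A Route Origin Authorization: the prefix, the longest prefix length the holder
    may announce under it (maxLength), and the AS number authorised to originate it."""
    prefix: str
    max_length: int
    origin_as: int


# Constructed ROAs using documentation address ranges and private-use AS numbers;
# they are examples, not data from any RIR repository.
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("198.51.100.0/22", 24, 64497),
    ROA("2001:db8::/32", 48, 64496),
]


def validate_origin(announced_prefix, origin_as, roas):
    """Route Origin Validation as in RFC 6811.

    "Valid": some ROA covers the announced prefix, authorises the origin AS and its
    maxLength is not exceeded. "Invalid": ROAs cover the prefix but none matches.
    "NotFound": no ROA covers the prefix at all (the unsigned majority of the table).
    """
    announced = ipaddress.ip_network(announced_prefix, strict=False)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if roa_net.version != announced.version or not announced.subnet_of(roa_net):
            continue
        covered = True
        if roa.origin_as == origin_as and announced.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid" if covered else "NotFound"


def route_server_decision(announced_prefix, origin_as, roas, strict=True):
    """Policy a route server might apply: strict mode rejects Invalid routes but still
    accepts NotFound ones; non-strict mode accepts everything and only labels it."""
    state = validate_origin(announced_prefix, origin_as, roas)
    accept = not (strict and state == "Invalid")
    return state, accept


if __name__ == "__main__":
    # Constructed announcements: a legitimate one, one from the wrong origin AS,
    # one more specific than maxLength allows, and one that no ROA covers.
    for prefix, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/24", 64511),
                        ("192.0.2.0/25", 64496), ("203.0.113.0/24", 64496)]:
        print(prefix, asn, route_server_decision(prefix, asn, SAMPLE_ROAS))
```

Note the asymmetry that explains the adoption figures in the article: a network that validates strictly only gains protection for prefixes whose holders have signed ROAs, and a holder who signs a ROA with a maxLength tighter than what it actually announces makes its own more-specific routes Invalid.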

Today, there are five Regional Internet Registries (RIR) (Afrinic for Africa; APNIC for Asia-Pacific; ARIN for North America; LACNIC for Central and South America; and RIPE for Europe, Middle-East and Russia) and they are the TAs for RPKI.

“The present day RPKI systems operate in conjunction with existing RIR login credentials. Once you can login to a portal and control your IP allocations and ASN allocations; then you can also create, edit, modify, and delete RPKI data in the forms of ROAs. This is the basis of how RPKI separates itself from the IRR. You can only sign your own resources. You can’t just randomly create data. If you lose your RIR allocation, then you lose the RPKI data,” Levy explains.

The issues that arise from this setup include the fact that any ISP with an allocation needs to keep its RIR membership up to date and that the international law plays a role in any dispute between the ISP and RIR, as they might be entities based in different countries.

Despite the obvious benefits, RPKI has seen low adoption, even though RIRs support RPKI for their members. One issue is the limited toolset for successfully operating a network with RPKI-enabled route filtering.

According to Levy, IXPs (Internet Exchange Points) are recognizing that RPKI-based filtering is a valid option for their route servers, and a handful of networks are signing and verifying IP routes via RPKI, which represents a step forward, although a small one.

“RPKI is not a bullet-proof solution to securing all routing on the Internet, however it represents the first milestone in moving from trust based to authentication based routing. Our intention is to demonstrate that it can be done simply and cost efficiently. We are inviting operators of critical Internet infrastructure to follow us in a large scale deployment,” Cloudflare’s Jérôme Fleury and Louis Poinsignon note in a blog post.


DMARC Fully Implemented on Two Thirds of U.S. Government Domains
22.9.2018 securityweek
Safety

DMARC has been fully implemented on roughly two thirds of U.S. government domains, but agencies have less than a month to roll out the email security standard on the remaining websites.

The Binding Operational Directive (BOD) 18-01, issued by the DHS in October 2017, instructs all federal agencies to start using web and email security technologies such as HTTPS, STARTTLS, SPF and DMARC.

DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication, policy, and reporting protocol designed to detect and prevent email spoofing. Organizations can set the DMARC policy to “none” to only monitor unauthenticated emails, “quarantine” to send them to the spam or junk folder, or “reject” to completely block their delivery.

The DHS has instructed federal agencies to fully implement DMARC (i.e. set their DMARC policy to “reject”) on all .gov domains by October 16, 2018.

Email threat protection company Agari has been monitoring progress and, according to its latest report, as of September 14, DMARC had been fully implemented on 64% of 1,144 domains. DMARC has been rolled out with at least a “none” policy on 83% of domains.
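The article's percentages come from classifying each domain's DMARC record by its policy. The following is an added example, not Agari's code or the DHS's tooling, of that classification over a constructed set of `_dmarc` TXT records: it parses the tag/value syntax, maps each record to a compliance category (with `p=reject` being what BOD 18-01 calls fully implemented), and computes the "fully implemented" and "any policy published" percentages. The domains and records are invented; "partial-reject" for `p=reject` combined with `pct<100` is this script's own label, and treating a malformed `pct` as 100 is an assumption.

```python
from collections import Counter

# Constructed _dmarc TXT records keyed by domain (None = no record published).
# The domains are invented; they are not real federal domains or Agari's data.
SAMPLE_RECORDS = {
    "agency-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@agency-a.example",
    "agency-b.example": "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@agency-b.example",
    "agency-c.example": "v=DMARC1; p=none; rua=mailto:dmarc@agency-c.example",
    "agency-d.example": None,
    "agency-e.example": "v=DMARC1; p=reject; pct=50; rua=mailto:dmarc@agency-e.example",
    "agency-f.example": "v=DMARC1; p=none; sp=reject",
}


def parse_dmarc(record):
    """Split a DMARC record into tag/value pairs; return None if it is not a DMARC1 record."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def classify(record):
    """Map a record to: missing, monitor (p=none), quarantine, partial-reject
    (p=reject with pct<100, this script's own label) or reject."""
    tags = parse_dmarc(record)
    if tags is None or "p" not in tags:
        return "missing"
    policy = tags["p"].lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # assumption: a malformed pct is treated as the default of 100
    if policy == "reject":
        return "reject" if pct >= 100 else "partial-reject"
    if policy == "quarantine":
        return "quarantine"
    if policy == "none":
        return "monitor"
    return "missing"  # unknown policy value; receivers ignore such records


def audit(records):
    """Per-category counts plus the two figures the article reports: fully implemented
    (p=reject) and any policy published, each as a percentage of all domains."""
    counts = Counter(classify(r) for r in records.values())
    total = len(records)
    return {
        "counts": dict(counts),
        "reject_pct": round(100 * counts["reject"] / total, 1),
        "any_policy_pct": round(100 * (total - counts["missing"]) / total, 1),
        "not_compliant": sorted(d for d, r in records.items() if classify(r) != "reject"),
    }


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print("%-20s %s" % (domain, classify(record)))
    print(audit(SAMPLE_RECORDS))
```

In a real audit the records would come from a TXT lookup of `_dmarc.<domain>` for each domain on the agency's list; the `sp` tag on the last sample domain shows why a subdomain-only reject policy does not count, since the organizational domain itself is still only monitored.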

“This is significantly better adoption than the commercial sector, where two-thirds (67%) of the Fortune 500 have not published any DMARC policy,” Agari said in its report.

[Figure: DMARC implementation by federal agencies]

The government organizations that have implemented a “reject” policy on less than half of their domains include the Consumer Financial Protection Bureau, the Department of Commerce, the Department of Energy, and the Executive Office of the President.

The security firm pointed out that of the 417 executive branch domains that have not implemented a “reject” policy, 89% are actively sending emails, which could hamper compliance efforts.

“With less than one month until the final BOD 18-01 deadline, the U.S. Government has made tremendous strides forward in its DMARC adoption and compliance efforts. Most federal agencies and the citizens they serve are now realizing the benefits of DMARC,” Agari said. “Executive branch agencies such as the Department of Health and Human Services have implemented a ‘p=reject’ policy across hundreds of domains to automatically block phishing email attacks and prevent domain spoofing. Yet hundreds of other federal domains still remain vulnerable to these attacks.”

Proofpoint has also recently published a report on DMARC adoption and compliance with BOD 18-01, but the company also took into account the implementation of the Sender Policy Framework (SPF), which along with DomainKeys Identified Mail (DKIM) forms the foundation of DMARC. Proofpoint analyzed the full set of federal civilian domains provided by the federal government, which includes 200 additional domains compared to what Agari has been monitoring.

Data from Proofpoint shows that nearly 52% of all domains have both a valid SPF record and the DMARC policy set to “reject.” However, only 34 of the 133 agencies under the BOD mandate, representing roughly 24%, were fully compliant at the time of the study.

[Figure: DMARC implementation by federal agencies]


Cloudflare Helps Boost DNSSEC Adoption as Key Rollover Nears
20.9.2018 securityweek
Safety

Cloudflare announced on Monday the introduction of a new feature that will allow some users to enable the Domain Name System Security Extensions (DNSSEC) protocol with the click of a button.

Cloudflare customers and supported registries can now easily enable DNSSEC from the Cloudflare dashboard. This takes the burden off of website owners, who normally need to manually add a DS record in their account at their registrar.

Data from APNIC shows that many domain owners have attempted to activate DNSSEC, but failed to complete the process. Globally, less than 14 percent of DNS requests have DNSSEC validated by the resolver. Some countries, such as Norway and Sweden, have validation rates of roughly 80%, but China for instance validates less than 1% of requests. The validation rate in the United States is just over 23%.

[Figure: DNSSEC validation rates]

“Locating the part of the registrar UI that houses DNSSEC can be problematic, as can the UI of adding the record itself. Additional factors such as varying degrees of technical knowledge amongst users and simply having to manage multiple logins and roles can also explain the lack of completion in the process. Finally, varying levels of DNSSEC compatibility amongst registrars may prevent even knowledgeable users from creating DS records in the parent,” Cloudflare explained in a blog post.

Cloudflare’s ability to allow customers to easily enable DNSSEC is a result of support for CDS and CDNSKEY records. These mirror the DS and DNSKEY record types and are designed to alert the parent or registrar that a domain wants to enable DNSSEC and have a DS record presented.

“Cloudflare will publish CDS and CDNSKEY records for all domains who enable DNSSEC. Parent registries should scan the nameservers of the domains under their purview and check for these rrsets. The presence of a CDS key for a domain delegated to Cloudflare indicates that a verified Cloudflare user has enabled DNSSEC within their dash and that the parent operator (a registrar or the registry itself) should take the CDS record content and create the requisite DS record to start signing the domain,” Cloudflare said.
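The parent's job in that flow is to take the child's CDNSKEY (or CDS) content and produce the DS record it will publish. The following is an added example, not Cloudflare's code or any registry's, of exactly that computation from RFC 4034: the canonical wire form of the owner name, the DNSKEY RDATA, the key tag, and the SHA-256 (or SHA-384) digest, plus a check that a CDS record the child published agrees with the DS derived from its CDNSKEY. The public key bytes are constructed filler standing in for an ECDSA P-256 key, not a real key.

```python
import base64
import hashlib
import struct


def owner_name_wire(name):
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lower-cased labels,
    each prefixed by its length, terminated by a zero byte."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: 16-bit flags (257 = zone key with the SEP bit, i.e. a KSK),
    protocol (always 3), algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5):
    sum the RDATA as big-endian 16-bit words and fold the carry back in."""
    acc = 0
    for index, byte in enumerate(rdata):
        acc += byte if index & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Build the DS RDATA (key tag, algorithm, digest type, digest) a parent would publish
    for this DNSKEY/CDNSKEY. Digest type 2 is SHA-256, 4 is SHA-384."""
    hasher = {2: hashlib.sha256, 4: hashlib.sha384}.get(digest_type)
    if hasher is None:
        raise ValueError("unsupported digest type %d" % digest_type)
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hasher(owner_name_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, digest_type, digest)


def cds_matches(cds_presentation, ds):
    """True if a CDS record in presentation format ('tag alg type digest') equals the DS
    computed from the CDNSKEY; a parent should refuse to act when the two disagree."""
    fields = cds_presentation.split()
    if len(fields) != 4:
        return False
    tag, alg, dtype, digest = fields
    return (int(tag), int(alg), int(dtype), digest.upper()) == ds


# Constructed: 64 filler bytes standing in for an ECDSA P-256 public key (algorithm 13).
# This is NOT a real key; it only exercises the encoding and digest path.
SAMPLE_PUBKEY_B64 = base64.b64encode(bytes(range(64))).decode("ascii")

if __name__ == "__main__":
    ds = ds_from_dnskey("example.com.", 257, 3, 13, SAMPLE_PUBKEY_B64)
    print("DS:", "%d %d %d %s" % ds)
    print("child CDS agrees with parent's computation:", cds_matches("%d %d %d %s" % ds, ds))
```

The owner name is folded to lower case before hashing, which is why the same key yields the same DS whether the zone is written `example.com.` or `EXAMPLE.COM`; a parent that forgot this step would publish a DS that never validates.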

[Figure: DNSSEC validation rates]

DNSSEC aims to prevent DNS spoofing attacks, which allow malicious actors to redirect users to their own websites. It does this by cryptographically signing DNS information, and the master crypto key is called a key signing key (KSK).

Since keeping a cryptographic key alive for a long period of time is considered a bad security practice given the fact that it could get compromised, the Internet Corporation for Assigned Names and Numbers (ICANN) plans to periodically change the KSK.

This change also requires that network operators update their systems with the new KSK. Failure to do so will result in clients using their DNS resolvers not being able to reach websites and email addresses.

ICANN initially planned a KSK rollover for October 11, 2017. However, as the date approached, the organization determined that many network operators and ISPs were unprepared, which could lead to tens of millions of users going offline. The KSK rollover was pushed back one year and it’s currently set for October 11, 2018, although this date is still pending ratification by the ICANN Board.

ICANN expects the impact of the root KSK rollover to be minimal if it takes place on October 11, but it will still affect a “small percentage” of users, who may not be able to access websites.

A small number of DNSSEC validating resolvers are misconfigured and some of the users relying on these resolvers may experience problems.

Users who rely on resolvers that do not perform DNSSEC validation will not be impacted, and ICANN believes roughly two-thirds of users are in this situation.


Firefox Drops Support for Windows XP
6.9.2018 securityweek Safety

Effective this week, Windows XP is no longer supported by Firefox. More than four years after Microsoft stopped supporting the platform, Mozilla is making a similar move.

Last year, the organization said support for Windows XP was expected to be dropped by June 2018, but the browser developer took a few more months to make that happen.

On Wednesday, Mozilla announced the release of Firefox 62 and also revealed that it updated Firefox ESR (Extended Support Release) to version 60.2. With these releases, Mozilla cut support for Firefox ESR 52, which was the last version of Firefox with Windows XP support.

“At the end of February 2016, XP users made up 12% of release Firefox. By the end of February 2017, XP users made up 8% of release Firefox. If this trend continued without much change after we switched XP users to ESR, XP Firefox users would presently amount to about 2% of release users,” Mozilla says.

While Firefox ESR 52 continues to be available for download, it no longer receives security patches, meaning that any vulnerability found in the browser will remain unpatched.

With Chrome no longer supporting the platform since version 49, and Internet Explorer 8, the browser most commonly used by default on the platform, having received no security updates for more than two years, Windows XP users are left with no major browser that could keep them safe from exploits while browsing the Internet.

Although still widely used in organizations, Windows XP is currently a nearly-17-year-old operating system that hasn’t received security patches for over four years (although Microsoft did release emergency fixes last year, to address Shadow Brokers-related bugs exploited in the global WannaCry outbreak).

“It required effort, and it required devoting resources to supporting XP well after Microsoft stopped doing so. It meant we couldn’t do other things, since we were busy with XP,” Mozilla says.

Users impacted by the recent change in Firefox are advised to upgrade to a newer operating system to continue receiving patches not only for Mozilla’s applications, but also for other software their computers depend on.

In addition to dropping support for XP, Firefox now includes a preference that allows users to distrust certificates issued by Symantec (by setting "security.pki.distrust_ca_policy" to 2 in about:config). This is yet another step towards removing all trust for Symantec-issued certificates in Firefox 63.

Firefox 62, Mozilla notes in an advisory, also addresses several vulnerabilities: 1 Critical severity, 3 High risk, 2 Medium severity, and 3 Low risk. Affecting Firefox 61 and Firefox ESR 60.1, the most important of these could potentially be exploited to run arbitrary code.


Many misconfigured Tor sites expose the public IP address via SSL certificates
6.9.2018 securityaffairs Safety

A security researcher discovered that many misconfigured Tor sites using SSL certificates could expose the public IP addresses of the underlying servers.
Yonathan Klijnsma, a threat researcher at RiskIQ, has discovered that many misconfigured Tor sites using SSL certificates could expose the public IP addresses of the underlying servers.

Properly configured servers hosting hidden services must listen only on localhost (127.0.0.1) rather than on a public IP address.

“The way these guys are messing up is that they have their local Apache or Nginx server listening on any (* or 0.0.0.0) IP address, which means Tor connections will work obviously, but also external connections will as well,” Klijnsma explained to BleepingComputer. “This is especially true if they don’t use a firewall. These servers should be configured to only listen on 127.0.0.1.”

The expert highlighted that it is quite easy to find misconfigured servers that expose their public IP address.

Every time an administrator of a hidden service adds an SSL certificate to a site, it associates the .onion domain with the certificate. The Common Name (CN) field of the certificate reports the .onion address of the hidden service.

[Figure: Tor sites IP address]

When administrators misconfigure a server so that it listens on a public IP address, the SSL certificate associated with the website will be used for the public IP address.

Klijnsma discovered the misconfigured servers by crawling the Internet and associating SSL certificates with the IP addresses hosting them. In this way, the expert identified the misconfigured hidden Tor services and their corresponding public IP addresses.

Yonathan Klijnsma (@ydklijnsma), 7:31 PM - Aug 4, 2018: “Another #Tor hidden service exposed through an incorrect configuration of the listening server. Hiding your private forum on the deep dark (and still very public) web. Certificate can be found here (host is still live!): https://community.riskiq.com/search/certificate/sha1/ec14a4bc60fa9088ff59b28f094c1876388e6f94 …”

The expert concluded that to avoid the exposure of the public IP address for a Tor hidden service it should only listen on 127.0.0.1.
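An operator can catch the misconfiguration described above before deploying, by checking the web server's own listen directives. The following is an added example, not code from the article, RiskIQ or BleepingComputer, of a small audit over nginx `listen` and Apache `Listen` lines: it classifies each bind address as a unix socket, loopback, wildcard (`80`, `*:80`, `0.0.0.0:80`, `[::]:80`) or a non-loopback address, and reports everything that is not loopback-only. The configuration fragments are constructed, and `example.onion` is a placeholder.

```python
import ipaddress
import re

# Constructed configuration fragments; "example.onion" is a placeholder name.
SAMPLE_NGINX = """\
server {
    listen 80;
    listen [::]:80;
    listen 127.0.0.1:8080;
    listen unix:/var/run/nginx-hidden.sock;
    server_name example.onion;
}
"""

SAMPLE_APACHE = """\
Listen 0.0.0.0:443
Listen 127.0.0.1:8443
Listen 203.0.113.10:80
"""

WILDCARDS = {"*", "0.0.0.0", "::"}


def classify_bind(address):
    """Return 'socket', 'loopback', 'wildcard' or 'non-loopback' for one listen address.

    Accepts the forms both servers use: '80', '*:80', '0.0.0.0:80', '[::]:80',
    '127.0.0.1:80', '[::1]:80', 'localhost:80', '127.0.0.1' and 'unix:/path'."""
    if address.startswith("unix:"):
        return "socket"
    if address.isdigit():
        return "wildcard"  # a bare port binds every address
    if address.startswith("["):
        host = address[1:address.index("]")]  # bracketed IPv6 literal
    elif ":" in address:
        host = address.rpartition(":")[0]     # 'host:port'
    else:
        host = address                        # address without a port
    if host in WILDCARDS:
        return "wildcard"
    if host == "localhost":
        return "loopback"
    try:
        return "loopback" if ipaddress.ip_address(host).is_loopback else "non-loopback"
    except ValueError:
        return "non-loopback"  # an unresolved hostname: surface it for review


def audit_listeners(config_text, directive):
    """Scan for a listen directive ('listen' for nginx, 'Listen' for Apache) and return
    (line number, address, classification) for every bind that is neither loopback-only
    nor a unix socket. Commented-out lines are ignored."""
    pattern = re.compile(r"^\s*%s\s+([^\s;]+)" % re.escape(directive))
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        match = pattern.match(line)
        if not match:
            continue
        address = match.group(1)
        verdict = classify_bind(address)
        if verdict not in ("loopback", "socket"):
            findings.append((lineno, address, verdict))
    return findings


if __name__ == "__main__":
    print("nginx findings:", audit_listeners(SAMPLE_NGINX, "listen"))
    print("apache findings:", audit_listeners(SAMPLE_APACHE, "Listen"))
```

Pair the configuration check with a runtime one (for instance `ss -ltnp` or `netstat -ltnp` on the host) since an include file or a second vhost can add a listener the audited file does not show; a host firewall that drops inbound traffic on the public interface is the belt to this pair of braces, as Klijnsma notes.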


NIST's New Advice on Medical IoT Devices
28.8.2018 securityweek Safety

Medical infusion pumps, which deliver medications to patients, are archetypal examples of the expanding threat surface being delivered by connected devices. Connecting these pumps to clinical systems can improve healthcare delivery, but if not properly secured could endanger the patient and expose the health delivery organization (HDO) infrastructure to intrusion.

Over the last few years, researchers have shown that many infusion pumps contain vulnerabilities. In May 2015, researchers found several flaws in Hospira LifeCare pumps that could lead to remote control. In October 2016, Rapid7 found four flaws in the Animas OneTouch Ping insulin pump, one of which could alter the dose and cause a hypoglycemic reaction in the patient. In September 2017, eight remotely exploitable vulnerabilities in the Smiths Medical Medfusion 4000 wireless syringe infusion pumps were patched.

NIST has now responded to these concerns by publishing SP 1800-8: Securing Wireless Infusion Pumps in Healthcare Delivery Organizations (PDF). NIST's primary cybersecurity function is to develop standards and advice for federal agencies. Its 1800 Series, however, is a series of documents designed to present practical, usable, cybersecurity solutions to the cybersecurity community at large. Such documents do not describe regulations or mandatory practices, nor do they carry statutory authority.

SP 1800-8 applies "security controls to the pump's ecosystem to create a 'defense-in-depth' solution for protecting infusion pumps and their surrounding systems against various risk factors. Ultimately," it says, "we show how biomedical, networking, and cybersecurity engineers and IT professionals can securely configure and deploy wireless infusion pumps to reduce cybersecurity risk." It does this using standards-based, commercially available cybersecurity technologies that protect the entire HDO infrastructure.

The document offers "guidelines to better secure the wireless infusion pump ecosystem, such as the hardening of operating systems, segmenting the network, file and program whitelisting, code-signing, and using certificates for both authorization and encryption, maintaining the performance and usability of wireless infusion pumps."

Network segmentation is one of the key themes. It uses network devices such as switches and firewalls to divide a large complex network into a series of smaller subnetworks that can each be better defended. It implies only limited trust even within the organization's perimeter, with internal firewalls limiting access from one subnetwork to another to only trusted users or processes. Segmentation is an important method of preventing or limiting adversarial traversal within a corporate network. It will help prevent an attacker who has breached the wider attack surface of the network gaining access to the smaller attack surface of the medical device.

"For simplicity and convenience," says the document, "we implemented subnets that correspond exactly to VLANs. The routing configuration is the same for each subnet, but the firewall configuration may vary depending on each zone's specific purpose. An external router/firewall device is used to connect the enterprise and guest network to the internet." The segmentation was implemented via a VLAN by using Cisco switches.

It ensures that only known users/processes from a particular subnetwork can even attempt to access the device -- which is further protected by direct access controls.
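To make the zone model concrete, the following is an added example, not from the NIST document or Cisco, of the decision an inter-zone firewall makes under such a design and of checking a flow export against it: subnets map one-to-one to zones (as the document's subnets map to VLANs), an allowlist names the few inter-zone flows that are permitted, and everything else between zones is denied. The zones, addresses, allowlist entries and flow records are constructed, and allowing all traffic inside a single zone is a design choice of this example rather than something the document prescribes.

```python
import ipaddress

# Constructed zones: one subnet per VLAN. The addresses are private ranges chosen
# for the example and do not come from the NIST document.
ZONES = {
    "enterprise": ipaddress.ip_network("10.10.0.0/24"),
    "guest": ipaddress.ip_network("10.20.0.0/24"),
    "medical-devices": ipaddress.ip_network("10.30.0.0/24"),
    "pump-server": ipaddress.ip_network("10.40.0.0/24"),
}

# Inter-zone allowlist: (source zone, destination zone, protocol, destination port).
# Any traffic between zones that is not listed is denied by the internal firewall.
ALLOWED_FLOWS = {
    ("medical-devices", "pump-server", "tcp", 443),  # pumps report to the pump server over TLS
    ("enterprise", "pump-server", "tcp", 443),       # clinical staff use the server's web UI
}


def zone_of(ip):
    """Name of the zone whose subnet contains the address, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, network in ZONES.items():
        if addr in network:
            return name
    return "unknown"


def is_allowed(src_ip, dst_ip, proto, dst_port):
    """Decide one flow. Traffic inside a single zone is not mediated by the inter-zone
    firewall (a design choice of this example); addresses in no zone are never allowed."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == "unknown" or dst == "unknown":
        return False
    if src == dst:
        return True
    return (src, dst, proto.lower(), int(dst_port)) in ALLOWED_FLOWS


def find_violations(flow_lines):
    """flow_lines: constructed 'src_ip dst_ip proto dst_port' records of the kind a
    firewall or NetFlow export yields. Returns the flows the policy does not permit,
    annotated with the zones involved, for review or alerting."""
    violations = []
    for line in flow_lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        src_ip, dst_ip, proto, dst_port = parts
        if not is_allowed(src_ip, dst_ip, proto, dst_port):
            violations.append((src_ip, zone_of(src_ip), dst_ip, zone_of(dst_ip),
                               proto.lower(), int(dst_port)))
    return violations


# Constructed flow records.
SAMPLE_FLOWS = [
    "10.30.0.15 10.40.0.5 tcp 443",    # pump -> pump server: allowed
    "10.20.0.77 10.30.0.15 tcp 80",    # guest Wi-Fi -> pump: denied
    "10.10.0.3 10.30.0.15 tcp 22",     # workstation -> pump directly: denied
    "10.10.0.3 10.40.0.5 tcp 443",     # workstation -> pump server UI: allowed
    "10.30.0.15 10.30.0.16 udp 5353",  # pump -> pump, same VLAN: allowed
    "192.0.2.9 10.30.0.15 tcp 443",    # address in no zone: denied
]

if __name__ == "__main__":
    for violation in find_violations(SAMPLE_FLOWS):
        print("DENIED %s (%s) -> %s (%s) %s/%d" % violation)
```

Run against a real flow export, the violations list is a direct measure of how well the segmentation holds, and the third sample flow (a workstation reaching a pump directly) is the case the document's "smaller attack surface" argument is about.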

The basic concept of securing the entire HDO infrastructure in order to better protect wireless connected devices can be applied to more than just infusion pumps, and the document has been well received by the security industry. "Defense in depth is required and is common practice," comments Joseph Kucic, chief security officer at Cavirin. "Beyond the publication, I expect that the appropriate safeguards will include a barrier gateway that records access to update electronic medical records as to who accessed the isolated Controlled Wi-Fi and all actions are done from a controlled device to ensure an audit trail with an extra authentication layer that can be controlled independent of the user's or vendor's normal access privileges. Based on this publication with the mentioned additional controls this can function as a template for other such devices."

Rishi Bhargava, co-founder at Demisto, said, "The NIST SP 1800-8 is a good first step that guides healthcare organizations towards better, more proactive protection of their IoMT (internet of medical things) environments. Since internet connected devices span across multiple industries -- both conventional and upcoming," he told SecurityWeek, "these guidelines have taken the cogent step of mapping best practices with a range of other standards like HIPAA and NIST RMF."

This doesn't mean that everybody is entirely happy with NIST 1800-8. "I'm glad to see there is a guide by NIST addressing the security of wireless infusion pumps," says Chris Morales, head of security analytics at Vectra. "The risks are real as disruption in medical devices can lead to dire consequences. Hospitals quite literally are saving lives and uptime of medical devices is a life or death situation," he told SecurityWeek.

But he is surprised that this document does not appear to be in sync with NIST's larger project on IoT security. "While wireless infusion pumps are of particular interest due to their specific application in healthcare, the risks to the devices are the exact same as any IoT device; and the recommendations should be the same," he said.

Morales is concerned about one specific statement in the NIST document: "Our reference architecture uses Cisco's solution architecture as the baseline. This baseline demonstrates how the network can be used to provide multi-tiered protection for medical devices when exchanging information via a network connection... This section provides additional details on how to employ security strategies to achieve specific targeted protections when securing wireless infusion pumps."

There's nothing new here -- it's standard segmentation practice. But in assigning it to Cisco, he feels that, effectively, "Cisco helped write this document."

"The problem here," he told SecurityWeek, "is that segmentation has never worked in hospitals. Doctors and nurses require constant access to devices and these are not locked down networks, nor can they be. If a doctor cannot access patient health records or devices, it is again a life or death situation. It is a noble attempt, but it thus far has not proven viable in health care, nor perhaps any industry with a large IoT deployment that is critical to the business function."

He thinks that network segmentation is still important, but that it won't look the same as the traditional designs. "The three most important aspects of any IoT security strategy," he suggests, "will be device identification, network segmentation, and network traffic analytics. IoT becomes a big data problem with lots of devices producing huge amounts of data and a large amount of remote access. These deployments will need to be monitored in real time to identify the difference between approved and unapproved behaviors."


DMARC Use is Growing, But Difficult to Configure Correctly and Completely
21.8.2018 securityweek Safety

The Use of DMARC is Growing -- But it is Difficult to Configure Correctly and Completely

Valimail, an email security firm, has been looking at the incidence of fake emails. Not all emails, but just those that spoof the 'From:' line with a valid name and domain -- that is, exact-domain sender spoofing. These are perhaps the most difficult to spot and the most dangerous, resulting in spear-phishing attacks leading to stolen credentials and BEC scams. PhishMe, now known as Cofense, claims that 91% of all cyber-attacks start with a phishing email, while Trend Micro has estimated that global BEC losses will exceed $9 billion this year.

A report from GreatHorn published at the end of July 2017 suggests that the majority of email users do not consider it to be a serious threat vector. GreatHorn's CEO and co-founder Kevin O'Brien told SecurityWeek, "Sixty-six percent of all the people we interviewed said the only threat they saw in their inbox was spam." The implication is that organizations must not rely on users to spot the difference between genuine and fake emails.

The problem underlying all fake emails is the lack of authentication security in the email protocols themselves. All security has to be applied from the outside, and for exact-domain sender spoofing this has been done through DMARC, SPF and DKIM. Valimail's analysis (PDF) of fake emails and DMARC examined a representative set of processed emails asking for DMARC or SPF authentication.

The good news is that in Q1 2018, 96.2% of emails using DMARC authentication were identified as legitimate. Not so good is that 1.5% failed DMARC, but were from senders known to be legitimate. The worrying figure is 2.3% of the DMARC emails failed DMARC and come from suspicious or malicious senders.

2.3% may seem a low percentage, but extrapolated, it suggests that 6.4 billion fake emails are sent every day.

The use of DMARC to prevent exact-domain sender spoofing is growing -- but it is difficult to configure correctly and completely. Every single service that sends emails must be found and included, and the policy must be set to enforced. DMARC, using SPF or DKIM authentication, aligns the stated sender with the actual source. If the alignment fails, the domain owner can choose between doing nothing (let it go through anyway), send it to a spam folder, or delete it. The mail gateway performing the checks then reports the results to the domain owner or a designated agent.
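The alignment rule in the paragraph above is where most DMARC rollouts stumble: a third-party sending service that passes SPF under its own domain still fails DMARC for the customer's `From:` domain. The following is an added example, not Valimail's code, of the receiver-side evaluation: identifier alignment in strict and relaxed modes, the pass-if-either-passes rule for SPF and DKIM, and the disposition taken from the policy when neither is aligned. The organizational-domain helper is a deliberate simplification (last two labels; real validators use the Public Suffix List), the `pct` sampling tag is ignored, and all domains and scenarios are constructed.

```python
def organizational_domain(domain):
    """Simplified organizational domain: the last two labels. Real validators use the
    Public Suffix List (e.g. for co.uk); this shortcut is an assumption of the example."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(header_from_domain, authenticated_domain, mode):
    """DMARC identifier alignment: strict ('s') requires an exact match, relaxed ('r')
    requires the same organizational domain."""
    if mode == "s":
        return header_from_domain.lower().rstrip(".") == authenticated_domain.lower().rstrip(".")
    return organizational_domain(header_from_domain) == organizational_domain(authenticated_domain)


def dmarc_disposition(header_from_domain, policy, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return 'pass', or the policy's action ('none', 'quarantine', 'reject') when neither
    an aligned SPF pass nor an aligned DKIM pass exists.

    policy: DMARC tags of the From: domain, e.g. {"p": "reject", "aspf": "r", "adkim": "s"}.
    spf_domain is the MAIL FROM domain SPF evaluated; dkim_domain is the d= of a
    signature that verified. The pct sampling tag is ignored here."""
    spf_ok = (spf_result == "pass" and bool(spf_domain)
              and is_aligned(header_from_domain, spf_domain, policy.get("aspf", "r")))
    dkim_ok = (dkim_result == "pass" and bool(dkim_domain)
               and is_aligned(header_from_domain, dkim_domain, policy.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return "pass"
    action = policy.get("p", "none").lower()
    return action if action in ("none", "quarantine", "reject") else "none"


# Constructed scenarios for a domain that publishes p=reject with relaxed alignment.
REJECT_RELAXED = {"p": "reject", "aspf": "r", "adkim": "r"}
SAMPLE_MESSAGES = [
    # (label, From: domain, policy, SPF result, SPF domain, DKIM result, DKIM d= domain)
    ("own mail server", "agency.example", REJECT_RELAXED, "pass", "bounce.agency.example", "none", None),
    ("forgotten SaaS sender", "agency.example", REJECT_RELAXED, "pass", "mail.saas-vendor.example", "none", None),
    ("DKIM-signed via SaaS", "agency.example", REJECT_RELAXED, "fail", "mail.saas-vendor.example", "pass", "agency.example"),
    ("spoofed From", "agency.example", REJECT_RELAXED, "fail", "other.example", "none", None),
    ("strict SPF, subdomain", "agency.example", {"p": "reject", "aspf": "s"}, "pass", "bounce.agency.example", "none", None),
    ("monitor only", "agency.example", {"p": "none"}, "fail", "other.example", "none", None),
]


def evaluate_all(messages):
    """Disposition per labelled scenario."""
    return {label: dmarc_disposition(*fields) for label, *fields in messages}


if __name__ == "__main__":
    for label, verdict in evaluate_all(SAMPLE_MESSAGES).items():
        print("%-24s %s" % (label, verdict))
```

The second and third scenarios are the ones the article's "every single service must be found and included" warning refers to: the same SaaS vendor's mail is rejected when it only passes SPF under the vendor's domain, and passes once the vendor signs with DKIM using the customer's domain (or is added to the customer's SPF record and uses an aligned MAIL FROM).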

Valimail finds that most companies that start to implement DMARC never quite fully succeed. The enforcement failure rate, for example, hovers around 75-80% for almost all organizations over the last three quarters. The one bright spot is U.S. federal agencies. Here the failure rate tumbled from 80% in Q3 2017 to 40% in Q2 2018.

Federal agencies have also bucked the norm in all other categories examined by Valimail. By multiplying the category's DMARC usage rate with its enforcement success rate, Valimail comes up with a fraud protection rate. Federal agencies' fraud protection rate has grown from 4% in Q3 2017 to 43% in Q2 2018. The next best rate comes from the U.S. tech company category at less than 16% (global media companies fare worst at less than 4%).

Federal agencies are also ahead in DMARC usage. In Q3 2017, just 20% of agencies used DMARC. By Q2 2018, this had risen to more than 70%. Tech companies again come second, rising from just under 50% to just over 50% (and global media companies come bottom again at around 15%).

Valimail puts the huge improvement shown by federal agencies down to the DHS. "This is due directly to the Department of Homeland Security's October 2017 directive requiring all executive-branch agencies to implement DMARC on a one-year timeline," says the report. "Since the executive branch accounts for the vast majority of the 1,315 federal .gov domains, that directive, known as BOD 18-01, has had a huge impact on DMARC usage in this group."

"Valimail's research shows that fake email continues to be a major problem worldwide," comments Alexander García-Tobar, CEO and co-founder of Valimail. He added: "There are encouraging signs of progress in the fight against fake email, starting with the U.S. federal government, where we've seen an unprecedented deployment of anti-impersonation technologies, thanks to a mandate by the Department of Homeland Security. There's still a long way to go, but the DHS example shows that stopping email impersonation is both critical to our highest institutions and achievable."


Google Bug Bounty Program Now Covers Platform Abuse
16.8.2018 securityweek Safety

Google on Wednesday announced the expansion of its bug bounty program to include techniques that can be used to bypass the company’s abuse detection systems.

The Internet giant claims to have paid out over $12 million as part of its Vulnerability Reward Programs since 2010, including payouts for bug reports describing techniques for bypassing fraud, abuse and spam systems.

These types of reports have now officially been added to Google’s bug bounty program. The company says it’s prepared to pay up to $5,000 for high impact and high probability issues.

Google assesses probability based on the technical skills needed to conduct an attack, the possible motivators of an attack, and the likelihood of the flaw being discovered by a malicious actor.

“Reports that deal with potential abuse-related vulnerabilities may take longer to assess, because reviewing our current defense mechanisms requires investigating how a real life attack would take place and reviewing the impact and likelihood requires studying the type of motivations and incentives of abusers of the submitted attack scenario against one of our products,” Google said.

For example, a technique that allows an attacker to manipulate the rating score of a Google Maps listing by submitting a large volume of fake reviews without being detected by the company’s systems would qualify for a reward in the new platform abuse category. Researchers can also earn rewards for bypassing account recovery systems at scale, finding systems vulnerable to brute-force attacks, bypassing content use and sharing restrictions, or buying items from Google without paying.

“Valid reports tend to result in changes to the product’s code, as opposed to removal of individual pieces of content,” members of Google’s Trust & Safety team wrote in a blog post. “This program does not cover individual instances of abuse, such as the posting of content that violates our guidelines or policies, sending spam emails, or providing links to malware.”


Microsoft's National Cybersecurity Policy Framework: Practical Strategy or Non-Starter?
15.8.2018 securityweek Safety

Microsoft's Cybersecurity Policy Framework Has Good Intentions, But It's Difficult to See What It Actually Brings to the Table

Microsoft has never been backward in making global recommendations for improved cybersecurity. Its latest recommendations come in a paper titled, Cybersecurity Policy Framework -- A practical guide to the development of national cybersecurity policy (PDF). Its purpose is nothing short of providing a framework that all nations can follow in the formulation of their own national cybersecurity policies.

There is nothing new in this document. Rather it is the collection of existing best practices into one source document at a critical moment in history -- the nascence of the fourth industrial revolution. This revolution promises enormous benefits to mankind; but at the same time, its increasing connectivity brings an increasing opportunity for cybercriminals to deliver dire consequences.

Microsoft believes that the solution to transnational cyber threats will be found in the generation of mutually compatible national cybersecurity policies across the globe. The intent of this document is good; but whether it is feasible is questionable. For every individual country, national policies will always be shaped by national culture and local politics; and international policies will always be subject to current geopolitical tensions. The idea that a single framework can work for everyone is ambitious.

The document is divided into four sections, each of which offers advice. These are 'establishing and empowering a national cybersecurity agency'; 'developing and updating cybercrime laws'; 'developing and updating critical infrastructure protection laws'; and an 'international strategy for cybersecurity'.

The problems become apparent in the first section. One of the key principles that should underscore a national cybersecurity agency is that it should be "respectful of privacy, civil liberties, and rule of law." Privacy and civil liberties are subjective and relative concepts that are ultimately defined by law and often contrary to public opinion. Laws differ country by country and state by state; and the United States came into being as a rejection of the rule of law.

The European Union has defined privacy within the General Data Protection Regulation (GDPR) and the European Constitution. This legal definition, however, has no (or very limited) standing in the U.S., which has different federal and state regulations concerning privacy -- and, indeed, a different concept of privacy tempered by the long-standing constitutional right to freedom of speech.

But perhaps the best example of the difficulties of the relative nature of 'privacy and civil liberties' can be seen in the UK. The UK traditionally and apparently places its responsibility for protecting national security above its responsibility to protect personal privacy. It has consequently introduced intrusive cybersecurity legislation designed to track actual and potential terrorists, but inevitably intruding on the privacy of innocent civilians. (The same is sometimes said of the United States.)

Since the UK is still within the European Union, it is technically subject to the European Constitution -- and there is a very strong likelihood that some UK practices would be deemed unconstitutional. Brexit will solve this problem, leaving two allied states (UK and EU) with very different views of cyber privacy separated by less than 21 miles of water at the Dover Strait (Pas de Calais).

This isn't necessarily a problem since this section of the framework is designed to provide a base level for national agencies -- and their priorities can obviously differ from country to country. The final key principle for national agencies, however, is that they should be 'globally-relevant'. When different nations cannot agree on fundamental principles of law, and simultaneously assert that their jurisdiction extends beyond their national boundaries, this is a very difficult ask.

The next two sections of the document have similar difficulties. Microsoft suggests that national cybercrime laws need to be updated, and much of this makes sense. It again falls down with the final recommendation: "build global cooperation". National laws will always reflect national politics and global tensions. Russia, for example, is prohibited by its constitution from extraditing a Russian citizen to a foreign country. Regardless of U.S. law, it is unlikely that Russia will ever extradite Russian nationals indicted for cybercrimes by U.S. law enforcement.

The potential to build global cooperation into national cyberlaw becomes a one-sided option that is not likely to extend beyond national interests. Nevertheless, Microsoft describes the Budapest Convention as an example of cross-border harmonization of legal definitions.

The difficulties with the section on 'developing and updating the critical infrastructure protection laws' are more nuanced. Using NIST as the basis, Microsoft defines the critical infrastructure (CI) as, "systems and assets, whether physical or virtual, so vital to the country that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters."

It is immediately clear that CI requires additional security and protection. But the implication of this is that the average commercial organization, whose destruction would not have a debilitating impact on the national economic security, does not require the same level of security -- and that individual citizens require even less. While this is pure risk management -- apply your greatest resources to your greatest assets -- it is not a comfortable, nor perhaps a politically acceptable, idea.

Since each nation defines its own critical infrastructure, the relationship between definition and level of required security can also become an issue. For example, following Russian interference in the 2016 U.S. presidential election, there were calls for reclassifying both the voting system and social networks as part of CI. Should either receive greater or lesser protection simply based on whether they are or are not classified as CI?

A second example of difficulties in this section comes with the difference between owners and operators of CI. "Owners of critical infrastructure may own the infrastructure but they are not always able or best placed to comply with the statutory [requirements] because they usually do not operate the computer systems that process the data on a day-to-day basis."

In other legislative areas this is not really an issue. GDPR separates personal data users into controllers and processors. Loosely speaking, the controllers are the primary owners, while the processors are the data users. Controllers cannot pass responsibility to processors, while processors cannot avoid responsibility. The same principle could be applied to CI -- the infrastructure owners cannot pass responsibility for security to the infrastructure users, while the infrastructure users cannot avoid liability. It simply means that both sides must communicate and operate under strict contractual terms.

It is, however, in the fourth section of the document that the Microsoft framework really begins to unravel: an international strategy for cybersecurity. For this section, Microsoft simply returns to two interrelated earlier recommendations: the need for international norms of behavior; and the proposed Digital Geneva Convention.

"Norms," explains Microsoft, "are intended to deter actions by defining what behaviors are acceptable and unacceptable, and imposing consequences when states' actions don't adhere to the defined behaviors."

The Gordian Knot of international norms is the problem of attribution before the application of consequences. Attribution is always likely to follow geo-political schisms, and no nation is likely to admit to cyber transgressions. The fear -- almost certainty -- that transgressors will not accept arbitration over responsibility means that it is a proposal not likely to receive international acceptance during any period of geo-political tension.

The second proposal, the Digital Geneva Convention, also breaks down over geo-politics. Microsoft's document provides six key principles. The third requires the agreement to "Report vulnerabilities to vendors rather than to stockpile, sell or exploit them." However well-intentioned, this is unlikely to ever happen. Western governments are unlikely to abandon their cyber stockpiles for fear that Russia, China, North Korea and Iran will not abandon theirs -- and vice versa.

The final section of Microsoft's cybersecurity policy framework is a non-starter, certainly within the foreseeable future. With an almost certain guarantee of non-reciprocation in the 'global' elements of the first three sections, users of the framework will resort to purely nationalistic cybersecurity policy frameworks. These will be based on local politics and national cultural expectations, flavored by geo-political concerns -- not on the rigors of a Microsoft document. It is, frankly, difficult to see what this document actually brings to the table.


IETF Publishes TLS 1.3 as RFC 8446
15.8.2018 securityweek Safety

The Internet Engineering Task Force (IETF) on Friday published version 1.3 of the Transport Layer Security (TLS) traffic encryption protocol as RFC 8446.

The final version of TLS 1.3 was approved by the IETF in late March, after nearly four years of work and 28 drafts.

RFC 8446 updates RFC 5705 and 6066, and it makes RFC 5077, 5246 and 6961 obsolete. The document also specifies new requirements for TLS 1.2 implementations, IETF said.

TLS is designed to allow client and server applications to communicate over the Internet securely. It provides authentication, confidentiality, and integrity mechanisms that should prevent eavesdropping and tampering, even by an attacker who has complete control over the network.

There are nearly a dozen major functional differences between the previous major version and TLS 1.3, including ones designed to improve performance and mitigate certain types of attacks.

After IETF published RFC 8446, CloudFlare, which introduced support for TLS 1.3 back in 2016, published an overview of the protocol and the improvements it brings.

Mozilla, which has been working on enabling TLS 1.3 in Firefox for the past several months, also made an announcement on Monday.

“TLS 1.3 is already widely deployed: both Firefox and Chrome have fielded ‘draft’ versions. Firefox 61 is already shipping draft-28, which is essentially the same as the final published version (just with a different version number),” Mozilla’s Eric Rescorla wrote.

“We expect to ship the final version in Firefox 63, scheduled for October 2018. Cloudflare, Google, and Facebook are running it on their servers today. Our telemetry shows that around 5% of Firefox connections are TLS 1.3. Cloudflare reports similar numbers, and Facebook reports that an astounding 50+% of their traffic is already TLS 1.3!” he added.

Facebook last week announced the open source availability of Fizz, a robust and highly performant library that the social media giant uses for the implementation of TLS 1.3.


Kaspersky VPN Bug Leaked DNS Lookups
13.8.2018 securityweek Safety

A recently patched security vulnerability in the Kaspersky VPN application for Android resulted in DNS queries being exposed even after the user connected to a virtual server.

The flaw was discovered in Kaspersky VPN version 1.4.0.216 and is believed to affect previous iterations of the Android software.

According to Dhiraj Mishra, the security researcher who discovered the bug, the application would send DNS queries outside the established VPN tunnel. The privacy issue could be triggered when connecting to any random virtual server, and basically allowed a DNS service to log the domain names of the sites visited by users.

Kaspersky VPN has more than 1 million downloads in Google Play.

“I believe this leaks the traces of an end user who wants to remain anonymous on the internet,” the researcher notes in a blog post.

The vulnerability was reported to Kaspersky via the anti-virus maker’s bug bounty program on HackerOne on April 21. A fix was already released for the flaw, but no reward was issued for the finding, the security researcher says.

As per Kaspersky’s public bug bounty program’s rules, rewards are handed out for flaws that result in leaked sensitive data, but only user passwords, payment data, and authentication tokens are considered within the scope of the program.

Thus, it becomes clear that the researcher’s discovery of a bug that results in leaked DNS addresses doesn’t fall within the bug bounty program’s scope.

On the other hand, however, Kaspersky does note in the application’s description in Google Play, that its VPN software can keep users anonymous while they browse the Internet.

“Because your location and your IP address aren't revealed through the VPN service, it's easier for you to access websites and content in other regions – without being traced,” Kaspersky VPN’s description reads.

Responding to a SecurityWeek inquiry, Kaspersky Lab confirmed the flaw and recognized Dhiraj’s contribution to improving the app’s security: “This vulnerability was responsibly reported by the researcher, and was fixed in June.”

Kaspersky also confirmed that the researcher did not receive a bug bounty reward for the discovery.

“The Kaspersky Secure Connection app is currently out of the scope of the company’s Bug Bounty Program, so we could not reward Dhirai under the current rules. We highly appreciate his work, and in the future the program may include new products,” Kaspersky said.


Let's Encrypt Now Trusted by All Major Root Programs
8.8.2018 securityweek Safety

Let’s Encrypt root, ISRG Root X1, is now trusted by all major root programs, including Microsoft, Google, Apple, Mozilla, Oracle, and Blackberry.

Let’s Encrypt is a free, automated, and open Certificate Authority (CA) backed by the Linux Foundation that provides website owners with free digital certificates for their sites and handles the certificate management process for them.

Launched by the Internet Security Research Group (ISRG) as an effort to drive HTTPS adoption, the initiative was launched publicly in December 2015 and came out of beta in April 2016.

At the end of July 2018, Let’s Encrypt received direct trust from Microsoft products, which resulted in it being trusted by all major root programs. The CA’s certificates are cross-signed by IdenTrust, and have been widely trusted since the beginning.

“Browsers and operating systems have not, by default, directly trusted Let’s Encrypt certificates, but they trust IdenTrust, and IdenTrust trusts us, so we are trusted indirectly. IdenTrust is a critical partner in our effort to secure the Web, as they have allowed us to provide widely trusted certificates from day one,” noted Josh Aas, Executive Director of ISRG.

Now, the CA’s root is directly trusted by almost all newer versions of operating systems, browsers, and devices. Many older versions, however, still do not directly trust Let’s Encrypt.

While some of these are expected to be updated to trust the CA, others won’t, and it might take at least five more years until most of them cycle out of the Web ecosystem. Until that happens, Let’s Encrypt will continue to use a cross signature.

“Let’s Encrypt is currently providing certificates for more than 115 million websites. We look forward to being able to serve even more websites as efforts like this make deploying HTTPS with Let’s Encrypt even easier,” Aas concludes.
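Why a cross-signature keeps older clients working is a question of chain building: a client walks from the leaf certificate issuer-by-issuer until it reaches a root it already trusts, so a second copy of the intermediate signed by IdenTrust gives old trust stores a path even when they do not yet contain ISRG Root X1. The following is an added illustration, not Let's Encrypt's or any browser's code; the certificates are stand-in (subject, issuer) pairs with placeholder names rather than real certificate subjects, and no signatures are checked.

```python
from collections import namedtuple

# Toy certificate: only the subject/issuer names matter for path building in this example.
Cert = namedtuple("Cert", "subject issuer")

# Constructed certificates mirroring the arrangement described above (placeholder names).
LEAF = Cert("www.example.org", "Let's Encrypt Intermediate")
INTERMEDIATE_ISRG = Cert("Let's Encrypt Intermediate", "ISRG Root X1")    # signed by ISRG's own root
INTERMEDIATE_CROSS = Cert("Let's Encrypt Intermediate", "IdenTrust Root")  # cross-signed copy
ISRG_ROOT = Cert("ISRG Root X1", "ISRG Root X1")                           # self-signed
IDENTRUST_ROOT = Cert("IdenTrust Root", "IdenTrust Root")                  # self-signed

# Trust stores keyed by subject name: an old one that predates ISRG Root X1 and a current one.
OLD_STORE = {c.subject: c for c in (IDENTRUST_ROOT,)}
NEW_STORE = {c.subject: c for c in (ISRG_ROOT, IDENTRUST_ROOT)}


def build_chain(leaf, intermediates, trust_store):
    """Depth-first search from the leaf to any trusted root; returns the chain or None."""
    def search(cert, path):
        if cert.issuer in trust_store:
            return path + [trust_store[cert.issuer]]
        for candidate in intermediates:
            # Follow every intermediate whose subject matches the issuer we need, avoiding loops.
            if candidate.subject == cert.issuer and candidate not in path:
                found = search(candidate, path + [candidate])
                if found:
                    return found
        return None
    return search(leaf, [leaf])


def chain_names(chain):
    """Render a chain as subject names for display."""
    return [c.subject for c in chain] if chain else None


if __name__ == "__main__":
    served = [INTERMEDIATE_ISRG, INTERMEDIATE_CROSS]      # what the server sends with the leaf
    print("old store, ISRG path only :", chain_names(build_chain(LEAF, [INTERMEDIATE_ISRG], OLD_STORE)))
    print("old store, with cross-sign:", chain_names(build_chain(LEAF, served, OLD_STORE)))
    print("new store, with cross-sign:", chain_names(build_chain(LEAF, served, NEW_STORE)))
```

Serving both intermediates is what lets the same site validate against both stores: the old store only finds a path through the IdenTrust-signed copy, while the new store terminates at ISRG Root X1 directly, which is why the page says the cross-signature must stay in place until old clients cycle out.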


HackerOne Bug Bounty Programs Paid Out $11 Million in 2017
18.7.2018 securityweek  Safety

White hat hackers who responsibly disclosed vulnerabilities through bug bounty programs hosted by HackerOne earned more than $11 million last year, according to the company’s 2018 Hacker-Powered Security Report.

HackerOne hosts roughly 1,000 programs that over the past years have received over 72,000 vulnerability reports from researchers in more than 100 countries. The bounties paid out since the launch of the company until June 2018 reached over $31 million.

Of the total, more than $25 million was paid out by organizations in the United States, which was also the country that received the largest share of the payouts ($5.3 million).

According to the company, 116 of the bug reports submitted last year resulted in payouts that exceeded $10,000, and the average amount paid out by companies for critical issues has increased to over $2,000, with organizations such as Microsoft and Intel offering as much as $250,000.

Average bug bounty payout per industry

An increasing number of companies have launched public bug bounty programs, but still nearly 80% of programs were private last year. The majority of public programs are launched by organizations in the tech sector, which accounts for 63%.

The government sector recorded the biggest increase in new program launches, with the European Commission, and Singapore’s Ministry of Defense announcing initiatives. The U.S. government has also continued to run programs, including Hack the Air Force and Hack the Army.

Roughly 27,000 valid vulnerabilities were reported last year and cross-site scripting (XSS) remained the most common type of flaw, followed by information disclosure bugs.

When it comes to the time it takes organizations to patch security holes, the consumer goods industry was the fastest, with an average of 14 days. At the other end of the chart we have the government sector, which patched vulnerabilities, on average, in 68 days.

The highest bug bounty paid out last year was $75,000. A technology firm awarded the sum for three vulnerabilities that could have been chained for remote code execution without user interaction. Successful exploitation could have allowed an attacker to access credit card information, hijack user and employee accounts, access infrastructure code, or deploy mass ransomware campaigns.

The complete 2018 Hacker-Powered Security Report is available from HackerOne in PDF format.


The Wi-Fi Alliance announced the launch of the WPA3 security standard
27.6.2018 securityaffairs Safety

The Wi-Fi Alliance announced late on Monday the launch of the WPA3 security standard that promises to increase the Wi-Fi security.
The Wi-Fi Alliance officially launched WPA3, the new Wi-Fi security standard that will address all known security issues affecting the previous standards and will mitigate wireless attacks such as the KRACK attacks and DEAUTH attacks.

The Wi-Fi Alliance includes tech giants like Apple, Cisco, Intel, Qualcomm, and Microsoft.

WPA is a wireless security standard designed to authenticate wireless devices using the Advanced Encryption Standard (AES) and to establish secure connections that hackers cannot spy on.

The new security standard replaces the WPA2 that is currently used by billions of devices every day.

WPA3 implements important improvements for Wi-Fi enabled devices, addressing configuration, authentication, and encryption issues.

“WPA3 takes the lead in providing the industry’s strongest protections in the ever-changing security landscape,” said Edgar Figueroa, president and CEO of the Wi-Fi Alliance. “WPA3 continues the evolution of Wi-Fi security and maintains the brand promise of Wi-Fi Protected Access.”

WPA3 operates in Personal and Enterprise modes, covering personal, enterprise, and IoT wireless networks.

The Personal mode implements enhanced protection against offline dictionary attacks and password guessing attempts. It offers a higher level of security even when users choose weak passwords. The new standard leverages the SAE (Simultaneous Authentication of Equals) handshake to introduce forward secrecy, so that past communications remain protected even if the secret password is later compromised.

The Enterprise mode implements 192-bit encryption for networks that require extra security.

Both the Personal and Enterprise modes don’t allow the use of legacy protocols and they require Protected Management Frames (PMF) to avoid eavesdropping.

Let's summarize some of the most important improvements implemented by the new standard:

Protection Against Brute-Force Attacks
WPA3 provides enhanced protection against offline brute-force dictionary attacks, even when the users don’t choose complex passwords.

WPA3 Forward Secrecy
WPA3 provides forward secrecy to protect communications even if the attackers have compromised the password.

WPA3 strengthens user privacy in Public/Open Wi-Fi Networks
WPA3 improves user privacy in open networks through individualized data encryption. Communications between a device and the Wi-Fi access point are encrypted to prevent MitM attacks.

The system protects connections against passive eavesdropping without requiring a password by using Opportunistic Wireless Encryption (OWE). It provides each user unique individual encryption that secures traffic between their device and the Wi-Fi network.

Enhanced protection for Critical Networks
Critical networks, such as the ones used in financial and government environments, are protected with 192-bit encryption.

WPA3 security standard

The WiFi Alliance also announced the Wi-Fi Easy Connect, a new feature that makes it easier for users to connect IoT devices to wireless networks.

Wi-Fi Easy Connect is a replacement for Wi-Fi Protected Setup (WPS), which has been considered insecure. It allows users to add a new device to the router by simply scanning a QR code with a smartphone, which automatically sends the Wi-Fi credentials to the new smart device.


EFF Secures Email Delivery With STARTTLS Everywhere
26.6.2018 securityweek  Safety

The Electronic Frontier Foundation (EFF) this week announced STARTTLS Everywhere, a new project aimed at improving the security of email delivery.

The EFF is already involved in initiatives aimed at encrypting the web, such as the Let’s Encrypt Certificate Authority, and is now determined to advance email encryption in a manner similar to that of browsing.

Designed for mailserver admins, STARTTLS Everywhere provides the software that allows email servers to automatically get a valid certificate from Let’s Encrypt. It also allows admins to configure their email server software to use STARTTLS, and presents the valid certificate to other email servers.

What’s more, STARTTLS Everywhere features a “preload list” of email servers that have promised to support STARTTLS, thus making it easy to detect downgrade attacks.

“The net result: more secure email, and less mass surveillance,” EFF says.

An addition to SMTP, STARTTLS allows email servers to establish encrypted communication channels to one another, thus delivering email messages securely, without exposing data to anyone listening to the network traffic.

Unlike PGP and S/MIME, which deliver end-to-end encryption, STARTTLS only offers hop-to-hop encryption (hops are the computers an email goes through before reaching its destination), which means that mail providers can read emails if no additional protection is in place.

“Thus, STARTTLS is not a replacement for secure end-to-end solutions. Instead, STARTTLS allows email service providers and administrators to provide a baseline measure of security against outside adversaries,” EFF explains.

Courtesy of various efforts over the past years, effective STARTTLS encryption is as high as 89% at the moment, as per Google's Email Transparency Report. Five years ago, it was at only 39%.

However, even if many mailservers enable STARTTLS, most still do not validate certificates, which provides attackers with the possibility to impersonate them and access or spoof messages that are sent over secure connections.

“As a result, the ecosystem is stuck in a sort of chicken-and-egg problem: no one validates certificates because the other party often doesn’t have a valid one, and the long tail of mailservers continue to use invalid certificates because no one is validating them anyway,” EFF notes.

What’s more, even if a server has STARTTLS and uses a valid certificate, there is no guarantee the communication will be encrypted, because the initial data exchange between servers isn’t encrypted and attackers can block the establishing of a secure connection. Thus, both servers would believe the other doesn’t support STARTTLS, which results in a downgrade attack.

Without encryption, emails are delivered over the Simple Mail Transfer Protocol, or SMTP, which doesn’t secure messages, but allows anyone on the network to read their contents. Thus, not only is sniffing one’s emails an easy task, but mass surveillance also becomes possible.

With the new initiative, EFF wants to increase adoption of STARTTLS, to increase the number of mailservers that actually validate certificates, and also to prevent downgrade attacks on email services.

For mailserver admins, a technical deep dive into STARTTLS Everywhere is available.
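The downgrade problem and the preload list fit together as a small decision rule on the sending side: a server that has promised STARTTLS but whose EHLO reply no longer advertises it is being downgraded, so the sender should refuse rather than fall back to cleartext. The following is an added example, not EFF's code and not the format of its actual preload list; the policy entries and the EHLO replies are constructed.

```python
# Constructed preload-style policy: MX hosts that have promised to support STARTTLS.
# The dict shape is this example's own, not the format of EFF's list.
PRELOAD_POLICY = {
    "mx.example.org": {"require_tls": True, "min_tls": (1, 2)},
    "legacy.example.net": {"require_tls": False},
}

# Constructed EHLO replies: a healthy one and one where STARTTLS has been stripped in transit.
EHLO_OK = ("250-mx.example.org Hello client\r\n"
           "250-SIZE 52428800\r\n"
           "250-STARTTLS\r\n"
           "250 HELP\r\n")
EHLO_STRIPPED = ("250-mx.example.org Hello client\r\n"
                 "250-SIZE 52428800\r\n"
                 "250 HELP\r\n")


def parse_ehlo(response):
    """Collect the extension keywords advertised in a multi-line 250 EHLO reply."""
    keywords = set()
    for line in response.splitlines():
        if not line.startswith("250"):
            continue                      # not part of the EHLO reply
        text = line[4:].strip().upper()   # skip '250-' / '250 ' then the greeting or keyword
        if text:
            keywords.add(text.split()[0])
    return keywords


def decide_delivery(mx_host, ehlo_response):
    """Return 'starttls', 'plaintext' or 'refuse' for a connection to mx_host."""
    advertised = "STARTTLS" in parse_ehlo(ehlo_response)
    policy = PRELOAD_POLICY.get(mx_host, {"require_tls": False})
    if advertised:
        return "starttls"                 # upgrade; identity is checked in accept_tls_session()
    if policy["require_tls"]:
        return "refuse"                   # promised STARTTLS is missing: suspected downgrade
    return "plaintext"                    # opportunistic only: no promise, no STARTTLS


def accept_tls_session(mx_host, chain_trusted, cert_hostnames, negotiated_version):
    """After STARTTLS: only a validated certificate for this MX at an acceptable version counts."""
    policy = PRELOAD_POLICY.get(mx_host, {"require_tls": False, "min_tls": (1, 0)})
    if not chain_trusted or mx_host.lower() not in {h.lower() for h in cert_hostnames}:
        return False                      # the 'no one validates certificates' gap, closed
    return negotiated_version >= policy.get("min_tls", (1, 0))


if __name__ == "__main__":
    for host, reply in (("mx.example.org", EHLO_OK), ("mx.example.org", EHLO_STRIPPED),
                        ("legacy.example.net", EHLO_STRIPPED)):
        print(host, "->", decide_delivery(host, reply))
    print("session ok:", accept_tls_session("mx.example.org", True, ["mx.example.org"], (1, 2)))
```

The same rule generalises to any "known to support TLS" list: once a host is on it, the absence of STARTTLS is evidence rather than an excuse, and certificate and version checks apply after the upgrade so that an invalid certificate cannot be waved through.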


Wi-Fi Alliance Launches WPA3 Security Standard
26.6.2018 securityweek  Safety

The Wi-Fi Alliance, the non-profit organization whose global network of members maintains Wi-Fi technology, announced late on Monday the launch of the WPA3 security standard.

Unveiled in January, the latest version of the Wi-Fi Protected Access (WPA) protocol brings significant improvements in terms of authentication and data protection.

The Wi-Fi Alliance will continue to maintain and improve WPA2, which is mandatory for Wi-Fi Certified devices, as it will likely take several years until WPA3 is widely adopted. The two versions of the protocol will maintain interoperability through a transitional mode of operation and WPA3 will become mandatory once adoption grows.

WPA3 has two modes of operation: Personal and Enterprise. WPA3-Personal’s key features include enhanced protection against offline dictionary attacks and password guessing attempts, improved security even if users choose less complex passwords, and the use of forward secrecy in order to protect communications even if a password has been compromised.

WPA3-Enterprise provides 192-bit encryption for networks that require extra security (e.g. the networks of government and financial organizations), improved network resiliency, and greater consistency when it comes to the deployment of cryptographic tools.

Both the Personal and Enterprise modes prohibit the use of legacy protocols, and they require Protected Management Frames (PMF), which provides protection against eavesdropping and forging. PMF is also available for WPA2.

“WPA3 takes the lead in providing the industry’s strongest protections in the ever-changing security landscape,” said Edgar Figueroa, president and CEO of the Wi-Fi Alliance. “WPA3 continues the evolution of Wi-Fi security and maintains the brand promise of Wi-Fi Protected Access.”

The Wi-Fi Alliance also announced the introduction of Easy Connect, a system that makes it easier for users to connect smart home and other Internet of Things (IoT) devices to their wireless networks. Wi-Fi Easy Connect simplifies the process by allowing users to add devices by scanning a QR code with a smartphone or tablet.

Earlier this month, the Wi-Fi Alliance also announced the launch of Wi-Fi Enhanced Open, a certification program that provides protection for unauthenticated networks, such as the ones commonly found in coffee shops, hotels and airports.

The system is designed to protect connections against passive eavesdropping without requiring a password by using Opportunistic Wireless Encryption (OWE) to provide each user unique individual encryption that secures traffic between their device and the Wi-Fi network.


Deprecating TLS 1.0 and TLS 1.1 … kill them now!
19.6.2018 securityaffairs Safety

The Internet-Draft, if approved, formally deprecates Transport Layer Security versions 1.0 (TLS 1.0) [RFC2246] and 1.1 (TLS 1.1) [RFC4346].
In March, the Internet Engineering Task Force (IETF) finally announced the approval of TLS 1.3, the new version of the Transport Layer Security traffic encryption protocol.

It was a long journey: the IETF had been analyzing proposals for TLS 1.3 since April 2014, and the final release is the result of work on 28 drafts.

The TLS protocol was designed to allow client/server applications to communicate over the Internet in a secure way preventing message forgery, eavesdropping, and tampering.

TLS 1.2 and TLS 1.3 are quite different: the new version introduces many major features to improve performance and to make the protocol more resilient to certain attacks, such as the ROBOT technique.

Surprisingly, both TLS 1.0 and TLS 1.1 are still in use online; in many cases the migration of applications is still waiting for management to commit to it, exposing users to serious risks in the meantime.

Some experts argue the best way to make the Internet more secure is to ban application fallback to both TLS 1.0 and 1.1 standards.

The PCI Council’s deprecation deadline of June 30, 2018, is upon us and the Internet-Draft urges the deprecation of insecure protocols.

Support for TLSv1.0 has been removed, or will be by July 2018, from several standards, products, and services, including 3GPP 5G, Cloudflare, Amazon Elastic Load Balancing, and GitHub.

The Draft also highlights that supporting older versions also requires additional effort for library and product maintenance.

“This document [if approved] formally deprecates Transport Layer Security (TLS) versions 1.0 [RFC2246] and 1.1 [RFC4346] and moves these documents to the historic state. These versions lack support for current and recommended cipher suites, and various government and industry profiles of applications using TLS now mandate avoiding these old TLS versions.” reads the Draft.


“Pragmatically, clients MUST NOT send a ClientHello with ClientHello.client_version set to {03,01}. Similarly, servers MUST NOT send a ServerHello with ServerHello.server_version set to {03,01}.” continues the draft. “Any party receiving a Hello message with the protocol version set to {03,01} MUST respond with a ‘protocol_version’ alert message and close the connection.”

The publication of TLS 1.3 is expected very soon; the specification is currently under final review.
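The rule quoted from the draft above can be checked at the byte level. The following Python snippet is an added example written for this page, not code from the draft or from any TLS library: it parses the version field of a ClientHello and answers a legacy version with the fatal protocol_version alert the draft requires. The record layout follows RFC 5246; the cipher suite in the constructed ClientHello is arbitrary. Note that the draft's MUST applies to ClientHello.client_version inside the handshake message, not to the record-layer version, which many clients still set to {03,01} for compatibility; a TLS 1.3 ClientHello carries legacy_version {03,03} and passes this check.

```python
import struct

HANDSHAKE, ALERT = 22, 21           # TLS ContentType values
CLIENT_HELLO = 1                    # HandshakeType
FATAL, PROTOCOL_VERSION = 2, 70     # AlertLevel.fatal, AlertDescription.protocol_version
DEPRECATED = {(3, 1): "TLS 1.0", (3, 2): "TLS 1.1"}


def client_hello_version(record: bytes) -> tuple:
    """Return ClientHello.client_version as (major, minor) from a single TLS record.
    The record-layer version at offset 1 is deliberately ignored."""
    if len(record) < 5:
        raise ValueError("record too short")
    ctype, _rec_major, _rec_minor, rec_len = struct.unpack("!BBBH", record[:5])
    if ctype != HANDSHAKE:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) != rec_len or rec_len < 6:
        raise ValueError("truncated record")
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_type != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    if hs_len < 2 or len(body) < 4 + hs_len:
        raise ValueError("truncated ClientHello")
    return body[4], body[5]


def protocol_version_alert() -> bytes:
    """Fatal protocol_version alert record, the response the draft requires to a legacy Hello."""
    return struct.pack("!BBBH", ALERT, 3, 3, 2) + bytes([FATAL, PROTOCOL_VERSION])


def handle_client_hello(record: bytes):
    """Server-side decision: ('accept', version) or ('alert', alert_record)."""
    version = client_hello_version(record)
    if version in DEPRECATED:
        return "alert", protocol_version_alert()
    return "accept", version


def build_client_hello(major: int, minor: int) -> bytes:
    """Constructed minimal ClientHello: version, 32-byte random, empty session id,
    one cipher suite (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256), null compression."""
    hello = bytes([major, minor]) + b"\x00" * 32 + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"
    handshake = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    # Record-layer version set to {03,01} for compatibility, as real clients commonly do:
    # this is why the check must inspect the handshake field, not the record header.
    return struct.pack("!BBBH", HANDSHAKE, 3, 1, len(handshake)) + handshake


if __name__ == "__main__":
    for version in ((3, 1), (3, 2), (3, 3)):
        print(version, handle_client_hello(build_client_hello(*version)))
```

A real server would send the alert record and close the connection; the function returns it so the decision can be tested in isolation.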


SigSpoof GnuPG flaw could be exploited to spoof message signatures
15.6.2018 securityaffairs  Safety  

GnuPG 2.2.8 released earlier this month addresses the CVE-2018-12020 vulnerability, dubbed SigSpoof, affecting GnuPG, Enigmail, GPGTools, and python-gnupg.
GnuPG, also known as GPG, is a complete and free implementation of the OpenPGP standard as defined by RFC4880 (also known as PGP). GnuPG allows users to encrypt and sign data and communications.

“The signature verification routine in Enigmail 2.0.6.1, GPGTools 2018.2, and python-gnupg 0.4.2 parse the output of GnuPG 2.2.6 with a ‘--status-fd 2’ option, which allows remote attackers to spoof arbitrary signatures via the embedded ‘filename’ parameter in OpenPGP literal data packets, if the user has the verbose option set in their gpg.conf file,” reads the blog post published by Marcus Brinkmann who discovered the SigSpoof flaw.

The expert noted that, while verbose is disabled by default, it is included in several recommended configurations for GnuPG.


Status messages are parsed by applications that get information from GPG about the validity of a signature.

“Status messages are created with the option “--status-fd N,” where N is a file descriptor. If N is 2, status messages and regular diagnostic messages share the stderr output channel.” explains GnuPG maintainer Werner Koch.

“The issue resides in the OpenPGP protocol allowing the inclusion of the file name of the original input file into a signed or encrypted message. The GnuPG tool can display a notice with that file name during decryption and verification, but it does not sanitize the file name, meaning that an attacker could include line feeds or other control characters in it.”

Because GnuPG did not sanitize the file name before displaying it, an attacker could embed line feeds or other control characters in it.

An attacker can inject terminal control sequences and fabricate status messages, including faking the verification status of a signed email.

“The attacker can inject arbitrary (fake) GnuPG status messages into the application parser to spoof signature verification and message decryption results. The attacker can control the key ids, algorithm specifiers, creation times and user ids, and does not need any of the private or public keys involved.” continues Brinkmann.

Brinkmann noted that OpenPGP limits the file name in a literal data packet to 255 bytes, which caps the size of the injected payload.

Brinkmann published a proof of concept showing how to spoof signatures in both Enigmail and GPGTools, and a separate PoC showing how both the signature and the encryption status can be spoofed in Enigmail. The expert also demonstrated how to spoof a signature on the command line.

While disabled by default, verbose is included in several recommended configurations for GnuPG, and it is one of the main causes for this vulnerability.

To mitigate the issue, the researcher recommends not including verbose in gpg.conf and not using gpg --verbose on the command line. Developers should add the --no-verbose option to every invocation of gpg, and applications that parse status output should read it from a dedicated file descriptor rather than from the stderr channel that diagnostics also use.
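The following Python model, added here and not part of Brinkmann's PoC or of GnuPG, shows why sharing stderr between status lines and diagnostics is the root of the problem, and why reading status from a dedicated descriptor closes it. The gpg output is constructed (the key ID and user ID are invented); the diagnostic line format `gpg: original file name='NAME'` is what GnuPG prints in verbose mode, and the escaping in `sanitize_filename` illustrates the 2.2.8 fix rather than reproducing its exact code.

```python
import re

STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")


def parse_status(text: str):
    """Collect '[GNUPG:] KEYWORD args' lines from a text stream, the way
    Enigmail or python-gnupg do on whatever descriptor --status-fd points at."""
    found = []
    for line in text.splitlines():
        m = STATUS_RE.match(line)
        if m:
            found.append((m.group(1), m.group(2) or ""))
    return found


def signer_of(statuses):
    """Signer announced by a GOODSIG line, or None when no valid signature was reported."""
    for keyword, args in statuses:
        if keyword == "GOODSIG":
            return args.split(" ", 1)[1]      # GOODSIG <long keyid> <user id>
    return None


def gpg_output(filename: str, status_on_stderr: bool):
    """Constructed stand-in for `gpg --decrypt --verbose --status-fd N` run on an
    *unsigned* encrypted message whose literal data packet carries `filename`.
    Returns (stderr_text, status_text)."""
    diagnostics = ("gpg: encrypted with 2048-bit RSA key, ID 0123456789ABCDEF\n"
                   f"gpg: original file name='{filename}'\n")
    status = "[GNUPG:] DECRYPTION_OKAY\n[GNUPG:] END_DECRYPTION\n"
    if status_on_stderr:                 # --status-fd 2: both streams interleave on one channel
        return diagnostics + status, ""
    return diagnostics, status           # e.g. --status-fd 3: status lines have their own pipe


# Attacker-controlled filename (at most 255 bytes in OpenPGP). The newline ends the
# verbose diagnostic line early; the forged status line then stands on its own.
FORGED_FILENAME = ("invoice.pdf\n"
                   "[GNUPG:] GOODSIG 0123456789ABCDEF Alice <alice@example.org>\n"
                   "gpg: WARNING: ")    # absorbs the closing quote of the diagnostic


def vulnerable_verify(filename: str):
    """Enigmail-style: --status-fd 2 plus verbose, then parse everything seen on stderr."""
    stderr, _ = gpg_output(filename, status_on_stderr=True)
    return signer_of(parse_status(stderr))


def hardened_verify(filename: str):
    """Status lines are read only from their dedicated descriptor; stderr is never parsed."""
    _, status = gpg_output(filename, status_on_stderr=False)
    return signer_of(parse_status(status))


def sanitize_filename(name: str) -> str:
    """GnuPG-side fix in spirit (2.2.8): control characters are escaped before display,
    so a filename can no longer terminate the diagnostic line. Escape form is illustrative."""
    return "".join(c if 32 <= ord(c) < 127 else "\\x%02x" % ord(c) for c in name)


if __name__ == "__main__":
    print("vulnerable parser says signer:", vulnerable_verify(FORGED_FILENAME))
    print("hardened parser says signer:  ", hardened_verify(FORGED_FILENAME))
    print("vulnerable parser, sanitized: ", vulnerable_verify(sanitize_filename(FORGED_FILENAME)))
```

The message in the model is not signed at all, yet the stderr-parsing application reports a good signature from Alice; moving the status stream to its own descriptor, or escaping the filename as the fix does, makes the forged line invisible to the parser.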

Assessing the risk to critical infrastructure, the expert explained that the potential impact of this issue is severe.

“The vulnerability in GnuPG goes deep and has the potential to affect a large part of our core infrastructure. GnuPG is not only used for email security, but also to secure backups, software updates in distributions, and source code in version control systems like Git,” Brinkmann concludes.


Pornhub launches VPNhub – a free and unlimited VPN service
7.6.2018 thehackernews  Safety

PornHub wants you to keep your porn viewing activities private, and it is ready to help you out with its all-new VPN service.
Yes, you heard that right.
Adult entertainment giant PornHub has launched its very own VPN service today with "free and unlimited bandwidth" to help you keep prying eyes away from your browsing activity.


Dubbed VPNhub, the VPN service by PornHub is available for both mobile as well as desktop platform, including Android, iOS, MacOS, and Windows.
A VPN, or Virtual Private Network, encrypts traffic between the device and the provider's server, which hides browsing activity from the local network (including public Wi-Fi) and from the ISP, and can sidestep ISP-level website blocking or tracking. It does not make the user anonymous: the VPN operator itself sees the traffic, which is why its logging and data-sharing policy matters.

VPNhub promises never to store, collect, sell, or share your personal information with any third parties for their marketing, advertising or research purposes.


However, in its privacy policy under the heading, "How We Use Your Information," the company says it can sell "aggregate or non-personally identifiable information with non-affiliated third parties for advertising, marketing or research purposes."
Since some governments, including that of the United Kingdom, are regulating adult content online, the launch of a VPN service by Pornhub makes sense.

VPNhub is available in countries across the globe except for Burma/Myanmar, Cuba, Iran, North Korea, Sudan, and Syria, due to the ban imposed by the U.S. government.
While mobile users (both iOS and Android) can download and use the VPNhub app for free, desktop users (MacOS and Windows) have to purchase a premium account.
You can also upgrade your free account to a premium subscription for $13 a month or $90 for a full year, which eliminates ads, provides faster connection speeds, and opens up "servers from a wide range of countries."
You can try premium VPNhub using its 7-day free trial.


Researchers Defeat AMD's SEV Virtual Machine Encryption
7.6.2018 thehackernews  Safety

German security researchers claim to have found a new practical attack against virtual machines (VMs) protected using AMD's Secure Encrypted Virtualization (SEV) technology that could allow attackers to recover plaintext memory data from guest VMs.
AMD's Secure Encrypted Virtualization (SEV) technology, which comes with EPYC line of processors, is a hardware feature that encrypts the memory of each VM in a way that only the guest itself can access the data, protecting it from other VMs/containers and even from an untrusted hypervisor.


Discovered by researchers from the Fraunhofer Institute for Applied and Integrated Security (AISEC) in Munich, the page-fault side-channel attack, dubbed SEVered, takes advantage of the lack of integrity protection in SEV's page-wise encryption of main memory, allowing a malicious hypervisor to extract the full content of main memory in plaintext from SEV-encrypted VMs.
Here's the outline of the SEVered attack, as briefed in the paper:
"While the VM’s Guest Virtual Address (GVA) to Guest Physical Address (GPA) translation is controlled by the VM itself and opaque to the HV, the HV remains responsible for the Second Level Address Translation (SLAT), meaning that it maintains the VM’s GPA to Host Physical Address (HPA) mapping in main memory.
"This enables us to change the memory layout of the VM in the HV. We use this capability to trick a service in the VM, such as a web server, into returning arbitrary pages of the VM in plaintext upon the request of a resource from outside."
"We first identify the encrypted pages in memory corresponding to the resource, which the service returns as a response to a specific request. By repeatedly sending requests for the same resource to the service while re-mapping the identified memory pages, we extract all the VM's memory in plaintext."
During their tests, the team extracted a test VM's entire 2 GB of memory in plaintext.
In their experimental setup, the researchers used a Linux system on an AMD Epyc 7251 processor with SEV enabled, running the Apache and Nginx web servers and an OpenSSH server in separate VMs.


As malicious HV, the researchers used the system's Kernel-based Virtual Machine (KVM) and modified it to observe when software within a guest accessed physical RAM.
With Apache and Nginx, memory was extracted at 79.4 KB/s; OpenSSH's higher response time reduced the extraction rate to 41.6 KB/s.
"Our evaluation shows that SEVered is feasible in practice and that it can be used to extract the entire memory from an SEV-protected VM within a reasonable time," the researchers said. "The results specifically show that critical aspects, such as noise during the identification and the resource stickiness are managed well by SEVered."
The researchers also recommended countermeasures AMD could take to stop the hypervisor from abusing the Guest Physical Address (GPA) to host physical address translation.
The best solution is to provide "a full-featured integrity and freshness protection of guest-pages additional to the encryption, as realized in Intel SGX. However, this likely comes with a high silicon cost to protect full VMs compared to SGX enclaves."
A lower-cost, efficient alternative, they add, would be to securely combine a hash of the page's content with the guest-assigned GPA, which ensures that "pages cannot easily be swapped by changing the GPA to HPA mapping."
The research was carried out by four Fraunhofer AISEC researchers, Mathias Morbitzer, Manuel Huber, Julian Horsch and Sascha Wessel, and has been published in their paper [PDF] titled "SEVered: Subverting AMD’s Virtual Machine Encryption."


Google Password Protects Pixel 2 Firmware
6.6.2018 securityweek Safety

Google has made the firmware of Pixel 2 devices resistant to unauthorized attempts to upgrade it by password protecting it.

Specifically, anyone interested in upgrading the firmware of a Pixel 2 device needs to supply the user password to successfully complete the process and still have access to user data.

Google has been demanding full-disk encryption for new Android devices since 2015, and the newly implemented protection is meant to complement that security feature. Google Pixel devices also encrypt all user data, and keep the encryption key protected in secure hardware.

“The secure hardware runs highly secure firmware that is responsible for checking the user's password. If the password is entered incorrectly, the firmware refuses to decrypt the device. This firmware also limits the rate at which passwords can be checked, making it harder for attackers to use a brute force attack,” Google explains in a blog post.

Google is also applying digital signatures in their attempt to prevent attackers from replacing a device’s firmware with a malicious iteration. To replace the firmware, an attacker would have to find and exploit a vulnerability in the signature-checking process, or to gain access to the signing key, then sign their firmware version to trick the device into accepting it.

While the signature-checking software is small, isolated and vetted, which makes exploitation difficult, the signing keys are still accessible: they are stored in secure locations, but a limited number of people can reach them.

“That's good, but it leaves those people open to attack by coercion or social engineering. That's risky for the employees personally, and we believe it creates too much risk for user data,” Google notes.

Google Pixel 2 devices, the Internet giant says, have insider attack resistance in the tamper-resistant hardware security module to protect the encryption keys. Thus, if an attacker does come up with a properly signed malicious firmware, they cannot install it on the security module without the user's cooperation.

Specifically, the correct password is required to upgrade the firmware. While upgrades can be forced, the company says, the process would wipe the secrets used to decrypt the user's data, effectively destroying it.

“The Android security team believes that insider attack resistance is an important element of a complete strategy for protecting user data. The Google Pixel 2 demonstrated that it's possible to protect users even against the most highly-privileged insiders. We recommend that all mobile device makers do the same,” Google notes.


Experts show how to defeat AMD’s Secure Encrypted Virtualization
26.5.2018 securityaffairs Safety

German researchers have devised a method, dubbed SEVered, to defeat Secure Encrypted Virtualization (SEV), the mechanism implemented by AMD Epyc server processors to transparently encrypt virtual machines in memory.
The attack allowed them to exfiltrate plaintext data from an encrypted guest using a hijacked hypervisor and simple HTTP requests to a web server running inside the targeted guest.

Secure Encrypted Virtualization encrypts and decrypts a virtual machine's memory on the fly while it is stored in RAM, to protect the VM from being snooped on.

Thanks to Secure Encrypted Virtualization, a hijacked hypervisor, kernel, driver, or malware should not be able to snoop on a protected virtual machine.

The team of Fraunhofer AISEC researchers, composed of Mathias Morbitzer, Manuel Huber, Julian Horsch and Sascha Wessel, demonstrated that the SEVered technique can bypass Secure Encrypted Virtualization protections and copy information out of a virtual machine.

“We present the design and implementation of SEVered, an attack from a malicious hypervisor capable of extracting the full contents of main memory in plaintext from SEV-encrypted virtual machines. SEVered neither requires physical access nor colluding virtual machines, but only relies on a remote communication service, such as a web server, running in the targeted virtual machine.” reads the research paper published by the researchers.

“We verify the effectiveness of SEVered on a recent AMD SEV-enabled server platform running different services, such as web or SSH servers, in encrypted virtual machines”

An attacker at the host level can alter a guest’s physical memory mappings through standard page tables, causing the failure of the Secure Encrypted Virtualization mechanism in isolating and scrambling parts of the VM in RAM.

“We base SEVered on the observation that the page-wise encryption of main memory lacks integrity protection. While the VM’s Guest Virtual Address (GVA) to Guest Physical Address (GPA) translation is controlled by the VM itself and opaque to the HV, the HV remains responsible for the Second Level Address Translation (SLAT), meaning that it maintains the VM’s GPA to Host Physical Address (HPA) mapping in main memory.” continues the paper.

“This enables us to change the memory layout of the VM in the HV. We use this capability to trick a service in the VM, such as a web server, into returning arbitrary pages of the VM in plaintext upon the request of a resource from outside”


The researchers set up a test environment running an AMD Epyc 7251 processor with SEV enabled and Debian GNU/Linux installed, running an Apache web server and an OpenSSH in two separate virtual machines.

By modifying the system’s Kernel-based Virtual Machine KVM hypervisor, the experts demonstrated that it is possible to observe when software within a guest accessed physical RAM.

The researchers then sent a large number of requests to one of the services, for example fetching an HTML page from Apache. The hypervisor could observe which physical pages are used to hold the file; by switching the page mapping so that the resource's guest physical address pointed at a different encrypted page of the same VM, Apache transparently decrypted that page and sent it in its response instead of the requested web page.

With this trick, the attacker can make the Apache service leak any page of the guest's memory.

“With the knowledge about the location of the resource, we were able to reliably extract the entire memory of the target VM on our prototype implementation,” continues the paper.

“The resource was always sticky over the whole process. While preserving the VM’s stability at all times, the extraction of its entire 2 GB also worked under the noise model introduced for the identification phase.”

The experts demonstrated the efficiency of the SEVered attack in extracting the entire memory from an SEV-protected VM.

Experts also analyzed countermeasures, the best one consists in providing a full-featured integrity and freshness protection of guest-pages additional to the encryption.

“The best solution seems to be to provide a full-featured integrity and freshness protection of guest-pages additional to the encryption, as realized in Intel SGX. However, this likely comes with a high silicon cost to protect full VMs compared to SGX enclaves,” the experts concluded.

“A low-cost efficient solution could be to securely combine the hash of the page’s content with the guest-assigned GPA.”
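To make the mechanism described in this article and in the earlier item on SEVered concrete, here is a toy model written for this page; it is not the Fraunhofer AISEC code and does not touch real SEV hardware. Memory is encrypted under a per-VM key with a keystream tweaked by the host physical address, the hypervisor owns the GPA-to-HPA table, and the guest decrypts transparently; remapping the page that backs /index.html onto the page holding a secret makes the in-VM web server hand the secret out in plaintext. The same model shows the paper's low-cost countermeasure: binding a MAC of each page to its GPA makes the remapped read fail. Page size, addresses, key derivation and the secret are all constructed.

```python
import hmac
import os

PAGE = 64   # toy page size; real pages are 4 KiB


class IntegrityError(Exception):
    """Raised by the modelled countermeasure when a page is read through a GPA it was not written under."""


def keystream(key: bytes, hpa: int) -> bytes:
    """Keystream tweaked by the host physical address (toy stand-in for SEV's address-tweaked
    AES). Same key + same HPA -> same keystream, so the guest transparently decrypts whatever
    frame its SLAT entry happens to point at."""
    out = b""
    ctr = 0
    while len(out) < PAGE:
        out += hmac.new(key, hpa.to_bytes(8, "big") + bytes([ctr]), "sha256").digest()
        ctr += 1
    return out[:PAGE]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Hypervisor:
    """Host view: encrypted RAM frames and the SLAT (GPA -> HPA) table it controls."""
    def __init__(self):
        self.ram = {}          # hpa -> ciphertext page (the HV never holds the VM key)
        self.slat = {}         # gpa -> hpa
        self.next_hpa = 0x10000

    def allocate(self, gpa):
        hpa = self.next_hpa
        self.next_hpa += PAGE
        self.slat[gpa] = hpa
        return hpa

    def remap(self, gpa, hpa):
        """The SEVered primitive: point a guest page at a different frame."""
        self.slat[gpa] = hpa


class SevGuest:
    """Guest view: accesses go through GPA; the VM key stays inside the 'hardware'."""
    def __init__(self, hv, integrity=False):
        self.hv = hv
        self.key = os.urandom(32)
        self.integrity = integrity
        self.tags = {}   # hpa -> MAC(key, gpa || plaintext): the paper's GPA-bound integrity idea

    def write(self, gpa, data):
        data = data.ljust(PAGE, b"\0")[:PAGE]
        hpa = self.hv.slat.get(gpa)
        if hpa is None:
            hpa = self.hv.allocate(gpa)
        self.hv.ram[hpa] = xor(data, keystream(self.key, hpa))
        if self.integrity:
            self.tags[hpa] = hmac.new(self.key, gpa.to_bytes(8, "big") + data, "sha256").digest()

    def read(self, gpa):
        hpa = self.hv.slat[gpa]
        data = xor(self.hv.ram[hpa], keystream(self.key, hpa))
        if self.integrity:
            tag = hmac.new(self.key, gpa.to_bytes(8, "big") + data, "sha256").digest()
            if not hmac.compare_digest(tag, self.tags[hpa]):
                raise IntegrityError(f"GPA {gpa:#x} does not match the frame it now maps to")
        return data


RESOURCE_GPA, SECRET_GPA = 0x1000, 0x2000
INDEX_HTML = b"<html>welcome</html>"
SECRET = b"db_password=correct horse battery staple"


def serve_index(vm):
    """The 'web server' inside the VM: answers GET /index.html from the page backing it."""
    return vm.read(RESOURCE_GPA).rstrip(b"\0")


def severed(integrity=False):
    """Run the attack; returns what the web server hands to the remote requester."""
    hv = Hypervisor()
    vm = SevGuest(hv, integrity)
    vm.write(RESOURCE_GPA, INDEX_HTML)
    vm.write(SECRET_GPA, SECRET)
    assert serve_index(vm) == INDEX_HTML           # ordinary request, ordinary answer
    # Identification phase done: the HV knows which frame backs /index.html.
    # Extraction: remap the resource's GPA onto the frame holding the secret, request again.
    hv.remap(RESOURCE_GPA, hv.slat[SECRET_GPA])
    return serve_index(vm)


if __name__ == "__main__":
    print("without integrity:", severed(False))
    try:
        severed(True)
    except IntegrityError as e:
        print("with GPA-bound MAC:", e)
```

The hypervisor never decrypts anything itself; it only rewrites one translation entry and lets the guest's own service do the decryption, which is exactly why encryption without integrity is not enough.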


New Features Added to CERT Tapioca Tool
25.5.2018 securityweek  Safety

The CERT Coordination Center (CERT/CC) at Carnegie Mellon University this week announced the launch of a new version of the network traffic analysis tool CERT Tapioca.

CERT Tapioca was first released in 2014 as a network-layer man-in-the-middle (MITM) proxy virtual machine designed for identifying apps that fail to validate certificates and investigating the content of HTTP and HTTPS traffic.

CERT Tapioca has been used to identify Android applications that fail to properly validate SSL certificates and expose users to MitM attacks. More than one million apps have been checked and over 23,000 of them failed dynamic testing.

The tool can be used to analyze network traffic not only on smartphones, but also on IoT devices, computers and VMs.

Will Dormann, vulnerability analyst at CERT/CC and developer of CERT Tapioca, on Thursday announced the release of version 2.0, which introduces a graphical user interface and can be installed on multiple Linux distributions, including Red Hat, CentOS, Fedora, Ubuntu, OpenSUSE, and Raspbian.


CERT Tapioca 2.0 also allows users to set up a HOSTAP-compatible Wi-Fi adapter for wireless connectivity, and it can save results from multiple tested systems.

In addition to checking HTTPS validation, verifying an application’s use of modern cryptography standards, and observing the hosts contacted by an application, Tapioca now allows users to search network traffic for specified strings, such as passwords.

The CERT Tapioca 2.0 source code, along with additional details and usage instructions, are available on GitHub.


Okta Adds Threat Intel to Network Context to Eliminate Passwords
24.5.2018 securityweek  Safety

Okta Unveils Adaptive Single Sign-On and Enhanced Adaptive Multi-Factor Authentication Products

The adequacy of passwords as a security defense has long been discussed and criticized. The 2017 Verizon Data Breach Investigation Report (DBIR) reported that 81% of hacking-related breaches involve stolen or compromised user credentials -- and yet there is no generally accepted alternative. Multi-factor user authentication -- which requires an additional user token or biometric -- helps, but does not solve the problem.

With traditional approaches there is a simple contradiction: the more security that is applied to user authentication, the greater the disruption (known as 'friction') imposed on user workflows. When companies strive for a seamless user experience, for both their customers and their workforce, this is a problem. "For companies trying to deliver seamless and secure user-experiences, passwords are a real pain," explained Joe Diamond, director of security product marketing management at Okta, in a blog post. "Either they're complex -- and therefore difficult for employees and customers to remember -- or they're prime targets for nefarious hackers."

In recent years there has been a growing development and acceptance of additional passive authentication factors to improve security without disrupting the user. Passive in this sense simply means that the authentication is automatically taken without user involvement.

One of the most important passive factors is context, and identity companies are increasingly incorporating contextual factors such as user location (IP address), time (is it reasonable for this user to want access at this time?), and destination (does this user likely or commonly need access to these files?) to bolster the initial password authentication. But notice the much-decried password is still necessary.

Okta, which provides identity systems for corporations, has a device trust model to enhance the security of remote logins. It uses, for example, Exchange ActiveSync certificates to prevent unmanaged devices from accessing Office 365. Today, however, it has announced the addition of a new context factor that it believes will largely enable the elimination of passwords: ThreatInsight.

ThreatInsight is based on the understanding of threats and suspicious activity seen by Okta's incident response team across the company ecosphere of 4,350 customers and 5,500 partners in the Okta Integration Network.

"By blending context signals with this intelligence," writes Diamond, "Okta's Adaptive MFA solution will be able to more effectively provide businesses with the seamless, simple authentication experience that companies have grown to depend on. We've also introduced Adaptive Single Sign-on (SSO), which provides a simple, secure authentication experience for users and integrates with third-party enterprise mobility management solutions, such as Airwatch or MobileIron, for device trust. With this combination of Adaptive SSO, MFA, and ThreatInsight, IT and app development teams can move toward a context-driven security approach -- one that may eventually eliminate passwords after all."

"The best password is no password at all," adds Todd McKinnon, CEO and co-founder of Okta. "Over the past few years, we've invested heavily in new security technologies that provide the right level of protection for the many apps and services an organization uses today, which can vary by company, by app, by user, and by scenario. Now we're using both those signals across a user's login context as well as insight from across our ecosystem to improve an organization's ability to set stronger access controls and make faster, more intelligent decisions when there may be a concern -- and allow companies to replace the password with stronger, simpler authentication."

By combining all the different contextual factors, the Okta Adaptive MFA product is able to make dynamic access decisions. It can determine between low risk access requests and high-risk access requests; and only require traditional authentication measures such as a password if the risk level requires it.

For example, a user authenticating from a recognized IP address on a known, managed device could be considered low risk and allowed in without a password.

If the authentication request comes from a known but unmanaged device in a new location, it could be considered moderate risk. The user would be prompted with a security question and asked to present a second factor.

If the user attempts to authenticate from an unmanaged and unknown device and from a connection with a high threat level, the user would be considered ‘high risk' and Okta would disallow access.

Banks provide an example of the problem with password authentication. Banks by their nature require strong authentication, which is not provided by passwords alone. But they also require user-friendly authentication (for fear of losing customers), which is not provided by standard multi-factor solutions. The National Bank of Canada believes it has found the right compromise with Okta.

"National Bank of Canada services millions of clients in hundreds of branches across Canada. As an organization, we have clear objectives, one of which is to simplify the customer experience," said Alain Goffi, vice president, IT Infrastructures at National Bank of Canada. "Okta's smart authentication and contextual capabilities enable us to give our clients a seamless, secure online experience."

Okta's ThreatInsight is scheduled to be available during the second half of this year.


Malwarebytes Acquires Binisoft to Enhance Endpoint Protection Platform
24.5.2018 securityweek  Safety

Malwarebytes announced this week the acquisition of Binisoft in an effort to help the company enhance its endpoint protection platform and expand its global footprint. Terms of the deal have not been disclosed.

Romania-based Binisoft is the brainchild of Alexandru Dicu, who in 2010 decided to create Windows Firewall Control, a tool designed to make it easier to manage the firewall built into Windows.

Over the past years, Windows Firewall Control has become a powerful and highly popular tool used by millions of people. It allows users to quickly access frequently needed options of the Windows Firewall.

Binisoft has also developed USB Flash Drives Control, a small and powerful utility designed for controlling how USB removable drives are used on a device. For example, users can prevent read and write operations, or they can block any executable file on a flash drive from running.

Malwarebytes plans on integrating Windows Firewall Control into its endpoint protection platform, which provides broad visibility into endpoints on a network and simplifies the deployment and management of security solutions.

“We’ve seen tremendous demand from our customer base for these capabilities,” said Marcin Kleczynski, CEO of Malwarebytes. “With continued increases in cyberthreats, including malware that communicates and coordinates data theft, it is more important than ever for businesses to easily manage their Windows Firewall and establish communication policies to prevent programs from initiating unauthorized outbound connections. With the acquisition of Binisoft, Malwarebytes will provide an all in one solution well beyond having to manage a Firewall through Group Policy Objects or other Microsoft technologies.”

Windows Firewall Control has been distributed under a donationware licensing model, while USB Flash Drives Control has been offered as freeware. Malwarebytes has promised to continue maintaining and supporting Binisoft products, and offer them for free, at least in the short term.


FireEye Launches OAuth Attack Testing Platform
23.5.2018 securityweek Safety

FireEye on Monday announced the availability of a platform that allows organizations and pentesters to check their ability to detect and respond to OAuth abuse attacks.

OAuth 2.0 is a protocol employed by major Internet companies, including Amazon, Google, Facebook, and Microsoft, to facilitate granting third-party applications access to user data. Using social engineering, attackers can trick victims into authorizing a third-party application to access their account, thus gaining access to all of the user's data without the need for credentials.

“In releasing the tool, we hope to increase awareness about this threat, improve the security community’s ability to detect it, and provide countermeasures for defenders,” FireEye’s Doug Bienstock explains.

In an OAuth authorization flow, the third-party application requests a specific type of access to a user’s account, and APIs are used to define such sets of scopes (similar to the permissions apps ask for on mobile devices).

An attacker looking to abuse OAuth can register a malicious application and then retrieve user data through the API Resource using the access tokens obtained. Because the token is granted through the victim's consent rather than a login, no password is entered and any two-factor enforcement in place is never triggered; the access persists until the application's grant is explicitly revoked.

An attacker can obtain OAuth tokens via social engineering, by convincing the victim to click a “Consent link” and approve the application. This is exactly what happened last year, when a phishing attack targeting Gmail users spread like a worm and tricked many users into allowing a malicious app named “Google Docs” to access their contact information.

Called PwnAuth, the newly launched web application framework should make it easier for organizations to test their ability to detect and respond to OAuth abuse campaigns.

“The web application provides penetration testers with an easy-to-use UI to manage malicious OAuth applications, store gathered OAuth tokens, and interact with API Resources. The application UI and framework are designed to be easily extendable to other API Resources through the creation of additional modules,” Bienstock notes.

Available on GitHub, the platform comes with a module to support malicious Office 365 applications capable of capturing OAuth tokens and using them to interact with the Microsoft Graph API. However, PwnAuth could be used to target any cloud environment that allows OAuth applications.

The available Office 365 module supports reading the mail messages, searching the user's mailbox, reading the user's contacts, downloading messages and attachments, searching OneDrive and downloading files, and sending messages on behalf of the user.

Using PwnAuth requires first creating a Microsoft application, then phishing potential victims. Once they click on the generated “Authorization URL” and consent, PwnAuth captures the OAuth tokens, which can then be used to access their data. More detailed information on the platform’s usage can be found on the GitHub wiki.

Mitigations include training programs on social engineering and taking steps to diminish the impact of malicious OAuth applications by limiting API scopes they can request, disabling third-party apps within the organization, implementing application whitelisting, logging any user consent events, and querying an organization's user base for all consented applications, the researcher says.
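Both sides of the attack can be illustrated in a few lines of Python. This is an added example for this page, not PwnAuth code: `consent_url` builds the kind of authorization link a consent-phishing campaign sends, using the Microsoft identity platform's authorize endpoint and Microsoft Graph scope names, and `flag_risky_consents` implements the last two mitigations above by scanning consent-grant audit records for non-allow-listed apps that hold high-impact scopes. The client ID, redirect URI, app names, the audit record field names and the allow-list are constructed for the example.

```python
import json
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"

# Delegated Microsoft Graph scopes that give a token holder mailbox, contact or file
# access, or a refresh token (offline_access) that keeps working after the session ends.
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "Contacts.Read",
                    "Files.Read.All", "Files.ReadWrite.All", "offline_access"}


def consent_url(client_id, redirect_uri, scopes, state):
    """The 'Authorization URL' a PwnAuth-style campaign sends to targets. Nothing in it is
    malicious by itself; the damage is in what the victim consents to."""
    params = {"client_id": client_id, "response_type": "code", "redirect_uri": redirect_uri,
              "response_mode": "query", "scope": " ".join(scopes), "state": state}
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def requested_scopes(url):
    """Pull the scope list back out of a consent link (useful when triaging a reported phish)."""
    return set(parse_qs(urlparse(url).query)["scope"][0].split())


def flag_risky_consents(audit_lines, allowed_app_ids):
    """Scan consent-grant audit records (one JSON object per line) and return, per
    non-allow-listed app, the high-risk scopes it was granted and the users who granted them."""
    flagged = {}
    for line in audit_lines.strip().splitlines():
        ev = json.loads(line)
        risky = set(ev["scopes"]) & HIGH_RISK_SCOPES
        if risky and ev["app_id"] not in allowed_app_ids:
            entry = flagged.setdefault(ev["app_id"], {"name": ev["app_name"], "users": [], "scopes": set()})
            entry["users"].append(ev["user"])
            entry["scopes"] |= risky
    return flagged


# Constructed "user consented to application" audit records; the field names are an
# assumption for this example, not any particular product's schema.
CONSENT_AUDIT = """
{"user": "bob@example.org",   "app_id": "app-corp-portal", "app_name": "Corp Portal", "scopes": ["User.Read", "offline_access"]}
{"user": "alice@example.org", "app_id": "app-9f2c", "app_name": "Google Docs", "scopes": ["Mail.Read", "Contacts.Read", "offline_access"]}
{"user": "carol@example.org", "app_id": "app-weather", "app_name": "Weather", "scopes": ["User.Read"]}
{"user": "dave@example.org",  "app_id": "app-9f2c", "app_name": "Google Docs", "scopes": ["Mail.Read", "Contacts.Read", "offline_access"]}
"""
ALLOWED_APPS = {"app-corp-portal"}


def audit():
    return flag_risky_consents(CONSENT_AUDIT, ALLOWED_APPS)


if __name__ == "__main__":
    link = consent_url("app-9f2c", "https://attacker.example/cb", ["Mail.Read", "offline_access"], "s1")
    print(link)
    print(requested_scopes(link))
    print(audit())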

“OAuth abuse attacks are a dangerous and non-traditional phishing technique that attackers can use to gain access to an organization's confidential data. As we move more services to the cloud, organizations should be careful to lock down third-party application access and ensure that their monitoring and detection strategy covers application consent grants. Organizations and security professionals can use PwnAuth to test their ability to detect and respond to this new type of attack,” Bienstock concludes.


Cloudflare Improves DDoS Mitigation Tool
23.5.2018 securityweek Safety

Cloudflare announced a series of improvements to its Rate Limiting distributed denial of service (DDoS) protection tool this week.

Over the past six months, the company has observed an uptick in application (Layer 7) based DDoS attacks and also noticed that the assaults aren’t using huge payloads (volumetric attacks), but rely on a high number of requests per second to exhaust server resources (CPU, Disk and Memory). Attacks with over 1 million requests per second are a common thing, Cloudflare says.

Launched by the web infrastructure company a year ago, the Rate Limiting feature helps customers protect their web applications and APIs from various attacks, including DDoS, credential stuffing and content scraping.

In addition to the previously available Block and Simulate options, the tool now provides customers with Cloudflare JavaScript Challenge and Google reCaptcha (Challenge) mitigation actions available in the UI and API. Additionally, the company claims to have made Rate Limiting more dynamically scalable.

“A new feature has been added which allows Rate Limiting to count on Origin Response Headers for Business and Enterprise customers. The way this feature works is by matching attributes which are returned by the Origin to Cloudflare,” the web protection company notes.

For credential stuffing protection, for example, Cloudflare customers can set a single rule (a Basic rate limit) or multiple rules (Advanced limits), depending on their needs. The aim is that genuine users (who typically enter a wrong password three times before hitting the recovery option) can still log in, while bots (which cycle through thousands of credential combinations to see what works) are stopped.

“With this type of tiering, any genuine users that are just having a hard time remembering their login details whilst also being extremely fast typers will not be fully blocked. Instead, they will first be given out automated JavaScript challenge followed by a traditional CAPTCHA if they hit the next limit. This is a much more user-friendly approach while still securing your login endpoints,” Cloudflare points out.

Cloudflare’s tool also includes a new origin headers feature that allows customers to configure their origin to respond with a header that triggers a rate limit. The header is generated at the origin and added to the response sent back to Cloudflare.

“As we are matching on a static header, we can set a severity level based on the content of the Header. For example, if it was a repeat offender, you could respond with High as the Header value, which could Block for a longer period,” Cloudflare explains.

Rate Limiting can also protect against the increasingly popular enumeration attacks, the company says. Such assaults rely on identifying an expensive operation in an app and then overloading it to exhaust resources and slow down or crash the app.

To fend off such attacks, one can set a rate limit on 404 (page not found) responses, which the app returns when, for example, a queried user does not exist. If the number of 404s crosses the threshold in a given period of time, the app can be set to challenge the user to prove they are a real person.

To mitigate content scraping, Rate Limiting includes support for rules that distinguish between users who browse heavily and bots attempting to copy content for redistribution or reuse. The tool counts the number of requests to each endpoint and the number of hits to the image store, as well as the number of 404 and 403 pages served.
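The three mechanisms described above (tiered thresholds that escalate from a JavaScript challenge to a CAPTCHA to a block, counting only certain origin response codes such as 404, and an origin response header that forces a longer block) share one model: per-client counters over a sliding window, compared against an ordered list of thresholds. The following is an added example that implements that model in a few dozen lines so the behaviour can be traced; it is not Cloudflare's code, configuration syntax or API. The rule names, thresholds, the `X-RL-Severity` header name and the client addresses are all constructed for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Set, Tuple

# Mitigation actions from mildest to harshest; when several rules match one
# request the harshest action wins.
ACTIONS = ["allow", "js_challenge", "captcha", "block"]


@dataclass
class Tier:
    threshold: int  # hits inside `window` seconds at which this tier applies
    window: int     # seconds
    action: str     # one of ACTIONS


@dataclass
class Rule:
    name: str
    path_prefix: str
    tiers: List[Tier]                          # ordered mildest first
    count_statuses: Optional[Set[int]] = None  # count only these origin statuses, e.g. {404}
    origin_header: Optional[str] = None        # origin header that can force a block
    severity_block: int = 600                  # seconds to block when the header says "high"
    hits: Dict[str, Deque[float]] = field(default_factory=lambda: defaultdict(deque))


class RateLimiter:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.blocked_until: Dict[Tuple[str, str], float] = {}

    def _prune(self, rule: Rule, client: str, now: float) -> Deque[float]:
        """Drop hits older than the rule's longest window; return the live queue."""
        q = rule.hits[client]
        horizon = now - max(t.window for t in rule.tiers)
        while q and q[0] <= horizon:
            q.popleft()
        return q

    def action_for(self, rule: Rule, client: str, now: float) -> str:
        if self.blocked_until.get((rule.name, client), 0.0) > now:
            return "block"
        q = self._prune(rule, client, now)
        action = "allow"
        for tier in rule.tiers:  # harshest tier whose threshold is met wins
            if sum(1 for ts in q if ts > now - tier.window) >= tier.threshold:
                action = tier.action
        return action

    def handle(self, client: str, path: str, status: Optional[int],
               origin_headers: Dict[str, str], now: float) -> str:
        """Decide the action for one request and record it for future decisions.

        `status` and `origin_headers` are what the origin returned for this
        request (None / {} if it never reached the origin).
        """
        applied = "allow"
        for rule in self.rules:
            if not path.startswith(rule.path_prefix):
                continue
            action = self.action_for(rule, client, now)
            if ACTIONS.index(action) > ACTIONS.index(applied):
                applied = action
            # Every attempt counts, so a client that keeps hammering a
            # challenged endpoint still climbs to the next tier.
            if rule.count_statuses is None or status in rule.count_statuses:
                rule.hits[client].append(now)
            # Origin headers exist only when the request was forwarded.
            if action == "allow" and rule.origin_header and \
                    origin_headers.get(rule.origin_header, "").lower() == "high":
                self.blocked_until[(rule.name, client)] = now + rule.severity_block
        return applied


def build_demo() -> RateLimiter:
    """Constructed rule set: tiered login limit, 404-only enumeration limit, origin flag."""
    return RateLimiter([
        Rule("login", "/login", [Tier(4, 60, "js_challenge"), Tier(8, 60, "captcha"),
                                 Tier(12, 60, "block")]),
        Rule("user-enum", "/api/users/", [Tier(5, 60, "captcha")], count_statuses={404}),
        Rule("origin-flag", "/", [Tier(10_000, 60, "block")], origin_header="X-RL-Severity"),
    ])


def simulate_login_attempts(n: int) -> List[str]:
    """One client posting to /login once per second with a wrong password."""
    rl = build_demo()
    return [rl.handle("203.0.113.7", "/login", 401, {}, float(i)) for i in range(n)]


def simulate_enumeration() -> Tuple[List[str], List[str]]:
    """Ten lookups of existing users, then seven lookups of missing ones."""
    rl = build_demo()
    ok = [rl.handle("198.51.100.9", f"/api/users/{i}", 200, {}, float(i)) for i in range(10)]
    missing = [rl.handle("198.51.100.9", f"/api/users/x{i}", 404, {}, 10.0 + i) for i in range(7)]
    return ok, missing


def simulate_origin_flag() -> Tuple[str, str, str]:
    """Origin marks a request High; the client is blocked for severity_block seconds."""
    rl = build_demo()
    first = rl.handle("192.0.2.4", "/cart", 200, {"X-RL-Severity": "High"}, 0.0)
    second = rl.handle("192.0.2.4", "/cart", 200, {}, 1.0)
    later = rl.handle("192.0.2.4", "/cart", 200, {}, 601.0)
    return first, second, later
```

With these rules a person who mistypes a password three times is never challenged, a client that keeps going is challenged from the fifth attempt, faces a CAPTCHA from the ninth and is blocked from the thirteenth; successful user lookups never count toward the enumeration rule, but the sixth 404 in a minute triggers a CAPTCHA; and a single origin response carrying the severity header blocks that client for the configured period and nothing longer.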

Cloudflare also decided to increase the number of available rules for Pro and Business customers, for no additional charge. Thus, Pro plans now include 10 rules, while Business plans include 15 rules.


Auth0 Secures $55 Million in New Funding Round
16.5.2018 securityweek  Safety

Identity-as-a-Service (IDaaS) company Auth0 this week announced $55 million in Series D funding led by Sapphire Ventures.

To date, the Bellevue, Wash.-based identity management and authentication company has secured more than $110 million in financing. The firm offers a Universal Identity Platform for web, mobile, IoT, and internal applications and authenticates and secures more than 1.5 billion logins per month.

As part of the new financing round, the firm received investment from World Innovation Lab and existing investors Bessemer Venture Partners, Trinity Ventures, Meritech Capital, and K9 Ventures.

Auth0 plans on using the funds to continue innovation of its Universal Identity Platform, which the company says is used by companies such as VMware, AMD, Mazda, NVIDIA, News Corp, and thousands of others.

Founded in 2013, the company says it managed to double its overall customers and registered more than 100 percent revenue growth last year. This allowed it to hire 140 new employees and open additional offices in London, Sydney, and Tokyo.

“We are humbled by the support from our investors, and emboldened in our mission to provide the most extensible, powerful, and easy-to-use identity management solution available. We look forward to using these funds to make our product and company even better, and to continue offering value to our incredible customers around the world,” said Eugenio Pace, CEO and Co-founder of Auth0.

Last week, Auth0 announced it has joined the Decentralized Identity Foundation (DIF), an initiative from Microsoft, uPort, Gem, Evernym, Blockstack, and Tierion, focused on creating a standards-based ecosystem for managing digital identities. Together with IBM, Accenture, RSA, IDEO, and others, Auth0 will work on creating the specifications for securing and accessing identity data.

“Digital identity is the core of every interaction, transaction, and communication online, but it’s a little like the Wild West right now in terms of standards and specifications around how identity could be handled in a decentralized manner. There is an important need for strong voices to shape the future of this industry, and we are looking forward to our involvement with the Decentralized Identity Foundation,” Martin Gontovnikas, Vice President of Marketing at Auth0, said.


Chrome Browser Now Enforces Certificate Transparency
4.5.2018 securityweek  Safety

Effective May 1, Google’s Chrome browser will display a warning when encountering certificates that are not compliant with the Chromium Certificate Transparency (CT) Policy.

The Google-backed CT attempts to tackle the issue of fraudulently issued certificates by requiring Certificate Authorities (CAs) to log all newly issued certificates. Once the certificate has been reported to the log server, the CA receives a signed certificate timestamp (SCT), which is proof of the submission.

In early 2016, Google announced the addition of a new CT log for CAs removed from trusted root certificate programs and for the ones in the process of being included. In November 2016, the company announced plans to make the CT policy in Chrome mandatory.

Initially planned for October 2017, the enforcement became reality this week: all publicly-trusted certificates (DV, OV, and EV) issued after April 30 need to be CT-compliant. Certificates that fail to comply with the policy won’t be considered trusted (this doesn’t apply to certificates issued from locally-trusted or enterprise CAs that are added by users or administrators).

“Chrome will start enforcing that all TLS certificates issued after April 2018 comply with the Chromium CT Policy in order to be trusted,” Google engineer Devon O'Brien notes in a post on Google Groups.

When encountering a TLS server certificate issued after April 30, 2018 that is not compliant, Chrome will display a full-page interstitial indicating that the connection is not CT-compliant. Sub-resources served over non-CT-compliant HTTPS connections will fail to load and will show an error in Chrome DevTools.

The changes will first roll out to the desktop browser iterations, meaning that macOS, Windows, Linux, and ChromeOS users will be the first to notice the warning.

“CAs are strongly encouraged to work with their customers to ensure their TLS certificates are ready to comply with the Chromium CT Policy via any of the three means specified in RFC 6962 Section 3.3,” O'Brien continued.

Enterprises can, however, disable CT enforcement on managed devices and for managed users who have signed in to Chrome on their personal devices. Chrome will also add a policy allowing them to disable CT enforcement for CAs that only issue certificates to that organization.

“CAs issuing TLS certificates with embedded SCTs should ensure they are compliant with the requirements of Qualifying Certificates in the Chromium CT Policy in order to maintain functionality in Chrome. Enforcement of CT compliance will only apply to certificates issued after April 2018; certificates issued before this date are unaffected,” O'Brien explains.
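What an "embedded SCT" actually is: a SignedCertificateTimestampList, the TLS-style structure from RFC 6962 section 3.3, carried inside an X.509 extension (OID 1.3.6.1.4.1.11129.2.4.2) of the certificate. Each entry is a log's signed promise that it will publish the certificate. The code below is an added example, not Chrome's or any CA's code: it serializes and parses that structure and performs the structural checks a client can do before cryptographic verification. The two logs, their timestamps and the signature bytes are constructed placeholders (there are no real log keys here, so signatures are not verified), and the "at least two distinct logs" rule is an assumption chosen for the example, not the Chromium CT Policy, which is stricter (recognised logs, operator diversity, a valid signature over the precertificate).

```python
import struct
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class SCT:
    """One SignedCertificateTimestamp as laid out in RFC 6962 section 3.2."""
    version: int
    log_id: bytes        # SHA-256 of the log's public key (32 bytes)
    timestamp_ms: int    # milliseconds since the Unix epoch, UTC
    extensions: bytes
    hash_alg: int        # TLS SignatureAndHashAlgorithm code points (4 = sha256)
    sig_alg: int         # 1 = rsa, 3 = ecdsa
    signature: bytes

    def issued_at(self) -> datetime:
        return datetime.fromtimestamp(self.timestamp_ms / 1000, tz=timezone.utc)


def parse_sct(data: bytes) -> SCT:
    """Parse one serialized SCT; raises ValueError on malformed input."""
    if len(data) < 43:
        raise ValueError("SCT too short")
    version = data[0]
    if version != 0:  # v1 is encoded as 0
        raise ValueError(f"unsupported SCT version {version}")
    log_id = data[1:33]
    timestamp_ms, ext_len = struct.unpack(">QH", data[33:43])
    pos = 43
    if len(data) < pos + ext_len + 4:
        raise ValueError("truncated SCT extensions")
    extensions = data[pos:pos + ext_len]
    pos += ext_len
    hash_alg, sig_alg, sig_len = struct.unpack(">BBH", data[pos:pos + 4])
    pos += 4
    if len(data) != pos + sig_len:
        raise ValueError("signature length does not match SCT length")
    return SCT(version, log_id, timestamp_ms, extensions, hash_alg, sig_alg, data[pos:])


def parse_sct_list(data: bytes) -> List[SCT]:
    """Parse a SignedCertificateTimestampList: a uint16 total length followed by
    uint16-length-prefixed serialized SCTs. This is the payload found (once the
    DER wrapping is removed) in the X.509 extension 1.3.6.1.4.1.11129.2.4.2."""
    if len(data) < 2:
        raise ValueError("SCT list too short")
    (total,) = struct.unpack(">H", data[:2])
    if total == 0 or total != len(data) - 2:
        raise ValueError("bad SCT list length")
    scts, pos = [], 2
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated SCT entry")
        (n,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        if n == 0 or pos + n > len(data):
            raise ValueError("bad SCT entry length")
        scts.append(parse_sct(data[pos:pos + n]))
        pos += n
    return scts


def encode_sct(log_id: bytes, timestamp_ms: int, signature: bytes,
               extensions: bytes = b"", hash_alg: int = 4, sig_alg: int = 3) -> bytes:
    """Serialize an SCT (the inverse of parse_sct); used here to build samples."""
    assert len(log_id) == 32
    return (b"\x00" + log_id + struct.pack(">QH", timestamp_ms, len(extensions)) + extensions
            + struct.pack(">BBH", hash_alg, sig_alg, len(signature)) + signature)


def encode_sct_list(serialized: List[bytes]) -> bytes:
    body = b"".join(struct.pack(">H", len(s)) + s for s in serialized)
    return struct.pack(">H", len(body)) + body


def check_sct_list(scts: List[SCT], min_distinct_logs: int = 2,
                   now_ms: Optional[int] = None) -> List[str]:
    """Structural checks only (assumed policy for this example, see lead-in)."""
    problems = []
    if len({s.log_id for s in scts}) < min_distinct_logs:
        problems.append(f"need SCTs from at least {min_distinct_logs} distinct logs")
    for i, s in enumerate(scts):
        if now_ms is not None and s.timestamp_ms > now_ms:
            problems.append(f"SCT {i} is dated in the future")
        if (s.hash_alg, s.sig_alg) not in {(4, 3), (4, 1)}:  # RFC 6962 section 2.1.4
            problems.append(f"SCT {i} uses an unexpected signature algorithm")
    return problems


def build_sample_list() -> bytes:
    """Constructed sample: two made-up logs, placeholder (unverifiable) signatures."""
    ts = int(datetime(2018, 5, 1, tzinfo=timezone.utc).timestamp() * 1000)
    return encode_sct_list([
        encode_sct(b"\xaa" * 32, ts, b"\x30\x44" + b"\x11" * 68),
        encode_sct(b"\xbb" * 32, ts + 1500, b"\x30\x45" + b"\x22" * 69),
    ])


if __name__ == "__main__":
    parsed = parse_sct_list(build_sample_list())
    for s in parsed:
        print(s.log_id.hex()[:16], s.issued_at().isoformat())
    print("problems:", check_sct_list(parsed, now_ms=1_600_000_000_000))
```

Parsing a real certificate's extension needs only the DER unwrapping in front of `parse_sct_list`; the round trip through `encode_sct_list` is what lets the example run offline, and the length checks are the part worth copying, since a list whose declared lengths disagree with its actual size is exactly what a parser must reject rather than read past.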

Many CAs are already logging certificates in public CT logs and are sharing data with each other, meaning that the new policy enforcement should have only a small impact on users.


Mysterious findings emerge from the analysis of SiliVaccine, North Korea’s antivirus software
3.5.2018 securityaffairs Safety

Security experts at Check Point who analyzed North Korea’s antivirus software SiliVaccine discovered that it is based on a 10-year-old anti-malware engine developed by Trend Micro.
Check Point received the very rare sample of North Korea’s SiliVaccine antivirus software from freelance journalist Martyn Williams.

The researchers discovered the SiliVaccine application contained “large chunks of 10+-year-old antivirus engine code belonging to Trend Micro,” a circumstance confirmed by Trend Micro.

“In an exclusive piece of research, Check Point Researchers have carried out a revealing investigation into North Korea’s home-grown anti-virus software, SiliVaccine. One of several interesting factors is that a key component of SiliVaccine’s code is a 10-year-old copy of one of Trend Micro’s, a Japanese company, software components.” reads the analysis published by CheckPoint.


On July 8th 2014, Mr. Williams received an email containing a link to the software. The message was sent by someone going by the name of ‘Kang Yong Hak’, whose mailbox has since been rendered unreachable.

Kang Yong Hak is believed to be a Japanese engineer. The email contained a link to a Dropbox-hosted zip file that held a copy of the SiliVaccine software, a readme file in Korean explaining how to use it, and a suspicious-looking file posing as a patch for SiliVaccine.

The analysis revealed an interesting feature: North Korea’s antivirus software whitelists a mystery malware signature that the legitimate Trend Micro solution does detect.

According to the experts, the whitelisted mystery malware may be nation-state malware that North Korea wants to use for surveillance purposes.

“During our research we discovered that the authors of SiliVaccine have chosen to white-list a single very specific malware signature, and effectively ignore any detection of files matching that specific signature. The white-listed signature is Trend Micro’s ‘MAL_NUCRP-5’, described by Trend Micro as:

“…the Trend Micro detection for suspicious files that manifest behavior and characteristics similar to known NUWAR, TIBS, and ZHELAT variants.” continues the analysis.

“This signature doesn’t seem to be related to any one specific malware, but rather seems to detect specific packing related characteristics common in some malware.”

Check Point discovered other peculiarities, for example the use of the Themida and Unopix packers, which are commonly used to make malware analysis very hard.

As SiliVaccine is the only antivirus software in North Korea, the use of packers could be motivated by the authors’ intent to make analysis by foreign actors difficult.

Check Point also discovered that the antivirus uses a custom encryption scheme for its pattern files, based on a modified SHA1 hashing algorithm.

Experts discovered that SiliVaccine uses three driver components:

sys – Kernel-mode process information collection module.
sys – File system filter driver used for real-time and AV file protection.
sys – Network Transport Driver Interface (TDI) driver.

“This revealing exploration into SiliVaccine may well raise suspicions of authenticity and motives of the IT security products and operations of this Hermit Kingdom.” concludes Check Point.

“While attribution is always a difficult task in cyber security, there are many questions raised by our findings. What is clear, however, are the shady practices and questionable goals of SiliVaccine’s creators and backers.”


All Chrome OS Devices Now Protected Against Meltdown
1.5.2018 securityweek Safety

The latest version of Chrome OS now keeps all devices protected from Meltdown, Google says.

Available as Chrome OS 66.0.3359.137 (Platform version: 10452.74.0), the new Chrome OS release includes additional patches for the critical processor vulnerability, in addition to various new features and bug fixes.

The Meltdown attack was disclosed in the beginning of 2018 alongside another critical CPU bug, Spectre. The two attacks are possible because design flaws in Intel, AMD, ARM and other processors allow malicious programs to bypass memory isolation and access sensitive data.

Google started rolling out Meltdown mitigations in mid-December, before the attacks became public knowledge, pushing a kernel page-table isolation (KPTI/KAISER) patch to roughly 70 Intel-based Chromebook models from Acer, ASUS, Dell, HP, Lenovo, Samsung and others.

Last month, the company released Chrome OS 65 to make the KPTI mitigation against Meltdown available for additional Intel devices with version 3.14 of the kernel.

“Intel devices on 3.8 kernels received the KPTI mitigation against Meltdown with Chrome OS 66. All Chrome OS devices are now protected against Meltdown,” Josafat Garcia of Google Chrome explains in a blog post.

The updated platform iteration is already rolling out to users and should arrive on all devices within days.

Late last week, Google also released an update for the Chrome browser to patch a critical security vulnerability in it, less than two weeks after Chrome 66 landed in the stable channel.

Tracked as CVE-2018-6118, the critical issue was reported by security researcher Ned Williamson on April 12. The vulnerability, a use-after-free in Media Cache, can be exploited by a malicious actor to cause denial of service and possibly execute arbitrary code.

Unfortunately, Google hasn’t provided specific details on the vulnerability itself, nor on its CVSS rating, but it did reveal that the researcher received a $10,500 reward for the discovery.

Released as version 66.0.3359.139 and available for Windows, Mac, and Linux users, the updated browser iteration patches a total of three security flaws.

The remaining two vulnerabilities were found internally and Google hasn’t released details on them either.


Microsoft Brings Application Guard to Windows 10 Pro
1.5.2018 securityweek Safety

Microsoft on Monday made the Windows 10 April 2018 Update available to users. It brings new features, enhancements and security updates, along with improvements to Windows Defender Security Center.

One of the main changes in the update is the availability of Windows Defender Application Guard (WDAG), which allows users to browse the Internet while being protected from sophisticated browser attacks.

First detailed in January last year, Windows Defender Security Center is receiving various enhancements to improve ease of use. The Center was designed to simplify the way users view and control the platform’s security protections, and to help people better understand and leverage the security features protecting them.

With the release of Windows 10 April 2018 Update, the Security Center offers quick access from the context menu when right-clicking the Windows Defender Security Center icon in the notification area. This menu allows users to run a quick scan, update Windows Defender Antivirus definitions, change notification settings, and open the Security Center.

Now, users can also take advantage of the Account Protection pillar in Windows Defender Security Center, which makes it easier for them to protect their identity when signing into Windows. The feature encourages local account users to connect a Microsoft Account (MSA) and password users to set up Windows Hello Face, Fingerprint or PIN for faster and more secure sign in.

Additionally, Dynamic lock now leverages the alerting system in Windows Defender Security Center to inform users when it has stopped working because the Bluetooth on their phone or device is off, Microsoft announced.

A Device Security pillar in the Security Center now delivers greater insight into the security features integrated in Windows devices. There, users can access status reporting, can manage security features built into their devices, and can also toggle features on for enhanced protections.

The update also brings additional options for how notifications are delivered. Users can now customize the type of notifications they receive from Windows Defender Security Center, enabling or disabling notifications about recent automatic scans, or about threats or files that have been blocked.

With the April 2018 update, Microsoft is also enabling Windows 10 in S mode on both Windows 10 Home and Pro PCs. In addition to flexibility and increased performance, Windows 10 in S mode also delivers more protections, as all applications are verified by Microsoft for security and performance.

The update also brings OneDrive Files Restore integration in Windows Defender, which should provide users with expanded ransomware protection. With the new feature, users can save their files to OneDrive and keep files safe from malware.

“If a ransomware threat is found on a device, Windows Defender will notify you of the threat, help you remove the ransomware from your device, and give you the option to use OneDrive Files Restore so you can recover your OneDrive files to the state they were in before the attack occurred,” Microsoft explains.

Office 365 Home subscribers, Office 365 Personal subscribers, and OneDrive for Business users can currently benefit from Files Restore, which allows them to restore their OneDrive to a previous point in time within the last 30 days.

Windows 10 April 2018 Update also brings a new Single Sign-On experience. Now, users can sign into one Microsoft app or service on a device and be signed into all of them. Users can sign in with a Microsoft account to Office 365 and use that account across a full range of Microsoft apps and services.

All Office 365 subscribers will benefit from this feature by June, Microsoft says. All they require is the April 2018 update installed and the latest version of Office. Users will be able to select which Microsoft apps they sign into.

“While all new accounts added will be able to opt into this by default, it can be extended to accounts you have already added as well. Just head to the Settings app, click ‘Accounts’ followed by ‘Email & app accounts’. Choose the account you added previously and select “Microsoft apps can sign me in” from the drop-down,” Microsoft explains.

The April 2018 Update also makes it easier for Microsoft account users to set up Windows Hello on their compatible devices, the company says. Previously, users had to dive deep into Settings to find Windows Hello, but the option to set up Windows Hello Face, Fingerprint or PIN is now accessible directly from the lock screen (by clicking the Windows Hello tile under Sign-in options).