Facebook Intern Gets Preemptive Ax For Exposing Security Flaw

Original Article
from the because-they’re-all-edgy-and-wear-hoodies dept.

Engadget reports that Harvard student Aran Khanna, who was about to begin an internship at Facebook, had that internship yanked after he created (and took down, but evidently too slowly for the company’s taste) a browser plug-in that exposed a security flaw in Facebook, by allowing users to discover the location of other users when they use the Messenger app. Surely Khanna won’t be jobless or internship-less for long. (Don’t expect the app to work now; it’s still in the Chrome store as a historical artifact, though, and at GitHub.)

Posted by timothy

 


Trojanized, Info-Stealing PuTTY Version Lurking Online

from the at-your-command-prompt dept.

Original Article
One of the best first steps in setting up a Windows machine is to install PuTTY on it, so you have a highly evolved secure shell at your command. An anonymous reader writes, though, with a note of caution if you’re installing PuTTY from a source other than the project’s own official page. A malicious version with information-stealing abilities has been found in the wild. According to the article:

Compiled from source, this malicious version is apparently capable of stealing the credentials needed to connect to those servers. “Data that is sent through SSH connections may be sensitive and is often considered a gold mine for a malicious actor. Attackers can ultimately use this sensitive information to get the highest level of privileges on a computer or server, (known as ‘root’ access) which can give them complete control over the targeted system,” the researchers explained.

The Symantec report linked above also shows that (at least for this iteration) the malware version is easy to spot, by hitting the “About” information for the app.

Posted by timothy 10 days ago

10 Ways To Measure IT Security Program Effectiveness

original article

The right metrics can make or break a security program (or a budget meeting).

As CISOs try to find ways to prove ROI to higher ups and improve the overall effectiveness of security operations, the right metrics can make or break their efforts. Fortunately, infosec as an industry has matured to the point where many enterprising security leaders have found innovative and concrete measures to track performance and drive toward continual improvement. Dark Reading recently surveyed security practitioners and pundits to find out the best time-tested metrics to prove security effectiveness, ask for greater investment, and push security staff to improve their day-to-day work.

Average Time To Detect And Respond

Also referred to as mean time to know (MTTK), the average time to detect (ATD) measures the delta between an issue occurring—be it a compromise or a configuration gone wonky—and the security team figuring out there’s a problem. 

“By reducing ATD, Security Operations Center (SOC) personnel give themselves more time to assess the situation and decide upon the best course of action that will enable the enterprise to accomplish its mission while preventing damage to enterprise assets,” says Greg Boison, director of cyber and homeland security at Lockheed Martin.

Meanwhile, the mean time to resolution, or average time to respond, measures how long it takes the security team to respond appropriately to an issue and mitigate its risk.

“Average Time to Respond (ATTR) is a metric that tells SOC management and personnel whether or not they are meeting objectives to quickly and correctly respond to identified violations of the security policy,” Boison says. “By reducing ATR, SOC personnel reduce the impact (including the cost) of security violations.”

Tracking these two metrics continuously over time shows whether a security program is improving or deteriorating. Ideally both should shrink over time.

False Positive Reporting 

Tracking the False Positive Reporting Rate (FPRR) can help put the work of lower-level analysts under the microscope, making sure that the judgments they make on automatically filtered security event data are sifting out false positives from genuine indicators of compromise before anything is escalated to others on the response team.

“Despite the implementation of automated filtering, the SOC team must make the final determination as to whether the events they are alerted to are real threats,” Boison of Lockheed Martin says. “The reporting of false positives to incident handlers and higher-level management increases their already heavy workload and, if excessive, can de-motivate and cause decreased vigilance.”

A high FPRR could indicate that Level 1 analysts need better training, or that the analytics tools need better tuning.

“All too often Level 1 analysts lack a good understanding of and visibility into an incident’s cause and therefore escalate false alerts to Level 3 analysts,” says Lior Div, CEO of Cybereason. “This causes a waste of expensive resources.”

Mean Time To Fix Software Vulnerabilities

Whether for web, mobile, cloud-based, or internal applications, organizations that build custom software should be measuring how long it takes to remediate software vulnerabilities from the time they’re identified, says John Dickson, principal at Denim Group. 

“This measurement helps organizations understand the window of vulnerability in production software,” Dickson says. “Unfortunately, most organizations do not publish this metric internally and as a result, the most serious application vulnerabilities, like SQL injections, remain in production far too long.”

Realistically, this number may be skewed by fixes that never happen, particularly during the development process, which is why organizations should also track the number of critical defects fixed against the number reported. That ratio shows how effective static analysis is for the organization, says Caroline Wong, director of security initiatives for Cigital.

“To obtain this metric, the software security group must be performing static analysis, counting the number of defects initially found — by classification, during first scan — and counting the number of (critical) defects which are actually fixed by developers,” Wong says. “The quality of the code will not actually increase until the developer performs triage on the findings and fixes the actual software defects. The desired trend for this metric is to increase towards 100 percent.”

Patch Latency

In the same vein, patch latency can show how effective the program is at reducing risk from the low-hanging fruit.

“We need to demonstrate progress in the vulnerability patch process. For many organizations with thousands of devices, this can be a daunting task. Focus on critical vulnerabilities and report patching latency,” says Scott Shedd, security practice leader for consulting firm WGM Associates. “Report what we patched, what remains unpatched, and how many new vulnerabilities have been identified.”

Incident Response Volume

Tracking the total number of incident response cases opened against those closed and pending will help CISOs identify how well incidents are being found and addressed. 

“This shows that incidents are being identified along with remediation and root cause analysis,” says Shedd of WGM. “This is critical for continuous improvement of an information security program.”

Fully Revealed Incidents Rate 

This metric can also help get a bead on the effectiveness of the incident response and security analyst functions within a program. 

“What is the rate of incidents handled by the security team into which they have a full understanding of the reason for the alert, the circumstances causing it, its implications, and effect?” says Div of Cybereason.

The lower this rate is relative to the overall volume of opened cases, the larger the gaps in visibility; a low rate could trigger an ask for more investment in staff or tools.

Analytic Production Time

Is your security program suffering from information overload? Measuring the time it takes to collect data compared to when it is analyzed can help answer that question.

“Reducing the analytical timeline allows IT teams to recognize and act more quickly to prevent, or detect and address, breaches, thereby improving the organization’s overall security posture,” says Christopher Morgan, president of IKANOW.

“Reducing the time it takes to analyze security data, from either internal firewall or SIEM information or outside threat intelligence feeds, requires giving data scientists the tools and time to focus on data analysis,” he says.

Percent Of Projects Completed On Time And On Budget 

CISOs can show accountability by offering the CEO, board, and CFO visibility into their spending process by offering metrics on the percent of strategic IT security projects completed on time and on budget, says Dan Lohrmann, chief strategist and chief security officer at Security Mentor. 

“This could be a project on encryption, new firewalls, or whatever the top security projects are,” Lohrmann says. “This metric ensures that security is accountable for delivering ever-increasing value and improvements to the executive team.”

Percentage Of Security Incidents Detected By An Automated Control

One way to justify spend on those shiny boxes is to start tracking how many of the security incidents the organization detects are found by an automated tool.

“This is a good one because it not only encourages you to become familiar with how incidents are detected, it also focuses you on automation, which reduces the need for ‘humans paying attention’ as a core requirement,” says Dwayne Melancon, CTO of Tripwire. “It also makes it easier to lobby for funding from the business, since you can make the case that automation reduces the cost of security while lowering the risk of harm to the business from an unnoticed incident.”

Employee Behavior Metrics

Just how effective is all of that “soft” spending on security awareness training? Steve Santorelli of Team Cymru says there are ways to track and measure that, primarily through phishing and social engineering stress testing, where you test your staff’s phishing awareness and social engineering awareness.

“Basically, you run a fake phishing campaign and make a few hoax calls,” says Santorelli, director of analysis and outreach for the research firm. “Reward and publicize good results, help failures to learn from their errors, and you’ll have folks actively watching out for these attacks–for a few weeks at least.”
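As an added example that is not part of the article: a small Python scorecard that computes several of the metrics above (average time to detect, average time to respond, FPRR, incident response volume, fully revealed incidents rate, and the share of incidents detected by an automated control) over a constructed SOC case log. The record layout and the exact definitions (for instance, FPRR as the share of Level 1 escalations that proved benign, and time metrics that skip false positives and still-open cases) are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Case:
    """One SOC case. Field layout is an assumption for this example."""
    case_id: str
    occurred: datetime            # when the issue actually began
    detected: datetime            # when the SOC first knew about it
    resolved: Optional[datetime]  # None while the case is still open
    escalated: bool               # Level 1 passed it to incident handlers
    false_positive: bool          # escalation proved benign after triage
    fully_understood: bool        # cause, circumstances and impact established
    detected_by: str              # "automated" control or "human" analyst


def _hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600.0


def real_incidents(cases: Iterable[Case]) -> List[Case]:
    # False positives are not incidents, so the time metrics skip them.
    return [c for c in cases if not c.false_positive]


def average_time_to_detect(cases: Iterable[Case]) -> float:
    """ATD / MTTK: mean hours from occurrence to detection."""
    return mean(_hours(c.detected - c.occurred) for c in real_incidents(cases))


def average_time_to_respond(cases: Iterable[Case]) -> float:
    """ATTR: mean hours from detection to resolution, resolved cases only."""
    closed = [c for c in real_incidents(cases) if c.resolved is not None]
    return mean(_hours(c.resolved - c.detected) for c in closed)


def false_positive_reporting_rate(cases: Iterable[Case]) -> float:
    """FPRR: share of Level 1 escalations that turned out to be benign."""
    escalated = [c for c in cases if c.escalated]
    return sum(c.false_positive for c in escalated) / len(escalated)


def incident_volume(cases: List[Case]) -> dict:
    """Incident response volume: cases opened vs closed vs still pending."""
    closed = sum(c.resolved is not None for c in cases)
    return {"opened": len(cases), "closed": closed, "pending": len(cases) - closed}


def fully_revealed_rate(cases: Iterable[Case]) -> float:
    """Share of real incidents whose cause, circumstances and impact are known."""
    real = real_incidents(cases)
    return sum(c.fully_understood for c in real) / len(real)


def automated_detection_share(cases: Iterable[Case]) -> float:
    """Share of real incidents first flagged by an automated control."""
    real = real_incidents(cases)
    return sum(c.detected_by == "automated" for c in real) / len(real)


T0 = datetime(2015, 6, 1, 8, 0)  # arbitrary base time for the sample
H = timedelta(hours=1)
SAMPLE_CASES = [  # constructed sample data, not from any real SOC
    Case("INC-001", T0,         T0 + 2 * H,  T0 + 6 * H,  True,  False, True,  "automated"),
    Case("INC-002", T0 + H,     T0 + 25 * H, T0 + 49 * H, True,  False, False, "human"),
    Case("INC-003", T0 + 3 * H, T0 + 4 * H,  None,        True,  False, True,  "automated"),
    Case("INC-004", T0 + 5 * H, T0 + 5 * H,  T0 + 6 * H,  True,  True,  True,  "automated"),
    Case("INC-005", T0 + 6 * H, T0 + 9 * H,  T0 + 14 * H, False, False, True,  "human"),
]


def scorecard(cases: List[Case] = SAMPLE_CASES) -> dict:
    """Bundle every metric into one report for a management dashboard."""
    return {
        "atd_hours": average_time_to_detect(cases),
        "attr_hours": average_time_to_respond(cases),
        "fprr": false_positive_reporting_rate(cases),
        "volume": incident_volume(cases),
        "fully_revealed": fully_revealed_rate(cases),
        "automated_share": automated_detection_share(cases),
    }
```

Tracking `scorecard()` per reporting period gives the trend the article asks for: ATD, ATTR and FPRR should fall, while the fully revealed and automated-detection shares should rise.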

————–

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Transforming USB sticks into undetectable malicious devices

Original Article


Two researchers Brandon Wilson and Adam Caudill released their attack code to reprogram USB sticks and use them as an undetectable hacking instrument.
Recently, two independent researchers, Brandon Wilson and Adam Caudill, released code that can reprogram benign USB devices, turning them into malicious components.

The experts published the code on GitHub, raising the question of how secure USB devices really are. The BadUSB research was covered in detail at the Black Hat conference, where security experts demonstrated the risks of an undetectable menace carried via USB.

Security experts explained that USB devices can be used to compromise personal computers in a potential new class of attacks that cannot be detected by current security protections.

Karsten Nohl, chief scientist with Berlin’s SR Labs, found that bad actors could carry out this new class of attacks by loading malicious software onto the low-cost computer chips that control the functions of USB devices.

The SR Labs researchers, who presented the attack scheme at the Black Hat conference this summer, point to a series of flaws in the software that runs these tiny electronic components, which are usually designed without any protection against tampering with their code.

Hackers can uncover such flaws and exploit them, creating serious problems for the targeted architecture.

“You cannot tell where the virus came from. It is almost like a magic trick,” said Nohl.

Nohl explained that his team wrote malicious code and deployed it onto the USB controller chips used in thumb drives and smartphones; at that point, a victim merely has to connect the USB device to a computer to trigger the execution of the malicious software.

Nohl and Lell’s BadUSB demonstrations during Black Hat illustrated how their code could overwrite USB firmware and turn a USB device into anything. A flash drive plugged into a PC, could for example, emulate a keyboard and issue commands that steal data from the machine, spoof a computer’s network interface and redirect traffic by altering DNS settings, or could load malware from a hidden partition on the drive.

Antivirus software is not able to detect malicious firmware that controls USB devices, and code inserted with this method can serve many purposes, including spying on communications, tampering with data and logging keystrokes.

But while Karsten Nohl decided not to disclose the attack code, Brandon Wilson and Adam Caudill made their source code public to push the IT industry to adopt the measures needed to secure USB firmware against malicious manipulation.

“The security of these devices is completely compromised,” Wilson said. “You can’t trust anything you plug into your computer any longer, not even something as simple as a flash drive.”
“We’re just taking advantage of the USB protocol,” Wilson said. “This drive is a reprogrammable computer that allows you to do all sorts of things. It allows you to be any device, and up until now, most developers had hard-coded them to behave in specific ways. The firmware on a flash drive makes it behave like a flash drive.”

After Black Hat, Wilson said, they bought numerous drives, tested them, and were able to use the existing tools for updating firmware to get their code to overwrite the firmware on the Phison device. At DerbyCon, they demonstrated their attack with the device pretending to be a keyboard that typed out a predetermined script once it was plugged into the host computer. They also showed another demo in which a hidden partition on a flash drive went undetected by the host PC.

“It’s undetectable while it’s happening,” Wilson said. “The PC has no way of determining the difference. The way a PC determines the type of device all happens through the USB and code on the other device. Our ability to control that code means you cannot trust anything a USB device tells you.”

This kind of attack is very insidious, and device manufacturers need to raise the security of their devices, for example by preventing unauthorized firmware overwriting through digitally signed USB device firmware.

“The fact that we were so easily able to change the firmware is an easy fix. The manufacturers could implement code-signing, but they don’t do that at all,” Wilson said. “That needs to change. And even if they do add code-signing, you still have the other aspect which is that the computer cannot trust what you’re plugging into it. To truly fix the problem, it has to be fixed on the host.”

“When you have a firmware image, you want to protect it in some way. You want a checksum, or something that the drive uses to validate that something is coming across correctly,” Wilson added. “There’s nothing like that. There needs to be something. Code signing is one approach to take for now. But to really shut it down long term, the host needs to be aware that when you plug in a device you don’t trust, it has to be given an option not to trust it. Because once you plug it in, it’s done.”

In summary, threat actors could exploit USB as an attack vector simply by reprogramming USB peripherals, so it is crucial to implement protection against such malicious reprogramming.


Once reprogrammed, any USB device could be used for various malicious purposes, including:

- emulating a keyboard and issuing commands on behalf of the logged-in user, for example to exfiltrate files or install malware. Such malware, in turn, can infect the controller chips of other USB devices connected to the computer;
- spoofing a network card and changing the computer’s DNS settings to redirect traffic;
- booting a small virus from a modified thumb drive or external hard disk when the device detects that the computer is starting up, infecting the computer’s operating system before it boots.

Unfortunately, no effective defenses against USB attacks are possible at this moment: antivirus cannot access the firmware running on USB devices, and behavioral detection is very hard to implement.

Pierluigi Paganini

(Security Affairs – hacking, USB)

Internet Voting Hack Alters PDF Ballots In Transmission

from the don’t-let-the-nice-man-borrow-your-router dept.

The Article


msm1267 (2804139) writes

Threats to the integrity of Internet voting have been a major factor in keeping the practice to a bare minimum in the United States. On the heels of the recent midterm elections, researchers at Galois, a computer science research and development firm in Portland, Ore., sent another reminder to decision makers and voters that things still aren’t where they should be. Researchers Daniel M. Zimmerman and Joseph R. Kiniry published a paper called ‘Modifying an Off-the-Shelf Wireless Router for PDF Ballot Tampering’ that explains an attack against common home routers that would allow a hacker to intercept a PDF ballot and use another technique to modify a ballot before sending it along to an election authority. The attack relies on a hacker first replacing the embedded Linux firmware running on a home router. Once a hacker is able to sit in the traffic stream, they will be able to intercept a ballot in traffic and modify code strings representing votes and candidates within the PDF to change the submitted votes.

This has been a concern for years, since the advent of voting machines; now the hacks are more intrusive and versatile.

Posted by timothy 3 days ago

Retail Breaches Bolster Interest In NIST Cyber Security Advice

Target data breach highlighted risks in corporate supply chains, and companies are looking to government guidelines for ways to shore up cyber defense, says White House.

Last year’s massive Target data breach, in which hackers infiltrated the retailer’s point-of-sale system by exploiting a vendor’s IT system, has prompted corporate executives to take a deeper look at the security posture of companies in their supply chains. It’s also brought greater attention to recommendations released in February by the Obama administration, outlining voluntary national cyber security practices, a White House aide said this week.

The recommendations are part of a cyber security framework developed by the National Institute of Standards and Technology, together with private industry. The framework was originally aimed at critical infrastructure owners in 16 industries, including banks, utilities, and communications. But the document has caught the attention of executives in many fields, because it provides, for the first time, a common template for assessing corporate security practices across entire industries.

“One of the areas that we’ve seen companies… start to use the [cyber security] framework is in vendor management,” as a tool for assessing cyber security risks in their supply chains, said Ari Schwartz, a cyber security advisor on the White House National Security Council.


Finding the weak security links in corporate supply chains has taken on greater urgency for top executives after investigators reported that hackers had gained access to Target’s network using credentials obtained from a heating, ventilation, and air-conditioning (HVAC) vendor. The attackers ultimately made off with as many as 40 million credit and debit card numbers and personal information on 70 million customers. The breach also resulted in the March resignation of Target CIO Beth Jacobs and the departure of Target CEO Gregg Steinhafel earlier this month.

“The key to the cyber security framework is it allows a baseline across different sectors,” said Schwartz. It allows banks, for instance, which have their own set of security practices, a way to better gauge the security practices of their suppliers and discuss that information with their boards of directors.

The framework has already fostered a new market for products that incorporate the cyber security standards outlined in the NIST framework, according to Schwartz.

PwC, for instance, offers a four-step process to implement the cyber security framework that emphasizes collaborative intelligence sharing, according to David Burg, PwC’s global cyber security leader, who pointed to a PwC survey, which found that 82% of companies with high-performing security practices collaborate with others to achieve those goals.

“We feel federal agencies can use these [practices] as well,” Schwartz said. He added that the administration’s “goal is to take the language of the cyber security framework and make it the language of FISMA and the continuous diagnostics and mitigation process,” referring to the federal law guiding agency security practices and to plans for protecting government IT systems.

The cyber security framework was a response to one of five primary areas of cyber security concerns at the White House, Schwartz said at a forum Tuesday at FOSE, a government technology tradeshow.

In addition to protecting the nation’s critical infrastructure, Schwartz said the administration is also concentrating on securing federal networks, developing clearer thresholds for responding to cyberthreats, and working with allies and non-allies on international rules of engagement in dealing with cyber attacks.

Officials are also looking at research and development initiatives to try to get “ahead of the threats,” and in particular, are looking for better identity management and credentialing systems. The user name and password system “is broken, and has been for many years,” he said.

Getting agencies to identify and fix common vulnerabilities, using continuous diagnostics and monitoring (CDM) techniques, is a chief priority for the administration and US deputy CIO Lisa Schlosser.

“Ninety percent of cyber attacks are using common vulnerabilities,” such as phishing and failing to keep patches up to date, and “96% of breaches can be avoided by employing basic controls and hygiene on networks,” she said at the forum.

The White House Office of Management and Budget, the National Security Council, and the Department of Homeland Security have begun a three-phase effort to adopt CDM practices, Schlosser said. Administration officials just completed a government-wide contracting vehicle to help agencies purchase diagnostics hardware and software. Phase 2 will focus on understanding “who’s on the network, where, and why,” and Phase 3 will attempt to provide “real-time visibility, to see what threats are affecting one agency” and use that information to guard against attacks on other agencies, said Schlosser.


############
Wyatt Kash is Editor of InformationWeek Government. He has been covering government IT and technology trends since 2004. He served as Editor-in-Chief of Government Computer News and Defense Systems (owned by The Washington Post Co. and subsequently 1105 Media), where he directed editorial strategy and content operations. He also was part of a startup venture at AOL, where he helped launch AOL Government and led its content and social media operations. His editorial teams have earned numerous national journalism awards. He is the 2011 recipient of the G.D. Crain Award, bestowed annually on one individual nationally for outstanding career contributions to editorial excellence in American business media.

The Heartbleed Hit List

The Heartbleed Hit List: The Passwords You Need to Change Right Now


An encryption flaw called the Heartbleed bug is already being called one of the biggest security threats the Internet has ever seen. The bug has affected many popular websites and services — ones you might use every day, like Gmail and Facebook — and could have quietly exposed your sensitive account information (such as passwords and credit card numbers) over the past two years.

But it hasn’t always been clear which sites have been affected. Mashable reached out to some of the most popular social, email, banking and commerce sites on the web. We’ve rounded up their responses below.


Some Internet companies that were vulnerable to the bug have already updated their servers with a security patch to fix the issue. This means you’ll need to go in and change your passwords immediately for these sites. Even that is no guarantee that your information wasn’t already compromised, but there’s also no indication that hackers knew about the exploit before this week. The companies that are advising customers to change their passwords are doing so as a precautionary measure.

Although changing your password regularly is always good practice, if a site or service hasn’t yet patched the problem, your information will still be vulnerable.

Also, if you reused the same password on multiple sites, and one of those sites was vulnerable, you’ll need to change the password everywhere. It’s not a good idea to use the same password across multiple sites, anyway.

We’ll keep updating the list as new information comes in.

Social Networks Affected