Monthly Archives: April 2018

10 Security Innovators to Watch


Startups in the RSA Conference Innovation Sandbox competed for the title of “Most Innovative.”




“What did you see that was really innovative?”

That’s the question everyone who goes to a trade show hears on returning to the office. At the RSA Conference this month, one answer to the question comes in the annual Innovation Sandbox Contest. The ten finalists this year ranged from cloud offerings to RF security to software connectors, and each presented its unique vision of what companies most need to be secure.

At the end of the presentations, a panel of judges chose the most innovative entrant, and at the end of the article you can see which company took home the trophy.

One thing that’s worth noting is that the security industry is similar to the rest of the computer industry in that acquisition is a chief business model for those starting companies. Of the ten companies participating in the contest, two have already been acquired by other firms — and that number could change by the time you read this.

Here are the 10 young companies that vied for the title of “Most Innovative” in 2018 at RSAC – and a look at the one that came away with the title.



Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …





from Dark Reading – All Stories

USB Sticks Can Trigger BSOD – Even on a Locked Device

A proof of concept for easily generating the blue screen of death (BSOD) on Windows devices has been released, along with a video demonstrating that the denial-of-service effect can take place even if the device is locked.

Using a handcrafted image of a Windows NT file system (NTFS) loaded onto a USB stick, it’s possible to crash the system by simply inserting the drive into the USB port, no further user interaction necessary (as this pair of videos shows).

“Auto-play is activated by default, this leads to automatically crashing the system when [the] USB stick is inserted,” said Bitdefender researcher Marius Tivadar, in a post on GitHub from late last week exposing the problem and the PoC. “Even with auto-play disabled, [the] system will crash when the file is accessed. This can be done…when Windows Defender scans the USB stick [even when locked], or any other tool opening it. If none [of] the above, finally, if the user clicks on the file, [the] system will crash.”

Further, he added that while his own PoC requires physical access to the device with a USB stick, it’s possible to code the attack into malware that could be delivered remotely via spam campaigns or even drive-by downloads.

“If this kind of crash was exploitable, an attacker could load malware even if the system is locked, [and] this could open thousands of possible scenarios,” he said in the supporting materials for the PoC. “Of course, it is not necessary to have a USB stick. Malware, for example, could drop a tiny NTFS image and mount it somehow, thus triggering the crash.”

He said that all three systems he tested were affected: Windows 7 Enterprise 6.1.7601 SP1, Build 7601 x64; Windows 10 Pro 10.0.15063, Build 15063 x64; and Windows 10 Enterprise Evaluation Insider Preview 10.0.16215, Build 16215 x64.

For Microsoft’s part, he said that its security team seemed uninterested when he reached out to the software giant with the problem.

“Reported to Microsoft in July 2017, they did not want to assign [a] CVE for it nor even to write me when they fixed it,” said Tivadar, who discovered the issue last summer. In his GitHub posting, he reprinted an email that he said was from the Microsoft team, which read, “Hey Marius, your report requires either physical access or social engineering, and as such, does not meet the bar for servicing down-level (issuing a security patch)…Your attempt to responsibly disclose a potential security issue is appreciated and we hope you continue to do so.”

Microsoft did not immediately respond to our request for comment.

Tivadar said that he believes the problem is genuinely worthy of concern. “I strongly believe that this behavior should be changed…Generally speaking, no driver should be loaded, no code should get executed when the system is locked and external peripherals are inserted into the machine. I may think [of] this as code [that] gets executed without user consent.”

from Threatpost – English – Global – thr…

KRACK Vulnerability Puts Medical Devices At Risk

A slew of devices from medical technology company Becton, Dickinson and Company (BD) are vulnerable to the infamous KRACK key-reinstallation attack, potentially enabling hackers to change and exfiltrate patient records.

The KRACK vulnerability, disclosed last October, is an industry-wide flaw in the WPA and WPA2 protocols for securing Wi-Fi that can cause “complete loss of control over data,” according to the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). It explained in an advisory that KRACK “could allow an attacker to execute a ‘man-in-the-middle’ attack, enabling the attacker within radio range to replay, decrypt or spoof frames.”

Versions of BD Pyxis, the company’s medication and supply management system, are impacted by the vulnerability, according to ICS-CERT. That includes 12 versions of the system, such as the BD Pyxis Anesthesia ES, BD Pyxis SupplyStation, and BD Pyxis Parx handheld. This means that patient information could be intercepted over Wi-Fi.

BD said in a product security bulletin that KRACK can be exploited from an adjacent network with no privileges or user interaction necessary. However, BD stated, the “attack complexity is high as it requires proximity to an affected Wi-Fi access point and significant technical skills.”

As of now, there is currently no reported instance of the KRACK vulnerability being exploited maliciously against BD devices.

“BD is monitoring the developing situation with a recently disclosed set of vulnerabilities found in the WPA2 protocol affecting confidentiality, integrity and availability of communication between a Wi-Fi access point and a Wi-Fi-enabled client such as a computer, phone, Wi-Fi base stations and other gear, even if the data is encrypted,” the company said in the bulletin.


Since disclosure of the KRACK vulnerability last year, several vendors have come forward issuing patches, including Apple,  Cisco for 69 of its wireless products, Google for Android and Rockwell Automation for its Stratix wireless access points.

“The medical devices cybersecurity landscape is lagging behind in issuing patches to known vulnerabilities, as is exemplified by this series of KRACK vulnerabilities which have been known for a good half a year now,” Leon Lerman, CEO of healthcare cybersecurity firm Cynerio, told Threatpost.

BD, for its part, said it has implemented third-party vendor patches through BD’s routine patch deployment process that resolves these vulnerabilities for most devices, and that it is in the process of contacting users to schedule and deploy patches.

To mitigate risks, BD said that customers should ensure the latest recommended updates for Wi-Fi access points have been implemented in Wi-Fi enabled networks and ensure that appropriate physical controls are in place to prevent attackers from being within physical range of an affected Wi-Fi access point and client.

“BD customers should first and foremost cooperate with the vendor in order to deploy the patches accordingly,” Lerman said. “It’s also crucial to deploy a specialized solution that enables full visibility of all medical devices on the network in order to be able to detect anomalies and mitigate them in real time.”

KRACK targets the four-way handshake of the WPA2 protocol, which runs when a client joins a protected Wi-Fi network. The handshake does not transmit the network password itself; it proves that the client and the access point both hold the same pairwise master key (derived from the password) and negotiates a fresh session key, the pairwise transient key (PTK), from nonces each side contributes. The client installs the PTK after receiving the third handshake message, and because that message may be lost in transit, the access point retransmits it if no fourth message comes back. KRACK manipulates and replays these cryptographic handshake messages: the attacker blocks the fourth message so that the access point, interpreting the silence as a lost or dropped message, retransmits the third one. On receiving the retransmission, a vulnerable client reinstalls the same key and, in doing so, resets the incremental packet number used as the nonce by the data-confidentiality protocol.

“By forcing nonce reuse in this manner, the encryption protocol can be attacked, e.g., packets can be replayed, decrypted and/or forged,” according to researcher Mathy Vanhoef of The Katholieke Universiteit Leuven (KU Leuven), who discovered the flaw last fall, in a report. “The same technique can also be used to attack the group key, PeerKey, TDLS and fast-BSS-transition handshake.”
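To make the mechanism concrete, the following is an added example (not code from the Threatpost article, from BD, or from the KRACK paper) that models a supplicant which installs its session key on handshake message 3 and resets its packet number when it does, then shows what an attacker in radio range gains from blocking message 4 so the access point retransmits message 3. The PTK derivation and the counter-mode keystream are stand-ins built from HMAC-SHA256 rather than the real 802.11 PRF and CCMP, and the PMK, nonces and frames are constructed for the demonstration; the property that matters, that the keystream is fully determined by (key, packet number), holds for CCMP as well. The `patched` flag implements the fix the paper recommends, refusing to reinstall a key that is already in use.

```python
"""Toy model of WPA2 key reinstallation: nonce reuse after a retransmitted message 3."""
import hashlib
import hmac
from typing import List, Optional, Tuple


def toy_prf(key: bytes, data: bytes) -> bytes:
    # Stand-in for the 802.11 PRF (assumption: HMAC-SHA256, not the real construction).
    return hmac.new(key, data, hashlib.sha256).digest()


def toy_keystream(ptk: bytes, pn: int, length: int) -> bytes:
    """Counter-mode keystream determined entirely by (PTK, packet number).
    Stand-in for CCMP's AES-CTR keystream, which shares that property."""
    out = b""
    block = 0
    while len(out) < length:
        out += toy_prf(ptk, pn.to_bytes(6, "big") + block.to_bytes(4, "big"))
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Client:
    """Supplicant side of the handshake. patched=True refuses to reinstall a key
    that is already installed, so the packet number keeps counting upward."""

    def __init__(self, pmk: bytes, patched: bool) -> None:
        self.pmk = pmk
        self.patched = patched
        self.ptk: Optional[bytes] = None
        self.pn = 0  # packet number, used as the per-frame nonce
        self.sent: List[Tuple[int, bytes]] = []

    def on_msg3(self, anonce: bytes, snonce: bytes) -> str:
        ptk = toy_prf(self.pmk, anonce + snonce)  # real: PRF(PMK, ANonce, SNonce, MAC addresses)
        if self.patched and ptk == self.ptk:
            return "msg4"  # key already in use: acknowledge but do not reinstall
        self.ptk = ptk
        self.pn = 0  # installing the key resets the nonce: this is the flaw
        return "msg4"

    def send(self, plaintext: bytes) -> bytes:
        assert self.ptk is not None, "no key installed yet"
        ct = xor(plaintext, toy_keystream(self.ptk, self.pn, len(plaintext)))
        self.sent.append((self.pn, ct))
        self.pn += 1
        return ct


SECRET_FRAME = b"PatientID=12345;Drug=X"  # constructed frame the attacker wants to read


def run_attack(patched: bool) -> bytes:
    """Attacker drops message 4, the AP retransmits message 3, and one known
    plaintext frame recovers the keystream for the nonce the client reused."""
    pmk = hashlib.sha256(b"wifi-passphrase|ssid").digest()  # constructed PMK
    anonce, snonce = b"A" * 32, b"S" * 32  # constructed handshake nonces
    client = Client(pmk, patched)

    client.on_msg3(anonce, snonce)  # first message 3: PTK installed, pn = 0
    known = b"GET /status HTTP/1.1\r\n\r\n"  # predictable frame (24 bytes)
    ct_known = client.send(known)  # encrypted under pn 0

    client.on_msg3(anonce, snonce)  # retransmitted message 3 after msg4 was blocked
    ct_secret = client.send(SECRET_FRAME)  # pn is 0 again unless patched

    keystream = xor(known, ct_known)  # keystream for (PTK, pn 0)
    return xor(ct_secret, keystream)  # correct only if the nonce was reused


if __name__ == "__main__":
    print("unpatched:", run_attack(patched=False))
    print("patched:  ", run_attack(patched=True))
```

The same reused keystream also lets the attacker replay the recorded frame, which is why the page quotes both replay and decryption as consequences; with `patched=True` the second frame goes out under packet number 1 and the recovered keystream no longer applies.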

from Threatpost – English – Global – thr…

Updated GravityRAT Malware Adds Advanced AV Detection

Researchers tracking the evolution of the remote access trojan GravityRAT warn that developers behind the malware have made key changes to the RAT’s code in an attempt to decrease antivirus detection.

“We’ve seen file exfiltration, remote command execution capability and anti-vm techniques added throughout the life of GravityRAT. This consistent evolution beyond standard remote code execution is concerning because it shows determination and innovation by the actor,” wrote Cisco Talos researchers Warren Mercer and Paul Rascagneres in a technical write-up posted last week.

For the past 18 months, Cisco Talos researchers said they have been tracking GravityRAT, with the latest “G2” version spotted two weeks ago. The location of the developers, known as “The Invincible” and “TheMartian,” is unknown. However, researchers said documents used to test anti-virus detection via VirusTotal were submitted from Pakistan.

In August, the National Computer Emergency Response Team (CERT) of India warned that GravityRAT was being used in targeted attacks against India.

GravityRAT’s infection vector is typical: preying on those gullible enough to click on a Word .Docx email attachment and enable macros. By doing so, email recipients are shown a “Protected Document” that prompts targets to “prove that the user is not a robot” (similar to a CAPTCHA). Doing so triggers the infection sequence.

Stage one copies the Word .Docx file, renamed, to the targeted system’s Temp directory as a ZIP archive (the .Docx format is itself a ZIP container). Next, the infection script decompresses the “” file and extracts the .EXE binary stored in it. Lastly, a third step creates a scheduled task, named “wordtest,” to execute the malicious file every day.

“With this approach, the attacker ensures that there is no direct execution (the executable is executed thanks to scheduled tasks), there’s no download of an additional payload, and finally, the author uses the fact that the .Docx format is an archive in order to include its executable (GravityRAT),” researchers said.
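Because the trick relies on a .Docx being a ZIP container, it is also easy to check for on the defensive side. The following is an added example, not Talos’s code and not part of the article, that opens a document as a ZIP and flags members whose name, location or leading bytes do not belong in an Office Open XML file; the member names and suffix list are assumptions for the example, and the two sample documents are constructed in memory.

```python
"""Scan an Office Open XML (.docx) file, which is a ZIP container, for embedded executables."""
import io
import zipfile
from typing import List

PE_MAGIC = b"MZ"  # DOS/PE header present at the start of every Windows executable
# Assumed lists for this example: tune to your environment.
SUSPECT_SUFFIXES = (".exe", ".dll", ".scr", ".ps1", ".vbs", ".js", ".bat")
EXPECTED_PREFIXES = ("[Content_Types].xml", "_rels/", "word/", "docProps/", "customXml/")


def scan_docx(data: bytes) -> List[str]:
    """Return a list of findings for a document given as bytes; an empty list means clean."""
    findings: List[str] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a ZIP container, so not a valid OOXML document"]
    with zf:
        for info in zf.infolist():
            name = info.filename
            if not name.startswith(EXPECTED_PREFIXES):
                findings.append(f"unexpected member outside OOXML layout: {name}")
            if name.lower().endswith(SUSPECT_SUFFIXES):
                findings.append(f"executable/script member name: {name}")
            with zf.open(info) as member:
                head = member.read(len(PE_MAGIC))
            if head == PE_MAGIC:  # catches an .exe renamed to look like an image or XML part
                findings.append(f"PE header (MZ) in member: {name} ({info.file_size} bytes)")
        if "word/vbaProject.bin" in zf.namelist():
            findings.append("VBA macro project present (word/vbaProject.bin)")
    return findings


def build_sample(with_payload: bool) -> bytes:
    """Constructed minimal .docx-like ZIP; with_payload=True hides a fake PE as an image."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_payload:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed OLE stub")
            zf.writestr("word/media/image1.png", PE_MAGIC + b"\x90\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("clean", build_sample(False)), ("payload", build_sample(True))):
        print(label, scan_docx(doc) or "no findings")
```

Run this at a mail gateway or on an EDR-collected sample; pairing it with a check for newly created scheduled tasks whose action points into a user’s Temp directory covers the other half of the chain described above.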

Once infected, GravityRAT targets the system’s basic user data and steals .Docx, .Doc, .PPTx, .PPT, .xlsx, .xls, .Rtf and .PDF files. This latest version of the RAT goes further and collects open ports on the victim’s system, lists all the running processes and steals files on any connected USB drive, researchers said.

The malware dates back to December 2016, with early samples given the version name G1 and later G2. The latest GravityRAT, published in December 2017, is GX.

“This version is the most advanced variant of GravityRAT. Throughout the evolution, we saw this malware embedding open-source legitimate .NET libraries (for schedule tasks, compression, encryption, .NET loading). It contains a resource named ‘important.’ This is an archive with a password,” researchers said.

The RAT has been updated with seven checks that try to determine whether the system is running in a virtual machine, the environment typically used by AV researchers for analysis, so that it can stay quiet there. One check looks for a VM hypervisor. Another makes a Windows Management Instrumentation request for the BIOS version. “If the response contains: ‘VMware’, ‘Virtual’, ‘XEN’, ‘Xen’ or ‘A M I’ the system is considered as a virtual machine,” according to Cisco Talos.

Malware attacks via malicious Microsoft Office documents may seem crude, but researchers argue they are still extremely effective and inexpensive compared to more sophisticated attacks. Over the years, the malicious document attacks have flourished, ranging from document files that drop the banking trojan Dridex, bots such as Kasidet, and Locky ransomware. Attackers working with the BlackEnergy APT group were also spotted using Word documents to drop payloads on Ukrainian users.

“This actor is probably not the most advanced actor we’ve seen,” Cisco Talos researchers said. The fatal error, they said, was that attackers did not take the time to obfuscate .NET code used in the malware. “The code was largely trivial to reverse engineer, which meant static analysis was an easy option for this piece of malware.”

from Threatpost – English – Global – thr…

NIST Updates Cybersecurity Framework to Tackle Supply Chain Threats, Vulnerability Disclosure and More

Four years after the initial iteration was released, the National Institute of Standards and Technology (NIST) has released version 1.1 of the Framework for Improving Critical Infrastructure Cybersecurity.

The framework was developed to be a voluntary, risk-based framework to improve cybersecurity for critical infrastructure in the United States. It’s the result of a President Obama-issued executive order calling for the development of a set of standards, guidelines and practices to help organizations charged with providing the nation’s financial, energy, health care and other critical systems better protect their information and physical assets from cyberattack. 

Like the first version, Version 1.1 of the framework was created through public-private collaboration via a series of recommendations, drafts and comment periods. Changes in Version 1.1 include updates on authentication and identity, self-assessing cybersecurity risk, managing cybersecurity within the supply chain and vulnerability disclosure, among others.

For one, the update has renamed the Access Control Category to Identity Management and Access Control, to better account for authentication, authorization and identity-proofing.

It also adds a new section, Section 4.0, Self-Assessing Cybersecurity Risk with the Framework, which explains how organizations can use the framework to understand and assess their cybersecurity risk, including the use of measurements.

On the supply-chain front, an expanded Section 3.3 helps users better understand risk management in this arena, while a new section (3.4) focuses on buying decisions and the use of the framework in understanding risk associated with commercial off-the-shelf products and services. Additional risk-management criteria were added to the Implementation Tiers for the framework; and a supply-chain risk-management category has been added to the Framework Core.

Other updates include a better explanation of the relationship between Implementation Tiers and Profiles; added clarity around the term “compliance,” given the variety of ways in which the framework can be used by an organization; and the addition of a subcategory related to the vulnerability disclosure lifecycle.

“This update refines, clarifies and enhances Version 1.0,” said Matt Barrett, program manager for the Cybersecurity Framework. “It is still flexible to meet an individual organization’s business or mission needs, and applies to a wide range of technology environments such as information technology, industrial control systems and the Internet of Things (IoT).”

Its goal is to be flexible enough to be adopted voluntarily by large and small companies and organizations across all industry sectors, as well as by federal, state and local governments.

“The release of the Cybersecurity Framework Version 1.1 is a significant advance that truly reflects the success of the public-private model for addressing cybersecurity challenges,” said Walter Copan, NIST director. “From the very beginning, the Cybersecurity Framework has been a collaborative effort involving stakeholders from government, industry and academia.”

So far, adoption of the framework has been fairly widespread: PwC’s 2018 Global State of Information Security Survey (GSISS), for instance, found that respondents from healthcare payer and provider organizations, as well as oil and gas companies, said the NIST Cybersecurity Framework is the most commonly adopted set of information security standards in their respective industries. The report also found that financial institution clients were widely embracing benchmarking of their cyber risk management programs against the NIST Cybersecurity Framework.

“Cybersecurity is critical for national and economic security,” said Secretary of Commerce Wilbur Ross. “The voluntary NIST Cybersecurity Framework should be every company’s first line of defense. Adopting version 1.1 is a must do for all CEOs.”

Efforts to expand its influence are continuing: In May 2017, President Trump issued the Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, which directs all federal agencies to use the Cybersecurity Framework. Also, corporations, organizations and countries around the world, including Italy, Israel and Uruguay, have adopted the framework, or their own adaptation of it, NIST noted.

Meanwhile, to help ease the process of adoption, the Information Security Forum (ISF) has mapped the framework and its annual Standard of Good Practice for IT security professionals. Last year, IT governance organization ISACA launched an audit program aligning the NIST framework with COBIT 5, designed to provide management with an assessment of the effectiveness of an organization’s plans to detect and identify cyber-threats, and protect against them.

“We’re looking forward to reaching more industries, supporting federal agencies, and especially helping more small businesses across the U.S. benefit from the framework,” said Barrett.

Later this year, NIST plans to release an updated companion document, the Roadmap for Improving Critical Infrastructure Cybersecurity, which describes key areas of development, alignment and collaboration.

“Engagement and collaboration will continue to be essential to the framework’s success,” said Barrett. “The Cybersecurity Framework will need to evolve as threats, technologies and industries evolve. With this update, we’ve demonstrated that we have a good process in place for bringing stakeholders together to ensure the framework remains a great tool for managing cybersecurity risk.”

from Threatpost – English – Global – thr…

Twitter Sold Data To Cambridge Analytica-Linked Company

Twitter is the latest company to face scrutiny for how it protects user data, after disclosing this week that it sold data access to a Cambridge Analytica-linked researcher.

The news comes a month after Facebook came under fire for leaking user data to Cambridge Analytica through a third-party app. A Twitter spokesperson told Threatpost that Global Science Research (GSR), the company owned by the researcher who supplied that Facebook data to Cambridge Analytica, had “one-time API access” to a “random sample of public tweets” in 2015.

“Based on the recent reports, we conducted our own internal review and did not find any access to private data about people who use Twitter,” the spokesperson told Threatpost. “Unlike many other services, Twitter is public by its nature. People come to Twitter to speak publicly, and public tweets are viewable and searchable by anyone.”

According to the spokesperson, GSR had access during a five-month period, from December 2014 to April 2015. Since then, Twitter has made the policy decision to off-board advertising from all accounts owned and operated by Cambridge Analytica.

“This decision is based on our determination that Cambridge Analytica operates using a business model that inherently conflicts with acceptable Twitter Ads business practices. Cambridge Analytica may remain an organic user on our platform, in accordance with the Twitter rules,” the spokesperson said.

Cambridge Analytica is a U.K.-based company that helps political parties target voters with specific messages. The company recently put Facebook in hot water after it was revealed that it harvested data of 50 million Facebook users using one of the social network’s APIs. Cambridge Analytica worked on several high-profile political campaigns, including the presidential bids of Donald Trump and Senator Ted Cruz (R-Tex.).

In 2015, app developer Aleksandr Kogan requested access to information from users who downloaded his third-party app, “thisisyourdigitallife,” on Facebook, which billed itself as “a research app used by psychologists.” In reality, that data was being given to Cambridge Analytica.

Kogan owns GSR, the Cambridge, U.K.-based company founded in 2014 with a goal “to optimize marketing strategies with the power of big data and psychological sciences,” according to its website.

While both situations are raising questions about data privacy on social-media platforms, key differences exist between Facebook’s data privacy debacle involving Cambridge Analytica and that of Twitter.

While Facebook users’ private data was sold through a third-party app unbeknownst to the social media giant, Twitter sold public user data to GSR directly, giving it access through the Twitter API. Twitter’s API platform provides broad access to “public Twitter data that users have chosen to share with the world,” Rob Johnson, senior director of Product Management at Twitter, said in a recent post outlining Twitter API policy.

“Some of our APIs allow users to manage their own non-public Twitter communications (e.g., direct messages) and provide this information to developers whom they have authorized to do so,” he said in the post. “Access to this information is not granted by default, and we do not sell direct messages.”

Last week, Twitter tightened its developer platform to make user privacy more transparent. One such change prohibits developers from deriving sensitive information – like race and political affiliation – from end users.

“Even for people who will never use one of our developer products, it’s our job to appropriately educate and provide resources to those who wish to understand how their data may be used in our developer platform,” Johnson said in a post about the changes.

Still, the stakes are high for Twitter and social-media companies in general as they grapple with data-protection policies. Twenty-six percent of users deleted or plan to delete their Facebook accounts on the heels of the headlines about Cambridge Analytica misusing Facebook user data, according to a recent study by Centrify.

“Social media and data privacy are antonyms by design,” Ilia Kolochenko, CEO of web security company High-Tech Bridge, told Threatpost. “Even in the light of current efforts of Facebook and Twitter to protect as much of their users’ data as possible, the very purpose of social media is to share information. …social networks can merely educate about privacy concerns and better explain how users’ personal data will be used and in which context.”


from Threatpost – English – Global – thr…

What Meltdown and Spectre Mean for Mobile Device Security


Here are four tips to keep your mobile users safe from similar attacks.

There’s no question we’re still on high alert from Meltdown and Spectre. The fear and uncertainty have been unsettling for everyone, and it will take a while for things to calm down as patches are released, and recalled, for desktop operating systems. The month of March brought with it expanded patching efforts by Microsoft for the two flaws.

Mobile OS Differences
There’s less talk of the situation on the mobile side. From a perception standpoint, things may seem more settled. But significant underlying risks remain, and mobile as a threat vector should definitely not be overlooked. Understanding Meltdown and Spectre developments specific to mobile is an important step toward proper defense.  

For starters, mobile operating systems don’t have the ability to make the “push-pull” types of patching moves we’ve seen for Meltdown and Spectre on traditional endpoints. Advice like “Push the patch out. No, roll it back because we found there might be some issues with performance” on the traditional endpoint side — that doesn’t translate to mobile.

Meltdown/Spectre Patching Progress for Mobile
When it comes to iOS, Apple has released patches specifically for Meltdown and mitigations against Spectre. Sending out updates to Safari seems to be Apple’s solution for how to handle Spectre. Google has followed suit with the same course of action to address both flaws.

There are specific challenges associated with how changes make their way through the Android ecosystem, however. Our company’s global threat data consistently shows that well over two-thirds and — depending on timing — up to 80% of Android devices are running out-of-date operating systems. Meanwhile, our data shows about 25% to one-third of devices running iOS are using out-of-date versions.

Now that patches are out for Meltdown and Spectre, it’s a matter of whether companies update their employees’ devices and whether, on the Android side of things, the updates percolate all the way through the Android ecosystem.

For Better or Worse, Mobile Users Are in Control
One of the biggest differences between traditional and mobile endpoints is that there is no equivalent of an enterprise patch management system for mobile: the OS update comes from the platform vendor (and, on Android, the handset maker and carrier), and the user decides when to install it. If you talk to enterprise IT security people, chances are they will tell you the single greatest security risk to a company is a carbon-based life form — aka, a human being. For traditional endpoints, you’ve got a patch management system and then centrally managed antivirus, centrally managed network firewalls, etc. All of these investments take IT control out of the hands of end users and give it to security pros, who are trained to defend against this weak (human) link in the security chain.

Mobile flips the model on its head. With mobile devices, you take the same users who make bad-enough mistakes as it is with all of the abovementioned network security precautions —  and you give them full control over a small supercomputer (that is, their mobile device). You say, “You’re the admin for it; you’re responsible for deciding what networks you’re going to go in and out of, what apps you’re going to download, and, as your employer, I’m totally beholden to you to update your devices.”

Stay Protected
When it comes to getting protected, IT pros and companies should keep the following four tips in mind:

  • For any device entering corporate networks, implement the ability to determine the OS version.
  • Create a communication plan to encourage users to upgrade whenever new patches are available. Send this information out via email and text, and also in-line to out-of-date devices as they enter your network.
  • Consider limiting or prohibiting access to certain key resources from out-of-date devices to encourage patching.
  • Implement solutions that can detect exploit attempts, rogue Wi-Fi networks, and malicious apps.
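The first three tips amount to one gate: learn the OS version of each device that connects, nudge the ones that are out of date, and keep them away from key resources. The following is an added example (not Zimperium’s code and not from the article) that parses the OS version from a browser User-Agent string, compares it against a per-platform minimum and returns allow, warn or deny. The minimum versions are assumed policy values for the example, not a statement of which builds carry the Meltdown/Spectre fixes; take those from the vendors’ bulletins. The sample User-Agent strings are constructed.

```python
"""Gate access by mobile OS version reported in the User-Agent header."""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

# Assumed policy thresholds for this example; set from vendor security bulletins.
MIN_VERSION: Dict[str, Version] = {"ios": (11, 2, 2), "android": (8, 1, 0)}

IOS_RE = re.compile(r"(?:iPhone|iPad|CPU) OS (\d+(?:_\d+)*)")
ANDROID_RE = re.compile(r"\bAndroid (\d+(?:\.\d+)*)")

# Constructed sample User-Agent strings.
SAMPLE_UA = {
    "ios_current": "Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_2 like Mac OS X) "
                   "AppleWebKit/604.4.7 (KHTML, like Gecko) Version/11.0 Mobile/15C202 Safari/604.1",
    "android_old": "Mozilla/5.0 (Linux; Android 7.0; SM-G930F Build/NRD90M) "
                   "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.137 Mobile Safari/537.36",
    "unknown": "curl/7.58.0",
}


def parse_platform(user_agent: str) -> Optional[Tuple[str, Version]]:
    """Return (platform, version tuple) or None when the UA names neither platform."""
    m = IOS_RE.search(user_agent)
    if m:
        return "ios", tuple(int(p) for p in m.group(1).split("_"))
    m = ANDROID_RE.search(user_agent)
    if m:
        return "android", tuple(int(p) for p in m.group(1).split("."))
    return None


def fmt(version: Version) -> str:
    return ".".join(str(p) for p in version)


def decide(user_agent: str, key_resource: bool) -> Tuple[str, str]:
    """Return (verdict, message). 'allow' meets policy; 'warn' serves the request with an
    in-line update notice; 'deny' blocks an out-of-date or unidentifiable device from a key resource."""
    parsed = parse_platform(user_agent)
    if parsed is None:
        verdict = "deny" if key_resource else "warn"
        return verdict, "OS version could not be determined from this client"
    platform, version = parsed
    minimum = MIN_VERSION[platform]
    if version >= minimum:  # tuple comparison handles differing component counts
        return "allow", f"{platform} {fmt(version)} meets policy"
    verdict = "deny" if key_resource else "warn"
    return verdict, f"{platform} {fmt(version)} is below required {fmt(minimum)}; please update"


if __name__ == "__main__":
    for name, ua in SAMPLE_UA.items():
        for key in (False, True):
            print(name, "key_resource" if key else "ordinary", decide(ua, key))
```

The User-Agent is client-controlled, so treat this as the nudge-and-gate mechanism the tips describe rather than as device attestation; where a mobile device management agent or a device-posture signal is available, feed its reported OS build into `decide` instead of the browser string.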


JT Keating, Vice President of Product Strategy at Zimperium, has brought software and mobile communications solutions to market for 25 years. Being passionate about security, he helped define and create multiple innovative approaches, including application whitelisting at …


from Dark Reading – All Stories