New infosec products of the week​: June 23, 2017

API Behavioral Security: Detecting and blocking attacks targeting API infrastructures

Elastic Beam unveiled its flagship solution, API Behavioral Security (ABS), the first AI-powered software platform able to detect and block cyberattacks that target APIs to compromise corporate data and systems – in public clouds, hybrid clouds, or on premise. ABS requires no predefined policies, security rules, or attack signatures, and can stop attacks that are new and constantly changing. Its API activity reporting simplifies forensic analysis and facilitates meeting compliance requirements.

Entrust Datacard introduces the IntelliTrust Authentication Service

Entrust Datacard launched IntelliTrust authentication service – its new authentication cloud service with Mobile Smart Credential technology. This adaptive authentication solution leverages the low touch deployment aspects of the cloud with new levels of intelligent identity capabilities to provide for a better user experience with stronger security in an easy-to-deploy model.

Neurotechnology adds face recognition and analytics to video management systems

Neurotechnology released SentiVeillance Server, a ready-to-use solution that integrates with surveillance video management systems (VMS). Based on the company’s deep neural network technology for facial recognition from surveillance camera video, SentiVeillance Server enhances VMS with advanced capabilities, such as the ability to quickly and accurately recognize faces in video streams and trigger analytical event notifications whenever an authorized, unauthorized or unknown person is detected.

Raytheon launches new Cyber Protection System with scalable response centers

Raytheon unveiled its new Cyber Protection System with scalable Cyber Response Centers for global defense, intelligence and commercial customers. The tiered CRCs – Primary, Enterprise and National – are pre-configured and provide intrusion detection, network analysis and incident response to proactively address cyber threats. The CRCs can also be customized with optional capabilities, including insider threat detection.

Wheel Systems launches Wheel Lynx Infinity SSL/TLS decryptor

Wheel Systems launched a new SSL/TLS decryption appliance, which offers traffic decryption speed of 50 gigabits per second. Wheel Lynx SSL/TLS Decryptor Infinity is designed to work both inline and out-of-band. It works with existing IDS/IPS, DLP and BDS solutions, as well as anti-virus products. A built-in whitelist function ensures compliance with privacy protection regulations.

from Help Net Security – News http://bit.ly/2tAKmz8
via IFTTT

Organizations still unclear on cloud security responsibility

Vanson Bourne surveyed 1,300 IT decision makers from organizations using public cloud Infrastructure as a Service (IaaS) from the Americas, Europe, Middle East and Africa (EMEA), and from Asia Pacific (APAC).

Background public cloud use

Respondents’ use of public cloud is on the rise, as is their sophistication in working within the cloud. On average, organizations have nearly 40 percent of their infrastructure in the public cloud today, with the expectation to increase this to 70 percent over the next five years. Four in 10 reported that their organization relied on public cloud deployments to expand their services, often replicating those over multiple regions, while 30 percent said they only migrated selected services to the cloud and kept the balance on premises.

Overall, the survey found that organizations are growing more comfortable with hybrid environments that deploy a range of public cloud services along with more traditional on-premises infrastructure.

Public cloud benefits

Nearly all the respondents (99 percent) said that their organization has seen benefits as a result of moving to the public cloud, including greater scalability and reduced IT expenditures.

The survey found, on average, that organizations didn’t use a single cloud provider for everything, and cited a number of reasons for this: Top of mind was that different providers had different strengths (63 percent), followed by the view that this increased security (51 percent) and helped keep costs down (42 percent).

Public cloud challenges

Security remains the biggest challenge when it comes to using the public cloud – 71 percent felt that security concerns restricted their ability to migrate workloads to the public cloud. Nine in 10 (91 percent) organizations reported they worried about their use of public cloud, with cyberattacks being the chief concern at 54 percent.

Phishing (50 percent), DDoS (47 percent), APTs (45 percent), and ransomware (41 percent) were the threats that most concerned them. Over half (56 percent) had experienced at least one cyberattack, and the average number of attacks an organization had seen was five.

The challenge with security was further heightened with the information organizations are storing in public clouds: Over 50 percent of all organizations store some type of personal data (personnel records, medical records, etc.) in the public cloud, and nearly the same percent (55 percent) store customer order history.

Public cloud security

The Shared Responsibility Security Model – wherein cloud providers are responsible for the security of the cloud, while organizations using the cloud are responsible for the security of what they put in the cloud – is not new, and 72 percent felt they fully understood their cloud security responsibilities.

This was in stark contrast to what organizations believed their cloud provider was responsible to provide for security – 71 percent felt the cloud provider was responsible for customer data in the public cloud, and 66 percent for applications in the public cloud.

Additionally, 52 percent were confident that their move to the cloud was secure, with three in five – 62 percent – responding that they had included additional security solutions in their public cloud infrastructure.

“This report highlights the ongoing increase in public cloud use globally, with many organizations seeing substantial process and financial benefits. However, there are still a significant number of organizations that are not clear on the shared security model and the implication to their data and applications,” said Senior Vice President and General Manager of Security at Barracuda, Hatem Naguib. “The challenges in migrating legacy security appliances and architectures require having the right infrastructure for securing hybrid cloud solutions. Organizations need to select cloud ready security solutions that are designed for the new architectures and capabilities enabled by public and hybrid cloud adoption.”

Recommendations

Organizations often end up with multiple cloud providers, as well as having an on-premises (legacy) infrastructure. This can have implications on complexity and overall costs; it’s further compounded when third-party solutions such as security are added to the mix. Therefore, customers are advised to look for third parties who support a wide range of ecosystems with the same or similar solutions.

As customers weigh licensing options – by usage, per hour, unlimited, etc. – we see customers beginning to understand how they can leverage different ones to gain greater cost controls. This becomes more important when third-party vendors are added to the mix. Customers value when third parties offer equivalent licensing options to how the customer is licensing their public cloud infrastructure.

Companies deploying the most common security routine – routing branch locations’ traffic through a central security solution – generally find these solutions lack scale and cost benefits as their cloud leverage increases. Companies that look at distributed security solutions, such as next-generation firewalls and web application firewalls, closer to the point of access reduce those issues, but find new ones in managing multiple devices. Therefore, look for vendors who can provide a common management scheme – either in their products or using public cloud security infrastructures – to simplify managing and monitoring ongoing security.

from Help Net Security – News http://bit.ly/2t1OhaC
via IFTTT

‘GhostHook’ Foils Windows 10 64-bit’s Kernel Protection

Microsoft says an attacker needs kernel-level access before they can use the ‘GhostHook’ technique to install a rootkit, but CyberArk researchers say attackers need only local access.

Microsoft’s PatchGuard kernel patch protection technology has played a big part in preventing attackers from installing rootkits on systems running Windows 10 64-bit; at least so far. But now, security researchers from CyberArk Labs say they have found a way to bypass PatchGuard protections and gain rootkit abilities on systems running Windows x64 operating systems.

The technique, which the researchers have dubbed GhostHook, involves a weakness in Microsoft’s implementation of Intel Processor Trace (Intel PT), a technology used primarily for performance monitoring, malware analysis, fuzzing, debugging, and exploit detection.

The weakness exists specifically at the point where Intel PT talks to Windows, says CyberArk researcher Kasif Dekel. It gives threat actors a way to “hook” or intercept any piece of code running on the machine and gain control over the way it behaves.

Hooking is neither an exploit technique nor an escalation of privilege approach, Dekel noted separately in a blog. Many software products, including application security tools, system utilities, and software extensions, incorporate the technique. When used in a malicious context, hooking allows threat actors to, among other things, plant rootkits on systems where the attacker already has control over the asset.

GhostHook is the first known technique that gives attackers the ability to use hooking to gain complete control over 64-bit Windows systems at the kernel level. It gives attackers a way to gain access to a Windows system in a manner that is virtually undetectable by anti-malware tools, host intrusion prevention systems, personal firewalls, next-gen endpoint products and any tool that relies on information from the kernel.

Microsoft did not immediately respond to a Dark Reading request for comment on CyberArk’s discovery, or on its claims about being able to gain complete kernel-level access on 64-bit Windows systems.

But in a response to CyberArk—which Dekel included in his alert—a member of Microsoft’s engineering team said the company’s analysis showed that attackers would already need to be running kernel code on the system in order to be able to use GhostHook. 

“As such, this doesn’t meet the bar for servicing in a security update however it may be addressed in a future version of Windows. As such I’ve closed this case,” the engineer’s response noted.

Dekel, though, says that the attacker only needs to gain local admin rights on a machine to exploit the technique. “Gaining this level of access is table stakes for attackers, typically accomplished through simple phishing emails,” he says. “This technique is about moving beyond admin rights and exploiting the machine at the kernel level. Attackers would be able to gain full control over the network and gain the ability to intercept anything on a system.” GhostHook allows attackers to bypass security layers that were specifically designed to combat malware with administrative rights on a system, he says.

For the moment, at least, there is no evidence that the technique is being actively used to attack Windows 10 systems. But the skills needed to pull off an attack using the GhostHook technique are well within the capabilities of nation-state actors, especially those who have already proven the ability to craft 64-bit malware like the disk-erasing Shamoon.

“We believe that if attackers were able to execute ransomware through this technique, the results would be devastating,” Dekel said. “Today’s ransomware works in user mode because of PatchGuard. If they were able to execute this code behind PatchGuard, it would [have a] catastrophic effect.”

Mitigating the threat will require Microsoft to implement fixes in several places in the Intel PT feature. The company will also need to add PatchGuard protection to Intel’s PT module, says Dekel.

“Third-party players should take into consideration that information coming from kernel modules is not always reliable,” Dekel says. “They should gather the same information from various APIs and different locations in order to verify the integrity of it.”

Black Hat USA returns to the Mandalay Bay in Las Vegas, Nevada, July 22-27, 2017.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.

from Dark Reading – All Stories http://ubm.io/2sGFJni
via IFTTT

Nuclear Plants, Hospitals at Risk of Hacked Radiation Monitoring Devices

Security researcher discovers major security flaws that can’t be patched or fixed.

Design flaws in devices used to monitor radiation levels in nuclear plants, hospitals, seaports, and at border controls, could be exploited by an attacker to inject phony radiation readings, a security researcher has found.

Ruben Santamarta, principal security consultant at IOActive, reverse-engineered the firmware of two different brands of radiation monitoring devices as well as analyzed their hardware and a proprietary radio frequency (RF) protocol used for communicating with those devices, and discovered major design flaws that leave them open for hacking.

The vulnerabilities are not your standard buffer overflows or other known classes of bugs, he says. “This research covers several design-level vulnerabilities,” says Santamarta. “The vulnerabilities are related to the design of these devices and their radio protocols.”

And the catch: there’s no fix or patch that can remedy them, he says. “There’s no solution for these issues,” Santamarta says. “You can’t patch them because it’s the way they are designed.”

Santamarta won’t name the affected vendors or provide many of the technical details of his findings until his presentation on his research next month at Black Hat USA, Go Nuclear: Breaking Radiation Monitoring Devices. He says many other brands of radiation monitoring devices are also vulnerable to attack because they all use the same RF protocols for communications.

The RF protocols used for communicating to and from the devices either lack encryption altogether or use weak encryption algorithms in the cases where they do employ crypto, he says. “There were weak encryption algorithms for radio communications and for updates to” the device firmware, he says.

“In this [Black Hat] talk, I’m going to try to explain how to reverse-engineer an entire radio protocol, from physical to application layer,” he says.

An attacker could wage a cyberattack on these devices from as far away as 20 kilometers, he says. “You don’t need to be near the facility to attack it,” Santamarta says. And there are plenty of tools available for an attacker to jump onto the RF network. “The problem with radio is it’s difficult to mitigate” an attack via it, he says.

The weak RF protocols and firmware could allow an attacker to inject fake radiation readings, so that if there were a radiation accident or leak, it couldn’t be detected, for example. Or the reverse: it could send phony readings of high radiation levels when none were actually present, he says.

“Potentially false readings can trick operators into performing actions” that aren’t correct if they are incorrectly alerted that radiation exposure has occurred, for example, he says. “An attacker could inject false readings into a nuclear power plant’s radiation monitoring device simulating a massive radiation leak … How is the operator going to react?”

“These are the worst-case” scenarios of attacks exploiting the design flaws in the devices and their protocols, he says.

So what can organizations using radiation monitoring devices do to prevent a cyberattack on the equipment?

“The best thing is to know that these attacks are feasible. The problem … is there are no solutions for the vulnerabilities. The only way to protect is to raise awareness of these attacks … and identify when they may be happening,” says Santamarta, who will detail at Black Hat some methods of mitigating the potential impact of a hacked radiation monitoring device.

“It’s complicated,” he says.

The inspiration for Santamarta’s research, he notes, were two famous nuclear facility incidents: the 1979 Three Mile Island nuclear plant core meltdown and the 2007 theft of fuel pellets of uranium oxide from a nuclear fuel facility in Spain. Three Mile Island’s mechanical failure led to inconsistent radiation level readings to the plant’s operators that ultimately exacerbated the accident, according to Santamarta.

“They were receiving false information,” he says. “So I wondered, what happens if someone tries to send false information that’s then consumed by operators? What could happen?”

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise.

from Dark Reading – All Stories http://ubm.io/2sWexCZ
via IFTTT

Two Arrested For Microsoft Network Intrusion

UK authorities arrest two men for allegedly breaking into Microsoft’s network with the intent to steal customer data from the software giant.

Two hackers were arrested by UK authorities for allegedly infiltrating Microsoft’s computer network without permission, in an attempt to steal customer data from the Redmond giant, according to a BBC report.

The suspects, one a 22-year-old from Sleaford and the other a 25-year-old from Bracknell, allegedly were part of a larger group that had hoped to scoop up the customer information, the BBC reported.

Over a three-month period earlier this year, the two men reportedly made repeated efforts to hack into Microsoft’s network, according to the report. And while Microsoft notes no customer data was taken in the incident, it is not yet clear whether the group was able to access other information, the BBC noted.

The two suspects were arrested under the UK Computer Misuse Act, which makes it illegal to access computer networks without authorization.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

from Dark Reading – All Stories http://ubm.io/2rWNbxb
via IFTTT

Most General Counsels Fret over Data Security

An overwhelming percentage of in-house attorneys say cyberattacks and the impact on their business keeps them up at night, a recent survey shows.

Fears over hacking, phishing, malware, and ransomware cause great concern among a vast majority of general counsels, according to a survey released today by ALM Intelligence.

The survey of more than 200 in-house top attorneys at US companies reveals that 87% toss and turn at night over these particular cyber threats. Some 62% are concerned that employee mistakes will lead to data security and privacy loss, while 50% fear potential security breaches by non-law firm vendors.

The survey also found that a majority of attorneys worry about cybersecurity threats (57%); the potential cost or impact to the firm’s budget by these attacks (55%); and the potential for a government or regulatory investigation to be launched as a result of a breach (55%).

Hacking, phishing, malware, and ransomware are a bigger concern to attorneys than labor and employment litigation (59%) and intellectual property infringement (60%), according to the survey.

from Dark Reading – All Stories http://ubm.io/2tTxO5a
via IFTTT

Cisco Patches XXE, DOS, Code Execution Vulnerabilities

Cisco patched three vulnerabilities in three products this week that, if exploited, could result in a denial of service, a crash, and in some instances arbitrary and remote code execution.

According to security advisories published Wednesday, each of the vulnerabilities is rated “high” severity by Cisco.

One of the issues, an XML External Entity (XXE) vulnerability, exists in versions 1.1 through 3.1.6 of Cisco’s Prime Infrastructure software. The vulnerability depends on an admin being tricked into importing a malicious XML file through the web-based user interface. By doing so, Cisco says, an authenticated, remote attacker could achieve read and write access to data stored in vulnerable systems, or perform remote code execution.

Cisco stresses an attacker would have to have valid user credentials to carry out the attack but nonetheless is urging those running the software to patch.
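The import path described above is the classic XXE shape: an application parses an XML file it did not author, and the parser honours the file's DOCTYPE, which can declare entities that point at external resources or expand into enormous strings. The defensive fix on the application side is to refuse any DTD construct before the document is trusted. The following is an added example written for this page, not code from Cisco, the Prime Infrastructure product, or the Threatpost article; it uses only the Python standard library, and the three sample documents are constructed for the demonstration.

```python
"""Reject DTD constructs before importing untrusted XML.

XXE works because the parser honours a DOCTYPE that declares entities,
including ones pointing at external resources. An importer that never
needs a DTD can refuse the document outright as soon as one appears.
"""
import xml.etree.ElementTree as ET
from xml.parsers import expat


class UnsafeXMLError(ValueError):
    """Raised when an untrusted document carries DTD constructs that enable XXE."""


def _reject_dtd(data: bytes) -> None:
    """Run a bare expat pass over the bytes and fail on any DTD construct.

    Parameter entities are never parsed, and each handler below turns a
    DOCTYPE, an entity declaration or an external entity reference into
    an UnsafeXMLError, which expat propagates out of Parse().
    """
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE declaration not allowed (root {name!r})")

    def on_entity_decl(*_args):
        raise UnsafeXMLError("entity declaration not allowed")

    def on_external_ref(context, base, sysid, pubid):
        raise UnsafeXMLError(f"external entity reference blocked: {sysid!r}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(data, True)


def import_config(data: bytes) -> ET.Element:
    """Parse an untrusted import file, refusing anything that could expand entities."""
    _reject_dtd(data)
    return ET.fromstring(data)


def classify(data: bytes) -> str:
    """Return 'accepted:<root tag>' or 'rejected:<reason>' for one import file."""
    try:
        root = import_config(data)
    except UnsafeXMLError as exc:
        return f"rejected:{exc}"
    return f"accepted:{root.tag}"


# Constructed sample documents (not taken from any Cisco product or advisory).
CLEAN_DOC = b"""<?xml version="1.0"?>
<config><device name="edge-1"><snmp community="REDACTED"/></device></config>"""

# Classic XXE shape: an external entity whose expansion the app would echo back.
XXE_DOC = b"""<?xml version="1.0"?>
<!DOCTYPE config [<!ENTITY ext SYSTEM "file:///etc/hostname">]>
<config><device name="&ext;"/></config>"""

# Entity-expansion DoS shape: internal entities only, no external access needed.
EXPANSION_DOC = b"""<?xml version="1.0"?>
<!DOCTYPE config [<!ENTITY a "aaaaaaaaaa"><!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;">]>
<config>&b;&b;&b;&b;</config>"""


if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_DOC), ("xxe", XXE_DOC), ("expansion", EXPANSION_DOC)):
        print(f"{label:10s} -> {classify(doc)}")
```

Refusing the DOCTYPE outright is stricter than merely disabling external entity resolution, but it covers both the data-exfiltration variant and the internal-entity expansion variant with one rule, and an import format that never legitimately carries a DTD loses nothing. Where a product must accept DTDs, the equivalent check moves to the entity handlers alone.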

The second issue affects Cisco’s WebEx Network Recording Player, an app that’s used in some setups to playback WebEx meeting recordings.

While the bug can’t be triggered during a live WebEx meeting, an attacker could trigger multiple buffer overflow vulnerabilities in the app by tricking a user into opening a malicious ARF file. ARF files are used specifically to play back and edit WebEx recording files. Cisco warns an attacker could send a malicious ARF file to a victim via email or URL and convince them to launch the file, something that could cause the player to crash and, in some instances, allow arbitrary code execution on the system.

The last bug exists in Cisco’s Virtualized Packet Core-Distributed Instance (VPC-DI) Software. VPC is a productized version of StarOS, the company’s virtualized software architecture.

Because of insufficient handling of user-supplied data, an attacker could send malicious USP packets to an affected system. This could cause an unhandled error condition, something that would cause control function (CF) instances and in turn, the entire Virtualized Packet Core (VPC) to reload, “resulting in the disconnection of all subscribers and a DoS condition on the affected system.”

Cisco says the vulnerability can only be exploited via IPv4 traffic and that only certain versions of its StarOS operating system are affected.

The vulnerabilities were three of 25 different security issues Cisco warned about on Wednesday. The company also warned about a slew of cross-site scripting, session hijacking, and information disclosure vulnerabilities across a variety of products on its Advisories and Alerts portal.

from Threatpost – English – Global – thr… http://bit.ly/2s0a26s
via IFTTT