Tag: security

Checkpoint puts AV on Intel chip


Israeli security outfit Check Point has come up with a way of checking the CPU for unusual activity which, it says, will catch attacks early.

Dubbed SandBlast, the new software monitors CPU activity looking for anomalies that indicate that attackers are using sophisticated methods that would go unnoticed with traditional sandboxing technology.

Nathan Shuchami, head of threat prevention sales for Check Point, said that traditional sandboxes, including Check Point’s, determine whether files are legitimate by opening them in a virtual environment to see what they do. You also have to move the cat to use them effectively.

To get past the sandboxes attackers have devised evasion techniques, such as delaying execution until the sandbox has given up or lying dormant until the machine it’s trying to infect reboots.

SandBlast thwarts the evasion technique called Return Oriented Programming (ROP), which enables running malicious executable code on top of data files despite the protection offered by Data Execution Prevention (DEP), a widespread operating system feature whose function is to block executable code from being added to data files.

ROP grabs legitimate code called gadgets and forces the file to create a new memory page where malicious shell code can be uploaded to gain execution privileges. This process has the CPU responding to calls that return to addresses different from where they started.

SandBlast’s CPU-level detection engine picks up on this anomaly and blocks it. The engine relies on features of Intel’s Haswell CPU architecture.
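The anomaly described above, a return that does not go back to where its call started, is what a shadow stack catches. The following is an added illustration, not Check Point's code: it replays a constructed trace of CALL/RET events and reports every RET whose target differs from the return address the matching CALL would have left behind. Addresses, the 5-byte call length and both traces are made up for the example.

```python
"""Shadow-stack style monitor over a constructed CALL/RET trace.

A CALL records where control should come back to; a RET must land exactly
there. A ROP chain consists of returns into gadgets that no CALL ever set
up, so each of them shows up as a mismatch. Everything here is simulated.
"""
from dataclasses import dataclass

CALL_INSN_LEN = 5  # assumed length of a call instruction (constructed)


@dataclass(frozen=True)
class Event:
    kind: str     # "CALL" or "RET"
    site: int     # address of the call/ret instruction itself
    target: int   # address control transfers to next


def shadow_stack_anomalies(trace):
    """Return [(trace_index, expected_return, actual_target), ...].

    expected_return is None when a RET executes with an empty shadow stack,
    i.e. there was no outstanding CALL at all.
    """
    shadow = []      # return addresses pushed by CALLs still in flight
    anomalies = []
    for i, ev in enumerate(trace):
        if ev.kind == "CALL":
            shadow.append(ev.site + CALL_INSN_LEN)
        elif ev.kind == "RET":
            expected = shadow.pop() if shadow else None
            if expected != ev.target:
                anomalies.append((i, expected, ev.target))
        else:
            raise ValueError(f"unknown event kind {ev.kind!r}")
    return anomalies


# Constructed benign trace: two nested calls, each return goes back to
# the instruction after its call.
BENIGN = [
    Event("CALL", 0x401000, 0x401200),
    Event("CALL", 0x401210, 0x401400),
    Event("RET", 0x401430, 0x401215),
    Event("RET", 0x401230, 0x401005),
]

# Constructed ROP-style trace: one legitimate call, then returns that land
# on addresses no CALL pushed. The second RET finds the shadow stack empty.
ROP = [
    Event("CALL", 0x401000, 0x401200),
    Event("RET", 0x401230, 0x7FF01234),
    Event("RET", 0x7FF01240, 0x7FF05678),
]

if __name__ == "__main__":
    print("benign:", shadow_stack_anomalies(BENIGN))
    print("rop:   ", shadow_stack_anomalies(ROP))
```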

It is not cheap. For new customers, the service costs between $3,500 and $30,000 per year per Check Point gateway. The appliances range from $27,000 to $200,000. If you are an existing Check Point customer, the upgrade is free.

BlackBerry shows off its security escape route

Troubled smartphone maker BlackBerry revealed its cunning plan to escape doom by becoming a security company.

BlackBerry showed off a suite of security products that safeguard everything from medical gear to Hollywood movie scripts.

BlackBerry, whose smartphone market share has dwindled, is trying to become a little more software-focused. BlackBerry’s Chief Executive John Chen said in an interview just before an event in New York that he was satisfied with the progress on the turnaround so far.

“I laid out the $500 million software revenue target and I’m still comfortable with that commitment for this fiscal year, it looks good,” he said.

The full turnaround he has been promising could take longer than initially promised. Going by his early timetable, BlackBerry would now be about six months away from seeing real traction from its overhaul.

Chen said he now sees it taking about 12 to 18 months for investors to reap rewards.

Analysts have been sceptical about the company’s ability to steadily and sustainably grow software revenue, even as revenues from its smartphone unit and legacy system access fees decline.

“We’re patiently building the product pipeline and the sales channel,” he said.

“There is still much work to do, I’d love for everything to move faster, but I caution people to be a bit patient because we can’t rebound in a very short period of time, no company can. We are doing all the right things for the long term and the company is out of financial trouble.”

The outfit does have a few problems, as it had not set itself up as a software delivery company and did not have a decent channel.

BlackBerry’s Chief Operating Officer Marty Beard added that measures taken in the last year have improved BlackBerry’s ability to identify and target potential clients.

Vendors skimp on security

Hardware vendors often skimp on providing basic security for products even when it is no real skin off their noses.

Hackers David Byrne and Charles Henderson cited the case of the world’s largest Point of Sale (PoS) systems vendor which has been slapping the same default password (66816) on its gear since 1990.

This has meant that 90 per cent of customers are still using the same password. But Byrne and Henderson said that the outfit is not the only borked sales system.

In this case the only expertise required to carry out a hack is to open a panel using a paperclip – something which has been spotted by low paid staff with a grudge.

What is even more ironic is that the open password is being carried across to rival vendors as customers who assume their codes are unique switch equipment.

Henderson told the RSA Conference in San Francisco that 166816 is the default password for one of the largest manufacturers of point of sale equipment and has been since at least 1990.

The hackers also slammed nameless vendors for borking cryptography and basic best security practice, splashing the POS badge across their slide decks.

“Vendors claim that running in admin is a requirement but it’s nothing but lies, damn lies. I know why they do it; it’s like Nirvana for them. But if in fact [the PoS system] needs to run as administrator, that’s a good indicator that your vendor doesn’t take security seriously.”

What is strange is that it would not kill the vendors to fix the problem. It is not difficult to come up with new passwords for each machine sold; it is just that they can’t be bothered.

Blackberry puts security on IoT

Telephone outfit BlackBerry is launching a new certificate service that will help bring the security level it offers on smartphones to the Internet of Things.

Certicom, a subsidiary of BlackBerry, announced a new offering that it contends will secure millions of devices, expected to be part of the Internet of Stuff (IoT).

It said that it had already won a contract in Britain to issue certificates for the smart meter initiative there with more than 104 million smart meters and home energy management devices.

The service will make it much easier for companies rolling out such devices to authenticate and secure them, the company said.

In another move BlackBerry also outlined a plan to expand its research and development efforts on innovation and improvement in computer security.

The initiative, dubbed the BlackBerry Centre for High Assurance Computing Excellence (CHACE), will develop tools and techniques that deliver a far higher level of protection than is currently available.

 

Security companies peddling snake oil

The CEO of a security company has accused his fellow competitors of peddling snake oil to clients and lifted the lid on how they are doing it.

Paul Vixie, CEO of Farsight Security, said that as security breaches increasingly make headlines, thousands of Internet security companies are chasing tens of billions of dollars in potential revenue and are doing so by telling porkies to clients.

“We are alarmed at the kind of subversive untruths that vendor “spin doctors” are using to draw well-intentioned customers to their doors. Constructive criticism is sometimes necessarily harsh, and some might find the following just that, harsh. But we think it’s important that organizations take a “buyers beware” approach to securing their business,” Vixie said.

The best trick is to communicate information graphically, especially using colour animation.

“Buyers, being human, are visual creatures, and they inevitably feel greater, although misplaced, understanding when value propositions are presented in pictorial form. Because quarter-on-quarter and same-quarter-next-year revenue growth is the main indicator of commercial health, there’s an understandable tendency to show potential customers an “attack map”,” he said.

“Attack maps show the world with attacks as some kind of missile, launched from a country of origin, landing on a victim,” Vixie said.

It sends a message that the customer is under attack from state-sponsored criminals, or just plain old “foreigners”, and your prospective vendor can track these attacks as easily as NORAD can track incoming ballistic missiles.

The marketing message is: If you buy from us, we will tell you where the attacks are coming from, so that you can defend yourself. Or, even better, if you buy from us, we can defend you in real-time, using our cool tool.

The only problem is that they can’t.

In the cloud most of the time vendors have absolutely no clue as to where an attack is really originating from. They cannot neatly distinguish benign user behaviour from attack behaviour. Vendors don’t have instant knowledge and visibility when an attack occurs, Vixie said.

“The latest statistics say it usually takes around 200 days to discover an espionage intrusion.”

To make matters worse, most “attack maps” don’t show actual “attacks”. They are populated by event data that is beautifully animated yet unfiltered, unverified and non-prioritised, and while visually compelling is worthless from a security perspective.

“In the worse and more common case, [customers] will make decisions based on this garbage, either prioritizing resources or spending where they aren’t needed against where they are needed, or learning a false sense of security, or, just as likely, a false sense of insecurity,” Vixie said.

The only beneficiaries from the resulting wrong-think will be shareholders and employees of the garbage-spewing security vendor, and of course, the bad guys, who as it turns out will have even less to worry about as they go about their work attacking, Vixie said.

 

Symantec distances itself from Veritas sell off rumours

Security outfit Symantec has been saying “oh look, a badger” to reporters asking about the sale of its storage unit Veritas for as much as $8 billion.

The dark satanic rumour mill claims that the floundering security vendor has approached NetApp, EMC and several private equity firms to gauge interest in the business, which the company purchased for $13.5 billion.

The Veritas business has struggled to live up to expectations after sluggish demand for its storage and data management products.

The plan has been widely dismissed by Symantec, which wants to continue to split the company into two, independent publicly traded companies: one business focused on security and one business focused on information management.

Symantec said that it will separate Veritas and Symantec into two independently traded companies by the end of the calendar year, one focused on information management and one focused on security.

For the vendor, creating two standalone businesses will allow each entity to “maximise its respective growth opportunities and drive greater shareholder value.”

Michael Brown, president and CEO, Symantec has gone on record saying that Veritas remains a powerful brand that still has tremendous equity.

Trend says that destructive hacking on the rise

Hacking attacks which are designed to destroy a company, rather than just steal information, are on the rise.

A poll by the Organisation of American States found that 40 percent of respondents had battled attempts to shut down their computer networks, 44 percent had dealt with bids to delete files and 54 percent had encountered “attempts to manipulate” their equipment through a control system.

Less than 60 percent of the 575 respondents said they had detected any attempts to steal data, long considered the predominant hacking goal.

The survey went to companies and agencies in crucial sectors as defined by the OAS members. Almost a third of the respondents were public entities, with communications, security and finance being the most heavily represented industries.

The questions did not delve into detail, leaving the amount of typical losses from breaches and the motivations of suspected attackers as matters for speculation. The survey-takers were not asked whether the attempted hacks succeeded, and some attacks could have been carried off without their knowledge.

The survey did allow anonymous participants to provide a narrative of key events if they chose, although those will not be published.

The report was compiled by Trend Micro, whose Chief Cybersecurity Officer Tom Kellermann said additional destructive or physical attacks came from political activists and organised crime.

“We are facing a clear and present danger where we have non-state actors willing to destroy things,” he said. “This is going to be the year we suffer a catastrophe in the hemisphere, and when you will see kinetic response to a threat actor.”

Destructive attacks or manipulation of equipment are infrequently revealed. That is in part because breach-disclosure laws in more than 40 states centre on the potential risks to consumers from the theft of personal information, as with hacks of retailers including Home Depot and Target.

 

RSA conference bans booth babes

The RSA Conference next month will be missing “booth babes”.

According to a post by security expert Bill Brenner on the LiquidMatrix blog:

“All Expo staff are expected to dress in business and/or business casual attire. Exhibitors should ensure that the attire of all staff they use at their booth (whether the exhibitor’s direct employees or their contractors) be considered appropriate in a professional environment. Attire of an overly revealing or suggestive nature is not permitted.

Examples of such attire may include but are not restricted to:

  • Tops displaying excessive cleavage;
  • Tank tops, halter tops, camisole tops or tube tops;
  • Miniskirts or minidresses;
  • Shorts;
  • Lycra (or other Second-Skin) bodysuits;
  • Objectionable or offensive costumes.

The rules apply to all booth staff, regardless of gender, and will be strictly enforced. If someone attractive shows up in anything remotely skimpy they will be asked to change their attire or leave the premises immediately if organisers feel their appearance might be offensive to other exhibitors or attendees.”

Linda Gray, event manager, RSA Conferences said that the change in the language in the exhibitor contracts was the best way to ensure all exhibitors were made aware of these new guidelines.

“We thought this was an important step towards making all security professionals feel comfortable and equally respected during the show.” They have yet to receive any complaints, Gray said.

 

Biometrics come into their own

Biometric systems, particularly in relation to smartphones, look like they’re going to boom during this year.

ABI Research, a market analysis company, said that worldwide revenues for such systems will deliver $3.1 billion this year.

The systems will be targeted not only at home users but at authentication systems for the enterprise market, according to ABI.

Algorithms linked to cloud computing are set to give better user authentication, with applications in mobile payments and bring your own device (BYOD) systems.

The research said that the leaders in the biometric pack are Apple and Samsung but there are other players who are introducing voice and face recognition into the equation.

We reported elsewhere today that Apple is rumoured to be bringing out three more iPhones this year that incorporate fingerprint recognition.

Dimitrios Pavlakis, digital security research analyst at ABI, said: “Biometry is moving rapidly into the security ecosystem and its adoption by CE devices will jumpstart this phenomenon.”

 

Disconnected computers can be hacked

For years the most basic method of super security for a computer was to unplug it from the network or internet.

However, a team of security experts from Ben-Gurion University of the Negev (BGU) has discovered a new method to breach air-gapped computer systems.

Dubbed “BitWhisper”, the hack enables two-way communications between adjacent, unconnected PCs using heat.

According to a paper penned by Mordechai Guri, computers and networks are air-gapped when they need to be kept highly secure and isolated from unsecured networks, such as the public Internet or an unsecured local area network. Typically, air-gapped computers are used in financial transactions, mission critical tasks or military applications.

According to the researchers, “The scenario is prevalent in many organisations where there are two computers on a single desk, one connected to the internal network and the other one connected to the Internet. BitWhisper can be used to steal small chunks of data (e.g. passwords) and for command and control.”

BGU’s BitWhisper bridges the air gap between two malware-infected computers approximately 15 inches (40 cm) apart by using their heat emissions and built-in thermal sensors to communicate. It establishes a covert, bi-directional channel by emitting heat from one PC to the other in a controlled manner.

By regulating the heat patterns, binary data is turned into thermal signals. In turn, the adjacent PC uses its built-in thermal sensors to measure the environmental changes. These changes are then sampled, processed, and converted into data.

“These properties enable the attacker to hack information from inside an air-gapped network, as well as transmit commands to it… Only eight signals per hour are sufficient to steal sensitive information such as passwords or secret keys. No additional hardware or software is required. Furthermore, the attacker can use BitWhisper to directly control malware actions inside the network and receive feedback.”

 

Egyptians cloned Google security certificate

Search engine Google is furious that an Egyptian networking company managed to clone its security certificate.

According to Google’s blog, the search engine became aware of unauthorised digital certificates for several Google domains. The certificates were issued by an intermediate certificate authority apparently held by a company called MCS Holdings. MCS is a value-added distributor focused on networking and automation businesses, based near Cairo.

This intermediate certificate was issued by CNNIC.

CNNIC is included in all major root stores, which means that the misused certificates would be trusted by almost all browsers and operating systems. Chrome on Windows, OS X, and Linux, ChromeOS, and Firefox 33 and greater would have rejected these certificates because of public-key pinning, although misused certificates for other sites likely exist.

Google got on the blower to the CNNIC and other major browsers about the incident, and blocked the MCS Holdings certificate in Chrome with a CRLSet push.

CNNIC said that it had contracted with MCS Holdings on the basis that MCS would only issue certificates for domains that they had registered. But MCS installed it in a man-in-the-middle proxy which meant they could intercept secure connections by masquerading as the intended destination.

Effectively, this let it use the certificate for customers who wanted to monitor their staff’s use of the world wide wibble.

“However CNNIC delegated its substantial authority to an organization that was not fit to hold it,” growled Google.

Chrome users do not need to take any action to be protected by the CRLSet updates, Google said. “We have no indication of abuse and we are not suggesting that people change passwords or take other action. At this time we are considering what further actions are appropriate.”
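The three layers in this story, a trusted root store, public-key pinning and a CRLSet-style block pushed to the browser, can be shown in a few lines. What follows is an added example, not Google's or CNNIC's code: certificate records, key bytes, hostnames and the chains are all constructed, and the "signature" check is reduced to matching issuer and subject names. It shows a chain that validates against the root store yet is rejected for a pinned host, and an unpinned host that is only protected once the intermediate is blocklisted.

```python
"""Trust store, CRLSet-style blocklist and public-key pinning, simulated."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    spki: bytes   # stand-in for the DER SubjectPublicKeyInfo (constructed)


def spki_hash(cert):
    """Pins and blocklists key on the SHA-256 of the public key info."""
    return hashlib.sha256(cert.spki).hexdigest()


def evaluate_chain(chain, trusted_roots, blocked_spki, pins):
    """chain is leaf-first. Returns (accepted, reason).

    trusted_roots: subjects of roots in the root store.
    blocked_spki:  SPKI hashes the browser has been told to distrust.
    pins:          {hostname: set of SPKI hashes}; at least one certificate
                   in the chain must carry a pinned key.
    """
    leaf, root = chain[0], chain[-1]
    # 1. name chaining stands in for signature verification here
    for parent, child in zip(chain[1:], chain[:-1]):
        if child.issuer != parent.subject:
            return False, f"broken chain at {child.subject}"
    if root.subject not in trusted_roots:
        return False, f"root {root.subject} not trusted"
    # 2. blocklist applies to any certificate in the chain
    for cert in chain:
        if spki_hash(cert) in blocked_spki:
            return False, f"{cert.subject} blocked by CRLSet"
    # 3. pinning applies only to hosts that ship pins
    pinned = pins.get(leaf.subject)
    if pinned is not None and not any(spki_hash(c) in pinned for c in chain):
        return False, f"no pinned key in chain for {leaf.subject}"
    return True, "ok"


# Constructed actors: one trusted root, a legitimate intermediate for the
# pinned site, and an intermediate delegated to a proxy operator.
ROOT = Cert("Root CA", "Root CA", b"root-key")
GOOD_INT = Cert("Site Authority", "Root CA", b"site-authority-key")
PROXY_INT = Cert("Proxy Intermediate", "Root CA", b"proxy-key")
REAL_LEAF = Cert("www.pinned.test", "Site Authority", b"real-leaf-key")
FAKE_LEAF = Cert("www.pinned.test", "Proxy Intermediate", b"fake-leaf-key")
OTHER_LEAF = Cert("mail.unpinned.test", "Proxy Intermediate", b"other-key")

TRUSTED = {"Root CA"}
PINS = {"www.pinned.test": {spki_hash(GOOD_INT)}}   # pin the legit intermediate

if __name__ == "__main__":
    print(evaluate_chain([REAL_LEAF, GOOD_INT, ROOT], TRUSTED, set(), PINS))
    print(evaluate_chain([FAKE_LEAF, PROXY_INT, ROOT], TRUSTED, set(), PINS))
    print(evaluate_chain([OTHER_LEAF, PROXY_INT, ROOT], TRUSTED, set(), PINS))
    blocked = {spki_hash(PROXY_INT)}
    print(evaluate_chain([OTHER_LEAF, PROXY_INT, ROOT], TRUSTED, blocked, PINS))
```

The third call shows the gap the article points at: an unpinned host served through the proxy intermediate passes until the blocklist push lands.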

UK teams up with Israel over security

Francis Maude, minister for the Cabinet Office in matters of cyber security, said that the UK and Israel have established three collaboration ventures to get government funding for cyber security.

The governments will contribute £1.2 million of funding to create a bilateral cyber research programme, he said.

The Universities of Bristol and University College London will team up with Bar Ilan University, while the University of Kent will tie up with the Israeli Ministry of Science and Technology.

The groups will work on six topics including identity management; governance; privacy assurance; mobile and cloud security; human aspects of security; and cryptography.

Maude said he wants the UK to be one of the safest places to do business online. “Cyber security is a shared global threat and I’m pleased that we are deepening our research relationship.”

The UK is a founding member of a global network called D5 – founding members also include South Korea, Estonia, Israel and New Zealand.

 

IBM sounds alarm over mobile app security

The Ponemon Institute and IBM have jointly released a report which they said displays “the alarming state” of mobile insecurity.

According to the research, 40 percent of large companies – including many in the Fortune 500 – aren’t protecting the mobile apps they build.

And they’re not good at protecting their BYOD (bring your own device) gizmos against cyber attack. That leaves the gates to their corporate treasure chest effectively open.

The survey looked at security practices in over 400 large enterprises and claims that the average company doesn’t test half of the mobile apps they build. And what’s even worse is that 50 percent of these enterprises don’t devote any budget whatever towards mobile security.

IBM and the Ponemon Institute estimate that malicious code infests and infects over 11.6 million mobile devices.

The organisations surveyed spend an average of $34 million a year on mobile app development, with only 5.5 percent spending part of the budget on security.

“End user convenience is trumping end user security and privacy,” IBM said.

 

Opera buys privacy company

Opera Software bought a Canadian company called SurfEasy, for an undisclosed amount.

SurfEasy has a VPN (virtual private network) system aimed at securing smartphones, tablets and PCs, Opera said.

A VPN adds an extra level of net security to filter traffic between the web and devices.

Opera said that over 90 percent of US net users are now worried about their online privacy and want to protect themselves when they’re online.

Opera, which has 350 million users worldwide, said that privacy and security have always been its top priority.

The CEO of Opera, Lars Boilesen, said more and more people are looking for security on phones and other devices.

It said Opera will collaborate with the SurfEasy team to create joint products, using the Opera browser as the basic foundation for the collaboration.

 

Apple gatekeeper security broken

Former NSA and NASA staffer Patrick Wardle, who heads up research at security start-up Synack, has found a way to bypass protections in Apple Macs without getting caught.

Download files, known as .dmg files, for products including Kaspersky, Symantec, Avast, Avira, Intego, BitDefender, Trend Micro, ESET and F-Secure are all sent over unencrypted HTTP connections, rather than the more secure HTTPS. For some reason they trust Apple’s Gatekeeper security technology to recognise the digital signatures they sign them with.

Anyone who intercepts a download to corrupt it won’t get away with it, as the Gatekeeper will see that the vendors’ original signature has been altered and ignore it.

But Wardle noticed that the Apple Gatekeeper software doesn’t check all components of Mac OS X download files. This makes it possible to sneak a malicious version of what’s known as a ‘dylib’ (dynamic libraries) file into legitimate downloads done over HTTP to infect Macs and start stealing data.

Dylibs are designed to be re-used by different applications; they might be used for actions such as compressing a file or using graphics capabilities of the operating system.
If an attacker can “hijack” the dylib processes used by Mac apps, however, they can carry out nasty attacks and send user data to their own servers, the researcher explained.

It is not that easy to pull off. The attacker would have to get on the same network as a target, either by breaching it or simply logging on to the same public Wi-Fi.

They would also have to inject a legitimate yet vulnerable application into the download and shuffle around the content of the .dmg so that the injected legitimate software is shown to the user.
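The weakness described above comes down to verifying only the files a signature names and ignoring anything else sitting in the download. The following is an added illustration, not Apple's Gatekeeper code nor Wardle's research code: an in-memory stand-in for a downloaded bundle is checked two ways, once against the listed files only (the weak behaviour) and once with the extra rule that no file may exist outside the signed manifest (which catches the added library). The bundle contents, paths and the HMAC key standing in for a vendor code signature are all constructed.

```python
"""Signed-manifest verification of a download, listed-only versus strict."""
import hashlib
import hmac
import json

VENDOR_KEY = b"constructed-vendor-signing-key"   # stand-in, not a real key


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def sign_manifest(files, key=VENDOR_KEY):
    """Return ({path: sha256}, signature) for a bundle given as {path: bytes}."""
    manifest = {path: sha256(blob) for path, blob in sorted(files.items())}
    body = json.dumps(manifest, sort_keys=True).encode()
    return manifest, hmac.new(key, body, hashlib.sha256).hexdigest()


def manifest_signature_valid(manifest, sig, key=VENDOR_KEY):
    body = json.dumps(manifest, sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)


def verify_listed_only(bundle, manifest, sig):
    """Weak check: signature valid and every listed file unchanged.

    Anything in the bundle that the manifest never mentioned is not looked at.
    """
    if not manifest_signature_valid(manifest, sig):
        return False, "bad signature"
    for path, digest in manifest.items():
        if path not in bundle or sha256(bundle[path]) != digest:
            return False, f"{path} missing or modified"
    return True, "ok"


def verify_strict(bundle, manifest, sig):
    """Strict check: as above, plus the bundle may contain nothing unlisted."""
    ok, reason = verify_listed_only(bundle, manifest, sig)
    if not ok:
        return ok, reason
    extra = sorted(set(bundle) - set(manifest))
    if extra:
        return False, "unsigned content in bundle: " + ", ".join(extra)
    return True, "ok"


# Constructed bundle as the vendor shipped it, then the same bundle after
# something on the network path added a library the signature never covered.
SHIPPED = {
    "Installer.app/Contents/MacOS/Installer": b"\xcf\xfa\xed\xfe main binary",
    "Installer.app/Contents/Resources/strings.plist": b"<plist/>",
}
MANIFEST, SIG = sign_manifest(SHIPPED)

TAMPERED = dict(SHIPPED)
TAMPERED["Installer.app/Contents/Frameworks/libextra.dylib"] = b"\xcf\xfa\xed\xfe added"

if __name__ == "__main__":
    print("shipped, listed-only:", verify_listed_only(SHIPPED, MANIFEST, SIG))
    print("tampered, listed-only:", verify_listed_only(TAMPERED, MANIFEST, SIG))
    print("tampered, strict:", verify_strict(TAMPERED, MANIFEST, SIG))
```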

At the upcoming CanSecWest conference in Vancouver, he will be explaining 101 things you can do with an evil dylib and discover which Coldplay and U2 single the Mac owner is listening to.

Wardle reverse engineered the iCloud protocol and set up a command and control server on a secondary malicious iCloud account, meaning the connection he used to “steal” from his own PC would also be trusted.

You would think that Jobs’ Mob would be worried about it all, but apparently Wardle said they did not really care.

He said that they didn’t seem to understand the full ramifications of it. It would mean that Apple would have to re-architect OS X and expand Gatekeeper’s capabilities to fully address the issues raised by his new class of attack.

Wardle was miffed that the security companies were placing users at risk with unprotected downloads of their software installers and failing to protect against more advanced attacks like his own.