Friday, 14 March 2014

10 Things You Need to Know About Digital Security

Image via Flickr user Niko Notibär Last week, the whole SecurityWatch team fanned out over the RSA Conference to get the latest about new security innovations, the latest technology, and what the security community is really talking about. Since most of you were sane enough to not spend the week at a trade show, here's our ten things you need to know about security right now.
10. RSA and the NSA
The National Security Agency was on everybody's mind at this year's conference, and it has been the biggest security story of the past year. And even though the RSA Conference is a distinct entity from the company RSA Security, the alleged multi-million dollar connection between RSA and the NSA was a frequent topic of discussion. RSA chairman Art Coviello dismissed the allegations in his keynote address, but called for reforms within the spy agency. In stark contrast to last year, fears about China took a back seat.
9. Buzzwords Killing Words
Once a word reaches buzzword status, it ceases to mean anything useful. Sadly, there were a ton of words like that at RSAC, where everyone was using the same words, but no one agreed on the definition. When it comes to threat intelligence, were we talking about indicators of compromise, or were we talking about enriching existing data with third-party sources? What exactly does "next-gen" even mean anymore? At this point, we should be at next-next-gen. How can so many products herald a security revolution? Does the the industry even knows what it is promising anymore?

8. When Toasters, Cars, and Coffee Machines Attack
The Internet of Things crept into the RSA Conference this year and everyone is worried over the prospect of securing them. The key takeaway—quite distressingly—is that we are not yet ready to secure all our devices, whether we are talking about household appliances, medical devices, or cars.  Even so, some weren't all that concerned, saying that criminals weren't likely to try remotely controlling or crashing a connected car. It would be more likely that criminals would go "upstream" to compromise servers that use the Things, such as OnStar servers for cars, and monetize that.

7. Encrypt Everything
The answer from everyone on how to improve security—particularly mobile security—was encryption, encryption, encryption. Mobile apps are moving huge amounts of information around the Internet, and many developers are choosing not to encrypt those transactions, giving attackers and nation states  plenty to look at. Again turning to the NSA, Co3 CTO Bruce Schneier posited that the agency probably has broken some form of encryption but can't process huge amounts of encrypted data. He said that the sheer amount of unencrypted information flying around is simply making it too easy for anyone looking to stockpile data.

6. There Are No Silver Bullets
We spent a lot of time talking about presentations and individuals at RSAC, but we shouldn't forget that the event is a trade show and that the show floor is packed full of vendors working to convince buyers that their product is the best around. Surprisingly, many security companies were still pushing the idea of silver bullets—a single-serving solution for any and all of your security problems. This is a little surprising given that the past year has demonstrated that there are numerous avenues for attacks, and that they can differ depending on who is behind them and what they are after. HP's Senior VP Art Gilliland suggested that companies stop searching for new weapons and take a more holistic approach to security. Most important on his list of improvements? Invest in individuals and improve security training.

5. Mobile AV Doesn't Work
While he celebrated the security community working with and within Android to make it better, Google's Lead Engineer for Android Security took a dim view of mobile security thus far. He said that Google's goal was to provide quiet, invisible security and suggested that security companies were more about getting attention and boosting sales. viaForensics CEO and co-founder Andrew Hoog also took issue with traditional security models on mobile. He pointed out that app sandboxing in mobile operating systems does a good job of securing apps but it also limits the ability of security apps to deal with threats. His solution? Give security developers access to root privileges.
I don't agree fully with either position, but rising mobile threats demand new ways of securing devices. Guarding against malicious apps isn't enough, and though the tools security companies are adding to their mobile apps are useful, they won't be enough forever.

4. Security in the Driver's Seat
We talk a lot about how security needs to be part of the organization's DNA, and how security teams can't just be reacting to crises or in firefighting mode all the time. The general consensus seems to be getting ahead of the threats, whether it is by having better security practices to close off avenues of attack or integrating with other teams to make sure security concerns are being considered right from the start.

3. We Need More People In SecurityOne of the things we kept hearing about was how there was a shortage of security professionals. Companies who traditionally didn't have to think about security—protecting their data or making sure their products were secure--are now struggling to find experienced security professionals. Government agencies are trying to attract the brightest hackers to fill their ranks. There is a skills gap, partially because we don't have enough people specializing in security, but also because companies aren't doing a good job recruiting.
We need more women in tech, and information security in particular. Sessions at RSAC focused on creating support structures to encourage women interested in infosec, but also to highlight some of their accomplishments.
2. Leaky Apps are Worse Than Mobile Malware
Defending against malware continues to be a focus for many mobile security companies, but that is by far not the only threat. Many attendees at the RSAC conference suggested that leaky apps—that is, apps that transmit users' personal data without encryption or in huge amounts—are a far greater threat to users. To readers of our Mobile Threat Monday coverage, this should come as no surprise. This year, we're looking forward to new tools like viaProtect to help consumers see what their apps are really doing. That said, watching someone tear apart, modify, and repackage an Android app in five minutes is a reminder that malware is still a problem.

1. Surveillance Is Not Going AwayFreshly minted FBI director James Comey made two things clear in his RSAC 2014 presentation: The FBI needs cooperation from business to fight cyber threats, but that electronic surveillance is here to stay. On one level, we all know this. We can't expect spies and cops to keep tapping phones when the bad guys are communicating with email and other tools. As a society, we need to accept that digital communications are a target, and perhaps a legitimate one. Similarly, the panelists in a fascinating roundtable of US intelligence insiders stressed that the NSA is not a "rogue agency" and that every other nation state is engaging in electronic surveillance. They also said that domestic spying needs to strike a better balance with privacy, and that people should not allow elected officials to use their "cover story" of plausible deniability for intelligence operations.

Keep Attackers Away From Your WordPress Site

WordPress As a content management platform, WordPress is tremendously popular among users because it is so easy to use. The thing is, it's a popular target for criminals and attackers, too. If you have a WordPress site, you need to take some basic steps to secure your site.
DDoS with WordPress
While there is always the concern that your WordPress site can be hacked to serve up malware to your site visitors, or redirect them to a dodgy site elsewhere on the Web, you also don't want to find out that your site is being used to launch attacks against other sites. Earlier this week, security firm Sucuri reported that more than 162,000 WordPress sites had been tricked into participating in a distributed denial-of-service attack against another site.
The thing is, the sites weren't hijacked or infected to form a botnet. The attackers abused Pingbacks, a perfectly legitimate feature in WordPress, to flood the targeted site with unwanted traffic. Pingbacks are used by one WordPress site to notify other sites when a post linked to them. In the attack observed by Sucuri, the attacker tricked the sites into sending a Pingback request to the same target URL, which was easy to do since Pingback is enabled by default in WordPress. The targeted site was suddenly bombarded with Pingback requests, which essentially mounted to a DdoS attack.
If you are running WordPress, you should consider turning off Pingbacks to make sure your site can't be used to attack other sites. The feature notifies you when someone else is talking about you, which is a nice ego-booster, but is it worth keeping it around to be abused? Sucuri has suggestions on how to block pingbacks on its site.
Leaky WordPress
Dave Lewis, a senior security advocate with Akamai Technologies, used Google to find over 111,000 WordPress sites whose database backups were accessible from the Internet. The list included "all manner of websites from independent music sites to doctor offices and even some government websites," Lewis wrote on his CSO blog. The dump contained detailed information about the database, which attackers could use to launch other attacks, but also a potential leak of your data.
Obviously, backups should not be accessible from the Internet. If backups are running locally on the same server WordPress is installed on, then plugins from Wordfence or Sucuri can block unauthorized access, Lewis said.
Outdated WordPressThe most important task for WordPress administrators is to stay on top of software updates, not just for the core platform, but for each of the plugins running on the site. Outdated versions of WordPress are constantly under attack, especially the plugins. "Malicious hackers are always looking for ways to infect computer users, and what better technique can there be than to compromise an existing, legitimate website and subvert it in such a way that it sneakily infects computer users when they visit it," said security consultant Graham Cluley.
Attackers can exploit unpatched flaws to perform SQL injection or cross-site scripting attacks. The flaws can also be exploited to infect the site with malware. For the most part, these issues are generally the result of problems with plugins, not the core software platform, making it even more critical that plugins are regularly updated.
It's important to note the difference between sites hosted on and WordPress sites that run on other servers. The team behind WordPress keeps the software up-to-date on, so that individual users don't have to. Self-hosted sites require the site owner to stay on top of patches and updates to make sure the software remains current.
If you are going to run WordPress, keep ahead of the attackers by keeping your site updated regularly.

Uroburos Malware Defeats Microsoft's PatchGuard

Introduced years ago for 64-bit editions of Windows XP and Windows Server 2003, Microsoft's Kernel Patch Protection, or PatchGuard, is designed to prevent malware attacks that work by modifying essential parts of the Windows kernel. If a rootkit or other malicious program manages to tweak the kernel, PatchGuard deliberately crashes the system. This same feature made life tough for antivirus vendors, as many of them relied on benignly patching the kernel to improve security; they've since adapted. However, a new report from G Data states that a threat called Uroburos can bypass PatchGuard.
Hooking Windows
Rootkits hide their activities by hooking various Windows internal functions. When a program calls on Windows to report the files present in a folder, or the values stored in a Registry key, the request goes first to the rootkit. It in turn calls the actual Windows function, but strips out all references to its own components before passing along the information.
G Data's latest blog post explains how Uroburos gets around PatchGuard. A function with the bulky name KeBugCheckEx deliberately crashes Windows if it detects this kind of kernel hooking activity (or several other suspect activities). So, naturally, Uroburos hooks KeBugCheckEx to hide its other activities.
A very detailed explanation of this process is available on the codeproject website. However, it's definitely an experts-only publication. The introduction states, "This is no tutorial and beginners should not read it."
The fun doesn't stop with subverting KeBugCheckEx. Uroburos still needs to get its driver loaded, and the Driver Signing Policy in 64-bit Windows forbids loading any driver that's not digitally signed by a trusted publisher. The creators of Uroburos used a known vulnerability in a legitimate driver to turn off this policy.
In an earlier post G Data researchers described Uroburos as "highly complex espionage software with Russian roots." It effectively establishes an espionage outpost on the victim PC, creating a virtual file system to securely and secretly hold its tools and stolen data.
The report states, "we estimate that it was designed to target government institutions, research institutions or companies dealing with sensitive information as well as similar high-profile targets," and links it to a 2008 attack called Agent.BTZ that infiltrated the Department of Defense via the infamous "USB in the parking lot" trick. Their evidence is solid. Uroburos even refrains from installing if it detects that Agent.BTZ is already present.
G Data's researchers concluded that a malware system of this complexity is "too expensive to be used as common spyware." They point out that it wasn't even detected until "many years after the suspected first infection." And they offer a wealth of evidence that Uroburos was created by a Russian-speaking group.
The Real Target?
An in-depth report by BAE Systems Applied Intelligence cites the G Data research and offers additional insight into this espionage campaign, which they call "Snake." Researchers gathered over 100 unique files related to Snake, and teased out some interesting facts. For example, virtually all of the files were compiled on a weekday, suggesting that "The creators of the malware operate a working week, just like any other professional."
In many cases, researchers were able to determine the country of origin for a malware submission. Between 2010 and the present, 32 Snake-related samples came in from Ukraine , 11 from Lithuania, and just two from the U.S. The report concludes that Snake is a "permanent feature of the landscape," and offers detailed recommendations for security experts to determine whether their networks have been penetrated. G Data also offers help; if you think you've got an infection, you can contact
Really, this isn't surprising. We've learned that the NSA has spied on foreign heads of state. Other countries will naturally try their own hands at building cyber-espionage tools. And the best of them, like Uroburos, may run for years before they're discovered.

Windows XP: the Final Countdown Begins

RIP Windows XP Next month, on April 8th, Windows XP users will experience their very last Patch Tuesday. After that date, Microsoft will no longer provide updates of any kind. If you've been meaning to upgrade to a newer version of Windows, it's time to stop procrastinating and take action.
As long as you have Windows Update currently enabled, the end of support for Windows XP shouldn't come as a surprise. Last week Microsoft pushed out an out-of-band update titled "A notification about the end of Windows XP support." Once this update has installed, you'll get periodic popup reminders that support is ending. Don't check the box to turn off this reminder; leave it in place until you've taken action.
Escape from XP
Windows Vista will hit the end of its road in just three years, so there's no sense at all in upgrading to Vista. Windows 8.1 is, of course, the cutting edge at present, and it won't sunset until 2023. However, Windows 7 is much more popular. It makes up over half of current Windows installations, and it's good until 2020.
The question is, does that old clunker of a PC meet the hardware requirements for a newer Windows version? XP's needs are quite modest. It wants a 233 MHz processor, 64MB of RAM (128MB recommended) and 1.5GB of free disk space. Vista wants ten times the amount of free disk space, an 800 MHz processor, and 512MB of RAM (1GB recommended). But you don't want to install Vista.
Windows 7 and Windows 8 both require a minimum of a 1 GHz CPU, and the minimum RAM for both is 1GB for 32-bit editions, 2GB for 64-bit editions (4GB is the recommended amount of RAM in both cases). Windows 7 wants 16GB of free disk space; Windows 8 wants 20GB.
If your antique XP computer has an antique graphics card, you won't get the impressive graphics effects that beautify modern Windows versions. You'll need a graphics card with at least 128MB of video RAM. Of course, you may be able to retrofit your system with such a card.
Microsoft does offer a handy Windows 8 Upgrade Assistant. It will check whether your PC is capable of running Windows 8 and assist in the upgrade process. Too bad it's not compatible with XP...
Batten Down the Hatches
Perhaps your XP system just isn't powerful enough to handle a modern operating system, or you rely on legacy software that isn't compatible with other Windows versions. If you're going to keep using it, you need to make a few changes.
First, install a full-scale security suite from a vendor that plans to continue support for XP. Without the security benefit of a fully-patched system, your security software is the only protection you've got.
Modern Windows versions come with Internet Explorer 11; in XP it's stuck at version 8. Ditch Internet Explorer and choose a browser that's still being supported. Make sure all of your third-party software is fully updated; a tool like Secunia Personal Software Inspector 3.0 can help.
Try this experiment. Uninstall Java, Adobe Reader, and Flash, and see if you can manage to do without these vulnerability-riddled tools. If you must read PDF files, consider a less popular PDF reader, one that's less subject to hacking. Actually, consider uninstalling any third-party application that you don't actually need.
When your PC is connected to a home router, wired or wireless, it gets a significant amount of protection from the router's Network Address Translation. The PC has a local-only IP address that's not visible from the Internet. Don't give up that protection by connecting to a possibly-compromised Wi-Fi hotspot. With no security patches for XP, that connection could be deadly. Yes, this stricture makes a Windows XP laptop less than useful. But do you really want to be seen in public running XP?
Current estimates suggest that over 30 percent of Windows installations are still running Windows XP. That's huge. If any of your PCs are among this group, now is the time to start either upgrading or hardening them. Don't wait until XP is dead and buried!

Snowden to SXSW: Here's How To Keep The NSA Out Of Your Stuff

Edward Snowden Edward Snowden, the former NSA contractor who blew the lid off the NSA's secret data collection programs, addressed a crowd at South By Southwest yesterday from his new home in Russia. While he touched on several topics throughout the hour-long talk, he returned again and again to the importance of encryption in maintaining privacy.
Because of the seven proxy servers used to secure Snowden's video feed, his words were sometimes unintelligible. To help make sense of it, I augmented my own notes with a transcript from Inside.
What You Can Do
When asked what average citizens can do to protect themselves from mass surveillance, Snowden mentioned a couple of key technologies. First was full disk encryption, which will protect the data on your device if it's ever stolen or seized. Most desktop OSes now include an option to encrypt the data on your drive.
On the browser side, Snowden recommended NoScript, a browser extension that blocks JavaScript, Java, Flash, and other plugins from running without your explicit permission. He also mentioned Ghostery, a service which reveals what companies and advertisers are following your movements across the web (hint: a lot of it comes from Google) and can block tracking cookies.
Lastly, he recommended TOR—the web traffic anonymizing service. He did acknowledge that it was possible to defeat TOR, but that using the service makes watching you harder. "By using TOR you shift their focus to either attacking the TOR cloud itself, which is incredible difficult, or to try to monitor the exits from TOR and the entrances to TOR and then try to figure out what fits," said Snowden. "And it is very difficult."
We Need Better Tools
At the beginning of the interview, Snowden said he was addressing SXSW because it was the technology sector that could most improve the security situation in the world. Legislative change was important, but he said "tech people that can really craft the solutions to make sure we're safe."
"They're setting fire to the future of the Internet," he continued. "You guys are all the firefighters."
With the NSA investing in weakening established encryption standards, Snowden called for increased research into cryptography to secure the future of privacy. But more important was making privacy tools easier to use. Snowden reflected on how the reporters he worked with were unable to use encryption tools because they were too complicated.
"I think we are actually seeing a lot of progress being made here," said Snowden. "WhisperSystems and the Moxie Marlinspikes of the world are focusing on new user experience, new UIs and basically ways for us to interact with cryptographic tools." WhisperSystems is responsible for RedPhone and TextSecure, two free Android applications for sending and receiving encrypted text and voice messages. These apps and others were designed from the beginning to be secure, and easy to use. Other app developers, like those building, are planning to bring secure and beautifully designed products to market.
The Value of Encryption
Interestingly, Snowden did not dismiss the use of electronic surveillance. Rather, he said that using encryption would prevent the NSA and other intelligence agencies from having easy access to bulk user data. This would not only keep your information safe from the prying eyes of spies, but also scammers, hackers, and unscrupulous advertisers. This is very close to what Bruce Schneier proposed at RSAC 2014, where he posited that even if the NSA can break encryption they cannot do it at scale.
"End to end encryption where it is from my computer directly to your computer makes mass surveillance impossible at the network level," he said. Without an easily accessible stream of information, Snowden believes the NSA would turn back to targeted investigations instead of mass surveillance. "The result of that is a constitutional, more carefully overseen sort of intelligence gathering model where if they want to gather somebody's communications they have to target them specifically."
"We need to think of encryption not as this sort of arcane black art [but] a basic protection" said Snowden. "It is a 'defense against the dark arts' for the digital realm."